Repository: Kong/kong Branch: master Commit: 58f2daa56b90 Files: 2479 Total size: 14.1 MB Directory structure: gitextract_m8kek0kp/ ├── .bazelignore ├── .bazelrc ├── .bazelversion ├── .busted ├── .ci/ │ ├── ast-grep/ │ │ ├── README.md │ │ ├── common/ │ │ │ └── .gitkeep │ │ ├── rules/ │ │ │ ├── .gitkeep │ │ │ ├── assert-eventually-terminated.yml │ │ │ ├── helpers-outside-of-setup.yml │ │ │ └── ngx-log-string-concat.yml │ │ └── tests/ │ │ ├── .gitkeep │ │ ├── __snapshots__/ │ │ │ ├── assert-eventually-terminated-snapshot.yml │ │ │ ├── helpers-outside-of-setup-snapshot.yml │ │ │ └── ngx-log-string-concat-snapshot.yml │ │ ├── assert-eventually-terminated-test.yml │ │ ├── helpers-outside-of-setup-test.yml │ │ └── ngx-log-string-concat-test.yml │ ├── luacov-stats-aggregator.lua │ └── test_suites.json ├── .devcontainer/ │ ├── Dockerfile │ ├── devcontainer.json │ └── docker-compose.yml ├── .editorconfig ├── .github/ │ ├── ISSUE_TEMPLATE/ │ │ ├── bug_report.yaml │ │ └── config.yml │ ├── PULL_REQUEST_TEMPLATE.md │ ├── actions/ │ │ ├── build-cache-key/ │ │ │ └── action.yml │ │ └── build-wasm-test-filters/ │ │ └── action.yml │ ├── dependabot.yml │ ├── labeler.yml │ ├── matrix-commitly.yml │ ├── matrix-full.yml │ └── workflows/ │ ├── add-release-pongo.yml │ ├── ast-grep.yml │ ├── auto-assignee.yml │ ├── autodocs.yml │ ├── backport-fail-bot.yml │ ├── backport-v2.yml │ ├── build.yml │ ├── build_and_test.yml │ ├── buildifier.yml │ ├── changelog-requirement.yml │ ├── changelog-validation.yml │ ├── cherry-picks-v2.yml │ ├── community-stale.yml │ ├── copyright-check.yml │ ├── deck-integration.yml │ ├── label-check.yml │ ├── label-community-pr.yml │ ├── label-schema.yml │ ├── labeler-v2.yml │ ├── openresty-patches-companion.yml │ ├── perf.yml │ ├── release.yml │ ├── update-ngx-wasm-module.yml │ ├── update-test-runtime-statistics.yml │ └── upgrade-tests.yml ├── .gitignore ├── .luacheckrc ├── .luacov ├── .requirements ├── BUILD.bazel ├── CHANGELOG-OLD.md ├── CHANGELOG.md ├── 
CODE_OF_CONDUCT.md ├── COMMUNITY_PLEDGE.md ├── CONTRIBUTING.md ├── COPYRIGHT ├── DEVELOPER.md ├── LICENSE ├── MODULE.bazel ├── Makefile ├── README.md ├── SECURITY.md ├── UPGRADE.md ├── WORKSPACE ├── autodoc/ │ ├── README.md │ ├── cli/ │ │ ├── data.lua │ │ └── generate.lua │ └── pdk/ │ ├── generate.lua │ └── ldoc/ │ ├── config.ld │ ├── filters.lua │ ├── json.ltp │ ├── ldoc.ltp │ └── nav_yml.ltp ├── bin/ │ ├── busted │ ├── kong │ └── kong-health ├── build/ │ ├── BUILD.bazel │ ├── README.md │ ├── build_system.bzl │ ├── cross_deps/ │ │ ├── BUILD.bazel │ │ ├── README.md │ │ ├── libxcrypt/ │ │ │ ├── 001-4.4.27-enable-hash-all.patch │ │ │ ├── BUILD.bazel │ │ │ ├── BUILD.libxcrypt.bazel │ │ │ └── repositories.bzl │ │ ├── libyaml/ │ │ │ ├── BUILD.bazel │ │ │ ├── BUILD.libyaml.bazel │ │ │ └── repositories.bzl │ │ ├── repositories.bzl │ │ └── zlib/ │ │ ├── BUILD.bazel │ │ ├── BUILD.zlib.bazel │ │ └── repositories.bzl │ ├── dockerfiles/ │ │ ├── deb.Dockerfile │ │ ├── entrypoint.sh │ │ └── rpm.Dockerfile │ ├── kong_bindings.bzl │ ├── kong_crate/ │ │ ├── BUILD.bazel │ │ ├── crates.bzl │ │ └── deps.bzl │ ├── libexpat/ │ │ ├── BUILD.bazel │ │ ├── BUILD.libexpat.bazel │ │ └── repositories.bzl │ ├── luarocks/ │ │ ├── BUILD.bazel │ │ ├── BUILD.luarocks.bazel │ │ ├── lua/ │ │ │ ├── BUILD.bazel │ │ │ ├── BUILD.lua.bazel │ │ │ ├── lua_repositories.bzl │ │ │ └── patches/ │ │ │ └── lua-cross.patch │ │ ├── luarocks_repositories.bzl │ │ ├── luarocks_wrap_script.lua │ │ └── templates/ │ │ ├── luarocks_exec.sh │ │ ├── luarocks_make.sh │ │ └── luarocks_target.sh │ ├── nfpm/ │ │ ├── BUILD.bazel │ │ ├── BUILD.nfpm.bazel │ │ ├── repositories.bzl │ │ └── rules.bzl │ ├── openresty/ │ │ ├── BUILD.bazel │ │ ├── BUILD.openresty.bazel │ │ ├── ada/ │ │ │ ├── BUILD.bazel │ │ │ └── ada_repositories.bzl │ │ ├── atc_router/ │ │ │ ├── BUILD.atc_router.bazel │ │ │ ├── BUILD.bazel │ │ │ └── atc_router_repositories.bzl │ │ ├── brotli/ │ │ │ ├── BUILD.bazel │ │ │ └── brotli_repositories.bzl │ │ ├── 
lua-resty-lmdb-cross.patch │ │ ├── openssl/ │ │ │ ├── BUILD.bazel │ │ │ ├── README.md │ │ │ ├── openssl.bzl │ │ │ └── openssl_repositories.bzl │ │ ├── patches/ │ │ │ ├── LuaJIT-2.1-20250117_01-patch-macro-luajit-version.patch │ │ │ ├── LuaJIT-2.1-20250117_02-pass-cc-env.patch │ │ │ ├── LuaJIT-2.1-20250117_03-revert-reflect-override-of-ljlibd.patch │ │ │ ├── lua-cjson-2.1.0.14_01-error-on-t-end.patch │ │ │ ├── nginx-1.27.1_01-upstream-client-certificate-and-ssl-verify.patch │ │ │ ├── nginx-1.27.1_02-remove-server-tokens-from-special-responses-output.patch │ │ │ ├── nginx-1.27.1_03-stream-upstream-client-certificate-and-ssl-verify.patch │ │ │ ├── nginx-1.27.1_04-grpc-authority-override.patch │ │ │ ├── nginx-1.27.1_05-remove-server-headers-from-ngx-header-filter-module.patch │ │ │ ├── nginx-1.27.1_06-dynamic-log-level.patch │ │ │ ├── nginx-1.27.1_07-cross.patch │ │ │ ├── nginx-1.27.1_08-cross-endianness-fix.patch │ │ │ ├── nginx-1.27.1_09-proxy-upstream-next.patch │ │ │ ├── nginx-1.27.1_10-refresh-uri-when-proxy-pass-balancer-recreate.patch │ │ │ ├── nginx-1.27.1_11-upstream-latency-metrics.patch │ │ │ ├── ngx_lua-0.10.28_01-dynamic-log-level.patch │ │ │ ├── ngx_lua-0.10.28_02-fix-invalid-hostname.patch │ │ │ ├── ngx_lua-0.10.28_03-missing-lightud.patch │ │ │ ├── ngx_stream_lua-0.0.16_01-expose-request-struct.patch │ │ │ └── openresty_01-custom-prefix-and-cc.patch │ │ ├── pcre/ │ │ │ ├── BUILD.bazel │ │ │ ├── BUILD.pcre.bazel │ │ │ ├── README.md │ │ │ └── pcre_repositories.bzl │ │ ├── repositories.bzl │ │ ├── simdjson_ffi/ │ │ │ ├── BUILD.bazel │ │ │ └── simdjson_ffi_repositories.bzl │ │ ├── snappy/ │ │ │ ├── BUILD.bazel │ │ │ └── snappy_repositories.bzl │ │ └── wasmx/ │ │ ├── BUILD.bazel │ │ ├── filters/ │ │ │ ├── BUILD.bazel │ │ │ ├── repositories.bzl │ │ │ └── variables.bzl │ │ ├── rules.bzl │ │ └── wasmx_repositories.bzl │ ├── package/ │ │ ├── kong.logrotate │ │ ├── kong.service │ │ ├── nfpm.yaml │ │ └── postinstall.sh │ ├── patches/ │ │ ├── 
01-revert-LD-environment.patch │ │ └── 02-revert-Reduce-build-times-especially-on-windows.patch │ ├── platforms/ │ │ └── distro/ │ │ └── BUILD │ ├── repositories.bzl │ ├── templates/ │ │ ├── venv-commons │ │ ├── venv.fish │ │ └── venv.sh │ └── toolchain/ │ ├── .gitignore │ ├── BUILD │ ├── bindings.bzl │ ├── cc_toolchain_config.bzl │ ├── generate_wrappers.sh │ ├── managed_toolchain.bzl │ └── repositories.bzl ├── changelog/ │ ├── 3.5.0/ │ │ ├── 3.5.0.md │ │ └── kong/ │ │ ├── .gitkeep │ │ ├── 10570.yml │ │ ├── 11360-1.yml │ │ ├── 11360-2.yml │ │ ├── 11402.yml │ │ ├── 11424.yml │ │ ├── 11442.yml │ │ ├── 11464.yml │ │ ├── 11468.yml │ │ ├── 11480.yml │ │ ├── 11484.yml │ │ ├── 11502.yml │ │ ├── 11515.yml │ │ ├── 11518.yml │ │ ├── 11523.yml │ │ ├── 11532.yml │ │ ├── 11538.yml │ │ ├── 11551-1.yml │ │ ├── 11551-2.yml │ │ ├── 11553.yml │ │ ├── 11566.yml │ │ ├── 11578.yml │ │ ├── 11599.yml │ │ ├── 11613.yml │ │ ├── 11638.yml │ │ ├── 11639.yml │ │ ├── 11727.yml │ │ ├── aws_lambda_service_cache.yml │ │ ├── bump_openssl_3.1.4.yml │ │ ├── dedicated_config_processing.yml │ │ ├── fix-cve-2023-44487.yml │ │ ├── fix-opentelemetry-parent-id.yml │ │ ├── fix-tcp-log-sslhandshake.yml │ │ ├── fix_dns_enable_dns_no_sync.yml │ │ ├── fix_patch_order.yml │ │ ├── lapis_version_bump.yml │ │ ├── lua_kong_nginx_module_bump.yml │ │ ├── luajit_ldp_stp_fusion.yml │ │ ├── ngx_wasm_module_bump.yml │ │ ├── on_prem_dp_metadata.yml │ │ ├── per_reqeuest_deubgging.yml │ │ ├── plugin-configure-phase.yml │ │ ├── request-aware-table.yml │ │ ├── request_id.yml │ │ ├── session_do_not_read_body_by_default.yml │ │ ├── vault-declarative.yml │ │ ├── vault-init-warmup.yml │ │ ├── vault-resurrect.yml │ │ ├── wasm-filter-config-schemas.yml │ │ ├── wasm-filter-json-config.yml │ │ └── wasmtime_version_bump.yml │ ├── 3.6.0/ │ │ ├── 3.6.0.md │ │ ├── kong/ │ │ │ ├── .gitkeep │ │ │ ├── add-ai-prompt-decorator-plugin.yml │ │ │ ├── add-ai-prompt-guard-plugin.yml │ │ │ ├── add-ai-prompt-template-plugin.yml │ │ │ ├── 
add-ai-proxy-plugin.yml │ │ │ ├── add-ai-proxy-telemetry.yml │ │ │ ├── add-ai-request-transformer-plugin.yml │ │ │ ├── add-ai-response-transformer-plugin.yml │ │ │ ├── add-gateway-edition-to-root-endpoint-admin-api.yml │ │ │ ├── add_ngx_brotli_module.yml │ │ │ ├── atc_reuse_context.yml │ │ │ ├── basic_www_authenticate.yml │ │ │ ├── bump-atc-router.yml │ │ │ ├── bump-cocurrency-limit-of-timer-ng.yml │ │ │ ├── bump-lapis-1.16.0.1.yml │ │ │ ├── bump-lpeg-1.1.0.yml │ │ │ ├── bump-lua-messagepack-0.5.3.yml │ │ │ ├── bump-lua-messagepack-0.5.4.yml │ │ │ ├── bump-lua-resty-aws-1.3.6.yml │ │ │ ├── bump-lua-resty-healthcheck-3.0.1.yml │ │ │ ├── bump-lua-resty-lmdb-1.4.1.yml │ │ │ ├── bump-lua-resty-timer-ng-to-0.2.6.yml │ │ │ ├── bump-ngx-wasm-module.yml │ │ │ ├── bump-openresty.yml │ │ │ ├── bump-openssl.yml │ │ │ ├── bump-resty-openssl.yml │ │ │ ├── bump-wasmtime.yml │ │ │ ├── bump_dns_stale_ttl.yml │ │ │ ├── bump_ngx_brotli.yml │ │ │ ├── bump_openssl_from_3_1_4_to_3_2_0.yml │ │ │ ├── ca_certificates_reference_check.yml │ │ │ ├── clustering-empty-data-plane-hash-fix.yml │ │ │ ├── cookie-name-validator.yml │ │ │ ├── cp-expose-dp-cert-details.yml │ │ │ ├── dao-pk-as-entity.yml │ │ │ ├── debian-12-support.yml │ │ │ ├── declarative_config_fix.yml │ │ │ ├── default_status_port.yml │ │ │ ├── deps_bump_lua_resty_healthcheck.yml │ │ │ ├── display-warning-message-for-km-misconfig.yml │ │ │ ├── enhance_admin_api_auth_error_response.yml │ │ │ ├── error_handler_494.yml │ │ │ ├── expression_http_headers_sensitive.yml │ │ │ ├── expressions_not_operator.yml │ │ │ ├── feat-add-cipher-to-the-intermediate.yml │ │ │ ├── fix-declarative-config-flattened-data-loss.yml │ │ │ ├── fix-error-message-print.yml │ │ │ ├── fix-ldoc-intermittent-fail.yml │ │ │ ├── fix-pdk-response-set-header-with-table.yml │ │ │ ├── fix-upstream-uri-azure-function-plugin.yml │ │ │ ├── fix-wasm-module-branch.yml │ │ │ ├── fix_dns_blocking.yml │ │ │ ├── fix_dns_disable_dns_no_sync.yml │ │ │ ├── 
fix_dns_instrument_error_handling.yml │ │ │ ├── inject-nginx-directives-location.yml │ │ │ ├── introduce_lmdb_validation_tag.yml │ │ │ ├── log-serializer-source-property.yml │ │ │ ├── optimize_keepalive_parameters.yml │ │ │ ├── pdk-json-encoding-numbers-precision.yml │ │ │ ├── pdk-response-send-remove-transfer-encoding.yml │ │ │ ├── perf-tracing-from-timers.yml │ │ │ ├── plugin-server-instance-leak.yml │ │ │ ├── postremove.yml │ │ │ ├── prometheus_expose_no_service_metrics.yml │ │ │ ├── rate-limiting-fix-redis-sync-rate.yml │ │ │ ├── respect-custom-proxy_access_log.yml │ │ │ ├── rl-shared-sync-timer.yml │ │ │ ├── router-report-yield.yml │ │ │ ├── serviceless-routes-still-trigger-datalog-plugin.yml │ │ │ ├── standardize-redis-conifguration-acme.yml │ │ │ ├── standardize-redis-conifguration-rate-limiting.yml │ │ │ ├── standardize-redis-conifguration-response-rl.yml │ │ │ ├── subsystems_do_not_share_router_schemas.yml │ │ │ ├── support_http_path_segments_field.yml │ │ │ ├── support_net_src_dst_field_in_expression.yml │ │ │ ├── tracing-dns-query-patch.yml │ │ │ ├── tracing-sampling-rate-scope.yml │ │ │ ├── validate_private_key.yml │ │ │ ├── wasm-attach.yml │ │ │ ├── wasm-dynamic-properties.yml │ │ │ └── wasm-injected-shm-kv.yml │ │ └── kong-manager/ │ │ ├── entity_form_preview.yml │ │ ├── redesigned_basic_components.yml │ │ ├── standardized_notification_format.yml │ │ └── unified_plugin_pages.yml │ ├── 3.7.0/ │ │ ├── 3.7.0.md │ │ ├── kong/ │ │ │ ├── .gitkeep │ │ │ ├── add-ai-data-report.yml │ │ │ ├── add-messages-api-to-anthropic.yml │ │ │ ├── add_tzdata.yml │ │ │ ├── ai-proxy-client-params.yml │ │ │ ├── ai-proxy-preserve-mode.yml │ │ │ ├── analytics-for-anthropic.yml │ │ │ ├── bump-atc-router.yml │ │ │ ├── bump-libexpat.yml │ │ │ ├── bump-lua-kong-nginx-module.yml │ │ │ ├── bump-lua-protobuf.yml │ │ │ ├── bump-lua-resty-acme.yml │ │ │ ├── bump-lua-resty-aws.yml │ │ │ ├── bump-lua-resty-http-0.17.2.yml │ │ │ ├── bump-lua-resty-lmdb.yml │ │ │ ├── 
bump-lua-resty-openssl.yml │ │ │ ├── bump-lua-resty-timer-ng.yml │ │ │ ├── bump-luarocks.yml │ │ │ ├── bump-ngx-wasm-module.yml │ │ │ ├── bump-pcre.yml │ │ │ ├── bump-penlight.yml │ │ │ ├── bump-v8.yml │ │ │ ├── bump-wasmtime.yml │ │ │ ├── cleanup_ai.yml │ │ │ ├── decrease-cocurrency-limit-of-timer-ng.yml │ │ │ ├── disable-TLSv1_1-in-openssl3.yml │ │ │ ├── feat-add-workspace-label-to-prometheus.yml │ │ │ ├── feat-ai-proxy-add-streaming.yml │ │ │ ├── feat-emmy-debugger.yml │ │ │ ├── feat-hybrid-sync-mixed-route-policy.yml │ │ │ ├── feat-increase-ai-anthropic-regex-expression-length.yml │ │ │ ├── feat-jwt-eddsa.yml │ │ │ ├── feat-jwt-es512.yml │ │ │ ├── feat-wasm-general-shm-kv.yml │ │ │ ├── fix-acme-renewal-bug.yml │ │ │ ├── fix-aws-lambda-kong-latency.yml │ │ │ ├── fix-cjson-t-end.yml │ │ │ ├── fix-cli-db-timeout-overrides.yml │ │ │ ├── fix-ctx-host-port.yml │ │ │ ├── fix-dbless-duplicate-target-error.yml │ │ │ ├── fix-default-value-of-upstream-keepalive-max-requests.yml │ │ │ ├── fix-dns-resolv-timeout-zero.yml │ │ │ ├── fix-external-plugin-instance.yml │ │ │ ├── fix-file-permission-of-logrotate.yml │ │ │ ├── fix-hybrid-dp-certificate-with-vault-not-refresh.yml │ │ │ ├── fix-jwt-plugin-check.yml │ │ │ ├── fix-migrations-for-redis-plugins-acme.yml │ │ │ ├── fix-migrations-for-redis-plugins-response-rl.yml │ │ │ ├── fix-migrations-for-redis-plugins-rl.yml │ │ │ ├── fix-missing-router-section-of-request-debugging.yml │ │ │ ├── fix-mlcache-renew-lock-leaks.yml │ │ │ ├── fix-router-rebuing-flag.yml │ │ │ ├── fix-snis-tls-passthrough-in-trad-compat.yml │ │ │ ├── fix-upstream-status-unset.yml │ │ │ ├── fix-vault-init-worker.yml │ │ │ ├── fix-vault-secret-update-without-ttl.yml │ │ │ ├── fix-vault-workspaces.yml │ │ │ ├── fix-wasm-disable-pwm-lua-resolver.yml │ │ │ ├── fix_api_405_vaults_validate_endpoint.yml │ │ │ ├── fix_balancer_healthecker_unexpected_panic.yml │ │ │ ├── fix_privileged_agent_id_1.yml │ │ │ ├── flavor-expressions-supports-traditional-fields.yml │ │ │ 
├── key_auth_www_authenticate.yml │ │ │ ├── log-serializer-kong-latency.yml │ │ │ ├── log-serializer-receive-latency.yml │ │ │ ├── otel-increase-queue-max-batch-size.yml │ │ │ ├── otel-sampling-panic-when-header-trace-id-enable.yml │ │ │ ├── plugin-schema-deprecation-record.yml │ │ │ ├── plugin_server_restart.yml │ │ │ ├── pluginsocket-proto-wrong-type.yml │ │ │ ├── propagation-module-rework.yml │ │ │ ├── revert-req-body-limitation-patch.yml │ │ │ ├── separate_kong_cache_invalidation_cluster_event_channel.yml │ │ │ ├── set_grpc_tls_seclevel.yml │ │ │ ├── speed_up_internal_hooking_mechanism.yml │ │ │ ├── speed_up_router.yml │ │ │ ├── tracing-pdk-short-trace-ids.yml │ │ │ ├── update-ai-proxy-telemetry.yml │ │ │ └── wasm-bundled-filters.yml │ │ └── kong-manager/ │ │ ├── .gitkeep │ │ ├── expressions_routes.yml │ │ ├── plugin_forms_improvements.yml │ │ └── ui_improvements.yml │ ├── 3.8.0/ │ │ ├── 3.8.0.md │ │ ├── kong/ │ │ │ ├── .gitkeep │ │ │ ├── acl-always-use-authenticated-groups.yml │ │ │ ├── add-ai-data-latency.yml │ │ │ ├── add-ai-data-prometheus.yml │ │ │ ├── admin-api-map-brackets-syntax.yml │ │ │ ├── ai-plugin-read-file.yml │ │ │ ├── ai-proxy-add-allow-override-opt.yml │ │ │ ├── ai-proxy-add-deep-copy-lib.yml │ │ │ ├── ai-proxy-aws-bedrock.yml │ │ │ ├── ai-proxy-azure-streaming.yml │ │ │ ├── ai-proxy-cloud-identity-transformer-plugins.yml │ │ │ ├── ai-proxy-fix-model-parameter.yml │ │ │ ├── ai-proxy-fix-nil-response-token-count.yml │ │ │ ├── ai-proxy-fix-sending-own-model.yml │ │ │ ├── ai-proxy-fix-tuning-parameter-precedence.yml │ │ │ ├── ai-proxy-google-gemini.yml │ │ │ ├── ai-proxy-mistral-ai.yml │ │ │ ├── ai-proxy-model-header.yml │ │ │ ├── ai-proxy-proper-model-assignment.yml │ │ │ ├── bump-lua-protobuf.yml │ │ │ ├── bump-lua-resty-acme.yml │ │ │ ├── bump-lua-resty-aws.yml │ │ │ ├── bump-lua-resty-events.yml │ │ │ ├── bump-lua-resty-healthcheck.yml │ │ │ ├── bump-lua-resty-lmdb.yml │ │ │ ├── bump-lua-resty-openssl.yml │ │ │ ├── bump-luarocks.yml │ │ │ ├── 
bump-ngx-wasm-module.yml │ │ │ ├── bump-openresty.yml │ │ │ ├── bump-pcre.yml │ │ │ ├── bump-wasmtime.yml │ │ │ ├── certificates_schema_validate.yml │ │ │ ├── cp-luarocks-admin-to-bin.yml │ │ │ ├── feat-ai-prompt-guard-all-roles.yml │ │ │ ├── feat-aws-lambda-configurable-sts-endpoint.yml │ │ │ ├── feat-aws-lambda-decode-empty-array.yml │ │ │ ├── feat-pdk-unlimited-body-size.yml │ │ │ ├── feat-queue-concurrency-limit.yml │ │ │ ├── feat-response-transformer-json-rename.yml │ │ │ ├── feat-via.yml │ │ │ ├── fix-acme-misleading-deprecation-logs.yml │ │ │ ├── fix-acme-username-password-auth.yml │ │ │ ├── fix-ai-gzip-content.yml │ │ │ ├── fix-ai-metrics-prometheus-compat.yml │ │ │ ├── fix-ai-plugin-no-consumer.yml │ │ │ ├── fix-ai-prompt-guard-order.yml │ │ │ ├── fix-ai-proxy-shared-state.yml │ │ │ ├── fix-aws-lambda-empty-array-mutli-value.yml │ │ │ ├── fix-aws-lambda-gateway-compat-version-field.yml │ │ │ ├── fix-clustering-forward-proxy-authentication.yml │ │ │ ├── fix-cmd-error-log.yml │ │ │ ├── fix-correlation-id-config-generator.yml │ │ │ ├── fix-cors-wildcard.yml │ │ │ ├── fix-db-read-only.yml │ │ │ ├── fix-deprecate-shorthands-precedence.yml │ │ │ ├── fix-dns-initialization.yml │ │ │ ├── fix-filter-finalize-in-send-header-clear-context.yml │ │ │ ├── fix-for-null-aware-shorthand.yml │ │ │ ├── fix-grpc-gateway-json-decode-bug.yml │ │ │ ├── fix-http-log-host-header.yml │ │ │ ├── fix-log-upstream-status-nil-subrequest.yml │ │ │ ├── fix-multi-modal.yml │ │ │ ├── fix-otel-migrations-exception.yml │ │ │ ├── fix-propagation-remove-redundant-warnings.yml │ │ │ ├── fix-realm-compat-changes-basic-auth.yml │ │ │ ├── fix-realm-compat-changes-key-auth.yml │ │ │ ├── fix-reports-uninitialized-variable-in-400.yml │ │ │ ├── fix-request-size-limiting-with-chunked-transfer-encoding-and-no-content-length.yml │ │ │ ├── fix-request-transformer-uri-replace.yml │ │ │ ├── fix-response-rl-misleading-deprecation-logs.yml │ │ │ ├── fix-rl-misleading-deprecation-logs.yml │ │ │ ├── 
fix-route-set-priority-with-others.yml │ │ │ ├── fix-service-tls-verify.yml │ │ │ ├── fix-sni-cache-invalidate.yml │ │ │ ├── fix-tracing-sampling-rate.yml │ │ │ ├── fix-type-of-logrotate.yml │ │ │ ├── fix-vault-reference-parsing-endslash.yml │ │ │ ├── fix-vault-resurrect-ttl-multi-worker.yml │ │ │ ├── fix-vault-secret-rotation-log-level.yml │ │ │ ├── fix-wasm-enable-pwm-lua-resolver.yml │ │ │ ├── fix_hash.yml │ │ │ ├── hmac_www_authenticate.yml │ │ │ ├── host_header.yml │ │ │ ├── improve-prometheus-error-logging.yml │ │ │ ├── jwt_www_authenticate.yml │ │ │ ├── ldap_www_authenticate.yml │ │ │ ├── make_rpm_relocatable.yml │ │ │ ├── migration_of_ai_proxy_plugin.yml │ │ │ ├── move-sockets-to-subdir.yml │ │ │ ├── oauth2_www_authenticate.yml │ │ │ ├── otel-formatted-logs.yml │ │ │ ├── pdk-log-error.yml │ │ │ ├── pdk-read-file.yml │ │ │ ├── pdk-telemetry-log.yml │ │ │ ├── plugins-add-standard-webhooks.yml │ │ │ ├── proxy-cache-fix-age-header.yml │ │ │ ├── refactor_dns_client.yml │ │ │ ├── reject-config-on-deprecated-fields-mismatch.yml │ │ │ ├── remove_eol_debian_rhel.yml │ │ │ ├── req-trans-rename.yml │ │ │ ├── resty-simdjson.yml │ │ │ ├── revert-dns-behavior.yml │ │ │ ├── shorten-socket-names.yml │ │ │ ├── wasm-module-cache.yml │ │ │ └── yield-in-gzip.yml │ │ └── kong-manager/ │ │ ├── .gitkeep │ │ ├── a11y-improvements.yml │ │ ├── resizable-entity-lists.yml │ │ ├── sni-field-in-certificate-form.yml │ │ └── ui-improvements.yml │ ├── 3.9.0/ │ │ ├── 3.9.0.md │ │ ├── kong/ │ │ │ ├── .gitkeep │ │ │ ├── add-noble-numbat.yml │ │ │ ├── add_multiple_domain_for_gui.yml │ │ │ ├── ai-anthropic-fix-function-calling.yml │ │ │ ├── ai-bedrock-fix-function-calling.yml │ │ │ ├── ai-bedrock-fix-guardrails.yml │ │ │ ├── ai-cohere-fix-function-calling.yml │ │ │ ├── ai-gemini-blocks-content-safety.yml │ │ │ ├── ai-gemini-fix-function-calling.yml │ │ │ ├── ai-gemini-fix-transformer-plugins.yml │ │ │ ├── ai-transformers-bad-error-handling.yml │ │ │ ├── bump-dockerfile-ubi9.yml │ │ │ ├── 
bump-lua-kong-nginx-module.yml │ │ │ ├── bump-lua-resty-aws.yml │ │ │ ├── bump-lua-resty-events.yml │ │ │ ├── bump-lua-resty-ljsonschema.yml │ │ │ ├── bump-lua-resty-lmdb-2.yml │ │ │ ├── bump-lua-resty-lmdb.yml │ │ │ ├── bump-ngx-wasm-module.yml │ │ │ ├── bump-prometheus-latency-bucket.yml │ │ │ ├── bump-wasmtime.yml │ │ │ ├── bump_openssl.yml │ │ │ ├── chore-clustering-log-level.yml │ │ │ ├── cp-dp-rpc.yml │ │ │ ├── deprecate_node_id.yml │ │ │ ├── feat-add-ada.yml │ │ │ ├── feat-add-huggingface-llm-driver.yml │ │ │ ├── feat-ai-proxy-disable-h2-alpn.yml │ │ │ ├── feat-api-yaml-media-type.yml │ │ │ ├── feat-correlation-id-order.yml │ │ │ ├── feat-disable-h2-alpn.yml │ │ │ ├── feat-kong-drain-cmd.yml │ │ │ ├── feat-pdk-clear-query-arg.yml │ │ │ ├── feat-request-debguger-finer-resolution-and-total-latency.yml │ │ │ ├── feat-tracing-pdk-attributes.yml │ │ │ ├── fix-admin-api-for-empty-tags.yml │ │ │ ├── fix-ai-proxy-multi-modal-azure.yml │ │ │ ├── fix-ai-semantic-cache-model.yml │ │ │ ├── fix-aws-lambda-multi-value-header-null.yml │ │ │ ├── fix-balancer-health-checker.yml │ │ │ ├── fix-core-pass-ctx-to-log-init-worker-errors.yml │ │ │ ├── fix-jwt-plugin-rsa-public-key-b64decoded.yml │ │ │ ├── fix-key-auth-retain-query-order.yml │ │ │ ├── fix-loggly-hostname-notfound.yml │ │ │ ├── fix-ngx-balancer-recreate-request-api-for-balancer-body-refresh.yml │ │ │ ├── fix-parse-nested-parameters.yml │ │ │ ├── fix-pdk-inspect-notice.yml │ │ │ ├── fix-plugin-conf-ws-id.yml │ │ │ ├── fix-retries-error-message.yml │ │ │ ├── fix-return-values-mistaken-in-rate-limiting-plugin.yml │ │ │ ├── fix-rl-plugin-resp-hdr.yml │ │ │ ├── fix-schema-validation-with-nil-field.yml │ │ │ ├── fix-vault-array-config.yml │ │ │ ├── fix-vault-cache-workspace-id.yml │ │ │ ├── fix-vault-stream-subsystem.yml │ │ │ ├── fix-wasm-check-missing-filters.yml │ │ │ ├── plugins-redirect.yml │ │ │ ├── prometheus-wasmx-metrics.yml │ │ │ ├── remove-datakit.yml │ │ │ ├── revert-http2-limitation-buffered-request.yml │ │ │ 
└── wasm-filter-plugins.yml │ │ └── kong-manager/ │ │ ├── .gitkeep │ │ ├── hide-plugin-scoping.yml │ │ ├── ui-improvements.yml │ │ └── unified-redirection.yml │ ├── Makefile │ ├── README.md │ ├── changelog-template.yaml │ ├── create_pr │ ├── unreleased/ │ │ ├── kong/ │ │ │ ├── .gitkeep │ │ │ ├── add-cp-connectivity-metric-prometheus.yml │ │ │ ├── add_ai_gemini_boto_support.yml │ │ │ ├── admin-gui-csp-header.yml │ │ │ ├── backport-resty-balancer-set-upstream.yml │ │ │ ├── bump-atc-router.yml │ │ │ ├── bump-kong-nginx-module.yml │ │ │ ├── bump-libexpat-to-2_6_4.yml │ │ │ ├── bump-lua-kong-nginx-module-0140.yml │ │ │ ├── bump-lua-resty-simdjson.yml │ │ │ ├── bump-luarocks-to-3_12_2.yml │ │ │ ├── bump-ngx-wasm-module.yml │ │ │ ├── bump-openresty.yml │ │ │ ├── bump-pcre.yml │ │ │ ├── bump-snappy-library.yml │ │ │ ├── bump_openssl.yml │ │ │ ├── deprecate-llm-upstream-url.yml │ │ │ ├── disable-ngx-wasm-module.yml │ │ │ ├── dynamic-set-tls-in-pdk-set_scheme.yml │ │ │ ├── feat-cors-skip-return-acao-when-no-origin-in-request.yml │ │ │ ├── feat-patch-supprt-set_next_upstream.yml │ │ │ ├── feat-variable-resource-attributes.yml │ │ │ ├── fix-admin-api-route-path-response-error.yml │ │ │ ├── fix-ai-analytics-key.yml │ │ │ ├── fix-ai-azure-incorrect-path-overriding.yml │ │ │ ├── fix-ai-azure-streaming.yml │ │ │ ├── fix-ai-chunking.yml │ │ │ ├── fix-ai-gemini-multimodal.yml │ │ │ ├── fix-ai-parameters-typo-in-huggingface.yml │ │ │ ├── fix-ai-proxy-anthropic-tool-choice.yml │ │ │ ├── fix-ai-proxy-gemini-incorrect-model-name.yml │ │ │ ├── fix-ai-upstream-url-trailing-empty.yml │ │ │ ├── fix-certificate-reference.yml │ │ │ ├── fix-consistent-hashing-for-hyphenated-pascal-case-headers.yml │ │ │ ├── fix-cors-allow-empty-string-origin.yml │ │ │ ├── fix-db_resurrect_ttl.yml │ │ │ ├── fix-dbless-consumer-credential-error.yml │ │ │ ├── fix-declarative-config-load.yml │ │ │ ├── fix-downgrade-routes-plugins-rebuilding-log-level.yml │ │ │ ├── fix-duplicate-content-type.yml │ │ │ ├── 
fix-error-flattening-json.yml │ │ │ ├── fix-error-handle-certificate.yml │ │ │ ├── fix-escape-dots-in-logging-plugins.yml │ │ │ ├── fix-header_cache.yml │ │ │ ├── fix-invalid-hostname.yml │ │ │ ├── fix-ip-restriction-tcp-error.yml │ │ │ ├── fix-jwt-www-authenticate-header-delimiter.yml │ │ │ ├── fix-new-dns-client-timeout.yml │ │ │ ├── fix-nil-reference-schema-checker.yml │ │ │ ├── fix-nonexisting-anonymous-error-message.yml │ │ │ ├── fix-oauth2-header-delimiter.yml │ │ │ ├── fix-pdk-clear-query-arg-space-encoding.yml │ │ │ ├── fix-potential-socket-connection-leak.yml │ │ │ ├── fix-response-ratelimiting-upstream-headers.yml │ │ │ ├── fix-socket-path-permissions.yml │ │ │ ├── fix-target-deletion.yml │ │ │ ├── fix-upstream-keep-alive-pool-name.yml │ │ │ ├── fix_ai-gemini-truncated-streams.yml │ │ │ ├── fix_ai-logger-error-handling.yml │ │ │ ├── fix_ai-plugins-templating.yml │ │ │ ├── fix_ai-streaming-function-calls.yml │ │ │ ├── fix_ai_ollama_content_streaming.yml │ │ │ ├── fix_ai_proxy_config_issue.yml │ │ │ ├── fix_ai_proxy_preserve_mode.yml │ │ │ ├── fix_file_path_not_allowed_whitespace.yml │ │ │ ├── instana-header-support.yml │ │ │ ├── perf-lmdb-remove-global-query-key.yml │ │ │ ├── perf-string-splitting.yml │ │ │ ├── perf-trace-ID-size-lookup.yml │ │ │ ├── prometheus-upstream-metrics-toggle.yml │ │ │ ├── refine-pdk-performance.yml │ │ │ ├── remove-datakit.yml │ │ │ ├── remove-duplicate-rl-ctx-check.yml │ │ │ ├── revert-translate-backwards.yml │ │ │ ├── session_store_metadata.yml │ │ │ └── upstream-uri-refresh-when-recreate-request.yml │ │ └── kong-manager/ │ │ └── .gitkeep │ └── verify-prs ├── crate_locks/ │ └── README.md ├── kong/ │ ├── admin_gui/ │ │ ├── init.lua │ │ └── utils.lua │ ├── api/ │ │ ├── api_helpers.lua │ │ ├── arguments.lua │ │ ├── arguments_decoder.lua │ │ ├── endpoints.lua │ │ ├── init.lua │ │ └── routes/ │ │ ├── cache.lua │ │ ├── certificates.lua │ │ ├── clustering.lua │ │ ├── config.lua │ │ ├── consumers.lua │ │ ├── debug.lua │ │ ├── dns.lua │ 
│ ├── filter_chains.lua │ │ ├── health.lua │ │ ├── kong.lua │ │ ├── plugins.lua │ │ ├── snis.lua │ │ ├── tags.lua │ │ ├── targets.lua │ │ └── upstreams.lua │ ├── cache/ │ │ ├── init.lua │ │ └── warmup.lua │ ├── cluster_events/ │ │ ├── init.lua │ │ └── strategies/ │ │ ├── off.lua │ │ └── postgres.lua │ ├── clustering/ │ │ ├── compat/ │ │ │ ├── checkers.lua │ │ │ ├── init.lua │ │ │ ├── removed_fields.lua │ │ │ └── version.lua │ │ ├── config_helper.lua │ │ ├── control_plane.lua │ │ ├── data_plane.lua │ │ ├── events.lua │ │ ├── init.lua │ │ ├── rpc/ │ │ │ ├── callbacks.lua │ │ │ ├── concentrator.lua │ │ │ ├── future.lua │ │ │ ├── json_rpc_v2.lua │ │ │ ├── manager.lua │ │ │ ├── queue.lua │ │ │ ├── socket.lua │ │ │ └── utils.lua │ │ ├── services/ │ │ │ └── sync/ │ │ │ ├── hooks.lua │ │ │ ├── init.lua │ │ │ ├── rpc.lua │ │ │ ├── strategies/ │ │ │ │ └── postgres.lua │ │ │ └── validate.lua │ │ ├── tls.lua │ │ └── utils.lua │ ├── cmd/ │ │ ├── check.lua │ │ ├── config.lua │ │ ├── drain.lua │ │ ├── health.lua │ │ ├── hybrid.lua │ │ ├── init.lua │ │ ├── migrations.lua │ │ ├── prepare.lua │ │ ├── quit.lua │ │ ├── reload.lua │ │ ├── restart.lua │ │ ├── roar.lua │ │ ├── start.lua │ │ ├── stop.lua │ │ ├── utils/ │ │ │ ├── env.lua │ │ │ ├── inject_confs.lua │ │ │ ├── kill.lua │ │ │ ├── log.lua │ │ │ ├── migrations.lua │ │ │ ├── nginx_signals.lua │ │ │ ├── prefix_handler.lua │ │ │ ├── process_secrets.lua │ │ │ ├── timer.lua │ │ │ └── tty.lua │ │ ├── vault.lua │ │ └── version.lua │ ├── concurrency.lua │ ├── conf_loader/ │ │ ├── constants.lua │ │ ├── init.lua │ │ ├── listeners.lua │ │ ├── parse.lua │ │ └── sys.lua │ ├── constants.lua │ ├── db/ │ │ ├── dao/ │ │ │ ├── ca_certificates.lua │ │ │ ├── certificates.lua │ │ │ ├── init.lua │ │ │ ├── key_sets.lua │ │ │ ├── keys.lua │ │ │ ├── plugins.lua │ │ │ ├── services.lua │ │ │ ├── snis.lua │ │ │ ├── tags.lua │ │ │ ├── targets.lua │ │ │ ├── vaults.lua │ │ │ └── workspaces.lua │ │ ├── declarative/ │ │ │ ├── export.lua │ │ │ ├── import.lua │ │ 
│ ├── init.lua │ │ │ ├── marshaller.lua │ │ │ └── migrations/ │ │ │ ├── init.lua │ │ │ └── route_path.lua │ │ ├── errors.lua │ │ ├── init.lua │ │ ├── iteration.lua │ │ ├── migrations/ │ │ │ ├── core/ │ │ │ │ ├── 000_base.lua │ │ │ │ ├── 003_100_to_110.lua │ │ │ │ ├── 004_110_to_120.lua │ │ │ │ ├── 005_120_to_130.lua │ │ │ │ ├── 006_130_to_140.lua │ │ │ │ ├── 007_140_to_150.lua │ │ │ │ ├── 008_150_to_200.lua │ │ │ │ ├── 009_200_to_210.lua │ │ │ │ ├── 010_210_to_211.lua │ │ │ │ ├── 011_212_to_213.lua │ │ │ │ ├── 012_213_to_220.lua │ │ │ │ ├── 013_220_to_230.lua │ │ │ │ ├── 014_230_to_270.lua │ │ │ │ ├── 015_270_to_280.lua │ │ │ │ ├── 016_280_to_300.lua │ │ │ │ ├── 017_300_to_310.lua │ │ │ │ ├── 018_310_to_320.lua │ │ │ │ ├── 019_320_to_330.lua │ │ │ │ ├── 020_330_to_340.lua │ │ │ │ ├── 021_340_to_350.lua │ │ │ │ ├── 022_350_to_360.lua │ │ │ │ ├── 023_360_to_370.lua │ │ │ │ ├── 024_380_to_390.lua │ │ │ │ ├── 025_390_to_3100.lua │ │ │ │ └── init.lua │ │ │ ├── migrate_path_280_300.lua │ │ │ ├── operations/ │ │ │ │ ├── 200_to_210.lua │ │ │ │ ├── 212_to_213.lua │ │ │ │ ├── 280_to_300.lua │ │ │ │ └── 331_to_332.lua │ │ │ ├── state.lua │ │ │ └── subsystems.lua │ │ ├── schema/ │ │ │ ├── entities/ │ │ │ │ ├── ca_certificates.lua │ │ │ │ ├── certificates.lua │ │ │ │ ├── clustering_data_planes.lua │ │ │ │ ├── consumers.lua │ │ │ │ ├── filter_chains.lua │ │ │ │ ├── key_sets.lua │ │ │ │ ├── keys.lua │ │ │ │ ├── parameters.lua │ │ │ │ ├── plugins.lua │ │ │ │ ├── routes.lua │ │ │ │ ├── routes_subschemas.lua │ │ │ │ ├── services.lua │ │ │ │ ├── snis.lua │ │ │ │ ├── tags.lua │ │ │ │ ├── targets.lua │ │ │ │ ├── upstreams.lua │ │ │ │ ├── vaults.lua │ │ │ │ └── workspaces.lua │ │ │ ├── entity.lua │ │ │ ├── init.lua │ │ │ ├── json.lua │ │ │ ├── metaschema.lua │ │ │ ├── others/ │ │ │ │ ├── declarative_config.lua │ │ │ │ ├── migrations.lua │ │ │ │ └── wasm_filter.lua │ │ │ ├── plugin_loader.lua │ │ │ ├── topological_sort.lua │ │ │ ├── typedefs.lua │ │ │ └── vault_loader.lua │ │ ├── 
strategies/ │ │ │ ├── connector.lua │ │ │ ├── init.lua │ │ │ ├── off/ │ │ │ │ ├── connector.lua │ │ │ │ ├── init.lua │ │ │ │ ├── plugins.lua │ │ │ │ ├── services.lua │ │ │ │ └── tags.lua │ │ │ └── postgres/ │ │ │ ├── connector.lua │ │ │ ├── init.lua │ │ │ ├── plugins.lua │ │ │ ├── services.lua │ │ │ └── tags.lua │ │ └── utils.lua │ ├── deprecation.lua │ ├── dns/ │ │ ├── README.md │ │ ├── client.lua │ │ ├── stats.lua │ │ └── utils.lua │ ├── dynamic_hook/ │ │ ├── README.md │ │ └── init.lua │ ├── error_handlers.lua │ ├── global.lua │ ├── globalpatches.lua │ ├── hooks.lua │ ├── include/ │ │ ├── kong/ │ │ │ ├── model/ │ │ │ │ ├── ca_certificate.proto │ │ │ │ ├── certificate.proto │ │ │ │ ├── config.proto │ │ │ │ ├── consumer.proto │ │ │ │ ├── parameter.proto │ │ │ │ ├── plugin.proto │ │ │ │ ├── plugin_entities.proto │ │ │ │ ├── route.proto │ │ │ │ ├── service.proto │ │ │ │ ├── sni.proto │ │ │ │ ├── target.proto │ │ │ │ ├── upstream.proto │ │ │ │ └── workspace.proto │ │ │ └── pluginsocket.proto │ │ └── opentelemetry/ │ │ └── proto/ │ │ ├── collector/ │ │ │ ├── logs/ │ │ │ │ └── v1/ │ │ │ │ └── logs_service.proto │ │ │ └── trace/ │ │ │ └── v1/ │ │ │ └── trace_service.proto │ │ ├── common/ │ │ │ └── v1/ │ │ │ └── common.proto │ │ ├── logs/ │ │ │ └── v1/ │ │ │ └── logs.proto │ │ ├── resource/ │ │ │ └── v1/ │ │ │ └── resource.proto │ │ └── trace/ │ │ └── v1/ │ │ └── trace.proto │ ├── init.lua │ ├── llm/ │ │ ├── adapters/ │ │ │ ├── bedrock.lua │ │ │ └── gemini.lua │ │ ├── drivers/ │ │ │ ├── anthropic.lua │ │ │ ├── azure.lua │ │ │ ├── bedrock.lua │ │ │ ├── cohere.lua │ │ │ ├── gemini.lua │ │ │ ├── huggingface.lua │ │ │ ├── llama2.lua │ │ │ ├── mistral.lua │ │ │ ├── openai.lua │ │ │ └── shared.lua │ │ ├── init.lua │ │ ├── plugin/ │ │ │ ├── base.lua │ │ │ ├── crud_handler.lua │ │ │ ├── ctx.lua │ │ │ ├── observability.lua │ │ │ └── shared-filters/ │ │ │ ├── enable-buffering.lua │ │ │ ├── normalize-json-response.lua │ │ │ ├── normalize-request.lua │ │ │ ├── 
normalize-response-header.lua │ │ │ ├── normalize-sse-chunk.lua │ │ │ ├── parse-json-response.lua │ │ │ ├── parse-request.lua │ │ │ ├── parse-sse-chunk.lua │ │ │ └── serialize-analytics.lua │ │ └── schemas/ │ │ └── init.lua │ ├── meta.lua │ ├── observability/ │ │ ├── logs.lua │ │ ├── otlp/ │ │ │ ├── init.lua │ │ │ └── proto.lua │ │ └── tracing/ │ │ ├── instrumentation.lua │ │ ├── propagation/ │ │ │ ├── extractors/ │ │ │ │ ├── _base.lua │ │ │ │ ├── aws.lua │ │ │ │ ├── b3.lua │ │ │ │ ├── datadog.lua │ │ │ │ ├── gcp.lua │ │ │ │ ├── instana.lua │ │ │ │ ├── jaeger.lua │ │ │ │ ├── ot.lua │ │ │ │ └── w3c.lua │ │ │ ├── init.lua │ │ │ ├── injectors/ │ │ │ │ ├── _base.lua │ │ │ │ ├── aws.lua │ │ │ │ ├── b3-single.lua │ │ │ │ ├── b3.lua │ │ │ │ ├── datadog.lua │ │ │ │ ├── gcp.lua │ │ │ │ ├── instana.lua │ │ │ │ ├── jaeger.lua │ │ │ │ ├── ot.lua │ │ │ │ └── w3c.lua │ │ │ ├── schema.lua │ │ │ └── utils.lua │ │ ├── request_id.lua │ │ └── tracing_context.lua │ ├── pdk/ │ │ ├── client/ │ │ │ └── tls.lua │ │ ├── client.lua │ │ ├── cluster.lua │ │ ├── ctx.lua │ │ ├── init.lua │ │ ├── ip.lua │ │ ├── log.lua │ │ ├── nginx.lua │ │ ├── node.lua │ │ ├── plugin.lua │ │ ├── private/ │ │ │ ├── checks.lua │ │ │ ├── node.lua │ │ │ ├── phases.lua │ │ │ └── rate_limiting.lua │ │ ├── request.lua │ │ ├── response.lua │ │ ├── router.lua │ │ ├── service/ │ │ │ ├── request.lua │ │ │ └── response.lua │ │ ├── service.lua │ │ ├── table.lua │ │ ├── telemetry.lua │ │ ├── tracing.lua │ │ └── vault.lua │ ├── plugins/ │ │ ├── acl/ │ │ │ ├── acls.lua │ │ │ ├── api.lua │ │ │ ├── daos.lua │ │ │ ├── groups.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_acl.lua │ │ │ │ ├── 002_130_to_140.lua │ │ │ │ ├── 003_200_to_210.lua │ │ │ │ ├── 004_212_to_213.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── acme/ │ │ │ ├── api.lua │ │ │ ├── client.lua │ │ │ ├── clustering/ │ │ │ │ └── compat/ │ │ │ │ └── redis_translation.lua │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ 
├── 000_base_acme.lua │ │ │ │ ├── 001_280_to_300.lua │ │ │ │ ├── 002_320_to_330.lua │ │ │ │ ├── 003_350_to_360.lua │ │ │ │ └── init.lua │ │ │ ├── reserved_words.lua │ │ │ ├── schema.lua │ │ │ └── storage/ │ │ │ ├── config_adapters/ │ │ │ │ ├── init.lua │ │ │ │ └── redis.lua │ │ │ └── kong.lua │ │ ├── ai-prompt-decorator/ │ │ │ ├── filters/ │ │ │ │ └── decorate-prompt.lua │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── ai-prompt-guard/ │ │ │ ├── filters/ │ │ │ │ └── guard-prompt.lua │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── ai-prompt-template/ │ │ │ ├── filters/ │ │ │ │ └── render-prompt-template.lua │ │ │ ├── handler.lua │ │ │ ├── schema.lua │ │ │ └── templater.lua │ │ ├── ai-proxy/ │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_360_to_370.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── ai-request-transformer/ │ │ │ ├── filters/ │ │ │ │ └── transform-request.lua │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── ai-response-transformer/ │ │ │ ├── filters/ │ │ │ │ └── transform-response.lua │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── aws-lambda/ │ │ │ ├── handler.lua │ │ │ ├── request-util.lua │ │ │ └── schema.lua │ │ ├── azure-functions/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── basic-auth/ │ │ │ ├── access.lua │ │ │ ├── crypto.lua │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_basic_auth.lua │ │ │ │ ├── 002_130_to_140.lua │ │ │ │ ├── 003_200_to_210.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── bot-detection/ │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_200_to_210.lua │ │ │ │ └── init.lua │ │ │ ├── rules.lua │ │ │ └── schema.lua │ │ ├── correlation-id/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── cors/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── datadog/ │ │ │ ├── handler.lua │ │ │ ├── schema.lua │ │ │ └── statsd_logger.lua │ │ ├── file-log/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── grpc-gateway/ │ │ │ ├── deco.lua │ │ │ ├── handler.lua │ 
│ │ └── schema.lua │ │ ├── grpc-web/ │ │ │ ├── deco.lua │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── hmac-auth/ │ │ │ ├── access.lua │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_hmac_auth.lua │ │ │ │ ├── 002_130_to_140.lua │ │ │ │ ├── 003_200_to_210.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── http-log/ │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_280_to_300.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── ip-restriction/ │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_200_to_210.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── jwt/ │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── jwt_parser.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_jwt.lua │ │ │ │ ├── 002_130_to_140.lua │ │ │ │ ├── 003_200_to_210.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── key-auth/ │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_key_auth.lua │ │ │ │ ├── 002_130_to_140.lua │ │ │ │ ├── 003_200_to_210.lua │ │ │ │ ├── 004_320_to_330.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── ldap-auth/ │ │ │ ├── access.lua │ │ │ ├── asn1.lua │ │ │ ├── handler.lua │ │ │ ├── ldap.lua │ │ │ └── schema.lua │ │ ├── loggly/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── oauth2/ │ │ │ ├── access.lua │ │ │ ├── daos/ │ │ │ │ └── oauth2_tokens.lua │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_oauth2.lua │ │ │ │ ├── 003_130_to_140.lua │ │ │ │ ├── 004_200_to_210.lua │ │ │ │ ├── 005_210_to_211.lua │ │ │ │ ├── 006_320_to_330.lua │ │ │ │ ├── 007_320_to_330.lua │ │ │ │ └── init.lua │ │ │ ├── schema.lua │ │ │ └── secret.lua │ │ ├── opentelemetry/ │ │ │ ├── handler.lua │ │ │ ├── logs.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_331_to_332.lua │ │ │ │ └── init.lua │ │ │ ├── schema.lua │ │ │ ├── traces.lua │ │ │ └── utils.lua │ │ ├── post-function/ │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_280_to_300.lua │ │ │ │ └── init.lua │ │ 
│ └── schema.lua │ │ ├── pre-function/ │ │ │ ├── _handler.lua │ │ │ ├── _schema.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 001_280_to_300.lua │ │ │ │ ├── _001_280_to_300.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── prometheus/ │ │ │ ├── api.lua │ │ │ ├── exporter.lua │ │ │ ├── grafana/ │ │ │ │ ├── README.md │ │ │ │ └── kong-official.json │ │ │ ├── handler.lua │ │ │ ├── prometheus.lua │ │ │ ├── schema.lua │ │ │ ├── serve.lua │ │ │ ├── status_api.lua │ │ │ └── wasmx.lua │ │ ├── proxy-cache/ │ │ │ ├── api.lua │ │ │ ├── cache_key.lua │ │ │ ├── handler.lua │ │ │ ├── schema.lua │ │ │ └── strategies/ │ │ │ ├── init.lua │ │ │ └── memory.lua │ │ ├── rate-limiting/ │ │ │ ├── clustering/ │ │ │ │ └── compat/ │ │ │ │ └── redis_translation.lua │ │ │ ├── daos.lua │ │ │ ├── expiration.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_rate_limiting.lua │ │ │ │ ├── 003_10_to_112.lua │ │ │ │ ├── 004_200_to_210.lua │ │ │ │ ├── 005_320_to_330.lua │ │ │ │ ├── 006_350_to_360.lua │ │ │ │ └── init.lua │ │ │ ├── policies/ │ │ │ │ ├── cluster.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── redirect/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── request-size-limiting/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── request-termination/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── request-transformer/ │ │ │ ├── access.lua │ │ │ ├── handler.lua │ │ │ ├── migrations/ │ │ │ │ ├── common.lua │ │ │ │ └── postgres.lua │ │ │ └── schema.lua │ │ ├── response-ratelimiting/ │ │ │ ├── access.lua │ │ │ ├── clustering/ │ │ │ │ └── compat/ │ │ │ │ └── redis_translation.lua │ │ │ ├── handler.lua │ │ │ ├── header_filter.lua │ │ │ ├── log.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_response_rate_limiting.lua │ │ │ │ ├── 001_350_to_360.lua │ │ │ │ └── init.lua │ │ │ ├── policies/ │ │ │ │ ├── cluster.lua │ │ │ │ └── init.lua │ │ │ └── schema.lua │ │ ├── response-transformer/ │ │ │ ├── body_transformer.lua │ │ │ ├── handler.lua │ │ │ ├── 
header_transformer.lua │ │ │ └── schema.lua │ │ ├── session/ │ │ │ ├── access.lua │ │ │ ├── daos/ │ │ │ │ └── session_metadatas.lua │ │ │ ├── daos.lua │ │ │ ├── handler.lua │ │ │ ├── header_filter.lua │ │ │ ├── migrations/ │ │ │ │ ├── 000_base_session.lua │ │ │ │ ├── 001_add_ttl_index.lua │ │ │ │ ├── 002_320_to_330.lua │ │ │ │ ├── 003_330_to_3100.lua │ │ │ │ └── init.lua │ │ │ ├── schema.lua │ │ │ ├── session.lua │ │ │ ├── storage/ │ │ │ │ └── kong.lua │ │ │ └── strategies/ │ │ │ └── postgres/ │ │ │ └── session_metadatas.lua │ │ ├── standard-webhooks/ │ │ │ ├── handler.lua │ │ │ ├── internal.lua │ │ │ └── schema.lua │ │ ├── statsd/ │ │ │ ├── constants.lua │ │ │ ├── handler.lua │ │ │ ├── log.lua │ │ │ ├── schema.lua │ │ │ └── statsd_logger.lua │ │ ├── syslog/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── tcp-log/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── udp-log/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ └── zipkin/ │ │ ├── README.md │ │ ├── handler.lua │ │ ├── reporter.lua │ │ ├── request_tags.lua │ │ ├── schema.lua │ │ └── span.lua │ ├── reports.lua │ ├── resty/ │ │ ├── ctx.lua │ │ ├── dns/ │ │ │ ├── client.lua │ │ │ └── utils.lua │ │ └── mlcache/ │ │ ├── init.lua │ │ └── ipc.lua │ ├── router/ │ │ ├── atc.lua │ │ ├── compat.lua │ │ ├── expressions.lua │ │ ├── fields.lua │ │ ├── init.lua │ │ ├── traditional.lua │ │ ├── transform.lua │ │ └── utils.lua │ ├── runloop/ │ │ ├── balancer/ │ │ │ ├── balancers.lua │ │ │ ├── consistent_hashing.lua │ │ │ ├── healthcheckers.lua │ │ │ ├── init.lua │ │ │ ├── latency.lua │ │ │ ├── least_connections.lua │ │ │ ├── round_robin.lua │ │ │ ├── targets.lua │ │ │ └── upstreams.lua │ │ ├── certificate.lua │ │ ├── events.lua │ │ ├── handler.lua │ │ ├── log_level.lua │ │ ├── plugin_servers/ │ │ │ ├── init.lua │ │ │ ├── plugin.lua │ │ │ ├── process.lua │ │ │ └── rpc/ │ │ │ ├── init.lua │ │ │ ├── mp_rpc.lua │ │ │ ├── pb_rpc.lua │ │ │ └── util.lua │ │ ├── plugins_iterator.lua │ │ ├── upstream_retry.lua │ │ ├── 
upstream_ssl.lua │ │ ├── wasm/ │ │ │ ├── plugins.lua │ │ │ └── properties.lua │ │ └── wasm.lua │ ├── status/ │ │ ├── init.lua │ │ └── ready.lua │ ├── templates/ │ │ ├── kong_defaults.lua │ │ ├── kong_yml.lua │ │ ├── nginx.lua │ │ ├── nginx_inject.lua │ │ ├── nginx_kong.lua │ │ ├── nginx_kong_gui_include.lua │ │ ├── nginx_kong_inject.lua │ │ ├── nginx_kong_stream.lua │ │ ├── nginx_kong_stream_inject.lua │ │ └── wasmtime_cache_config.lua │ ├── timing/ │ │ ├── context.lua │ │ ├── hooks/ │ │ │ ├── dns.lua │ │ │ ├── http.lua │ │ │ ├── init.lua │ │ │ ├── redis.lua │ │ │ └── socket.lua │ │ └── init.lua │ ├── tools/ │ │ ├── aws_stream.lua │ │ ├── cjson.lua │ │ ├── dns.lua │ │ ├── emmy_debugger.lua │ │ ├── grpc.lua │ │ ├── gzip.lua │ │ ├── http.lua │ │ ├── ip.lua │ │ ├── kong-lua-sandbox.lua │ │ ├── mime_type.lua │ │ ├── module.lua │ │ ├── protobuf.lua │ │ ├── queue.lua │ │ ├── queue_schema.lua │ │ ├── rand.lua │ │ ├── redis/ │ │ │ └── schema.lua │ │ ├── request_aware_table.lua │ │ ├── sandbox/ │ │ │ ├── environment/ │ │ │ │ ├── handler.lua │ │ │ │ ├── init.lua │ │ │ │ ├── lua.lua │ │ │ │ └── schema.lua │ │ │ ├── init.lua │ │ │ ├── kong.lua │ │ │ └── require/ │ │ │ ├── handler.lua │ │ │ ├── init.lua │ │ │ ├── lua.lua │ │ │ └── schema.lua │ │ ├── sha256.lua │ │ ├── stream_api.lua │ │ ├── string.lua │ │ ├── system.lua │ │ ├── table.lua │ │ ├── time.lua │ │ ├── timestamp.lua │ │ ├── uri.lua │ │ ├── utils.lua │ │ ├── uuid.lua │ │ └── yield.lua │ ├── vaults/ │ │ └── env/ │ │ ├── init.lua │ │ └── schema.lua │ └── workspaces/ │ └── init.lua ├── kong-latest.rockspec ├── kong.conf.default ├── scripts/ │ ├── Dockerfile │ ├── autodoc │ ├── build-wasm-test-filters.sh │ ├── changelog-helper.lua │ ├── check-labeler.pl │ ├── check_spec_files_spelling.sh │ ├── dependency_services/ │ │ ├── 00-create-pg-db.sh │ │ ├── common.sh │ │ ├── docker-compose-test-services.yml │ │ ├── up.fish │ │ └── up.sh │ ├── explain_manifest/ │ │ ├── .gitignore │ │ ├── config.py │ │ ├── docker_image_filelist.txt │ 
│ ├── expect.py │ │ ├── explain.py │ │ ├── filelist.txt │ │ ├── fixtures/ │ │ │ ├── amazonlinux-2-amd64.txt │ │ │ ├── amazonlinux-2023-amd64.txt │ │ │ ├── amazonlinux-2023-arm64.txt │ │ │ ├── debian-11-amd64.txt │ │ │ ├── debian-12-amd64.txt │ │ │ ├── el8-amd64.txt │ │ │ ├── el9-amd64.txt │ │ │ ├── el9-arm64.txt │ │ │ ├── ubuntu-20.04-amd64.txt │ │ │ ├── ubuntu-22.04-amd64.txt │ │ │ ├── ubuntu-22.04-arm64.txt │ │ │ ├── ubuntu-24.04-amd64.txt │ │ │ └── ubuntu-24.04-arm64.txt │ │ ├── main.py │ │ ├── requirements.txt │ │ └── suites.py │ ├── grep-kong-version.sh │ ├── make-release │ ├── release-kong.sh │ ├── release-lib.sh │ ├── update-copyright │ ├── upgrade-tests/ │ │ ├── docker-compose.yml │ │ ├── luarocks-system-lua │ │ ├── source-versions │ │ └── test-upgrade-path.sh │ └── validate-rockspec ├── sgconfig.yml ├── spec/ │ ├── 01-unit/ │ │ ├── 01-db/ │ │ │ ├── 01-schema/ │ │ │ │ ├── 01-schema_spec.lua │ │ │ │ ├── 02-metaschema_spec.lua │ │ │ │ ├── 03-typedefs_spec.lua │ │ │ │ ├── 04-entities_schema_spec.lua │ │ │ │ ├── 05-services_spec.lua │ │ │ │ ├── 06-routes_spec.lua │ │ │ │ ├── 07-plugins_spec.lua │ │ │ │ ├── 08-targets_spec.lua │ │ │ │ ├── 09-upstreams_spec.lua │ │ │ │ ├── 10-migrations_spec.lua │ │ │ │ ├── 11-declarative_config/ │ │ │ │ │ ├── 01-validate_spec.lua │ │ │ │ │ ├── 02-process_auto_fields_spec.lua │ │ │ │ │ ├── 03-flatten_spec.lua │ │ │ │ │ ├── 04-on-the-fly-migration_spec.lua │ │ │ │ │ └── 05-error-flattening_spec.lua │ │ │ │ ├── 11-snis_spec.lua │ │ │ │ ├── 12-topological_sort_spec.lua │ │ │ │ ├── 13-cluster_status_spec.lua │ │ │ │ ├── 14-consumers_spec.lua │ │ │ │ └── 15-workspaces_spec.lua │ │ │ ├── 02-db-errors_spec.lua │ │ │ ├── 03-arguments_spec.lua │ │ │ ├── 04-dao_spec.lua │ │ │ ├── 06-postgres_spec.lua │ │ │ ├── 07-dao/ │ │ │ │ ├── 01-plugins_spec.lua │ │ │ │ └── 02-tags_spec.lua │ │ │ ├── 07-db_spec.lua │ │ │ ├── 08-cache_warmup_spec.lua │ │ │ ├── 09-no_broadcast_crud_event_spec.lua │ │ │ ├── 10-declarative_spec.lua │ │ │ ├── 
11-declarative_lmdb_spec.lua │ │ │ ├── 12-missing-migrations_spec.lua │ │ │ └── 13-off/ │ │ │ └── 01-select-by-ca-certificate_spec.lua │ │ ├── 02-rockspec_meta_spec.lua │ │ ├── 03-conf_loader_spec.lua │ │ ├── 04-prefix_handler_spec.lua │ │ ├── 05-utils_spec.lua │ │ ├── 06-timestamp_spec.lua │ │ ├── 07-api_helpers_spec.lua │ │ ├── 08-router_spec.lua │ │ ├── 09-balancer/ │ │ │ ├── 01-generic_spec.lua │ │ │ ├── 02-least_connections_spec.lua │ │ │ ├── 03-consistent_hashing_spec.lua │ │ │ ├── 04-round_robin_spec.lua │ │ │ ├── 05-worker_consistency_spec.lua │ │ │ └── 06-latency_spec.lua │ │ ├── 10-log_serializer_spec.lua │ │ ├── 11-reports_spec.lua │ │ ├── 12-plugins_order_spec.lua │ │ ├── 13-plugins_version_spec.lua │ │ ├── 14-dns_spec.lua │ │ ├── 16-runloop_handler_spec.lua │ │ ├── 17-concurrency_spec.lua │ │ ├── 18-tools_uri_spec.lua │ │ ├── 19-hooks_spec.lua │ │ ├── 19-hybrid/ │ │ │ ├── 02-clustering_spec.lua │ │ │ ├── 03-compat_spec.lua │ │ │ ├── 04-validate_deltas_spec.lua │ │ │ └── 05-validate-versions_spec.lua │ │ ├── 20-sandbox_spec.lua │ │ ├── 21-dns-client/ │ │ │ ├── 01-utils_spec.lua │ │ │ ├── 02-client_spec.lua │ │ │ └── 03-client_cache_spec.lua │ │ ├── 22-grpc-utils_spec.lua │ │ ├── 23-vaults_spec.lua │ │ ├── 24-runloop_certificate_spec.lua │ │ ├── 25-msgpack_rpc_spec.lua │ │ ├── 26-mime-type_spec.lua │ │ ├── 26-observability/ │ │ │ ├── 01-tracer_pdk_spec.lua │ │ │ ├── 02-propagation_strategies_spec.lua │ │ │ ├── 03-propagation_module_spec.lua │ │ │ ├── 04-request-id_spec.lua │ │ │ ├── 05-logs_spec.lua │ │ │ └── 06-telemetry-pdk_spec.lua │ │ ├── 27-queue_spec.lua │ │ ├── 28-inject_confs_spec.lua │ │ ├── 28-plugins-iterator/ │ │ │ ├── 01-compound_key_spec.lua │ │ │ └── 02-lookup_cfg_spec.lua │ │ ├── 29-admin_gui/ │ │ │ ├── 01-admin_gui_spec.lua │ │ │ └── 02-admin_gui_template_spec.lua │ │ ├── 29-lua_cjson_large_str_spec.lua │ │ ├── 30-new-dns-client/ │ │ │ ├── 01-utils_spec.lua │ │ │ ├── 02-old_client_spec.lua │ │ │ ├── 03-old_client_cache_spec.lua │ │ │ ├── 
04-client_ipc_spec.lua │ │ │ └── 05-client_stat_spec.lua │ │ ├── 30-standardized_redis_config_spec.lua │ │ ├── 31-ada-url_spec.lua │ │ ├── 31-simdjson/ │ │ │ ├── 01-cjson_compatibility_spec.lua │ │ │ └── 02-yield_spec.lua │ │ └── 32-tools_string_spec.lua │ ├── 02-integration/ │ │ ├── 01-helpers/ │ │ │ ├── 01-helpers_spec.lua │ │ │ ├── 02-blueprints_spec.lua │ │ │ ├── 03-http_mock_spec.lua │ │ │ ├── 04-redis_helper_spec.lua │ │ │ └── 05-rpc-mock_spec.lua │ │ ├── 02-cmd/ │ │ │ ├── 01-cmds_spec.lua │ │ │ ├── 02-start_stop_spec.lua │ │ │ ├── 03-reload_spec.lua │ │ │ ├── 04-version_spec.lua │ │ │ ├── 05-check_spec.lua │ │ │ ├── 06-restart_spec.lua │ │ │ ├── 07-health_spec.lua │ │ │ ├── 08-quit_spec.lua │ │ │ ├── 09-prepare_spec.lua │ │ │ ├── 10-migrations_spec.lua │ │ │ ├── 11-config_spec.lua │ │ │ ├── 12-hybrid_spec.lua │ │ │ ├── 13-signals_spec.lua │ │ │ ├── 14-vault_spec.lua │ │ │ ├── 15-utils_spec.lua │ │ │ ├── 16-verbose_spec.lua │ │ │ └── 17-drain_spec.lua │ │ ├── 03-db/ │ │ │ ├── 01-db_spec.lua │ │ │ ├── 02-db_core_entities_spec.lua │ │ │ ├── 03-plugins_spec.lua │ │ │ ├── 04-db_cluster_mutex_spec.lua │ │ │ ├── 06-migrations_state_spec.lua │ │ │ ├── 07-tags_spec.lua │ │ │ ├── 08-declarative_spec.lua │ │ │ ├── 09-query-semaphore_spec.lua │ │ │ ├── 10-db_unique_foreign_spec.lua │ │ │ ├── 11-db_transformations_spec.lua │ │ │ ├── 11-postgres-ro_spec.lua │ │ │ ├── 12-dao_hooks_spec.lua │ │ │ ├── 13-cluster_status_spec.lua │ │ │ ├── 14-dao_spec.lua │ │ │ ├── 15-connection_pool_spec.lua │ │ │ ├── 18-keys_spec.lua │ │ │ ├── 19-key-sets_spec.lua │ │ │ ├── 20-ttl-cleanup_spec.lua │ │ │ ├── 21-services_spec.lua │ │ │ ├── 22-ca_certificates_spec.lua │ │ │ └── 23-shorthand_fields_translate_backwards_spec.lua │ │ ├── 04-admin_api/ │ │ │ ├── 01-admin_api_spec.lua │ │ │ ├── 02-kong_routes_spec.lua │ │ │ ├── 03-consumers_routes_spec.lua │ │ │ ├── 04-plugins_routes_spec.lua │ │ │ ├── 05-cache_routes_spec.lua │ │ │ ├── 06-certificates_routes_spec.lua │ │ │ ├── 
07-upstreams_routes_spec.lua │ │ │ ├── 08-targets_routes_spec.lua │ │ │ ├── 09-routes_routes_spec.lua │ │ │ ├── 10-services_routes_spec.lua │ │ │ ├── 11-reports_spec.lua │ │ │ ├── 12-plugins-conf_spec.lua │ │ │ ├── 13-plugin-endpoints_spec.lua │ │ │ ├── 14-tags_spec.lua │ │ │ ├── 15-off_spec.lua │ │ │ ├── 16-ca_certificates_routes_spec.lua │ │ │ ├── 17-foreign-entity_spec.lua │ │ │ ├── 19-vaults_spec.lua │ │ │ ├── 20-timers_spec.lua │ │ │ ├── 21-admin-api-keys_spec.lua │ │ │ ├── 21-truncated_arguments_spec.lua │ │ │ ├── 22-debug_spec.lua │ │ │ ├── 23-cors_spec.lua │ │ │ ├── 25-max_safe_integer_spec.lua │ │ │ └── 25-workspaces_spec.lua │ │ ├── 05-proxy/ │ │ │ ├── 01-proxy_spec.lua │ │ │ ├── 02-router_spec.lua │ │ │ ├── 03-upstream_headers_spec.lua │ │ │ ├── 04-plugins_triggering_spec.lua │ │ │ ├── 05-dns_spec.lua │ │ │ ├── 06-ssl_spec.lua │ │ │ ├── 07-upstream_timeouts_spec.lua │ │ │ ├── 08-uri_encoding_spec.lua │ │ │ ├── 09-websockets_spec.lua │ │ │ ├── 10-balancer/ │ │ │ │ ├── 01-healthchecks_spec.lua │ │ │ │ ├── 02-least-connections_spec.lua │ │ │ │ ├── 03-consistent-hashing_spec.lua │ │ │ │ ├── 04-round-robin_spec.lua │ │ │ │ ├── 05-recreate-request_spec.lua │ │ │ │ ├── 05-stress.lua │ │ │ │ ├── 06-stream_spec.lua │ │ │ │ └── 07-latency_spec.lua │ │ │ ├── 11-handler_spec.lua │ │ │ ├── 12-error_default_type_spec.lua │ │ │ ├── 13-error_handlers_spec.lua │ │ │ ├── 14-server_tokens_spec.lua │ │ │ ├── 15-upstream-status-header_spec.lua │ │ │ ├── 16-custom_nginx_directive_spec.lua │ │ │ ├── 18-upstream_tls_spec.lua │ │ │ ├── 19-grpc_proxy_spec.lua │ │ │ ├── 21-grpc_plugins_triggering_spec.lua │ │ │ ├── 22-reports_spec.lua │ │ │ ├── 23-context_spec.lua │ │ │ ├── 24-buffered_spec.lua │ │ │ ├── 25-upstream_keepalive_spec.lua │ │ │ ├── 26-udp_spec.lua │ │ │ ├── 27-lua-ssl-trusted-cert_spec.lua │ │ │ ├── 27-unbuffered_spec.lua │ │ │ ├── 28-stream_plugins_triggering_spec.lua │ │ │ ├── 29-collect-plugin-errors_spec.lua │ │ │ ├── 30-max-args_spec.lua │ │ │ ├── 
31-stream_tls_spec.lua │ │ │ ├── 32-query-params_spec.lua │ │ │ ├── 33-request-aware-table_spec.lua │ │ │ ├── 33-request-id-header_spec.lua │ │ │ ├── 34-proxy_with_compress_spec.lua │ │ │ └── 35-via_spec.lua │ │ ├── 06-invalidations/ │ │ │ ├── 01-cluster_events_spec.lua │ │ │ ├── 02-core_entities_invalidations_spec.lua │ │ │ ├── 03-plugins_iterator_invalidation_spec.lua │ │ │ └── 04-balancer_cache_correctness_spec.lua │ │ ├── 07-sdk/ │ │ │ ├── 01-ctx_spec.lua │ │ │ ├── 02-log_spec.lua │ │ │ ├── 03-cluster_spec.lua │ │ │ ├── 04-plugin-config_spec.lua │ │ │ ├── 05-pdk_spec.lua │ │ │ └── 06-worker_events_spec.lua │ │ ├── 08-status_api/ │ │ │ ├── 01-core_routes_spec.lua │ │ │ ├── 02-targets_routes_spec.lua │ │ │ ├── 03-readiness_endpoint_spec.lua │ │ │ ├── 04-config_spec.lua │ │ │ └── 05-dns_client_spec.lua │ │ ├── 09-hybrid_mode/ │ │ │ ├── 01-sync_spec.lua │ │ │ ├── 02-start_stop_spec.lua │ │ │ ├── 03-pki_spec.lua │ │ │ ├── 04-cp_cluster_sync_spec.lua │ │ │ ├── 05-ocsp_spec.lua │ │ │ ├── 08-lazy_export_spec.lua │ │ │ ├── 09-config-compat_spec.lua │ │ │ ├── 09-node-id-persistence_spec.lua │ │ │ ├── 10-forward-proxy_spec.lua │ │ │ ├── 11-status_spec.lua │ │ │ ├── 12-errors_spec.lua │ │ │ ├── 13-deprecations_spec.lua │ │ │ ├── 14-dp_privileged_agent_spec.lua │ │ │ └── 15-cp_inert_rpc_sync_spec.lua │ │ ├── 10-external-plugins/ │ │ │ ├── 01-process-management_spec.lua │ │ │ ├── 02-execution_spec.lua │ │ │ ├── 03-wasm_spec.lua │ │ │ └── 99-reports_spec.lua │ │ ├── 11-dbless/ │ │ │ ├── 01-respawn_spec.lua │ │ │ ├── 02-workers_spec.lua │ │ │ ├── 03-config_persistence_spec.lua │ │ │ └── 04-pagination_spec.lua │ │ ├── 12-stream_api/ │ │ │ └── 01-stream_api_endpoint_spec.lua │ │ ├── 13-vaults/ │ │ │ ├── 01-vault_spec.lua │ │ │ ├── 02-env_vault_spec.lua │ │ │ ├── 03-mock_spec.lua │ │ │ ├── 04-echo_spec.lua │ │ │ ├── 05-ttl_spec.lua │ │ │ ├── 06-refresh-secrets_spec.lua │ │ │ └── 07-resurrect_spec.lua │ │ ├── 14-observability/ │ │ │ ├── 01-instrumentations_spec.lua │ │ │ ├── 
02-propagation_spec.lua │ │ │ ├── 03-tracer-pdk_spec.lua │ │ │ ├── 04-trace-ids-log_spec.lua │ │ │ ├── 05-logs_spec.lua │ │ │ └── 06-telemetry-pdk_spec.lua │ │ ├── 15-plugins-iterator/ │ │ │ ├── 01-precedence_spec.lua │ │ │ └── 02-correctness_spec.lua │ │ ├── 16-queues/ │ │ │ └── 01-shutdown_spec.lua │ │ ├── 17-admin_gui/ │ │ │ ├── 01-admin-gui-path_spec.lua │ │ │ ├── 02-log_spec.lua │ │ │ └── 03-reports_spec.lua │ │ ├── 18-hybrid_rpc/ │ │ │ ├── 01-rpc_spec.lua │ │ │ ├── 02-error_spec.lua │ │ │ ├── 03-inert_spec.lua │ │ │ ├── 04-concentrator_spec.lua │ │ │ ├── 05-sync-rpc_spec.lua │ │ │ ├── 06-batch-rpc_spec.lua │ │ │ ├── 07-notification_spec.lua │ │ │ ├── 08-sync_v2_get_delta_spec.lua │ │ │ ├── 09-notify_new_version_spec.lua │ │ │ └── 10-validate_deltas_spec.lua │ │ ├── 21-request-debug/ │ │ │ └── 01-request-debug_spec.lua │ │ └── 22-ai_plugins/ │ │ └── 01-reports_spec.lua │ ├── 03-plugins/ │ │ ├── 01-legacy_queue_parameter_warning_spec.lua │ │ ├── 01-tcp-log/ │ │ │ └── 01-tcp-log_spec.lua │ │ ├── 02-legacy_propagation_parameter_warning_spec.lua │ │ ├── 02-udp-log/ │ │ │ └── 01-udp-log_spec.lua │ │ ├── 03-http-log/ │ │ │ ├── 01-log_spec.lua │ │ │ ├── 02-schema_spec.lua │ │ │ ├── 03-schem-vault_spec.lua │ │ │ ├── 04-legacy_queue_sharing_spec.lua │ │ │ └── 05-old-plugin-compatibility_spec.lua │ │ ├── 04-file-log/ │ │ │ ├── 01-log_spec.lua │ │ │ └── 02-schema_spec.lua │ │ ├── 05-syslog/ │ │ │ └── 01-log_spec.lua │ │ ├── 06-statsd/ │ │ │ ├── 01-log_spec.lua │ │ │ ├── 02-schema_spec.lua │ │ │ └── 03-allow_status_codes_spec.lua │ │ ├── 07-loggly/ │ │ │ └── 01-log_spec.lua │ │ ├── 08-datadog/ │ │ │ ├── 01-log_spec.lua │ │ │ └── 02-schema_spec.lua │ │ ├── 09-key-auth/ │ │ │ ├── 01-api_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ ├── 03-invalidations_spec.lua │ │ │ └── 04-hybrid_mode_spec.lua │ │ ├── 10-basic-auth/ │ │ │ ├── 01-crypto_spec.lua │ │ │ ├── 02-api_spec.lua │ │ │ ├── 03-access_spec.lua │ │ │ ├── 04-invalidations_spec.lua │ │ │ └── 05-declarative_spec.lua │ │ ├── 
11-correlation-id/ │ │ │ ├── 01-access_spec.lua │ │ │ └── 02-schema_spec.lua │ │ ├── 12-request-size-limiting/ │ │ │ └── 01-access_spec.lua │ │ ├── 13-cors/ │ │ │ ├── 01-access_spec.lua │ │ │ └── 02-schema_spec.lua │ │ ├── 14-request-termination/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ └── 03-integration_spec.lua │ │ ├── 15-response-transformer/ │ │ │ ├── 01-header_transformer_spec.lua │ │ │ ├── 02-body_transformer_spec.lua │ │ │ ├── 03-api_spec.lua │ │ │ ├── 04-filter_spec.lua │ │ │ └── 05-big_response_body_spec.lua │ │ ├── 16-jwt/ │ │ │ ├── 01-jwt_parser_spec.lua │ │ │ ├── 02-api_spec.lua │ │ │ ├── 03-access_spec.lua │ │ │ ├── 04-invalidations_spec.lua │ │ │ ├── 06-schema_spec.lua │ │ │ └── fixtures.lua │ │ ├── 17-ip-restriction/ │ │ │ ├── 01-schema_spec.lua │ │ │ └── 02-access_spec.lua │ │ ├── 18-acl/ │ │ │ ├── 01-api_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ └── 03-invalidations_spec.lua │ │ ├── 19-hmac-auth/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-api_spec.lua │ │ │ ├── 03-access_spec.lua │ │ │ └── 04-invalidations_spec.lua │ │ ├── 20-ldap-auth/ │ │ │ ├── 01-access_spec.lua │ │ │ ├── 02-invalidations_spec.lua │ │ │ ├── 02-schema_spec.lua │ │ │ └── 03-decode_spec.lua │ │ ├── 21-bot-detection/ │ │ │ ├── 01-access_spec.lua │ │ │ ├── 02-invalidations_spec.lua │ │ │ └── 03-api_spec.lua │ │ ├── 23-rate-limiting/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-policies_spec.lua │ │ │ ├── 03-api_spec.lua │ │ │ ├── 04-access_spec.lua │ │ │ ├── 05-integration_spec.lua │ │ │ ├── 06-shorthand_fields_spec.lua │ │ │ └── 07-hybrid_mode_spec.lua │ │ ├── 24-response-rate-limiting/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-policies_spec.lua │ │ │ ├── 03-api_spec.lua │ │ │ ├── 04-access_spec.lua │ │ │ ├── 05-integration_spec.lua │ │ │ └── 06-shorthand_fields_spec.lua │ │ ├── 25-oauth2/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-api_spec.lua │ │ │ ├── 03-access_spec.lua │ │ │ ├── 04-invalidations_spec.lua │ │ │ └── 05-kdf_spec.lua │ │ ├── 26-prometheus/ │ │ │ 
├── 01-api_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ ├── 03-custom-serve_spec.lua │ │ │ ├── 04-status_api_spec.lua │ │ │ ├── 05-metrics_spec.lua │ │ │ ├── 06-hybrid-mode_metrics_spec.lua │ │ │ ├── 07-optional_fields_spec.lua │ │ │ ├── 08-unit_spec.lua │ │ │ └── 09-wasmx_spec.lua │ │ ├── 27-aws-lambda/ │ │ │ ├── 02-schema_spec.lua │ │ │ ├── 05-aws-serializer_spec.lua │ │ │ ├── 06-request-util_spec.lua │ │ │ ├── 08-sam-integration_spec.lua │ │ │ └── 99-access_spec.lua │ │ ├── 28-grpc-gateway/ │ │ │ └── 01-proxy_spec.lua │ │ ├── 29-acme/ │ │ │ ├── 01-client_spec.lua │ │ │ ├── 02-kong_storage_spec.lua │ │ │ ├── 03-access_spec.lua │ │ │ ├── 04-schema_spec.lua │ │ │ ├── 05-redis_storage_spec.lua │ │ │ ├── 06-hybrid_mode_spec.lua │ │ │ └── 07-shorthand_fields_spec.lua │ │ ├── 30-session/ │ │ │ ├── 01-access_spec.lua │ │ │ ├── 02-kong_storage_adapter_spec.lua │ │ │ └── 03-session_spec.lua │ │ ├── 31-proxy-cache/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ ├── 03-api_spec.lua │ │ │ ├── 04-invalidations_spec.lua │ │ │ └── 05-cache_key_spec.lua │ │ ├── 32-grpc-web/ │ │ │ └── 01-proxy_spec.lua │ │ ├── 33-serverless-functions/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ ├── 03-dbless_spec.lua │ │ │ └── 04-phases_spec.lua │ │ ├── 34-zipkin/ │ │ │ ├── request_tags_spec.lua │ │ │ ├── schema_spec.lua │ │ │ ├── zipkin_no_endpoint_spec.lua │ │ │ ├── zipkin_queue_spec.lua │ │ │ └── zipkin_spec.lua │ │ ├── 35-azure-functions/ │ │ │ └── 01-access_spec.lua │ │ ├── 36-request-transformer/ │ │ │ ├── 01-schema_spec.lua │ │ │ ├── 02-access_spec.lua │ │ │ └── 03-api_spec.lua │ │ ├── 37-opentelemetry/ │ │ │ ├── 01-otlp_spec.lua │ │ │ ├── 02-schema_spec.lua │ │ │ ├── 03-propagation_spec.lua │ │ │ ├── 04-exporter_spec.lua │ │ │ ├── 05-otelcol_spec.lua │ │ │ ├── 06-regression_spec.lua │ │ │ └── 07-utils_spec.lua │ │ ├── 38-ai-proxy/ │ │ │ ├── 00-config_spec.lua │ │ │ ├── 01-unit_spec.lua │ │ │ ├── 02-openai_integration_spec.lua │ │ │ ├── 
03-anthropic_integration_spec.lua │ │ │ ├── 04-cohere_integration_spec.lua │ │ │ ├── 05-azure_integration_spec.lua │ │ │ ├── 06-mistral_integration_spec.lua │ │ │ ├── 07-llama2_integration_spec.lua │ │ │ ├── 08-encoding_integration_spec.lua │ │ │ ├── 09-streaming_integration_spec.lua │ │ │ ├── 10-huggingface_integration_spec.lua │ │ │ ├── 11-gemini_integration_spec.lua │ │ │ ├── 12-native_unit_spec.lua │ │ │ ├── json-schema.json │ │ │ └── oas.yaml │ │ ├── 39-ai-request-transformer/ │ │ │ ├── 00-config_spec.lua │ │ │ ├── 01-transformer_spec.lua │ │ │ └── 02-integration_spec.lua │ │ ├── 39-reconfiguration-completion/ │ │ │ ├── 01-access_spec.lua │ │ │ └── 02-helper_spec.lua │ │ ├── 40-ai-response-transformer/ │ │ │ ├── 00-config_spec.lua │ │ │ ├── 01-transformer_spec.lua │ │ │ └── 02-integration_spec.lua │ │ ├── 41-ai-prompt-decorator/ │ │ │ ├── 00-config_spec.lua │ │ │ ├── 01-unit_spec.lua │ │ │ └── 02-integration_spec.lua │ │ ├── 42-ai-prompt-guard/ │ │ │ ├── 00-config_spec.lua │ │ │ ├── 01-unit_spec.lua │ │ │ └── 02-integration_spec.lua │ │ ├── 43-ai-prompt-template/ │ │ │ ├── 01-unit_spec.lua │ │ │ └── 02-integration_spec.lua │ │ ├── 44-standard-webhooks/ │ │ │ ├── 01-unit_spec.lua │ │ │ └── 02-integration_spec.lua │ │ └── 45-redirect/ │ │ ├── 01-schema_spec.lua │ │ ├── 02-access_spec.lua │ │ └── 03-integration_spec.lua │ ├── 04-perf/ │ │ ├── 01-rps/ │ │ │ ├── 01-simple_spec.lua │ │ │ ├── 02-balancer_spec.lua │ │ │ ├── 03-plugin_iterator_spec.lua │ │ │ ├── 04-simple_hybrid_spec.lua │ │ │ ├── 05-prometheus.lua │ │ │ ├── 06-core_entities_crud_spec.lua │ │ │ └── 07-upstream_lock_regression_spec.lua │ │ ├── 02-flamegraph/ │ │ │ ├── 01-simple_spec.lua │ │ │ ├── 03-plugin_iterator_spec.lua │ │ │ ├── 05-prometheus.lua │ │ │ └── 07-upstream_lock_regression_spec.lua │ │ └── 99-teardown/ │ │ └── 01-teardown_spec.lua │ ├── 05-migration/ │ │ ├── db/ │ │ │ └── migrations/ │ │ │ └── core/ │ │ │ ├── 016_280_to_300_spec.lua │ │ │ ├── 017_300_to_310_spec.lua │ │ │ ├── 
018_310_to_320_spec.lua │ │ │ ├── 019_320_to_330_spec.lua │ │ │ ├── 020_330_to_340_spec.lua │ │ │ ├── 021_340_to_350_spec.lua │ │ │ ├── 022_350_to_360_spec.lua │ │ │ ├── 023_360_to_370_spec.lua │ │ │ ├── 024_380_to_390_spec.lua │ │ │ └── 025_390_to_3100_spec.lua │ │ └── plugins/ │ │ ├── acme/ │ │ │ └── migrations/ │ │ │ ├── 001_280_to_300_spec.lua │ │ │ ├── 002_320_to_330_spec.lua │ │ │ └── 003_350_to_360_spec.lua │ │ ├── ai-proxy/ │ │ │ └── migrations/ │ │ │ └── 001_360_to_370_spec.lua │ │ ├── http-log/ │ │ │ └── migrations/ │ │ │ └── 001_280_to_300_spec.lua │ │ ├── key-auth/ │ │ │ └── migrations/ │ │ │ └── 004_320_to_330_spec.lua │ │ ├── oauth2/ │ │ │ └── migrations/ │ │ │ ├── 006_320_to_330_spec.lua │ │ │ └── 007_320_to_330_spec.lua │ │ ├── opentelemetry/ │ │ │ └── migrations/ │ │ │ └── 001_331_to_332_spec.lua │ │ ├── post-function/ │ │ │ └── migrations/ │ │ │ └── 001_280_to_300_spec.lua │ │ ├── pre-function/ │ │ │ └── migrations/ │ │ │ └── 001_280_to_300_spec.lua │ │ ├── rate-limiting/ │ │ │ └── migrations/ │ │ │ ├── 005_320_to_330_spec.lua │ │ │ └── 006_350_to_360_spec.lua │ │ ├── response-ratelimiting/ │ │ │ └── migrations/ │ │ │ └── 001_350_to_360_spec.lua │ │ └── session/ │ │ └── migrations/ │ │ ├── 002_320_to_330_spec.lua │ │ └── 003_330_to_3100_spec.lua │ ├── 06-third-party/ │ │ └── 01-deck/ │ │ └── 01-deck-integration_spec.lua │ ├── README.md │ ├── busted-ci-helper.lua │ ├── config.ld │ ├── fixtures/ │ │ ├── 1.2_custom_nginx.template │ │ ├── admin_api.lua │ │ ├── ai-proxy/ │ │ │ ├── anthropic/ │ │ │ │ ├── llm-v1-chat/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ │ ├── good-stream.json │ │ │ │ │ │ ├── good.json │ │ │ │ │ │ └── good_own_model.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── bad_upstream_response.json │ │ │ │ │ ├── good.json │ │ │ │ │ ├── internal_server_error.html │ │ │ │ │ ├── malformed_usage_response.json │ │ │ │ │ ├── no_usage_response.json │ │ │ │ │ └── unauthorized.json │ │ │ │ ├── 
llm-v1-completions/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ │ └── good.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── good.json │ │ │ │ │ └── unauthorized.json │ │ │ │ └── request-transformer/ │ │ │ │ └── response-in-json.json │ │ │ ├── azure/ │ │ │ │ └── request-transformer/ │ │ │ │ └── response-in-json.json │ │ │ ├── bedrock/ │ │ │ │ └── chunks/ │ │ │ │ ├── chunk-1.txt │ │ │ │ ├── chunk-2.txt │ │ │ │ └── chunk-3.txt │ │ │ ├── cohere/ │ │ │ │ ├── llm-v1-chat/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ │ ├── good-stream.json │ │ │ │ │ │ ├── good.json │ │ │ │ │ │ └── good_own_model.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── bad_upstream_response.json │ │ │ │ │ ├── good.json │ │ │ │ │ ├── internal_server_error.html │ │ │ │ │ └── unauthorized.json │ │ │ │ ├── llm-v1-completions/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ │ └── good.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── good.json │ │ │ │ │ └── unauthorized.json │ │ │ │ └── request-transformer/ │ │ │ │ └── response-in-json.json │ │ │ ├── gemini/ │ │ │ │ ├── llm-v1-chat/ │ │ │ │ │ └── responses/ │ │ │ │ │ ├── fails_safety.json │ │ │ │ │ └── good.json │ │ │ │ └── request-transformer/ │ │ │ │ └── response-in-json.json │ │ │ ├── huggingface/ │ │ │ │ ├── llm-v1-chat/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ └── good.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── bad_response_model_load.json │ │ │ │ │ ├── bad_response_timeout.json │ │ │ │ │ ├── good.json │ │ │ │ │ └── unauthorized.json │ │ │ │ └── llm-v1-completions/ │ │ │ │ ├── requests/ │ │ │ │ │ └── good.json │ │ │ │ └── responses/ │ │ │ │ ├── bad_request.json │ │ │ │ ├── good.json │ │ │ │ └── unauthorized.json │ │ │ ├── json-schema.json │ │ │ ├── llama2/ │ │ │ │ ├── ollama/ │ │ │ │ │ └── chat-stream.json │ │ │ │ ├── raw/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── good-chat.json │ │ │ 
│ │ │ └── good-completions.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── good.json │ │ │ │ │ └── unauthorized.json │ │ │ │ └── request-transformer/ │ │ │ │ └── response-in-json.json │ │ │ ├── mistral/ │ │ │ │ ├── llm-v1-chat/ │ │ │ │ │ └── responses/ │ │ │ │ │ └── good.json │ │ │ │ ├── llm-v1-completions/ │ │ │ │ │ └── responses/ │ │ │ │ │ └── good.json │ │ │ │ └── request-transformer/ │ │ │ │ └── response-in-json.json │ │ │ ├── native/ │ │ │ │ ├── bedrock/ │ │ │ │ │ └── request/ │ │ │ │ │ └── with-functions-and-chatter.json │ │ │ │ ├── gemini/ │ │ │ │ │ └── request/ │ │ │ │ │ ├── basic-chat.json │ │ │ │ │ ├── basic-multimodal.json │ │ │ │ │ ├── with-functions-and-chatter.json │ │ │ │ │ └── with-functions.json │ │ │ │ └── target/ │ │ │ │ ├── target-openai-complete-stream.json │ │ │ │ └── target-openai-complete.json │ │ │ ├── oas.yaml │ │ │ ├── openai/ │ │ │ │ ├── llm-v1-chat/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ │ ├── good-stream-with-functions.json │ │ │ │ │ │ ├── good-stream.json │ │ │ │ │ │ ├── good.json │ │ │ │ │ │ ├── good_multi_modal.json │ │ │ │ │ │ ├── good_own_model.json │ │ │ │ │ │ ├── tool_choice_auto.json │ │ │ │ │ │ ├── tool_choice_none.json │ │ │ │ │ │ ├── tool_choice_object_function.json │ │ │ │ │ │ └── tool_choice_required.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── bad_upstream_response.json │ │ │ │ │ ├── good.json │ │ │ │ │ ├── internal_server_error.html │ │ │ │ │ └── unauthorized.json │ │ │ │ ├── llm-v1-completions/ │ │ │ │ │ ├── requests/ │ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ │ └── good.json │ │ │ │ │ └── responses/ │ │ │ │ │ ├── bad_request.json │ │ │ │ │ ├── good.json │ │ │ │ │ └── unauthorized.json │ │ │ │ ├── llm-v1-embeddings/ │ │ │ │ │ └── responses/ │ │ │ │ │ └── good.json │ │ │ │ └── request-transformer/ │ │ │ │ ├── response-in-json.json │ │ │ │ ├── response-not-json.json │ │ │ │ ├── response-with-bad-instructions.json │ │ │ │ └── 
response-with-instructions.json │ │ │ └── unit/ │ │ │ ├── expected-requests/ │ │ │ │ ├── anthropic/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── azure/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── bedrock/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ ├── cohere/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── gemini/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ ├── llama2/ │ │ │ │ │ ├── ollama/ │ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ │ └── raw/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── mistral/ │ │ │ │ │ ├── ollama/ │ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ │ └── openai/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ └── openai/ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ └── llm-v1-completions.json │ │ │ ├── expected-responses/ │ │ │ │ ├── anthropic/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── azure/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── bedrock/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ ├── cohere/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── gemini/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ ├── llama2/ │ │ │ │ │ ├── ollama/ │ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ │ └── raw/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── mistral/ │ │ │ │ │ ├── ollama/ │ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ │ └── openai/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ └── openai/ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ └── llm-v1-completions.json │ │ │ ├── real-responses/ │ │ │ │ ├── anthropic/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── azure/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── bedrock/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ ├── cohere/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ 
│ │ └── llm-v1-completions.json │ │ │ │ ├── gemini/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ ├── llama2/ │ │ │ │ │ ├── ollama/ │ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ │ └── raw/ │ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ │ └── llm-v1-completions.json │ │ │ │ ├── mistral/ │ │ │ │ │ ├── ollama/ │ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ │ └── openai/ │ │ │ │ │ └── llm-v1-chat.json │ │ │ │ └── openai/ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ └── llm-v1-completions.json │ │ │ ├── real-stream-frames/ │ │ │ │ ├── cohere/ │ │ │ │ │ ├── llm-v1-chat.txt │ │ │ │ │ └── llm-v1-completions.txt │ │ │ │ └── openai/ │ │ │ │ ├── llm-v1-chat.txt │ │ │ │ └── llm-v1-completions.txt │ │ │ ├── requests/ │ │ │ │ ├── llm-v1-chat.json │ │ │ │ ├── llm-v1-completion-template.json │ │ │ │ └── llm-v1-completions.json │ │ │ └── streaming-chunk-formats/ │ │ │ ├── aws/ │ │ │ │ └── expected-output.json │ │ │ ├── complete-json/ │ │ │ │ └── expected-output.json │ │ │ ├── partial-json-beginning/ │ │ │ │ └── expected-output.json │ │ │ ├── partial-json-end/ │ │ │ │ └── expected-output.json │ │ │ └── text-event-stream/ │ │ │ └── expected-output.json │ │ ├── aws-lambda.lua │ │ ├── aws-sam.lua │ │ ├── balancer_utils.lua │ │ ├── blueprints.lua │ │ ├── burst.yml │ │ ├── custom_nginx.template │ │ ├── custom_plugins/ │ │ │ └── kong/ │ │ │ └── plugins/ │ │ │ ├── admin-api-method/ │ │ │ │ ├── api.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── schema.lua │ │ │ │ └── status_api.lua │ │ │ ├── api-override/ │ │ │ │ ├── api.lua │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── cache/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── cache-key-vs-endpoint-key/ │ │ │ │ ├── daos.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── migrations/ │ │ │ │ │ ├── 000_base_cache_key_vs_endpoint_key.lua │ │ │ │ │ └── init.lua │ │ │ │ └── schema.lua │ │ │ ├── cluster-error-reporting/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── ctx-checker/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ 
├── ctx-checker-last/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── ctx-tests/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── ctx-tests-response/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── dns-client-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── dummy/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── enable-buffering/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── enable-buffering-response/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── error-generator/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── error-generator-last/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── error-handler-log/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── fail-once-auth/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── foreign-entity/ │ │ │ │ ├── api.lua │ │ │ │ ├── daos.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── migrations/ │ │ │ │ │ ├── 000_base_foreign_entity.lua │ │ │ │ │ └── init.lua │ │ │ │ └── schema.lua │ │ │ ├── get-plugin-id/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── init-worker-lua-error/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── invalid-schema/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── invalidations/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── logger/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── logger-last/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── max-args/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── muti-external-http-calls/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── older-version/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── pdk-logger/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── plugin-config-dump/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── plugin-with-custom-dao/ │ │ │ │ ├── custom_dao.lua │ │ │ │ ├── daos.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── schema.lua │ │ │ │ └── strategies/ │ │ │ │ └── postgres/ │ │ │ │ 
└── custom_dao.lua │ │ │ ├── preserve-nulls/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── reconfiguration-completion/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── redis-dummy/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── reference-ca-cert/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── reports-api/ │ │ │ │ ├── api.lua │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── request-aware-table/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── response-phase/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rewriter/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-batch-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-concentrator-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-debug/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-error-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-get-delta-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-hello-test/ │ │ │ │ ├── api.lua │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-notification-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-notify-new-version-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── rpc-validation-test/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── secret-response/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── short-circuit/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── slow-query/ │ │ │ │ ├── api.lua │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── stream-api-echo/ │ │ │ │ ├── api.lua │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── tcp-trace-exporter/ │ │ │ │ ├── handler.lua │ │ │ │ └── schema.lua │ │ │ ├── transformations/ │ │ │ │ ├── daos.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── migrations/ │ │ │ │ │ ├── 000_base_transformations.lua │ │ │ │ │ └── init.lua │ │ │ │ └── schema.lua │ │ │ ├── translate-backwards-older-plugin/ │ │ │ │ ├── handler.lua │ 
│ │ │ └── schema.lua │ │ │ ├── unique-foreign/ │ │ │ │ ├── daos.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── migrations/ │ │ │ │ │ ├── 000_base_unique_foreign.lua │ │ │ │ │ └── init.lua │ │ │ │ └── schema.lua │ │ │ ├── with-migrations/ │ │ │ │ ├── daos.lua │ │ │ │ ├── handler.lua │ │ │ │ ├── migrations/ │ │ │ │ │ ├── 000_base_with_migrations.lua │ │ │ │ │ ├── 001_14_to_15.lua │ │ │ │ │ └── init.lua │ │ │ │ └── schema.lua │ │ │ └── worker-events/ │ │ │ ├── handler.lua │ │ │ └── schema.lua │ │ ├── custom_vaults/ │ │ │ └── kong/ │ │ │ └── vaults/ │ │ │ ├── echo/ │ │ │ │ ├── init.lua │ │ │ │ └── schema.lua │ │ │ ├── mock/ │ │ │ │ ├── init.lua │ │ │ │ └── schema.lua │ │ │ ├── mocksocket/ │ │ │ │ ├── init.lua │ │ │ │ └── schema.lua │ │ │ ├── random/ │ │ │ │ ├── init.lua │ │ │ │ └── schema.lua │ │ │ └── test/ │ │ │ ├── init.lua │ │ │ └── schema.lua │ │ ├── dc_blueprints.lua │ │ ├── default_status_listen.conf │ │ ├── dump_lmdb_key.lua │ │ ├── error_templates/ │ │ │ ├── error_template.html │ │ │ ├── error_template.json │ │ │ ├── error_template.plain │ │ │ └── error_template.xml │ │ ├── external_plugins/ │ │ │ ├── go/ │ │ │ │ ├── go-hello.go │ │ │ │ ├── go.mod │ │ │ │ └── go.sum │ │ │ ├── js/ │ │ │ │ └── js-hello.js │ │ │ └── py/ │ │ │ ├── py-hello.py │ │ │ └── requirements.txt │ │ ├── factories/ │ │ │ └── plugins.lua │ │ ├── forward-proxy-server.lua │ │ ├── grpc/ │ │ │ ├── direct_imports.proto │ │ │ ├── google/ │ │ │ │ ├── api/ │ │ │ │ │ ├── annotations.proto │ │ │ │ │ ├── http.proto │ │ │ │ │ └── httpbody.proto │ │ │ │ └── protobuf/ │ │ │ │ ├── any.proto │ │ │ │ ├── api.proto │ │ │ │ ├── descriptor.proto │ │ │ │ ├── duration.proto │ │ │ │ ├── empty.proto │ │ │ │ ├── field_mask.proto │ │ │ │ ├── source_context.proto │ │ │ │ ├── struct.proto │ │ │ │ ├── timestamp.proto │ │ │ │ ├── type.proto │ │ │ │ └── wrappers.proto │ │ │ ├── hello.proto │ │ │ ├── helloworld.proto │ │ │ ├── second_level_imports.proto │ │ │ ├── target/ │ │ │ │ ├── go.mod │ │ │ │ ├── go.sum │ │ │ │ ├── 
grpc-target.go │ │ │ │ └── targetservice/ │ │ │ │ ├── targetservice.pb.go │ │ │ │ └── targetservice_grpc.pb.go │ │ │ └── targetservice.proto │ │ ├── headers.conf │ │ ├── hosts │ │ ├── https_server.lua │ │ ├── invalid-module.lua │ │ ├── invalid.conf │ │ ├── invalid_nginx_directives.conf │ │ ├── kong_clustering.crt │ │ ├── kong_clustering.key │ │ ├── kong_clustering_ca.crt │ │ ├── kong_clustering_client.crt │ │ ├── kong_clustering_client.key │ │ ├── kong_spec.crt │ │ ├── kong_spec.key │ │ ├── migrations/ │ │ │ └── kong/ │ │ │ └── db/ │ │ │ └── migrations/ │ │ │ └── core/ │ │ │ ├── 000_base.lua │ │ │ ├── 001_14_to_15.lua │ │ │ └── init.lua │ │ ├── mock_cp.lua │ │ ├── mock_upstream.lua │ │ ├── mock_webserver_tpl.lua │ │ ├── mocker.lua │ │ ├── mocks/ │ │ │ ├── lua-resty-dns/ │ │ │ │ └── resty/ │ │ │ │ └── dns/ │ │ │ │ └── resolver.lua │ │ │ └── lua-resty-websocket/ │ │ │ └── resty/ │ │ │ └── websocket/ │ │ │ └── peer.lua │ │ ├── mtls_certs/ │ │ │ ├── ca.crt │ │ │ ├── ca.key │ │ │ ├── example.com.crt │ │ │ ├── example.com.key │ │ │ ├── example2.com.crt │ │ │ └── example2.com.key │ │ ├── nginx-directives.conf │ │ ├── ocsp_certs/ │ │ │ ├── ca-chain.crt │ │ │ ├── ca.crt │ │ │ ├── index.txt │ │ │ ├── index.txt.revoked │ │ │ ├── kong_clustering.crt │ │ │ ├── kong_clustering.key │ │ │ ├── kong_data_plane.crt │ │ │ ├── kong_data_plane.key │ │ │ ├── ocsp.crt │ │ │ └── ocsp.key │ │ ├── opentelemetry/ │ │ │ └── otelcol.yaml │ │ ├── perf/ │ │ │ ├── 500services-each-4-routes.sql │ │ │ ├── charts/ │ │ │ │ ├── test_data1.json │ │ │ │ └── test_data2.json │ │ │ └── terraform/ │ │ │ ├── aws-ec2/ │ │ │ │ ├── .gitignore │ │ │ │ ├── ec2.tf │ │ │ │ ├── main.tf │ │ │ │ ├── output.tf │ │ │ │ ├── ssh.tf │ │ │ │ └── variables.tf │ │ │ ├── bring-your-own/ │ │ │ │ ├── main.tf │ │ │ │ ├── output.tf │ │ │ │ ├── ssh.tf │ │ │ │ └── variables.tf │ │ │ ├── digitalocean/ │ │ │ │ ├── .gitignore │ │ │ │ ├── droplets.tf │ │ │ │ ├── main.tf │ │ │ │ ├── output.tf │ │ │ │ ├── project.tf │ │ │ │ ├── ssh.tf │ │ 
│ │ └── variables.tf │ │ │ └── equinix-metal/ │ │ │ ├── .gitignore │ │ │ ├── README.md │ │ │ ├── main.tf │ │ │ ├── metal.tf │ │ │ ├── output.tf │ │ │ ├── scripts/ │ │ │ │ └── wrk.lua │ │ │ ├── ssh.tf │ │ │ ├── tls.tf │ │ │ └── variables.tf │ │ ├── prometheus/ │ │ │ └── metrics.conf │ │ ├── proxy_wasm_filters/ │ │ │ ├── Cargo.toml │ │ │ ├── response_transformer/ │ │ │ │ ├── Cargo.toml │ │ │ │ └── src/ │ │ │ │ ├── filter.rs │ │ │ │ └── types.rs │ │ │ └── tests/ │ │ │ ├── Cargo.toml │ │ │ └── src/ │ │ │ ├── filter.rs │ │ │ ├── metrics.rs │ │ │ ├── routines.rs │ │ │ ├── test_cases.rs │ │ │ ├── test_http.rs │ │ │ └── types.rs │ │ ├── redis/ │ │ │ ├── ca.crt │ │ │ ├── ca.key │ │ │ ├── docker-entrypoint.sh │ │ │ ├── server.crt │ │ │ └── server.key │ │ ├── reload.conf │ │ ├── router_path_handling_tests.lua │ │ ├── sam-app/ │ │ │ ├── .gitignore │ │ │ ├── README.md │ │ │ ├── __init__.py │ │ │ ├── events/ │ │ │ │ └── event.json │ │ │ ├── hello_world/ │ │ │ │ ├── __init__.py │ │ │ │ ├── app.py │ │ │ │ └── requirements.txt │ │ │ ├── template.yaml │ │ │ └── tests/ │ │ │ ├── __init__.py │ │ │ ├── integration/ │ │ │ │ ├── __init__.py │ │ │ │ └── test_api_gateway.py │ │ │ ├── requirements.txt │ │ │ └── unit/ │ │ │ ├── __init__.py │ │ │ └── test_handler.py │ │ ├── shared_dict.lua │ │ ├── shm-stub.lua │ │ ├── ssl.lua │ │ ├── stress_generator.lua │ │ ├── template_inject/ │ │ │ ├── nginx_kong_test_custom_inject_http.lua │ │ │ ├── nginx_kong_test_custom_inject_stream.lua │ │ │ └── nginx_kong_test_tcp_echo_server_custom_inject_stream.lua │ │ ├── to-strip.conf │ │ └── valid-module.lua │ ├── helpers/ │ │ ├── dns.lua │ │ ├── http_mock/ │ │ │ ├── asserts.lua │ │ │ ├── clients.lua │ │ │ ├── debug_port.lua │ │ │ ├── nginx_instance.lua │ │ │ ├── tapping.lua │ │ │ └── template.lua │ │ ├── http_mock.lua │ │ ├── perf/ │ │ │ ├── charts/ │ │ │ │ ├── .gitignore │ │ │ │ ├── charts.py │ │ │ │ └── requirements.txt │ │ │ ├── charts.lua │ │ │ ├── drivers/ │ │ │ │ ├── docker.lua │ │ │ │ └── terraform.lua │ 
│ │ ├── git.lua │ │ │ ├── logger.lua │ │ │ └── utils.lua │ │ ├── perf.lua │ │ ├── redis_helper.lua │ │ ├── rpc_mock/ │ │ │ ├── cp.lua │ │ │ ├── default.lua │ │ │ ├── dp.lua │ │ │ ├── readme.md │ │ │ └── setup.lua │ │ └── wait.lua │ ├── helpers.lua │ ├── hybrid.lua │ ├── internal/ │ │ ├── asserts.lua │ │ ├── client.lua │ │ ├── cmd.lua │ │ ├── conf.lua │ │ ├── constants.lua │ │ ├── db.lua │ │ ├── dns.lua │ │ ├── grpc.lua │ │ ├── misc.lua │ │ ├── module.lua │ │ ├── pid.lua │ │ ├── server.lua │ │ ├── shell.lua │ │ ├── ssl.lua │ │ ├── sys.lua │ │ └── wait.lua │ ├── kong_tests.conf │ ├── ldoc.css │ ├── on_demand_specs │ ├── renderdocs.sh │ ├── require.lua │ └── upgrade_helpers.lua └── t/ ├── 01-pdk/ │ ├── 01-table.t │ ├── 02-log/ │ │ ├── 00-phase_checks.t │ │ ├── 01-sanity.t │ │ ├── 02-new.t │ │ ├── 03-set_format.t │ │ ├── 04-inspect.t │ │ ├── 05-set_serialize_value.t │ │ └── 06-deprecation.t │ ├── 03-ip/ │ │ └── 01-is_trusted.t │ ├── 04-request/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_scheme.t │ │ ├── 02-get_host.t │ │ ├── 03-get_port.t │ │ ├── 04-get_forwarded_scheme.t │ │ ├── 05-get_forwarded_host.t │ │ ├── 06-get_forwarded_port.t │ │ ├── 07-get_http_version.t │ │ ├── 08-get_method.t │ │ ├── 09-get_path.t │ │ ├── 10-get_raw_query.t │ │ ├── 11-get_query_arg.t │ │ ├── 12-get_query.t │ │ ├── 13-get_header.t │ │ ├── 14-get_headers.t │ │ ├── 15-get_raw_body.t │ │ ├── 16-get_body.t │ │ ├── 17-get_path_with_query.t │ │ ├── 18-get_forwarded_path.t │ │ ├── 19-get_forwarded_prefix.t │ │ ├── 20-get_raw_path.t │ │ ├── 20-get_start_time.t │ │ └── 21-get_uri_captures.t │ ├── 05-client/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_ip.t │ │ ├── 02-get_forwarded_ip.t │ │ ├── 03-get_port.t │ │ ├── 04-get_forwarded_port.t │ │ ├── 05-get_credential.t │ │ ├── 06-get_consumer.t │ │ ├── 07-authenticate.t │ │ ├── 08-get_protocol.t │ │ └── 09-load-consumer.t │ ├── 06-service-request/ │ │ ├── 00-phase_checks.t │ │ ├── 01-set_scheme.t │ │ ├── 04-set_path.t │ │ ├── 05-set_raw_query.t │ │ ├── 
06-set_method.t │ │ ├── 07-set_body.t │ │ ├── 08-set_query.t │ │ ├── 09-set_header.t │ │ ├── 10-add_header.t │ │ ├── 11-clear_header.t │ │ ├── 12-set_headers.t │ │ ├── 13-set_raw_body.t │ │ └── 14-clear_query_arg.t │ ├── 07-service-response/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_status.t │ │ ├── 02-get_headers.t │ │ ├── 03-get_header.t │ │ ├── 04-get_raw_body.t │ │ └── 05-get_body.t │ ├── 08-response/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_status.t │ │ ├── 02-get_header.t │ │ ├── 03-get_headers.t │ │ ├── 04-set_status.t │ │ ├── 05-set_header.t │ │ ├── 06-add_header.t │ │ ├── 07-clear_header.t │ │ ├── 08-set_headers.t │ │ ├── 09-set_raw_body.t │ │ ├── 10-set_body.t │ │ ├── 11-exit.t │ │ ├── 12-get_source.t │ │ ├── 13-error.t │ │ └── 14-get_raw_body.t │ ├── 09-service/ │ │ ├── 00-phase_checks.t │ │ ├── 01-set-upstream.t │ │ ├── 02-set-target.t │ │ ├── 03-set-tls-cert-key.t │ │ ├── 04-set-retries.t │ │ └── 05-set-timeouts.t │ ├── 10-nginx/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_subsystem.t │ │ └── 02-get_statistics.t │ ├── 11-ctx.t │ ├── 12-node/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_id.t │ │ ├── 02-get_memory_stats.t │ │ └── 03-get_hostname.t │ ├── 13-router/ │ │ ├── 00-phase_checks.t │ │ ├── 01-get_route.t │ │ └── 02-get_service.t │ ├── 14-client-tls/ │ │ ├── 00-phase_checks.t │ │ └── 01-request_client_certificate.t │ ├── 15-tracing/ │ │ └── 01-context.t │ └── 16-rl-ctx.t ├── 02-global/ │ ├── 01-init-pdk.t │ ├── 02-set-named-ctx.t │ └── 03-namespaced_log.t ├── 03-dns-client/ │ ├── 00-sanity.t │ ├── 01-phases.t │ └── 02-timer-usage.t ├── 04-patch/ │ ├── 01-ngx-buf-double-free.t │ ├── 02-ngx-read-body-block.t │ ├── 03-fix-ngx-send-header-filter-finalize-ctx.t │ ├── 04-fix-ngx-recreate-request-work-for-body.t │ └── 05-ngx-refresh-upstream-uri-when-balancer-retry.t ├── 05-mlcache/ │ ├── 00-ipc.t │ ├── 01-new.t │ ├── 02-get.t │ ├── 03-peek.t │ ├── 04-update.t │ ├── 05-set.t │ ├── 06-delete.t │ ├── 07-l1_serializer.t │ ├── 08-purge.t │ ├── 09-isolation.t │ ├── 
10-ipc_shm.t │ ├── 11-locks_shm.t │ ├── 12-resurrect-stale.t │ ├── 13-get_bulk.t │ ├── 14-bulk-and-res.t │ └── 15-renew.t ├── Util.pm ├── certs/ │ ├── ca.crt │ ├── ca.key │ ├── client_example.com.crt │ ├── client_example.com.key │ ├── intermediate.crt │ ├── intermediate.key │ ├── test.crt │ └── test.key ├── pdk.luacov └── phase_checks.luacov

================================================
FILE CONTENTS
================================================

================================================
FILE: .bazelignore
================================================
# NB: semantics here are not the same as .gitignore
# see https://github.com/bazelbuild/bazel/issues/8106
# Ignore backup files.
*~
# Ignore Vim swap files.
.*.swp
# Ignore files generated by IDEs.
/.aswb/
/.cache/
/.classpath
/.clwb/
/.factorypath
/.idea/
/.ijwb/
/.project
/.settings
/.vscode/
/bazel.iml
# Ignore all bazel-* symlinks. There is no full list since this can change
# based on the name of the directory bazel is cloned into.
/bazel-*
# Ignore outputs generated during Bazel bootstrapping.
/output/
# Ignore jekyll build output.
/production
/.sass-cache
# Bazelisk version file
.bazelversion
# User-specific .bazelrc
user.bazelrc

/t/
/spec/
/spec-ee/
/servroot/
/autodoc/
/.github/
.DS_Store

================================================
FILE: .bazelrc
================================================
# Bazel doesn't need more than 200MB of memory for local build based on memory profiling:
# https://docs.bazel.build/versions/master/skylark/performance.html#memory-profiling
# The default JVM max heapsize is 1/4 of physical memory up to 32GB which could be large
# enough to consume all memory constrained by cgroup in large host.
# Limiting JVM heapsize here to let it do GC more when approaching the limit to
# leave room for compiler/linker.
# The number 3G is chosen heuristically to both support large VM and small VM with RBE.
# Startup options cannot be selected via config.
startup --host_jvm_args=-Xmx512m

run --color=yes

common --color=yes
common --curses=auto

# TODO: remove after bump to bazel >= 8
common --enable_workspace

build --experimental_ui_max_stdouterr_bytes=10485760

build --show_progress_rate_limit=0
build --show_timestamps
build --worker_verbose

build --incompatible_strict_action_env

# make output files and directories 0755 instead of 0555
build --experimental_writable_outputs

# Pass PATH, CC, CXX variables from the environment.
build --action_env=CC --host_action_env=CC
build --action_env=CXX --host_action_env=CXX
build --action_env=PATH --host_action_env=PATH

# temporary fix for https://github.com/bazelbuild/bazel/issues/12905 on macOS
build --features=-debug_prefix_map_pwd_is_dot

# Build flags.
build --action_env=BUILD_NAME=kong-dev
build --action_env=INSTALL_DESTDIR=MANAGED
build --strip=never

# Release flags
build:release --//:debug=false
build:release --//:licensing=true
build:release --action_env=BUILD_NAME=kong-dev
build:release --action_env=INSTALL_DESTDIR=/usr/local
build:release --compilation_mode=opt
build:release --copt="-g"
build:release --strip=never

build --spawn_strategy=local

================================================
FILE: .bazelversion
================================================
7.3.1

================================================
FILE: .busted
================================================
return {
  default = {
    lpath = "./?.lua;./?/init.lua;",
    -- make setup() and teardown() behave like their lazy_ variants
    lazy = true,
    helper = "./spec/busted-ci-helper.lua",
  }
}

================================================
FILE: .ci/ast-grep/README.md
================================================
# ast-grep

`ast-grep` is a tool for querying source code in a (relatively) language-agnostic manner. It allows us to write lint rules that target patterns that are specific to our codebase and therefore not covered by tools like `luacheck`.

## Installing ast-grep

See the [installation docs](https://ast-grep.github.io/guide/quick-start.html#installation) for guidance.

## Crafting a New Lint Rule

The workflow for writing a new lint rule looks like this:

1. Draft your rule at `.ci/ast-grep/rules/${name}.yml`
    * Use `ast-grep scan --filter ${name} [paths...]` to evaluate your rule's behavior
2. Write tests for the rule in `.ci/ast-grep/tests/${name}-test.yml`
    * Make sure to fill out several `valid` and `invalid` code snippets
    * Use `ast-grep test --interactive`\* to test the rule
3. `git add .ci/ast-grep && git commit ...`

\* `ast-grep test` uses a file snapshot testing pattern. Almost any time a rule or test is created or modified, the snapshots must be updated. The `--interactive` flag for `ast-grep test` will prompt you to accept these updates. The snapshots provide very granular testing for rule behavior, but for many cases where we just care about whether or not a rule matches a certain snippet of code, they can be overkill. Use `ast-grep test --update-all` to automatically accept and save new snapshots.

## CI

`ast-grep` is executed in the [ast-grep lint workflow](/.github/workflows/ast-grep.yml). In addition to running the linter, this workflow also performs self-tests and ensures that all existing rules are well-formed and have tests associated with them.

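The rule-and-test pair that the steps under "Crafting a New Lint Rule" produce, as an added example that is not part of the Kong repository. The rule id `kong-log-string-concat`, both file paths and all test snippets are hypothetical; the rule applies the check made by the repository's `ngx-log-string-concat` rule to `kong.log.<level>()` calls, assuming those calls accept their values as separate arguments in the same way.

```yaml
# File: .ci/ast-grep/rules/kong-log-string-concat.yml (hypothetical rule)
id: kong-log-string-concat
language: lua
message: Using string concatenation to build arguments for kong.log.<level>()
severity: warning
note: |
  `"msg: " .. value` raises an error when `value` is nil, so a log statement
  on an error path can abort the request it was meant to describe.
  Pass the values as separate arguments instead.
files:
  - kong/**
rule:
  # any `a .. b` expression ...
  kind: binary_expression
  pattern: $LHS .. $RHS
  # ... that is a direct argument ...
  inside:
    kind: arguments
    # ... of a kong.log.<level>(...) call
    inside:
      kind: function_call
      pattern: kong.log.$LEVEL($$$)
---
# File: .ci/ast-grep/tests/kong-log-string-concat-test.yml (hypothetical test)
# Snippets are single-quoted because they contain `: `, which YAML would
# otherwise read as a mapping key.
id: kong-log-string-concat
valid:
  - 'kong.log.err("failed to fetch key: ", err)'
  - 'kong.log.debug("consumer ", consumer_id, " authenticated")'
  # concatenation outside of a log call is not this rule's concern
  - 'local msg = "route: " .. route_name'
invalid:
  - 'kong.log.err("failed to fetch key: " .. err)'
  - 'kong.log.warn(prefix .. ": upstream timed out")'
```

The two YAML documents are separate files; after adding them, `ast-grep test --interactive` records the snapshot for the new rule.
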
### Links

* [ast-grep website and documentation](https://ast-grep.github.io)
* [ast-grep source code](https://github.com/ast-grep/ast-grep)

================================================
FILE: .ci/ast-grep/common/.gitkeep
================================================

================================================
FILE: .ci/ast-grep/rules/.gitkeep
================================================

================================================
FILE: .ci/ast-grep/rules/assert-eventually-terminated.yml
================================================
id: assert-eventually-terminated
language: lua
message: Unterminated eventual assertion
severity: error
note: |
  `assert.eventually()` does not perform any assertion unless followed by one of
  its terminator methods:

  * `is_truthy(message)`
  * `is_falsy(message)`
  * `has_error(message)`
  * `has_no_error(message)`

files:
  - '**/*_spec.lua'

rule:
  all:
    - kind: function_call
      pattern: $$$.eventually($$$)

    - has:
        kind: dot_index_expression
        any:
          - pattern: assert.$$$
          - pattern: luassert.$$$
        stopBy: end

    - not:
        inside:
          kind: function_call
          any:
            - pattern: $$$.is_truthy($$$)
            - pattern: $$$.is_falsy($$$)
            - pattern: $$$.has_error($$$)
            - pattern: $$$.has_no_error($$$)
          stopBy: end

================================================
FILE: .ci/ast-grep/rules/helpers-outside-of-setup.yml
================================================
id: helpers-outside-of-setup
language: lua
message: Calling test setup helper function in the wrong scope
severity: warning
note: |
  Avoid calling test setup functions outside of `setup()`/`lazy_setup()`.

  ## good
  ```lua
  describe("my test", function()
    local port_a
    local port_b

    lazy_setup(function()
      port_a = helpers.get_available_port()
    end)

    it("my test case", function()
      port_b = helpers.get_available_port()
    end)
  end)
  ```

  ## bad
  ```lua
  local port_a = helpers.get_available_port()

  describe("my test", function()
    local port_b = helpers.get_available_port()

    it("my test case", function()
    end)
  end)
  ```

files:
  - '**/*_spec.lua'

utils:
  function-scope:
    any:
      - kind: function_call
      - kind: function_declaration
      - kind: function_definition

  module-scope:
    not:
      inside:
        matches: function-scope
        stopBy: end

  busted-test-case:
    inside:
      kind: function_call
      any:
        - pattern: it($$$)
        - pattern: pending($$$)
        # aliases for it/pending seen in test files
        - pattern: do_it($$$)
        - pattern: postgres_only($$$)

  busted-lifecycle:
    inside:
      kind: function_call
      any:
        - pattern: setup($$$)
        - pattern: lazy_setup($$$)
        - pattern: teardown($$$)
        - pattern: lazy_teardown($$$)
        - pattern: before_each($$$)
        - pattern: after_each($$$)

  in-upgrade-helper-setup:
    pattern: $IDENT.setup($$$)
    inside:
      kind: chunk
      stopBy: end
      has:
        any:
          - pattern: $IDENT = require "spec.upgrade_helpers"
          - pattern: $IDENT = require("spec.upgrade_helpers")
        stopBy: end

  in-function-scope:
    any:
      # local function my_setup()
      #   helpers.get_available_port()
      # end
      - kind: function_declaration

      # local my_setup = function()
      #   helpers.get_available_port()
      # end
      - pattern: $IDENT = function($$$) $$$ end

  busted-describe:
    inside:
      kind: function_call
      pattern: describe($$$)
      stopBy:
        any:
          - matches: busted-test-case
          - matches: busted-lifecycle
          - matches: in-function-scope
          - matches: in-upgrade-helper-setup

  non-setup-scope:
    any:
      - matches: module-scope
      - matches: busted-describe

rule:
  kind: function_call
  pattern: helpers.$FUNC($$$)
  matches: non-setup-scope

constraints:
  FUNC:
    kind: identifier
    any:
      - pattern: admin_client
      - pattern: generate_keys
      - pattern: get_available_port
      - pattern: get_db_utils
      - pattern: setenv
      - pattern: start_kong
      - pattern: tcp_server

================================================
FILE: .ci/ast-grep/rules/ngx-log-string-concat.yml
================================================
id: ngx-log-string-concat
language: lua
message: Using string concatenation to build arguments for ngx.log()
severity: error
note: |
  When invoking `ngx.log()` with some variable as input, prefer vararg-style
  calls rather than using the string concatenation operator (`..`):

  ## bad
  ```lua
  ngx.log(ngx.DEBUG, "if `my_var` is nil, this code throws an exception: " .. my_var)
  ```

  ## good
  ```lua
  ngx.log(ngx.DEBUG, "if `my_var` is nil, this code is fine: ", my_var)
  ```

files:
  - kong/**
  - test*.lua

rule:
  all:
    - matches: string-concat
      inside:
        kind: arguments
        inside:
          matches: ngx-log-call

    - not:
        matches: string-literal-concat

utils:
  ngx-log-call:
    any:
      # direct invocation of `_G.ngx.log()`
      - pattern: ngx.log($_LEVEL, $$$)

      # track local var assignments of `_G.ngx.log`
      - pattern: $IDENT($_LEVEL, $$$)
        inside:
          kind: chunk
          stopBy: end
          has:
            pattern: $IDENT = ngx.log
            stopBy: end

  string-concat:
    kind: binary_expression
    pattern: $LHS .. $RHS

  string-literal-concat:
    kind: binary_expression
    all:
      - has:
          nthChild: 1
          any:
            - kind: string
            - matches: string-literal-concat

      - has:
          nthChild: 2
          any:
            - kind: string
            - matches: string-literal-concat

================================================
FILE: .ci/ast-grep/tests/.gitkeep
================================================

================================================
FILE: .ci/ast-grep/tests/__snapshots__/assert-eventually-terminated-snapshot.yml
================================================
id: assert-eventually-terminated snapshots: assert.eventually(function() end): labels: - source: assert.eventually(function() end) style: primary start: 0 end: 33 - source: assert.eventually style: secondary start: 0 end: 17 ?
| assert.eventually(function() end) : labels: - source: assert.eventually(function() end) style: primary start: 0 end: 33 - source: assert.eventually style: secondary start: 0 end: 17 assert.eventually(function() end).with_timeout(1): labels: - source: assert.eventually(function() end) style: primary start: 0 end: 33 - source: assert.eventually style: secondary start: 0 end: 17 assert.with_timeout(1).eventually(function() end): labels: - source: assert.with_timeout(1).eventually(function() end) style: primary start: 0 end: 49 - source: assert.with_timeout style: secondary start: 0 end: 19 assert.with_timeout(1).eventually(function() end).with_timeout(1): labels: - source: assert.with_timeout(1).eventually(function() end) style: primary start: 0 end: 49 - source: assert.with_timeout style: secondary start: 0 end: 19 luassert.eventually(function() end): labels: - source: luassert.eventually(function() end) style: primary start: 0 end: 35 - source: luassert.eventually style: secondary start: 0 end: 19 ? 
|
    luassert.eventually(function() end)
  : labels:
    - source: luassert.eventually(function() end)
      style: primary
      start: 0
      end: 35
    - source: luassert.eventually
      style: secondary
      start: 0
      end: 19
  luassert.eventually(function() end).with_timeout(1):
    labels:
    - source: luassert.eventually(function() end)
      style: primary
      start: 0
      end: 35
    - source: luassert.eventually
      style: secondary
      start: 0
      end: 19
  luassert.with_timeout(1).eventually(function() end):
    labels:
    - source: luassert.with_timeout(1).eventually(function() end)
      style: primary
      start: 0
      end: 51
    - source: luassert.with_timeout
      style: secondary
      start: 0
      end: 21
  luassert.with_timeout(1).eventually(function() end).with_timeout(1):
    labels:
    - source: luassert.with_timeout(1).eventually(function() end)
      style: primary
      start: 0
      end: 51
    - source: luassert.with_timeout
      style: secondary
      start: 0
      end: 21

================================================
FILE: .ci/ast-grep/tests/__snapshots__/helpers-outside-of-setup-snapshot.yml
================================================
id: helpers-outside-of-setup
snapshots:
  ? |
    describe("my test", function()
      for _, strategy in helpers.each_strategy() do
        local a = 123
        local port = helpers.get_available_port()
      end
    end)
  : labels:
    - source: helpers.get_available_port()
      style: primary
      start: 113
      end: 141
    - source: |-
        describe("my test", function()
          for _, strategy in helpers.each_strategy() do
            local a = 123
            local port = helpers.get_available_port()
          end
        end)
      style: secondary
      start: 0
      end: 152
  ? |
    describe("my test", function()
      local a = 123
      local port = helpers.get_available_port()
    end)
  : labels:
    - source: helpers.get_available_port()
      style: primary
      start: 62
      end: 90
    - source: |-
        describe("my test", function()
          local a = 123
          local port = helpers.get_available_port()
        end)
      style: secondary
      start: 0
      end: 95
  ? |
    describe(function()
      local a = 123
      local port = helpers.get_available_port()
    end)
  : labels:
    - source: helpers.get_available_port()
      style: primary
      start: 51
      end: 79
    - source: |-
        describe(function()
          local a = 123
          local port = helpers.get_available_port()
        end)
      style: secondary
      start: 0
      end: 84
  ? |
    for _, strategy in helpers.each_strategy() do
      local a = 123
      local port = helpers.get_available_port()
      describe("my test", function()
        -- ...
      end)
    end
  : labels:
    - source: helpers.get_available_port()
      style: primary
      start: 76
      end: 104
  ? |
    for _, strategy in helpers.each_strategy() do
      local a = 123
      local port = helpers.get_available_port()
    end
  : labels:
    - source: helpers.get_available_port()
      style: primary
      start: 76
      end: 104
  ? |
    local a = 123
    local port = helpers.get_available_port()
  : labels:
    - source: helpers.get_available_port()
      style: primary
      start: 27
      end: 55
  local port = helpers.get_available_port():
    labels:
    - source: helpers.get_available_port()
      style: primary
      start: 13
      end: 41

================================================
FILE: .ci/ast-grep/tests/__snapshots__/ngx-log-string-concat-snapshot.yml
================================================
id: ngx-log-string-concat
snapshots:
  ? |
    local foo = ngx.log

    foo(ngx.NOTICE, b .. c .. ": STRING")
  : labels:
    - source: 'b .. c .. ": STRING"'
      style: primary
      start: 37
      end: 57
    - source: foo = ngx.log
      style: secondary
      start: 6
      end: 19
    - source: |
        local foo = ngx.log

        foo(ngx.NOTICE, b .. c .. ": STRING")
      style: secondary
      start: 0
      end: 59
    - source: 'foo(ngx.NOTICE, b .. c .. ": STRING")'
      style: secondary
      start: 21
      end: 58
    - source: '(ngx.NOTICE, b .. c .. ": STRING")'
      style: secondary
      start: 24
      end: 58
  ? |
    local foo = ngx.log

    if true then
      local function my_log(a, b, c)
        foo(ngx.NOTICE, b .. c .. ": STRING")
      end
    end
  : labels:
    - source: 'b .. c .. ": STRING"'
      style: primary
      start: 87
      end: 107
    - source: foo = ngx.log
      style: secondary
      start: 6
      end: 19
    - source: |
        local foo = ngx.log

        if true then
          local function my_log(a, b, c)
            foo(ngx.NOTICE, b .. c .. ": STRING")
          end
        end
      style: secondary
      start: 0
      end: 119
    - source: 'foo(ngx.NOTICE, b .. c .. ": STRING")'
      style: secondary
      start: 71
      end: 108
    - source: '(ngx.NOTICE, b .. c .. ": STRING")'
      style: secondary
      start: 74
      end: 108
  ? |
    local ngx_log = ngx.log
    local foo = ngx.log

    if true then
      local function my_log(a, b, c)
        ngx_log(ngx.ERR, "STRING: " .. a)
        foo(ngx.NOTICE, b .. c .. ": STRING")
      end
    end
  : labels:
    - source: '"STRING: " .. a'
      style: primary
      start: 112
      end: 127
    - source: ngx_log = ngx.log
      style: secondary
      start: 6
      end: 23
    - source: |
        local ngx_log = ngx.log
        local foo = ngx.log

        if true then
          local function my_log(a, b, c)
            ngx_log(ngx.ERR, "STRING: " .. a)
            foo(ngx.NOTICE, b .. c .. ": STRING")
          end
        end
      style: secondary
      start: 0
      end: 181
    - source: 'ngx_log(ngx.ERR, "STRING: " .. a)'
      style: secondary
      start: 95
      end: 128
    - source: '(ngx.ERR, "STRING: " .. a)'
      style: secondary
      start: 102
      end: 128
  ? |
    local ngx_log = ngx.log
    local foo = ngx.log

    local function my_log(a, b, c)
      ngx_log(ngx.ERR, "STRING: " .. a)
      foo(ngx.NOTICE, b .. c .. ": STRING")
    end
    my_log(1, 2, 3)
  : labels:
    - source: '"STRING: " .. a'
      style: primary
      start: 95
      end: 110
    - source: ngx_log = ngx.log
      style: secondary
      start: 6
      end: 23
    - source: |
        local ngx_log = ngx.log
        local foo = ngx.log

        local function my_log(a, b, c)
          ngx_log(ngx.ERR, "STRING: " .. a)
          foo(ngx.NOTICE, b .. c .. ": STRING")
        end
        my_log(1, 2, 3)
      style: secondary
      start: 0
      end: 172
    - source: 'ngx_log(ngx.ERR, "STRING: " .. a)'
      style: secondary
      start: 78
      end: 111
    - source: '(ngx.ERR, "STRING: " .. a)'
      style: secondary
      start: 85
      end: 111
  ? |
    local ngx_log = ngx.log
    local foo = ngx.log

    ngx_log(ngx.ERR, "STRING: " .. a)
    foo(ngx.NOTICE, b .. c .. ": STRING")
  : labels:
    - source: '"STRING: " .. a'
      style: primary
      start: 62
      end: 77
    - source: ngx_log = ngx.log
      style: secondary
      start: 6
      end: 23
    - source: |
        local ngx_log = ngx.log
        local foo = ngx.log

        ngx_log(ngx.ERR, "STRING: " .. a)
        foo(ngx.NOTICE, b .. c .. ": STRING")
      style: secondary
      start: 0
      end: 117
    - source: 'ngx_log(ngx.ERR, "STRING: " .. a)'
      style: secondary
      start: 45
      end: 78
    - source: '(ngx.ERR, "STRING: " .. a)'
      style: secondary
      start: 52
      end: 78
  ? |
    ngx.log(ngx.INFO, "STRING: " .. my_var .. ": STRING")
  : labels:
    - source: '"STRING: " .. my_var .. ": STRING"'
      style: primary
      start: 18
      end: 52
    - source: 'ngx.log(ngx.INFO, "STRING: " .. my_var .. ": STRING")'
      style: secondary
      start: 0
      end: 53
    - source: '(ngx.INFO, "STRING: " .. my_var .. ": STRING")'
      style: secondary
      start: 7
      end: 53
  'ngx.log(ngx.INFO, "STRING: " .. my_var)':
    labels:
    - source: '"STRING: " .. my_var'
      style: primary
      start: 18
      end: 38
    - source: 'ngx.log(ngx.INFO, "STRING: " .. my_var)'
      style: secondary
      start: 0
      end: 39
    - source: '(ngx.INFO, "STRING: " .. my_var)'
      style: secondary
      start: 7
      end: 39
  ? |
    ngx.log(ngx.INFO, "STRING: " .. my_var)
  : labels:
    - source: '"STRING: " .. my_var'
      style: primary
      start: 18
      end: 38
    - source: 'ngx.log(ngx.INFO, "STRING: " .. my_var)'
      style: secondary
      start: 0
      end: 39
    - source: '(ngx.INFO, "STRING: " .. my_var)'
      style: secondary
      start: 7
      end: 39
  ? |
    ngx.log(ngx.INFO, my_var .. ": STRING :" .. my_other_var)
  : labels:
    - source: 'my_var .. ": STRING :" .. my_other_var'
      style: primary
      start: 18
      end: 56
    - source: 'ngx.log(ngx.INFO, my_var .. ": STRING :" .. my_other_var)'
      style: secondary
      start: 0
      end: 57
    - source: '(ngx.INFO, my_var .. ": STRING :" .. my_other_var)'
      style: secondary
      start: 7
      end: 57
  'ngx.log(ngx.INFO, my_var .. ": STRING")':
    labels:
    - source: 'my_var .. ": STRING"'
      style: primary
      start: 18
      end: 38
    - source: 'ngx.log(ngx.INFO, my_var .. ": STRING")'
      style: secondary
      start: 0
      end: 39
    - source: '(ngx.INFO, my_var .. ": STRING")'
      style: secondary
      start: 7
      end: 39
  ? |
    ngx.log(ngx.INFO, my_var .. ": STRING")
  : labels:
    - source: 'my_var .. ": STRING"'
      style: primary
      start: 18
      end: 38
    - source: 'ngx.log(ngx.INFO, my_var .. ": STRING")'
      style: secondary
      start: 0
      end: 39
    - source: '(ngx.INFO, my_var .. ": STRING")'
      style: secondary
      start: 7
      end: 39

================================================
FILE: .ci/ast-grep/tests/assert-eventually-terminated-test.yml
================================================
id: assert-eventually-terminated

valid:
  # simple, all terminators
  - |
    assert.eventually(function() end).is_truthy()
    assert.eventually(function() end).is_falsy()
    assert.eventually(function() end).has_error()
    assert.eventually(function() end).has_no_error()

  # luassert counts too
  - |
    luassert.eventually(function() end).is_truthy()
    luassert.eventually(function() end).is_falsy()
    luassert.eventually(function() end).has_error()
    luassert.eventually(function() end).has_no_error()

  # with modifiers before .eventually()
  - |
    assert
      .with_timeout(1)
      .eventually(function() end)
      .is_truthy()

  # with modifiers after .eventually()
  - |
    assert
      .eventually(function() end)
      .with_timeout(1)
      .is_truthy()

  # eventually() but unrelated to assert
  - |
    local t = {}
    t.eventually(function() end)

invalid:
  # unterminated assert
  - assert.eventually(function() end)
  - assert.with_timeout(1).eventually(function() end)
  - assert.with_timeout(1).eventually(function() end).with_timeout(1)
  - assert.eventually(function() end).with_timeout(1)

  # same, but luassert
  - luassert.eventually(function() end)
  - luassert.with_timeout(1).eventually(function() end)
  - luassert.with_timeout(1).eventually(function() end).with_timeout(1)
  - luassert.eventually(function() end).with_timeout(1)

================================================
FILE: .ci/ast-grep/tests/helpers-outside-of-setup-test.yml
================================================
id: helpers-outside-of-setup

valid:
  # inside `lazy_setup()`
  - |
    lazy_setup(function()
      local a = 123
      local port = helpers.get_available_port()
    end)

  # inside `setup()`
  - |
    setup(function()
      local a = 123
      local port = helpers.get_available_port()
    end)

  # inside `it()`
  - |
    it(function()
      local a = 123
      local port = helpers.get_available_port()
    end)

  # inside a local function (declaration)
  - |
    describe("foo", function()
      local port
      local function my_setup()
        port = helpers.get_available_port()
      end
      local function my_setup_with_opts(opts)
        port = helpers.get_available_port()
      end
      lazy_setup(function()
        my_setup()
        my_setup_with_opts({})
      end)
    end)

  # inside a local function (declaration + assignment)
  - |
    describe("foo", function()
      local port
      local my_setup = function()
        port = helpers.get_available_port()
      end
      local my_setup_with_opts = function(opts)
        port = helpers.get_available_port()
      end
      lazy_setup(function()
        my_setup()
        my_setup_with_opts({})
      end)
    end)

  # inside a non-local function (declaration + assignment)
  - |
    local my_setup, my_setup_with_opts
    describe("foo", function()
      local port
      my_setup = function()
        port = helpers.get_available_port()
      end
      my_setup_with_opts = function(opts)
        port = helpers.get_available_port()
      end
      lazy_setup(function()
        my_setup()
        my_setup_with_opts({})
      end)
    end)

  # inside require"spec.upgrade_helpers".setup
  - |
    local uh = require "spec.upgrade_helpers"
    describe("my test", function()
      local port
      uh.setup(function()
        port = helpers.get_available_port()
      end)
    end)

  # inside require("spec.upgrade_helpers").setup
  - |
    local uh = require("spec.upgrade_helpers")
    describe("my test", function()
      local port
      uh.setup(function()
        port = helpers.get_available_port()
      end)
    end)

invalid:
  # at the outermost scope
  - |
    local a = 123
    local port = helpers.get_available_port()

  # inside some strategy iterator thing
  - |
    for _, strategy in helpers.each_strategy() do
      local a = 123
      local port = helpers.get_available_port()
      describe("my test", function()
        -- ...
      end)
    end

  # inside describe() inside some iterator
  - |
    describe("my test", function()
      for _, strategy in helpers.each_strategy() do
        local a = 123
        local port = helpers.get_available_port()
      end
    end)

  # directly inside `describe()` (no label)
  - |
    describe(function()
      local a = 123
      local port = helpers.get_available_port()
    end)

  # directly inside `describe()` (with label)
  - |
    describe("my test", function()
      local a = 123
      local port = helpers.get_available_port()
    end)

================================================
FILE: .ci/ast-grep/tests/ngx-log-string-concat-test.yml
================================================
id: ngx-log-string-concat

valid:
  # normal, expected usage
  - |
    ngx.log(ngx.ERR, "STRING: ", my_var)

  # string literals can be concatenated to keep line lengths in check
  - |
    ngx.log(ngx.ERR, "my very super long line"
                  .. " my continuation of that line")

  # chained/nested concatenation of string literals is allowed
  - |
    ngx.log(ngx.ERR, "my very super long line"
                  .. " my continuation of that line"
                  .. " my extra continuation of that line")

  # only ngx.log() calls are checked
  - |
    my_other_function(ngx.ERR, "STRING: " .. my_var)

  # saving a local reference ngx.log doesn't affect other function calls
  - |
    local ngx_log = ngx.log
    my_other_function(ngx.ERR, "STRING: " .. my_var)

invalid:
  # string .. variable
  - |
    ngx.log(ngx.INFO, "STRING: " .. my_var)

  # variable .. string
  - |
    ngx.log(ngx.INFO, my_var .. ": STRING")

  # variable .. string .. variable
  - |
    ngx.log(ngx.INFO, my_var .. ": STRING :" .. my_other_var)

  # string .. variable .. string
  - |
    ngx.log(ngx.INFO, "STRING: " .. my_var .. ": STRING")

  # calling ngx.log via local var reference
  - |
    local foo = ngx.log

    foo(ngx.NOTICE, b .. c .. ": STRING")

  # calling ngx.log via local var reference (nested)
  - |
    local foo = ngx.log

    if true then
      local function my_log(a, b, c)
        foo(ngx.NOTICE, b .. c .. ": STRING")
      end
    end

================================================
FILE: .ci/luacov-stats-aggregator.lua
================================================
-- Aggregates stats from multiple luacov stat files.
-- Example stats for a 12 lines file `my/file.lua`
-- that received hits on lines 3, 4, 9:
--
-- ["my/file.lua"] = {
--   [3] = 1,
--   [4] = 3,
--   [9] = 2,
--   max = 12,
--   max_hits = 3
-- }
--

local luacov_stats = require "luacov.stats"
local luacov_reporter = require "luacov.reporter"
local luacov_runner = require "luacov.runner"
local lfs = require "lfs"


-- load parameters
local params = {...}
local stats_folders_prefix = params[1] or "luacov-stats-out-"
local file_name = params[2] or "luacov.stats.out"
local strip_prefix = params[3] or ""
local base_path = "."


-- load stats from different folders named using the format:
-- luacov-stats-out-${timestamp}
local loaded_stats = {}
for folder in lfs.dir(base_path) do
  if folder:find(stats_folders_prefix, 1, true) then
    local stats_file = folder .. "/" .. file_name
    local loaded = luacov_stats.load(stats_file)
    if loaded then
      loaded_stats[#loaded_stats + 1] = loaded
      print("loading file: " .. stats_file)
    end
  end
end


-- aggregate
luacov_runner.load_config()
for _, stat_data in ipairs(loaded_stats) do
  -- make all paths relative to ensure file keys have the same format
  -- and avoid having separate counters for the same file
  local rel_stat_data = {}
  for f_name, data in pairs(stat_data) do
    if f_name:sub(0, #strip_prefix) == strip_prefix then
      f_name = f_name:sub(#strip_prefix + 1)
    end
    rel_stat_data[f_name] = data
  end

  luacov_runner.data = rel_stat_data
  luacov_runner.save_stats()
end


-- generate report
luacov_reporter.report()

================================================
FILE: .ci/test_suites.json
================================================
[
  {
    "name": "unit",
    "exclude_tags": "flaky,ipv6",
    "venv_script": "kong-dev-venv.sh",
    "specs": ["spec/01-unit/"]
  },
  {
    "name": "integration",
    "exclude_tags": "flaky,ipv6,off",
    "environment": {
      "KONG_TEST_DATABASE": "postgres"
    },
    "venv_script": "kong-dev-venv.sh",
    "specs": ["spec/02-integration/"]
  },
  {
    "name": "dbless",
    "exclude_tags": "flaky,ipv6,postgres,db",
    "environment": {
      "KONG_TEST_DATABASE": "off"
    },
    "venv_script": "kong-dev-venv.sh",
    "specs": [
      "spec/02-integration/02-cmd/",
      "spec/02-integration/05-proxy/",
      "spec/02-integration/04-admin_api/02-kong_routes_spec.lua",
      "spec/02-integration/04-admin_api/15-off_spec.lua",
      "spec/02-integration/08-status_api/01-core_routes_spec.lua",
      "spec/02-integration/08-status_api/03-readiness_endpoint_spec.lua",
      "spec/02-integration/11-dbless/"
    ]
  },
  {
    "name": "plugins",
    "exclude_tags": "flaky,ipv6",
    "venv_script": "kong-dev-venv.sh",
    "specs": ["spec/03-plugins/"]
  }
]

================================================
FILE: .devcontainer/Dockerfile
================================================
FROM kong/kong:3.0.0-ubuntu

USER root

RUN apt-get update

RUN apt-get install -y \
        build-essential \
        unzip \
        git \
        m4 \
        libyaml-dev \
        curl

================================================
FILE: .devcontainer/devcontainer.json
================================================
// For format details, see https://code.visualstudio.com/docs/remote/devcontainerjson-reference
{
  "name": "Kong Gateway Dev",

  // Update the 'dockerComposeFile' list if you have more compose files or use different names.
  "dockerComposeFile": "docker-compose.yml",

  // The 'service' property is the name of the service for the container that VS Code should
  // use. Update this value and .devcontainer/docker-compose.yml to the real service name.
  "service": "kong",

  // The optional 'workspaceFolder' property is the path VS Code should open by default when
  // connected. This is typically a volume mount in .devcontainer/docker-compose.yml
  "workspaceFolder": "/workspace",

  // Use 'forwardPorts' to make a list of ports inside the container available locally.
  "forwardPorts": [8000, 8001, "db:5432"],

  "postCreateCommand": "make dev-legacy",

  // Set *default* container specific settings.json values on container create.
  // "settings": {},

  // Add the IDs of extensions you want installed when the container is created.
  // "extensions": [],

  // Uncomment the next line if you want to keep your containers running after VS Code shuts down.
  // "shutdownAction": "none",

  // Uncomment the next line to use 'postCreateCommand' to run commands after the container is created.
  // "postCreateCommand": "uname -a",

  // Comment out to connect as root instead. To add a non-root user, see: https://aka.ms/vscode-remote/containers/non-root.
  // "remoteUser": "vscode"
}

================================================
FILE: .devcontainer/docker-compose.yml
================================================
version: "3.8"

services:
  db:
    image: postgres:9.6
    environment:
      POSTGRES_PASSWORD: kong
      POSTGRES_USER: kong

  kong:
    build:
      # Using a Dockerfile is optional, but included for completeness.
      context: .
      dockerfile: Dockerfile

    volumes:
      # This is where VS Code should expect to find your project's source code and the value of "workspaceFolder" in .devcontainer/devcontainer.json
      - ..:/workspace:cached

      # Uncomment the next line to use Docker from inside the container. See https://aka.ms/vscode-remote/samples/docker-from-docker-compose for details.
      - /var/run/docker.sock:/var/run/docker.sock

    # Uncomment the next four lines if you will use a ptrace-based debugger like C++, Go, and Rust.
    cap_add:
      - SYS_PTRACE
    security_opt:
      - seccomp:unconfined

    environment:
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_PG_USER: kong
      KONG_PG_DATABASE: kong
      KONG_PG_PASSWORD: kong
      KONG_PG_HOST: db
      OPENSSL_DIR: /usr/local/kong
      CRYPTO_DIR: /usr/local/kong

    # Overrides default command so things don't shut down after the process ends.
    command: /bin/sh -c "while sleep 1000; do :; done"

    # Runs app on the same network as the service container, allows "forwardPorts" in devcontainer.json function.
    network_mode: service:db

    # Use "forwardPorts" in **devcontainer.json** to forward an app port locally.
    # (Adding the "ports" property to this file will not forward from a Codespace.)

    # Uncomment the next line to use a non-root user for all processes - See https://aka.ms/vscode-remote/containers/non-root for details.
    # user: vscode

================================================
FILE: .editorconfig
================================================
root = true

[*]
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true
charset = utf-8

[*.lua]
indent_style = space
indent_size = 2

[kong/templates/nginx*]
indent_style = space
indent_size = 4

[*.template]
indent_style = space
indent_size = 4

[Makefile]
indent_style = tab

[bin/kong]
indent_style = space
indent_size = 2

[bin/busted]
indent_style = space
indent_size = 2

[bin/kong-health]
indent_style = space
indent_size = 2

================================================
FILE: .github/ISSUE_TEMPLATE/bug_report.yaml
================================================
name: 🐞 Bug
description: Something is not working as intended.
body:
- type: checkboxes
  attributes:
    label: Is there an existing issue for this?
    description: Please search to see if an issue already exists for the bug you encountered. Make sure you are also using the latest version of Kong.
    options:
    - label: I have searched the existing issues
      required: true
- type: input
  attributes:
    label: Kong version (`$ kong version`)
    description: 'example: Kong 2.5'
    placeholder: 'Please provide the current Kong Gateway version you are using here.'
  validations:
    required: true
- type: textarea
  attributes:
    label: Current Behavior
    description: A concise description of what you're experiencing.
    placeholder: |
      When I do , happens and I see the error message attached below:
      ```...```
  validations:
    required: false
- type: textarea
  attributes:
    label: Expected Behavior
    description: A concise description of what you expected to happen.
    placeholder: When I do , should happen instead.
  validations:
    required: false
- type: textarea
  attributes:
    label: Steps To Reproduce
    description: Steps to reproduce the behavior.
    placeholder: |
      1. In this environment...
      2. With this config...
      3. Run '...'
      4. See error...
  validations:
    required: false
- type: textarea
  attributes:
    label: Anything else?
    description: |
      - Kong debug-level startup logs (`$ kong start --vv`)
      - Kong error logs (`/logs/error.log`)
      - Kong configuration (the output of a GET request to Kong's Admin port - see https://docs.konghq.com/latest/admin-api/#retrieve-node-information)
      - Running operating system
  validations:
    required: false

================================================
FILE: .github/ISSUE_TEMPLATE/config.yml
================================================
blank_issues_enabled: true
contact_links:
  - name: Kong Gateway Open Source Community Pledge
    url: https://github.com/Kong/kong/blob/master/COMMUNITY_PLEDGE.md
  - name: Feature Request
    url: https://github.com/Kong/kong/discussions/categories/ideas-and-feature-requests
    about: Propose your cool ideas and feature requests at the Kong discussion forum
  - name: Question
    url: https://github.com/Kong/kong/discussions/categories/help
    about: Ask (and answer) questions at the Kong discussion forum

================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
### Summary

### Checklist

- [ ] The Pull Request has tests
- [ ] A changelog file has been created under `changelog/unreleased/kong` or `skip-changelog` label added on PR if changelog is unnecessary. [README.md](https://github.com/Kong/gateway-changelog/blob/main/README.md)
- [ ] There is a user-facing docs PR against https://github.com/Kong/developer.konghq.com - PUT DOCS PR HERE

### Issue reference

Fix #_[issue number]_

================================================
FILE: .github/actions/build-cache-key/action.yml
================================================
name: Build Cache Key

description: >
  Generates a cache key suitable for save/restore of Kong builds.

inputs:
  prefix:
    description: 'String prefix applied to the build cache key'
    required: false
    default: 'build'
  extra:
    description: 'Additional values/file hashes to use in the cache key'
    required: false

outputs:
  cache-key:
    description: 'The generated cache key'
    value: ${{ steps.cache-key.outputs.CACHE_KEY }}

runs:
  using: composite
  steps:
    - name: Generate cache key
      id: cache-key
      shell: bash
      env:
        PREFIX: ${{ inputs.prefix }}
        EXTRA: ${{ inputs.extra }}
      run: |
        # please keep these sorted
        FILE_HASHES=(
          ${{ hashFiles('.bazelignore') }}
          ${{ hashFiles('.bazelrc') }}
          ${{ hashFiles('.bazelversion') }}
          ${{ hashFiles('.github/actions/build-cache-key/**') }}
          ${{ hashFiles('.github/workflows/build.yml') }}
          ${{ hashFiles('.requirements') }}
          ${{ hashFiles('BUILD.bazel') }}
          ${{ hashFiles('WORKSPACE') }}
          ${{ hashFiles('bin/kong') }}
          ${{ hashFiles('bin/kong-health') }}
          ${{ hashFiles('build/**') }}
          ${{ hashFiles('kong-*.rockspec') }}
          ${{ hashFiles('kong.conf.default') }}
        )

        if [[ -n ${EXTRA:-} ]]; then
          readarray \
            -O "${#FILE_HASHES[@]}" \
            -t \
            FILE_HASHES \
            <<< "$EXTRA"
        fi

        HASH=$(printf '%s\n' "${FILE_HASHES[@]}" \
          | grep -vE '^$' \
          | sort --stable --unique \
          | sha256sum - \
          | awk '{print $1}'
        )

        echo "CACHE_KEY=${PREFIX}::${HASH}" | tee -a $GITHUB_OUTPUT

================================================
FILE: .github/actions/build-wasm-test-filters/action.yml
================================================
name: Build WASM Test Filters
description: >
  Installs the rust toolchain and builds the WASM filters that are used in our integration tests

runs:
  using: composite
  steps:
    - name: Setup env vars
      shell: bash
      run: |
        FILTER_PATH=$PWD/spec/fixtures/proxy_wasm_filters
        {
          echo "WASM_FILTER_PATH=$FILTER_PATH"
          echo "WASM_FIXTURE_PATH=$FILTER_PATH/build"
          echo "WASM_FILTER_CARGO_LOCK=$FILTER_PATH/Cargo.lock"
          echo "WASM_FILTER_TARGET=wasm32-wasip1"
        } >> $GITHUB_ENV

    - name: Setup cache key
      shell: bash
      env:
        FILE_HASH: ${{ hashFiles(env.WASM_FILTER_CARGO_LOCK, format('{0}/**/*.rs', env.WASM_FILTER_PATH)) }}
        CACHE_VERSION: "6"
        RUNNER_OS: ${{ runner.os }}
      run: |
        CACHE_PREFIX="wasm-test-filters::v${CACHE_VERSION}::${RUNNER_OS}::${WASM_FILTER_TARGET}::"
        {
          echo "WASM_CACHE_PREFIX=${CACHE_PREFIX}"
          echo "WASM_CACHE_KEY=${CACHE_PREFIX}${FILE_HASH}"
        } >> $GITHUB_ENV

    - name: Restore Cache
      uses: actions/cache/restore@v4
      id: restore-cache
      with:
        path: ${{ env.WASM_FILTER_PATH }}/target/**/*.wasm
        key: ${{ env.WASM_CACHE_KEY }}

    - name: Install Rust Toolchain
      if: steps.restore-cache.outputs.cache-hit != 'true'
      uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203
      with:
        toolchain: stable
        components: cargo
        targets: ${{ env.WASM_FILTER_TARGET }}

    - name: Build Test Filters
      if: steps.restore-cache.outputs.cache-hit != 'true'
      shell: bash
      run: |
        # building in release mode yields smaller library sizes, so it's
        # better for our cacheability
        cargo build \
          --manifest-path "${WASM_FILTER_PATH:?}/Cargo.toml" \
          --workspace \
          --lib \
          --target "${WASM_FILTER_TARGET:?}" \
          --release

    - name: Save cache
      if: steps.restore-cache.outputs.cache-hit != 'true'
      id: save-cache
      uses: actions/cache/save@v4
      with:
        path: ${{ env.WASM_FILTER_PATH }}/target/**/*.wasm
        key: ${{ env.WASM_CACHE_KEY }}

    - name: Create a symlink to the target directory
      shell: bash
      run: |
        ln -sfv \
          --no-target-directory \
          "${WASM_FILTER_PATH:?}"/target/"${WASM_FILTER_TARGET:?}"/release \
          "${WASM_FIXTURE_PATH:?}"

    - name: debug
      shell: bash
      run: ls -la "${{ env.WASM_FIXTURE_PATH }}"/*.wasm

================================================
FILE: .github/dependabot.yml
================================================
# Set update schedule for GitHub Actions

version: 2
updates:

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      # Check for updates to GitHub Actions every week
      interval: "weekly"

================================================
FILE: .github/labeler.yml
================================================
'cherry-pick kong-ee':
- changed-files:
  - any-glob-to-any-file: ['kong/**/*', 'spec/**/*', 'build/**/*', 'bin/**/*', 'scripts/**/*', 'changelog/**/*']

core/admin-api:
- changed-files:
  - any-glob-to-any-file: kong/api/**/*

core/balancer:
- changed-files:
  - any-glob-to-any-file: kong/runloop/balancer/*

core/cli:
- changed-files:
  - any-glob-to-any-file: kong/cmd/**/*

core/clustering:
- changed-files:
  - any-glob-to-any-file: ['kong/clustering/**/*', 'kong/cluster_events/**/*']

core/configuration:
- changed-files:
  - any-glob-to-any-file: kong/conf_loader/*

core/db/migrations:
- changed-files:
  - any-glob-to-any-file: kong/db/migrations/**/*

core/db:
- changed-files:
  - all-globs-to-any-file: ['kong/db/**/*', '!kong/db/migrations/**/*']

changelog:
- changed-files:
  - any-glob-to-any-file: CHANGELOG.md

core/docs:
- changed-files:
  - all-globs-to-any-file: ['**/*.md', '!CHANGELOG.md']

autodoc:
- changed-files:
  - any-glob-to-any-file: 'autodoc/**/*'

core/language/go:
- changed-files:
  - any-glob-to-any-file: kong/runloop/plugin_servers/*

core/language/js:
- changed-files:
  - any-glob-to-any-file: kong/runloop/plugin_servers/*

core/language/python:
- changed-files:
  - any-glob-to-any-file: kong/runloop/plugin_servers/*

core/logs:
- changed-files:
  - any-glob-to-any-file: kong/pdk/log.lua

core/pdk:
- changed-files:
  - all-globs-to-any-file: ['kong/pdk/**/*', '!kong/pdk/log.lua']

core/proxy:
- changed-files:
  - all-globs-to-any-file: ['kong/runloop/**/*', '!kong/runloop/balancer/*', '!kong/runloop/plugin_servers/*']

core/router:
- changed-files:
  - any-glob-to-any-file: kong/router/*

core/templates:
- changed-files:
  - any-glob-to-any-file: kong/templates/*

core/tracing:
- changed-files:
  - any-glob-to-any-file: ['kong/observability/tracing/**/*', 'kong/pdk/tracing.lua']

core/wasm:
- changed-files:
  - any-glob-to-any-file: ['kong/runloop/wasm.lua', 'kong/runloop/wasm/**/*']

chore:
- changed-files:
  - any-glob-to-any-file: ['.github/**/*', '.devcontainer/**/*']

plugins/acl:
- changed-files:
  - any-glob-to-any-file: kong/plugins/acl/**/*

plugins/acme:
- changed-files:
  - any-glob-to-any-file: kong/plugins/acme/**/*

plugins/ai-proxy:
- changed-files:
  - any-glob-to-any-file: ['kong/plugins/ai-proxy/**/*', 'kong/llm/**/*']

plugins/ai-prompt-decorator:
- changed-files:
  - any-glob-to-any-file: kong/plugins/ai-prompt-decorator/**/*

plugins/ai-prompt-template:
- changed-files:
  - any-glob-to-any-file: kong/plugins/ai-prompt-template/**/*

plugins/ai-request-transformer:
- changed-files:
  - any-glob-to-any-file: ['kong/plugins/ai-request-transformer/**/*', 'kong/llm/**/*']

plugins/ai-response-transformer:
- changed-files:
  - any-glob-to-any-file: ['kong/plugins/ai-response-transformer/**/*', 'kong/llm/**/*']

plugins/ai-prompt-guard:
- changed-files:
  - any-glob-to-any-file: kong/plugins/ai-prompt-guard/**/*

plugins/aws-lambda:
- changed-files:
  - any-glob-to-any-file: kong/plugins/aws-lambda/**/*

plugins/azure-functions:
- changed-files:
  - any-glob-to-any-file: kong/plugins/azure-functions/**/*

plugins/basic-auth:
- changed-files:
  - any-glob-to-any-file: kong/plugins/basic-auth/**/*

plugins/bot-detection:
- changed-files:
  - any-glob-to-any-file: kong/plugins/bot-detection/**/*

plugins/correlation-id:
- changed-files:
  - any-glob-to-any-file: kong/plugins/correlation-id/**/*

plugins/cors:
- changed-files:
  - any-glob-to-any-file: kong/plugins/cors/**/*

plugins/datadog:
- changed-files:
  - any-glob-to-any-file: kong/plugins/datadog/**/*

plugins/file-log:
- changed-files:
  - any-glob-to-any-file: kong/plugins/file-log/**/*

plugins/grpc-gateway:
- changed-files:
  - any-glob-to-any-file: kong/plugins/grpc-gateway/**/*

plugins/grpc-web:
- changed-files:
  - any-glob-to-any-file: kong/plugins/grpc-web/**/*

plugins/hmac-auth:
- changed-files:
  - any-glob-to-any-file: kong/plugins/hmac-auth/**/*

plugins/http-log:
- changed-files:
  - any-glob-to-any-file: kong/plugins/http-log/**/*

plugins/ip-restriction:
- changed-files:
  - any-glob-to-any-file: kong/plugins/ip-restriction/**/*

plugins/jwt:
- changed-files:
  - any-glob-to-any-file: kong/plugins/jwt/**/*

plugins/key-auth:
- changed-files:
  - any-glob-to-any-file: kong/plugins/key-auth/**/*

plugins/ldap-auth:
- changed-files:
  - any-glob-to-any-file: kong/plugins/ldap-auth/**/*

plugins/loggly:
- changed-files:
  - any-glob-to-any-file: kong/plugins/loggly/**/*

plugins/oauth2:
- changed-files:
  - any-glob-to-any-file: kong/plugins/oauth2/**/*

plugins/prometheus:
- changed-files:
  - any-glob-to-any-file: kong/plugins/prometheus/**/*

plugins/proxy-cache:
- changed-files:
  - any-glob-to-any-file: kong/plugins/proxy-cache/**/*

plugins/rate-limiting:
- changed-files:
  - any-glob-to-any-file: kong/plugins/rate-limiting/**/*

plugins/request-size-limiting:
- changed-files:
  - any-glob-to-any-file: kong/plugins/request-size-limiting/**/*

plugins/request-termination:
- changed-files:
  - any-glob-to-any-file: kong/plugins/request-termination/**/*

plugins/request-transformer:
- changed-files:
  - any-glob-to-any-file: kong/plugins/request-transformer/**/*

plugins/response-ratelimiting:
- changed-files:
  - any-glob-to-any-file: kong/plugins/response-ratelimiting/**/*

plugins/response-transformer:
- changed-files:
  - any-glob-to-any-file: kong/plugins/response-transformer/**/*

plugins/session:
- changed-files:
  - any-glob-to-any-file: kong/plugins/session/**/*

plugins/serverless-functions:
- changed-files:
  - any-glob-to-any-file: ['kong/plugins/post-function/**/*', 'kong/plugins/pre-function/**/*']

plugins/statsd:
- changed-files:
  - any-glob-to-any-file: kong/plugins/statsd/**/*

plugins/syslog:
- changed-files:
  - any-glob-to-any-file: kong/plugins/syslog/**/*

plugins/tcp-log:
- changed-files:
  - any-glob-to-any-file: kong/plugins/tcp-log/**/*

plugins/udp-log:
- changed-files:
  - any-glob-to-any-file: kong/plugins/udp-log/**/*

plugins/zipkin:
- changed-files:
  - any-glob-to-any-file: kong/plugins/zipkin/**/*

plugins/opentelemetry:
- changed-files:
  - any-glob-to-any-file: kong/plugins/opentelemetry/**/*

plugins/standard-webhooks:
- changed-files:
  - any-glob-to-any-file: kong/plugins/standard-webhooks/**/*

plugins/redirect:
- changed-files:
  - any-glob-to-any-file: kong/plugins/redirect/**/*

schema-change-noteworthy:
- changed-files:
  - any-glob-to-any-file: [
      'kong/db/schema/**/*.lua',
      'kong/**/schema.lua',
      'kong/plugins/**/daos.lua',
      'plugins-ee/**/daos.lua',
      'plugins-ee/**/schema.lua',
      'kong/db/dao/*.lua',
      'kong/enterprise_edition/redis/init.lua',
      'kong/llm/init.lua',
      'kong/llm/schemas/*.lua',
      'kong/llm/vectordb/strategies/pgvector/init.lua',
    ]

build/bazel:
- changed-files:
  - any-glob-to-any-file: ['**/*.bazel', '**/*.bzl', 'build/**/*', 'WORKSPACE', '.bazelignore', '.bazelrc', '.bazelversion', 'scripts/build-*.sh']

================================================
FILE: .github/matrix-commitly.yml
================================================
# please see matrix-full.yml for meaning of each field
build-packages:
- label: ubuntu-24.04
  image: ubuntu:24.04
  package: deb
  check-manifest-suite: ubuntu-24.04-amd64

build-images:
- label: ubuntu
  base-image: ubuntu:24.04
  package: deb
  artifact-from: ubuntu-24.04

smoke-tests:
- label: ubuntu

scan-vulnerabilities:
- label: ubuntu

release-packages:

release-images:
- label: ubuntu
  package: deb

================================================
FILE: .github/matrix-full.yml
================================================
build-packages:
# label: used to distinguish artifacts for later use
# image: docker image name if the build is running in side a container
# package: package type
# package-type: the nfpm packaging target, //:kong_{package} target; only used when package is rpm
# bazel-args: additional bazel build flags
# check-manifest-suite: the check manifest suite as defined in scripts/explain_manifest/config.py

# Ubuntu
- label: ubuntu-20.04
  image: ubuntu:20.04
  package: deb
  check-manifest-suite: ubuntu-20.04-amd64
- label: ubuntu-22.04
  image: ubuntu:22.04
  package: deb
  check-manifest-suite: ubuntu-22.04-amd64
- label: ubuntu-22.04-arm64
  image: ubuntu:22.04
  package: deb
  bazel-args: --platforms=//:generic-crossbuild-aarch64
  check-manifest-suite: ubuntu-22.04-arm64
- label: ubuntu-24.04
  image: ubuntu:24.04
  package: deb
  check-manifest-suite: ubuntu-24.04-amd64
- label: ubuntu-24.04-arm64
  image: ubuntu:24.04
  package: deb
  bazel-args: --platforms=//:generic-crossbuild-aarch64
  check-manifest-suite: ubuntu-24.04-arm64

# Debian
- label: debian-11
  image: debian:11
  package: deb
  check-manifest-suite: debian-11-amd64
- label: debian-12
  image: debian:12
  package: deb
  check-manifest-suite: debian-12-amd64

# RHEL
- label: rhel-8
  image: rockylinux:8
  package: rpm
  package-type: el8
  check-manifest-suite: el8-amd64
- label: rhel-9
  image: rockylinux:9
  package: rpm
  package-type: el9
  check-manifest-suite: el9-amd64
- label: rhel-9-arm64
  package: rpm
  package-type: el9
  bazel-args: --platforms=//:rhel9-crossbuild-aarch64 --//:brotli=False
  check-manifest-suite: el9-arm64

# Amazon Linux
- label: amazonlinux-2
  package: rpm
  package-type: aws2
  check-manifest-suite: amazonlinux-2-amd64
  # simdjson doesn't compile on gcc7.3.1 (needs 7.4)
  bazel-args: --platforms=//:aws2-crossbuild-x86_64 --//:simdjson=False
- label: amazonlinux-2023
  image: amazonlinux:2023
  package: rpm
  package-type: aws2023
  check-manifest-suite: amazonlinux-2023-amd64
- label: amazonlinux-2023-arm64
  package: rpm
  package-type: aws2023
  bazel-args: --platforms=//:aws2023-crossbuild-aarch64 --//:brotli=False
  check-manifest-suite: amazonlinux-2023-arm64

build-images:
# Only build images for the latest version of each major release.
# label: used as compose docker image label ${github.sha}-${label}
# base-image: docker image to use as base
# package: package type
# artifact-from: label of build-packages to use
# artifact-from-alt: another label of build-packages to use for downloading package (to build multi-arch image)
# docker-platforms: comma separated list of docker buildx platforms to build for

# Ubuntu
- label: ubuntu
  base-image: ubuntu:24.04
  package: deb
  artifact-from: ubuntu-24.04
  artifact-from-alt: ubuntu-24.04-arm64
  docker-platforms: linux/amd64, linux/arm64

# Debian
- label: debian
  base-image: debian:12-slim
  package: deb
  artifact-from: debian-12

# RHEL
- label: rhel
  base-image: registry.access.redhat.com/ubi9
  package: rpm
  rpm_platform: el9
  artifact-from: rhel-9
  artifact-from-alt: rhel-9-arm64
  docker-platforms: linux/amd64, linux/arm64

smoke-tests:
- label: ubuntu
- label: debian
- label: rhel

scan-vulnerabilities:
- label: ubuntu
- label: debian
- label: rhel

release-packages:
# Ubuntu
- label: ubuntu-20.04
  package: deb
  artifact-from: ubuntu-20.04
  artifact-version: 20.04
  artifact-type: ubuntu
  artifact: kong.amd64.deb
- label: ubuntu-22.04
  package: deb
  artifact-from: ubuntu-22.04
  artifact-version: 22.04
  artifact-type: ubuntu
  artifact: kong.amd64.deb
- label: ubuntu-22.04-arm64
  package: deb
  artifact-from: ubuntu-22.04-arm64
  artifact-version: 22.04
  artifact-type: ubuntu
  artifact: kong.arm64.deb
- label: ubuntu-24.04
  package: deb
  artifact-from: ubuntu-24.04
  artifact-version: 24.04
  artifact-type: ubuntu
  artifact: kong.amd64.deb
- label: ubuntu-24.04-arm64
  package: deb
  artifact-from: ubuntu-24.04-arm64
  artifact-version: 24.04
  artifact-type: ubuntu
  artifact: kong.arm64.deb

# Debian
- label: debian-11
  package: deb
  artifact-from: debian-11
  artifact-version: 11
  artifact-type: debian
  artifact: kong.amd64.deb
- label: debian-12
  package: deb
  artifact-from: debian-12
  artifact-version: 12
  artifact-type: debian
  artifact: kong.amd64.deb

# RHEL
- label: rhel-8
  package: rpm
  artifact-from: rhel-8
  artifact-version: 8
  artifact-type: rhel
  artifact: kong.el8.amd64.rpm
- label: rhel-9
  package: rpm
  artifact-from: rhel-9
  artifact-version: 9
  artifact-type: rhel
  artifact: kong.el9.amd64.rpm
- label: rhel-9-arm64
  package: rpm
  artifact-from: rhel-9-arm64
  artifact-version: 9
  artifact-type: rhel
  artifact: kong.el9.arm64.rpm

# Amazon Linux
- label: amazonlinux-2
  package: rpm
  artifact-from: amazonlinux-2
  artifact-version: 2
  artifact-type: amazonlinux
  artifact: kong.aws2.amd64.rpm
- label: amazonlinux-2023
  package: rpm
  artifact-from: amazonlinux-2023
  artifact-version: 2023
  artifact-type: amazonlinux
  artifact: kong.aws2023.amd64.rpm
- label: amazonlinux-2023-arm64
  package: rpm
  artifact-from: amazonlinux-2023-arm64
  artifact-version: 2023
  artifact-type: amazonlinux
  artifact: kong.aws2023.arm64.rpm

release-images:
- label: ubuntu
- label: debian
- label: rhel

================================================
FILE: .github/workflows/add-release-pongo.yml
================================================
name: Add New Release to Pongo

on:
  push:
    tags:
    - '[1-9]+.[0-9]+.[0-9]+'

jobs:
  set_vars:
    name: Set Vars
    runs-on: ubuntu-latest-kong
    env:
      REF_NAME: ${{ github.ref_name }}
      RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
    outputs:
      code_base: ${{ steps.define_vars.outputs.CODE_BASE }}
      tag_version: ${{ steps.define_vars.outputs.TAG_VERSION }}
    steps:
    - name: Define Vars
      id: define_vars
      shell: bash
      run: |
        if [[ "${GITHUB_REPOSITORY,,}" = "kong/kong" ]] ; then
          CODE_BASE=CE
        elif [[ "${GITHUB_REPOSITORY,,}" = "kong/kong-ee" ]] ; then
          CODE_BASE=EE
        fi
        echo "CODE_BASE=$CODE_BASE" >> "$GITHUB_OUTPUT"
        if [[ "${{ github.event_name }}" == "push" ]] ; then
          TAG_VERSION="$REF_NAME"
        elif [[ "${{ github.event_name }}" == "release" ]] ; then
          TAG_VERSION="$RELEASE_TAG_NAME"
        fi
        echo "TAG_VERSION=$TAG_VERSION" >> "$GITHUB_OUTPUT"

  add_release_to_pongo:
    name: Add Release to Pongo
    runs-on: ubuntu-latest-kong
    needs:
    - set_vars
    env:
      GITHUB_TOKEN: ${{ secrets.PAT }}
    steps:
    - name: Checkout Pongo
      id: checkout_pongo
      uses: actions/checkout@v4
      with:
        token: ${{ env.GITHUB_TOKEN }}
        repository: kong/kong-pongo
        ref: master
    - name: Set git Env
      id: set_git_env
      shell: bash
      run: |
        git config --global user.email "ci-bot@konghq.com"
        git config --global user.name "CI Bot"
    - name: Create PR
      id: create_pr
      shell: bash
      run: |
        ./assets/add_version.sh "${{ needs.set_vars.outputs.code_base }}" "${{ needs.set_vars.outputs.tag_version }}"

================================================
FILE: .github/workflows/ast-grep.yml
================================================
name: ast-grep lint

on:
  pull_request:
    paths:
      - .github/workflows/ast-grep.yml # this workflow
      - sgconfig.yml
      - .ci/ast-grep/**
      # globs for files that we want to check with ast-grep here
      - '**/*.lua'

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  lint:
    name: lint
    runs-on: ubuntu-22.04
    defaults:
      run:
        shell: bash
    steps:
      - name: git checkout
        uses: actions/checkout@v4

      - name: ensure all rules are properly formed and have tests
        run: |
          shopt -s failglob

          declare -i failed=0

          fail() {
            failed=1
            local -r fname=${1:?}
            shift

            local entry
            printf -v entry '::error file=%s' "$fname"

            while (( $# > 0 )); do
              case $1 in
                -t|--title)
                  local title=${2:?}
                  shift 2
                  printf -v entry '%s,title=%s' "$entry" "$title"
                  ;;
                *)
                  break
                  ;;
              esac
            done

            local msg
            printf -v msg "$@"

            printf '%s::%s\n' "$entry" "$msg"
          }

          declare -i count=0

          for rule in .ci/ast-grep/rules/*.yml; do
            count+=1

            name=${rule##*/}
            name=${name%*.yml}

            printf 'Rule(%s): %s\n' "$name" "$rule"

            id=$(yq -r .id < "$rule")
            if [[ $id != "$name" ]]; then
              fail "$rule" \
                --title 'Rule .id/filename mismatch' \
                'Rule(%s) ${filename}.yml must match its .id (%s)' \
                "$name" "$id"
            fi

            test=.ci/ast-grep/tests/${name}-test.yml
            if [[ ! -e $test ]]; then
              failed=1
              fail "$rule" \
                --title 'Rule test required' \
                'Rule test file (%s) not found' "$test"
              continue
            fi

            printf 'Rule(%s): test file: %s\n' "$name" "$test"

            test_id=$(yq -r .id < "$test")
            if [[ $test_id != $id ]]; then
              fail "$test" \
                --title 'Rule test file/.id mismatch' \
                'Rule test file .id (%s) does not match rule .id (%s)' \
                "$test_id" "$id"
            fi

            declare -i valid invalid
            valid=$(yq -r '.valid | length' < "$test")
            invalid=$(yq -r '.invalid | length' < "$test")

            if (( valid < 1 || invalid < 1 )); then
              fail "$test" \
                --title 'Rule tests insufficient' \
                'Rule test file must contain at least one valid and one invalid test case'
            fi

            printf 'Rule(%s) test has %s valid and %s invalid test cases\n' \
              "$name" "$valid" "$invalid"
          done

          printf 'Checked %s rules\n' "$count"

          if (( failed > 0 )); then
            printf '::error::Found one or more problems while checking ast-grep rules and tests\n'
            exit 1
          fi

      # NOTE: this is basically an inline of the official, public gh action
      # (https://github.com/ast-grep/action).
      - name: install ast-grep
        run: |
          set -euo pipefail

          readonly VERSION=0.36.2
          readonly CHECKSUM=7fd693b013447582d8befa1695f00d17301c2cff1763cfb0b52191096309dbef
          readonly FILENAME=app-x86_64-unknown-linux-gnu.zip
          readonly BINDIR=$HOME/.local/bin
          readonly URL=https://github.com/ast-grep/ast-grep/releases/download/${VERSION}/${FILENAME}

          curl --fail \
            --silent \
            --location \
            --output "$FILENAME" \
            "$URL"

          sha256sum --check --strict <<< "${CHECKSUM} ${FILENAME}"

          unzip "$FILENAME" ast-grep
          ./ast-grep --version

          mkdir -p "$BINDIR"
          mv ast-grep "$BINDIR"
          echo "$BINDIR" >> $GITHUB_PATH

      - name: ast-grep test
        run: ast-grep test

      - name: ast-grep scan
        run: ast-grep scan --format github

================================================
FILE: .github/workflows/auto-assignee.yml
================================================
name: Add assignee to PRs

on:
  pull_request:
    types: [ opened, reopened ]

permissions:
  pull-requests: write

jobs:
  assign-author:
    runs-on: ubuntu-latest
    steps:
      - name: assign-author
        # ignore the pull requests opened from PR because token is not correct
        if: github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'
        uses: toshimaru/auto-author-assign@ebd30f10fb56e46eb0759a14951f36991426fed0

================================================
FILE: .github/workflows/autodocs.yml
================================================
name: Autodocs

on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version (e.g. 2.4.x)"
        required: true
      source_branch:
        description: "Source Branch in kong/kong (e.g. release/2.4.x)"
        required: true
      target_branch:
        description: "Target Branch in kong/docs.konghq.com (e.g. release/2.4)"
        required: true
      force_build:
        description: "Ignore the build cache and build dependencies from scratch"
        type: boolean
        default: false

jobs:
  build:
    name: Build dependencies
    runs-on: ubuntu-22.04

    env:
      DOWNLOAD_ROOT: $HOME/download-root

    steps:
    - name: Set environment variables
      run: |
        echo "INSTALL_ROOT=$HOME/install-root" >> $GITHUB_ENV
        echo "DOWNLOAD_ROOT=$HOME/download-root" >> $GITHUB_ENV
        echo "LD_LIBRARY_PATH=$INSTALL_ROOT/openssl/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV

    - name: Checkout Kong source code
      uses: actions/checkout@v4

    - name: Lookup build cache
      uses: actions/cache@v4
      id: cache-deps
      with:
        path: ${{ env.INSTALL_ROOT }}
        key: ${{ hashFiles('.ci/setup_env_github.sh') }}-${{ hashFiles('.requirements') }}-${{ hashFiles('kong-*.rockspec') }}

    - name: Checkout kong-build-tools
      if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'
      uses: actions/checkout@v4
      with:
        repository: Kong/kong-build-tools
        path: kong-build-tools
        ref: master

    - name: Checkout go-pluginserver
      if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'
      uses: actions/checkout@v4
      with:
        repository: Kong/go-pluginserver
        path: go-pluginserver

    - name: Add to Path
      if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'
      run: echo "$INSTALL_ROOT/openssl/bin:$INSTALL_ROOT/openresty/nginx/sbin:$INSTALL_ROOT/openresty/bin:$INSTALL_ROOT/luarocks/bin:$GITHUB_WORKSPACE/kong-build-tools/openresty-build-tools" >> $GITHUB_PATH

    - name: Install packages
      if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'
      run: sudo apt update && sudo apt install libyaml-dev valgrind

    - name: Build Kong dependencies
      if: steps.cache-deps.outputs.cache-hit != 'true' || github.event.inputs.force_build == 'true'
      run: |
        source .ci/setup_env_github.sh
        make dev

  autodoc:
    runs-on: ubuntu-22.04
    needs: [build]
    steps:
    - name: Set environment variables
      run: |
        echo "INSTALL_ROOT=$HOME/install-root" >> $GITHUB_ENV
        echo "DOWNLOAD_ROOT=$HOME/download-root" >> $GITHUB_ENV
        echo "LD_LIBRARY_PATH=$INSTALL_ROOT/openssl/lib:$LD_LIBRARY_PATH" >> $GITHUB_ENV

    - name: Checkout Kong source code
      uses: actions/checkout@v4
      with:
        path: kong
        ref: ${{ github.event.inputs.source_branch }}

    - name: Checkout Kong Docs
      uses: actions/checkout@v4
      with:
        repository: kong/docs.konghq.com
        path: docs.konghq.com
        token: ${{ secrets.PAT }}
        ref: ${{ github.event.inputs.target_branch }}

    - name: Lookup build cache
      uses: actions/cache@v4
      id: cache-deps
      with:
        path: ${{ env.INSTALL_ROOT }}
        key: ${{ hashFiles('kong/.ci/setup_env_github.sh') }}-${{ hashFiles('kong/.requirements') }}-${{ hashFiles('kong/kong-*.rockspec') }}

    - name: Add to Path
      run: echo "$INSTALL_ROOT/openssl/bin:$INSTALL_ROOT/openresty/nginx/sbin:$INSTALL_ROOT/openresty/bin:$INSTALL_ROOT/luarocks/bin:$GITHUB_WORKSPACE/kong-build-tools/openresty-build-tools:$INSTALL_ROOT/go-pluginserver" >> $GITHUB_PATH

    - name: Run Autodocs
      run: |
        cd kong
        eval `luarocks path`
        scripts/autodoc ../docs.konghq.com ${{ github.event.inputs.version }}

    - name: Generate branch name
      id: kong-branch
      run: |
        cd kong
        output="$(git branch --show-current)"
        echo "name=$output" >> $GITHUB_OUTPUT

    - name: Show Docs status
      run: |
        cd docs.konghq.com
        git status
        git checkout -b "autodocs-${{ steps.kong-branch.outputs.name }}"

    - name: Commit autodoc changes
      uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # v5
      with:
        repository: "./docs.konghq.com"
        commit_message: "Autodocs update"
        branch: "autodocs-${{ steps.kong-branch.outputs.name }}"
        skip_fetch: true
        push_options: "--force"

    - name: Raise PR
      run: |
        cd docs.konghq.com
        echo "${{ secrets.PAT }}" | gh auth login --with-token
        gh pr create --base "${{ github.event.inputs.target_branch }}" --fill --label "review:autodoc"

================================================
FILE: .github/workflows/backport-fail-bot.yml
================================================
name: Forward failed backport alert to Slack

on:
  issue_comment:
    types: [created]

jobs:
  check_comment:
    runs-on: ubuntu-latest
    if: github.event.issue.pull_request != null && contains(github.event.comment.body, 'cherry-pick the changes locally and resolve any conflicts')

    steps:
    - name: Fetch mapping file
      id: fetch_mapping
      uses: actions/github-script@v7
      env:
        ACCESS_TOKEN: ${{ secrets.PAT }}
      with:
        script: |
          const url = 'https://raw.githubusercontent.com/Kong/github-slack-mapping/main/mapping.json';
          const headers = {Authorization: `token ${process.env.ACCESS_TOKEN}`};
          const response = await fetch(url, {headers});
          const mapping = await response.json();
          return mapping;

    - name: Generate Slack Payload
      id: generate-payload
      uses: actions/github-script@v7
      env:
        SLACK_CHANNEL: gateway-notifications
        SLACK_MAPPING: "${{ steps.fetch_mapping.outputs.result }}"
      with:
        script: |
          const pr_url = ${{ github.event.issue.pull_request.html_url }};
          const slack_mapping = JSON.parse(process.env.SLACK_MAPPING);
          const pr_author_github_id = ${{ github.event.issue.user.login }};
          const pr_author_slack_id = slack_mapping[pr_author_github_id];
          const author = pr_author_slack_id ? `<@${pr_author_slack_id}>` : pr_author_github_id;
          const payload = {
            text: `${pr_url} from ${author} failed to backport.`,
            channel: process.env.SLACK_CHANNEL,
          };
          return JSON.stringify(payload);
        result-encoding: string

    - name: Send Slack Message
      uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
      with:
        payload: ${{ steps.generate-payload.outputs.result }}
      env:
        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_GATEWAY_NOTIFICATIONS_WEBHOOK }}

================================================
FILE: .github/workflows/backport-v2.yml
================================================
name: Backport v2

on:
  pull_request:
    types: [closed, labeled] # runs when the pull request is closed/merged or labeled (to trigger a backport in hindsight)

permissions:
  contents: write # so it can comment
  pull-requests: write # so it can create pull requests
  actions: write

jobs:
  backport:
    name: Backport
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged
    steps:
      - uses: actions/checkout@v4
      - name: Create backport pull requests
        uses: korthout/backport-action@924c8170740fa1e3685f69014971f7f251633f53 # v2.4.1
        id: backport
        with:
          github_token: ${{ secrets.PAT }}
          pull_title: '[backport -> ${target_branch}] ${pull_title}'
          merge_commits: 'skip'
          copy_labels_pattern: ^(?!backport ).* # copies all labels except those starting with "backport "
          label_pattern: ^backport (release\/[^ ]+)$ # filters for labels starting with "backport " and extracts the branch name
          pull_description: |-
            Automated backport to `${target_branch}`, triggered by a label in #${pull_number}.
            ## Original description
            ${pull_description}
          copy_assignees: true
          copy_milestone: true
          copy_requested_reviewers: true
          experimental: >
            {
              "detect_merge_method": true
            }

      - name: add label
        if: steps.backport.outputs.was_successful == 'false'
        uses: Kong/action-add-labels@81b0a07d6b2ec64d770be1ca94c31ec827418054
        with:
          labels: incomplete-backport

================================================
FILE: .github/workflows/build.yml
================================================
name: Build

on:
  workflow_call:
    inputs:
      relative-build-root:
        required: true
        type: string
    outputs:
      cache-key:
        description: 'Computed cache key, used for restoring cache in other workflows'
        value: ${{ jobs.build.outputs.cache-key }}

env:
  BUILD_ROOT: ${{ github.workspace }}/${{ inputs.relative-build-root }}

jobs:
  build:
    name: Build dependencies
    runs-on: ubuntu-22.04

    outputs:
      cache-key: ${{ steps.cache-key.outputs.cache-key }}

    steps:
    - name: Checkout Kong source code
      uses: actions/checkout@v4

    - name: Generate cache key
      id: cache-key
      uses: ./.github/actions/build-cache-key

    - name: Lookup build cache
      id: cache-deps
      uses: actions/cache@v4
      with:
        path: ${{ env.BUILD_ROOT }}
        key: ${{ steps.cache-key.outputs.cache-key }}

    - name: Install packages
      if: steps.cache-deps.outputs.cache-hit != 'true'
      run: sudo apt update && sudo apt install libyaml-dev valgrind libprotobuf-dev

    - name: Build Kong
      if: steps.cache-deps.outputs.cache-hit != 'true'
      env:
        GH_TOKEN: ${{ github.token }}
      run: |
        make build-kong
        chmod +rw -R "$BUILD_ROOT/kong-dev"

    - name: Update PATH
      run: |
        echo "$BUILD_ROOT/kong-dev/bin" >> $GITHUB_PATH
        echo "$BUILD_ROOT/kong-dev/openresty/nginx/sbin" >> $GITHUB_PATH
        echo "$BUILD_ROOT/kong-dev/openresty/bin" >> $GITHUB_PATH

    - name: Debug (nginx)
      run: |
        echo nginx: $(which nginx)
        nginx -V 2>&1 | sed -re 's/ --/\n--/g'
        ldd $(which nginx)

    - name: Debug (luarocks)
      run: |
        echo luarocks: $(which luarocks)
        luarocks --version
        luarocks config

    - name: Bazel Outputs
      uses: actions/upload-artifact@v4
      if: failure()
      with:
        name: bazel-outputs
        path: |
          bazel-out/_tmp/actions
        retention-days: 3

    - name: Build Dev Kong dependencies
      if: steps.cache-deps.outputs.cache-hit != 'true'
      run: |
        make install-dev-rocks

================================================
FILE: .github/workflows/build_and_test.yml
================================================
name: Build & Test

on:
  pull_request:
    paths-ignore:
    # ignore markdown files (CHANGELOG.md, README.md, etc.)
    - '**/*.md'
    - 'COPYRIGHT'
    - 'LICENSE'
    - '.github/workflows/release.yml'
    - 'changelog/**'
    - 'kong.conf.default'
  push:
    paths-ignore:
    # ignore markdown files (CHANGELOG.md, README.md, etc.)
    - '**/*.md'
    # ignore PRs for the generated COPYRIGHT file
    - 'COPYRIGHT'
    - 'LICENSE'
    branches:
    - master
    - release/*
    - test-please/*
  workflow_dispatch:
    inputs:
      coverage:
        description: 'Coverage enabled'
        required: false
        type: boolean
        default: false

# cancel previous runs if new commits are pushed to the PR, but run for each commit on master
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build
  KONG_TEST_COVERAGE: ${{ inputs.coverage == true || github.event_name == 'schedule' }}
  RUNNER_COUNT: 7

jobs:
  metadata:
    name: Metadata
    runs-on: ubuntu-22.04
    outputs:
      old-kong-version: ${{ steps.old-kong-version.outputs.ref }}

    steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0 # `git merge-base` requires the history

    - name: Get Old Kong Version
      id: old-kong-version
      run: |
        KONG_VERSION=$(bash scripts/grep-kong-version.sh)
        major=$(echo "$KONG_VERSION" | cut -d. -f1)
        minor=$(echo "$KONG_VERSION" | cut -d. -f2)
        # if the minor version isn't 0, use the first release or starting point of the previous minor branch;
        # otherwise just leave it empty, so later the default branch or commit will be used.
        if [ "$minor" -ne 0 ]; then
          minor=$((minor - 1))
          git fetch origin master -t
          if [ $(git tag -l "$major.$minor.0") ]; then
            echo "ref=$major.$minor.0" >> $GITHUB_OUTPUT
          else
            git fetch origin release/$major.$minor.x
            COMMIT_HASH=$(git merge-base origin/master origin/release/$major.$minor.x)
            echo "ref=$COMMIT_HASH" >> $GITHUB_OUTPUT
          fi
        else
          echo "ref=" >> $GITHUB_OUTPUT
        fi

  build:
    uses: ./.github/workflows/build.yml
    with:
      relative-build-root: bazel-bin/build

  lint-and-doc-tests:
    name: Lint and Doc tests
    runs-on: ubuntu-22.04
    needs: build

    steps:
    - name: Bump max open files
      run: |
        sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo 'kong hard nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo "$(whoami) soft nofile 65536" | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo "$(whoami) hard nofile 65536" | sudo tee -a /etc/security/limits.d/kong-ci.conf

    - name: Checkout Kong source code
      uses: actions/checkout@v4

    - name: Lookup build cache
      id: cache-deps
      uses: actions/cache@v4
      with:
        path: ${{ env.BUILD_ROOT }}
        key: ${{ needs.build.outputs.cache-key }}

    - name: Check test-helpers doc generation
      run: |
        source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh
        pushd ./spec && ldoc .
    - name: Check autodoc generation
      run: |
        source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh
        scripts/autodoc

    - name: Lint Lua code
      run: |
        make lint

    - name: Validate rockspec file
      run: |
        source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh
        scripts/validate-rockspec

    - name: Check spec file misspelling
      run: |
        scripts/check_spec_files_spelling.sh

    - name: Check labeler configuration
      run: scripts/check-labeler.pl .github/labeler.yml

  schedule:
    name: Schedule busted tests to run
    runs-on: ubuntu-22.04
    needs: build

    env:
      WORKFLOW_ID: ${{ github.run_id }}

    outputs:
      runners: ${{ steps.generate-runner-array.outputs.RUNNERS }}

    steps:
    - name: Checkout source code
      uses: actions/checkout@v4

    - name: Download runtimes file
      uses: Kong/gh-storage/download@b196a6b94032e56e414227c749e9f96a6afc2b91 # v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        repo-path: Kong/gateway-action-storage/main/.ci/runtimes.json

    - name: Schedule tests
      uses: Kong/gateway-test-scheduler/schedule@69f0c2a562ac44fc3650b8bfa62106b34094b5ce # v3
      with:
        test-suites-file: .ci/test_suites.json
        test-file-runtime-file: .ci/runtimes.json
        output-prefix: test-chunk.
        runner-count: ${{ env.RUNNER_COUNT }}
        static-mode: ${{ github.run_attempt > 1 }}

    - name: Upload schedule files
      uses: actions/upload-artifact@v4
      continue-on-error: true
      with:
        name: schedule-test-files
        path: test-chunk.*
        retention-days: 7

    - name: Generate runner array
      id: generate-runner-array
      run: |
        echo "RUNNERS=[$(seq -s "," 1 $(( "$RUNNER_COUNT" )))]" >> "$GITHUB_OUTPUT"

  busted-tests:
    name: Busted test runner ${{ matrix.runner }}
    runs-on: ubuntu-22.04
    needs: [metadata,build,schedule]

    strategy:
      fail-fast: false
      matrix:
        runner: ${{ fromJSON(needs.schedule.outputs.runners) }}

    services:
      postgres:
        image: postgres:13
        env:
          POSTGRES_USER: kong
          POSTGRES_DB: kong
          POSTGRES_HOST_AUTH_METHOD: trust
        ports:
          - 5432:5432
        options: --health-cmd pg_isready --health-interval 5s --health-timeout 5s --health-retries 8

      grpcbin:
        image: kong/grpcbin
        ports:
          - 15002:9000
          - 15003:9001

      redis:
        image: redis
        ports:
          - 6379:6379
          - 6380:6380
        options: >-
          --name kong_redis

      zipkin:
        image: openzipkin/zipkin:2
        ports:
          - 9411:9411

      redis-auth:
        image: redis/redis-stack-server
        # Set health checks to wait until redis has started
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 6385:6379
        env:
          REDIS_ARGS: "--requirepass passdefault"

    steps:
    - name: Bump max open files
      run: |
        sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo 'kong hard nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo "$(whoami) soft nofile 65536" | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo "$(whoami) hard nofile 65536" | sudo tee -a /etc/security/limits.d/kong-ci.conf

    - name: Checkout Kong source code
      uses: actions/checkout@v4

    # used for plugin compatibility test
    - name: Checkout old version Kong source code
      uses: actions/checkout@v4
      with:
        path: kong-old
        # if the minor version is 0, `ref` will default to ''
        # which is same as in the previous step
        ref: ${{ needs.metadata.outputs.old-kong-version }}

    - name: Lookup build cache
      id: cache-deps
      uses: actions/cache@v4
      with:
        path: ${{ env.BUILD_ROOT }}
        key: ${{ needs.build.outputs.cache-key }}

    - name: Add gRPC test host names
      run: |
        echo "127.0.0.1 grpcs_1.test" | sudo tee -a /etc/hosts
        echo "127.0.0.1 grpcs_2.test" | sudo tee -a /etc/hosts

    - name: Enable SSL for Redis
      run: |
        docker cp ${{ github.workspace }} kong_redis:/workspace
        docker cp ${{ github.workspace }}/spec/fixtures/redis/docker-entrypoint.sh kong_redis:/usr/local/bin/docker-entrypoint.sh
        docker restart kong_redis
        docker logs kong_redis

    - name: Run OpenTelemetry Collector
      run: |
        mkdir -p ${{ github.workspace }}/tmp/otel
        touch ${{ github.workspace }}/tmp/otel/file_exporter.json
        sudo chmod 777 -R ${{ github.workspace }}/tmp/otel
        docker run -p 4317:4317 -p 4318:4318 -p 55679:55679 \
            -v ${{ github.workspace }}/spec/fixtures/opentelemetry/otelcol.yaml:/etc/otel-collector-config.yaml \
            -v ${{ github.workspace }}/tmp/otel:/etc/otel \
            --name opentelemetry-collector -d \
            otel/opentelemetry-collector-contrib:0.52.0 \
            --config=/etc/otel-collector-config.yaml
        sleep 2
        docker logs opentelemetry-collector

    - name: Install AWS SAM cli tool
      run: |
        curl -L -s -o /tmp/aws-sam-cli.zip https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip
        unzip -o /tmp/aws-sam-cli.zip -d /tmp/aws-sam-cli
        sudo /tmp/aws-sam-cli/install --update

    - name: Update PATH
      run: |
        echo "$BUILD_ROOT/kong-dev/bin" >> $GITHUB_PATH
        echo "$BUILD_ROOT/kong-dev/openresty/nginx/sbin" >> $GITHUB_PATH
        echo "$BUILD_ROOT/kong-dev/openresty/bin" >> $GITHUB_PATH

    - name: Debug (nginx)
      run: |
        echo nginx: $(which nginx)
        nginx -V 2>&1 | sed -re 's/ --/\n--/g'
        ldd $(which nginx)

    - name: Debug (luarocks)
      run: |
        echo luarocks: $(which luarocks)
        luarocks --version
        luarocks config

    - name: Tune up postgres max_connections
      run: |
        # arm64 runners may use more connections due to more worker cores
        psql -hlocalhost -Ukong kong -tAc 'alter system set max_connections = 5000;'

    - name: Download test schedule file
      uses: actions/download-artifact@v4
      with:
        name: schedule-test-files

    - name: Generate helper environment variables
      run: |
        echo FAILED_TEST_FILES_FILE=failed-tests.json >> $GITHUB_ENV
        echo TEST_FILE_RUNTIME_FILE=test-runtime.json >> $GITHUB_ENV
        echo SPEC_ERRLOG_CACHE_DIR=/tmp/${{ github.run_id }}/build_test/${{ matrix.runner }} >> $GITHUB_ENV

    - name: Build & install dependencies
      run: |
        make dev
        # python pluginserver tests dependency
        pip install kong-pdk

    - name: Download test rerun information
      uses: actions/download-artifact@v4
      continue-on-error: true
      with:
        name: test-rerun-info-${{ matrix.runner }}

    - name: Download test runtime statistics from previous runs
      uses: actions/download-artifact@v4
      continue-on-error: true
      with:
        name: test-runtime-statistics-${{ matrix.runner }}

    - name: Run Tests
      env:
        KONG_TEST_PG_DATABASE: kong
        KONG_TEST_PG_USER: kong
        KONG_TEST_DATABASE: postgres
        KONG_SPEC_TEST_GRPCBIN_PORT: "15002"
        KONG_SPEC_TEST_GRPCBIN_SSL_PORT: "15003"
        KONG_SPEC_TEST_OTELCOL_FILE_EXPORTER_PATH: ${{ github.workspace }}/tmp/otel/file_exporter.json
        KONG_SPEC_TEST_OLD_VERSION_KONG_PATH: ${{ github.workspace }}/kong-old
        DD_ENV: ci
        DD_SERVICE: kong-ce-ci
        DD_CIVISIBILITY_MANUAL_API_ENABLED: 1
        DD_CIVISIBILITY_AGENTLESS_ENABLED: true
        DD_TRACE_GIT_METADATA_ENABLED: true
        DD_API_KEY: ${{ secrets.DATADOG_API_KEY }}
        SPEC_ERRLOG_CACHE_DIR: ${{ env.SPEC_ERRLOG_CACHE_DIR }}
      uses: Kong/gateway-test-scheduler/runner@69f0c2a562ac44fc3650b8bfa62106b34094b5ce # v3
      with:
        tests-to-run-file: test-chunk.${{ matrix.runner }}.json
        failed-test-files-file: ${{ env.FAILED_TEST_FILES_FILE }}
        test-file-runtime-file: ${{ env.TEST_FILE_RUNTIME_FILE }}
        setup-venv-path: ${{ env.BUILD_ROOT }}

    - name: Upload error logs
      if: failure()
      uses: actions/upload-artifact@v4
      with:
        name: busted-test-errlogs-${{ matrix.runner }}
        path: ${{ env.SPEC_ERRLOG_CACHE_DIR }}
        retention-days: 1

    - name: Upload test rerun information
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: test-rerun-info-${{ matrix.runner }}
        path: ${{ env.FAILED_TEST_FILES_FILE }}
        retention-days: 2

    - name: Upload test runtime statistics for offline scheduling
      if: always()
      uses: actions/upload-artifact@v4
      with:
        name: test-runtime-statistics-${{ matrix.runner }}
        path: ${{ env.TEST_FILE_RUNTIME_FILE }}
        retention-days: 7

    - name: Archive coverage stats file
      uses: actions/upload-artifact@v4
      if: ${{ always() && (inputs.coverage == true || github.event_name == 'schedule') }}
      with:
        name: luacov-stats-out-${{ github.job }}-${{ github.run_id }}-${{ matrix.runner }}
        retention-days: 1
        path: |
          luacov.stats.out

    - name: Get kernel message
      if: failure()
      run: |
        sudo dmesg -T

  pdk-tests:
    name: PDK tests
    runs-on: ubuntu-22.04
    needs: build

    steps:
    - name: Bump max open files
      run: |
        sudo echo 'kong soft nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo 'kong hard nofile 65536' | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo "$(whoami) soft nofile 65536" | sudo tee -a /etc/security/limits.d/kong-ci.conf
        sudo echo "$(whoami) hard nofile 65536" | sudo tee -a /etc/security/limits.d/kong-ci.conf

    - name: Checkout Kong source code
      uses: actions/checkout@v4

    - name: Lookup build cache
      id: cache-deps
      uses: actions/cache@v4
      with:
        path: ${{ env.BUILD_ROOT }}
        key: ${{ needs.build.outputs.cache-key }}

    - name: Install Test::Nginx
      run: |
        CPAN_DOWNLOAD=./cpanm
        mkdir -p $CPAN_DOWNLOAD
        curl -o $CPAN_DOWNLOAD/cpanm https://cpanmin.us
        chmod +x $CPAN_DOWNLOAD/cpanm

        echo "Installing CPAN dependencies..."
        $CPAN_DOWNLOAD/cpanm --notest --local-lib=$HOME/perl5 local::lib && eval $(perl -I $HOME/perl5/lib/perl5/ -Mlocal::lib)
        $CPAN_DOWNLOAD/cpanm --notest Test::Nginx

    - name: Generate environment variables
      run: |
        echo SPEC_ERRLOG_CACHE_DIR=/tmp/${{ github.run_id }}/PDK_test >> $GITHUB_ENV

    - name: Tests
      env:
        TEST_SUITE: pdk
      run: |
        source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh
        if [[ $KONG_TEST_COVERAGE = true ]]; then
          export PDK_LUACOV=1
        fi
        eval $(perl -I $HOME/perl5/lib/perl5/ -Mlocal::lib)
        prove -I. -r t

    - name: Upload error logs
      if: failure()
      uses: actions/upload-artifact@v4
      with:
        name: PDK-test-errlogs
        path: ${{ env.SPEC_ERRLOG_CACHE_DIR }}
        retention-days: 1

    - name: Archive coverage stats file
      uses: actions/upload-artifact@v4
      if: ${{ always() && (inputs.coverage == true || github.event_name == 'schedule') }}
      with:
        name: luacov-stats-out-${{ github.job }}-${{ github.run_id }}
        retention-days: 1
        path: |
          luacov.stats.out

    - name: Get kernel message
      if: failure()
      run: |
        sudo dmesg -T

  cleanup-and-aggregate-stats:
    needs: [lint-and-doc-tests,pdk-tests,busted-tests]
    name: Cleanup and Luacov stats aggregator
    if: ${{ always() && (inputs.coverage == true || github.event_name == 'schedule') }}
    runs-on: ubuntu-22.04

    steps:
    - name: Checkout source code
      uses: actions/checkout@v4

    - name: Install requirements
      run: |
        sudo apt-get update && sudo apt-get install -y luarocks
        sudo luarocks install luacov
        sudo luarocks install luafilesystem

    # Download all archived coverage stats files
    - uses: actions/download-artifact@v4

    - name: Stats aggregation
      shell: bash
      run: |
        lua .ci/luacov-stats-aggregator.lua "luacov-stats-out-" "luacov.stats.out" ${{ github.workspace }}/
        # The following prints a report with each file sorted by coverage percentage, and the total coverage
        printf "\n\nCoverage File\n\n"
        awk -v RS='Coverage\n-+\n' 'NR>1{print $0}' luacov.report.out | grep -vE "^-|^$" > summary.out
        cat summary.out | grep -v "^Total" | awk '{printf "%7d%% %s\n", $4, $1}' | sort -n
        cat summary.out | grep "^Total" | awk '{printf "%7d%% %s\n", $4, $1}'

================================================
FILE: .github/workflows/buildifier.yml
================================================
name: Buildifier

on:
  pull_request:
    paths:
    - '**/*.bzl'
    - '**/*.bazel'
    - 'BUILD*'
    - 'WORKSPACE*'
  push:
    paths:
    - '**/*.bzl'
    - '**/*.bazel'
    - 'BUILD*'
    - 'WORKSPACE*'
    branches:
    - master
    - release/*

jobs:
  autoformat:
    name: Auto-format and Check
    runs-on: ubuntu-22.04

    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Install Dependencies
        run: |
          sudo wget -O /bin/buildifier https://github.com/bazelbuild/buildtools/releases/download/5.1.0/buildifier-linux-amd64
          sudo chmod +x /bin/buildifier

      - name: Run buildifier
        run: |
          buildifier -mode=fix $(find . -name 'BUILD*' -o -name 'WORKSPACE*' -o -name '*.bzl' -o -name '*.bazel' -type f)

      - name: Verify buildifier
        shell: bash
        run: |
          # From: https://backreference.org/2009/12/23/how-to-match-newlines-in-sed/
          # This is to leverage this workaround:
          # https://github.com/actions/toolkit/issues/193#issuecomment-605394935
          function urlencode() {
            sed ':begin;$!N;s/\n/%0A/;tbegin'
          }
          if [[ $(git diff-index --name-only HEAD --) ]]; then
            for x in $(git diff-index --name-only HEAD --); do
              echo "::error file=$x::Please run buildifier.%0A$(git diff $x | urlencode)"
            done
            echo "${{ github.repository }} is out of style. Please run buildifier."
            exit 1
          fi
          echo "${{ github.repository }} is formatted correctly."

================================================
FILE: .github/workflows/changelog-requirement.yml
================================================
name: Changelog Requirement

on:
  pull_request:
    types: [ opened, synchronize, labeled, unlabeled ]
    paths:
      - 'kong/**'
      - '**.rockspec'
      - '.requirements'
      - 'changelog/**'

jobs:
  require-changelog:
    if: ${{ !contains(github.event.*.labels.*.name, 'skip-changelog') }}
    name: Requires changelog
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Find changelog files
        id: changelog-list
        uses: kong/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf
        with:
          files_yaml: |
            changelogs:
              - 'changelog/unreleased/**/*.yml'
            upper_case:
              - 'CHANGELOG/**'
            numbered:
              - 'changelog/unreleased/**/[0-9]+.yml'

      - name: Check changelog existence
        if: steps.changelog-list.outputs.changelogs_any_changed == 'false'
        run: |
          echo "Changelog file expected but found none. If you believe this PR requires no changelog entry, label it with \"skip-changelog\"."
echo "Refer to https://github.com/Kong/gateway-changelog for format guidelines." exit 1 - name: Check correct case for changelog directory if: steps.changelog-list.outputs.upper_case_any_changed == 'true' run: | echo "Please use \"changelog\" (all lowercase) for changelog modifications." echo "Refer to https://github.com/Kong/gateway-changelog for format guidelines." echo "Bad file(s): ${{ steps.changelog-list.outputs.upper_case_all_changed_files }}" exit 1 - name: Check descriptive filename for changelog entry if: steps.changelog-list.outputs.numbered_any_changed == 'true' run: | echo "Please use short descriptive name for changelog files instead of numbers." echo "E.g. bump_openresty.yml instead of 12345.yml." echo "Refer to https://github.com/Kong/gateway-changelog for format guidelines." echo "Bad file(s): ${{ steps.changelog-list.outputs.numbered_all_changed_files }}" exit 1 - name: Fail when deprecated YAML keys are used run: | for file in ${{ steps.changelog-list.outputs.changelogs_all_changed_files }}; do if grep -q "prs:" $file || grep -q "jiras:" $file; then echo "Please do not include \"prs\" or \"jiras\" keys in new changelogs, put the JIRA number inside commit message and PR description instead." echo "Refer to https://github.com/Kong/gateway-changelog for format guidelines." 
echo "Bad file: $file" exit 1 fi done ================================================ FILE: .github/workflows/changelog-validation.yml ================================================ name: Changelog Validation on: pull_request: types: [ opened, synchronize ] jobs: validate-changelog: name: Validate changelog runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Validate changelogs uses: Kong/gateway-changelog@bc389e6bcc015b3560c4d1024a3782331602a0f6 with: files: changelog/unreleased/*/*.yml ================================================ FILE: .github/workflows/cherry-picks-v2.yml ================================================ name: Cherry Pick to remote repository v2 on: pull_request: types: [closed, labeled] issue_comment: types: [created] permissions: contents: write # so it can comment pull-requests: write # so it can create pull requests and labels jobs: cross-repo-cherrypick: name: Cherry pick to remote repository runs-on: ubuntu-latest # Only run when pull request is merged, or labeled # or when a comment containing `/cherry-pick` is created # and the author is a member, collaborator or owner if: > github.ref == 'refs/heads/master' && ( github.event_name == 'pull_request' && github.event.pull_request.merged ) || ( github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(fromJSON('["MEMBER", "COLLABORATOR", "OWNER"]'), github.event.comment.author_association) && startsWith(github.event.comment.body, '/cherry-pick') ) steps: - uses: actions/checkout@v4 with: token: ${{ secrets.CHERRY_PICK_TOKEN }} - name: Create backport pull requests uses: jschmid1/cross-repo-cherrypick-action@9d2ead0043acba474373992c8175f2b8ffcdb31c #v1.2.0 id: cherry_pick with: token: ${{ secrets.CHERRY_PICK_TOKEN }} pull_title: '[cherry-pick -> ${target_branch}] ${pull_title}' merge_commits: 'skip' trigger_label: 'cherry-pick kong-ee' # trigger based on this label pull_description: |- Automated cherry-pick to `${target_branch}`, triggered by a 
label in https://github.com/${owner}/${repo}/pull/${pull_number} :robot:. ## Original description ${pull_description} upstream_repo: 'kong/kong-ee' branch_map: |- { "master": "master" } - name: add label if: steps.cherry_pick.outputs.was_successful == 'false' uses: Kong/action-add-labels@81b0a07d6b2ec64d770be1ca94c31ec827418054 with: labels: incomplete-cherry-pick ================================================ FILE: .github/workflows/community-stale.yml ================================================ name: Close inactive issues on: schedule: - cron: "30 1 * * *" jobs: close-issues: runs-on: ubuntu-latest permissions: issues: write pull-requests: write steps: - uses: actions/stale@v9 with: days-before-stale: 14 days-before-close: 7 only-labels: "pending author feedback" exempt-pr-labels: "pinned,security" exempt-issue-labels: "pinned,security" stale-issue-label: "stale" stale-issue-message: "This issue is marked as stale because it has been open for 14 days with no activity." close-issue-message: | Dear contributor, We are automatically closing this issue because it has not seen any activity for three weeks. We're sorry that your issue could not be resolved. If any new information comes up that could help resolving it, please feel free to reopen it. Your contribution is greatly appreciated! Please have a look [our pledge to the community](https://github.com/Kong/kong/blob/master/COMMUNITY_PLEDGE.md) for more information. Sincerely, Your Kong Gateway team stale-pr-message: "This PR is marked as stale because it has been open for 14 days with no activity." close-pr-message: | Dear contributor, We are automatically closing this pull request because it has not seen any activity for three weeks. We're sorry that we could not merge it. If you still want to pursure your patch, please feel free to reopen it and address any remaining issues. Your contribution is greatly appreciated! 
Please have a look [our pledge to the community](https://github.com/Kong/kong/blob/master/COMMUNITY_PLEDGE.md) for more information. Sincerely, Your Kong Gateway team repo-token: ${{ secrets.GITHUB_TOKEN }} ================================================ FILE: .github/workflows/copyright-check.yml ================================================ name: Detect Unexpected EE Changes on: pull_request: concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: check-copyright-and-ee-files: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Find Enterprise Copyright shell: bash run: | set -e workflow_file=$(grep -rnl "^name:[[:space:]]*Detect Unexpected EE Changes" .github/workflows/*.yml | head -n1) echo "Detected workflow file: $workflow_file" all_files=$(grep -r -F -l "This software is copyright Kong Inc. and its licensors." .) # ignore this file files=$(echo "$all_files" | grep -v "$workflow_file$" || true) if [ -n "$files" ]; then echo "Error: Enterprise copyright detected in the following files:" echo "$files" exit 1 else echo "No enterprise copyright found." 
fi - name: Get changed EE files id: changed-ee-files uses: kong/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf with: files: | spec-ee/** plugins-ee/** kong/enterprise_edition/** kong/plugins/*-advanced/** changelog/**/*-ee/** - name: Detect EE files if: steps.changed-ee-files.outputs.any_changed == 'true' run: | echo "The following unexpected EE files were detected:" echo "${{ steps.changed-ee-files.outputs.all_changed_files }}" exit 1 ================================================ FILE: .github/workflows/deck-integration.yml ================================================ name: Gateway decK Integration Tests on: pull_request: paths: - 'kong/db/schema/**/*.lua' - 'kong/**/schema.lua' - 'kong/plugins/**/daos.lua' - 'kong/db/dao/*.lua' - 'kong/api/**/*.lua' - '.github/workflows/deck-integration.yml' permissions: pull-requests: write env: LIBRARY_PREFIX: /usr/local/kong TEST_RESULTS_XML_OUTPUT: test-results BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build # cancel previous runs if new commits are pushed to the PR concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true jobs: build: uses: ./.github/workflows/build.yml with: relative-build-root: bazel-bin/build deck-integration: name: Gateway decK integration tests runs-on: ubuntu-22.04 needs: build timeout-minutes: 5 services: postgres: image: postgres:13 env: POSTGRES_USER: kong POSTGRES_DB: kong POSTGRES_HOST_AUTH_METHOD: trust ports: - 5432:5432 options: --health-cmd pg_isready --health-interval 5s --health-timeout 5s --health-retries 8 steps: - name: Install packages run: sudo apt update && sudo apt install -y libyaml-dev valgrind libprotobuf-dev libpam-dev postgresql-client jq - name: Checkout Kong source code uses: actions/checkout@v4 with: submodules: recursive - name: Lookup build cache id: cache-deps uses: actions/cache@v4 with: path: ${{ env.BUILD_ROOT }} key: ${{ needs.build.outputs.cache-key }} - name: Install Kong dev run: make dev - name: 
Tests id: deck_tests env: KONG_TEST_PG_DATABASE: kong KONG_TEST_PG_USER: kong KONG_TEST_DATABASE: postgres run: | mkdir $TEST_RESULTS_XML_OUTPUT source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh bin/busted spec/06-third-party/01-deck -o hjtest -Xoutput $(realpath $TEST_RESULTS_XML_OUTPUT)/report.xml -v ================================================ FILE: .github/workflows/label-check.yml ================================================ name: Pull Request Label Checker on: pull_request: types: [opened, edited, synchronize, labeled, unlabeled] jobs: check-labels: name: prevent merge labels runs-on: ubuntu-latest steps: - name: backport master label found run: echo "Please do not backport into master, instead, create a PR targeting master and backport from it instead."; exit 1 if: ${{ contains(github.event.*.labels.*.name, 'backport master') }} ================================================ FILE: .github/workflows/label-community-pr.yml ================================================ name: Label community PRs on: schedule: - cron: '*/30 * * * *' permissions: pull-requests: write jobs: check_author: runs-on: ubuntu-latest defaults: run: shell: bash steps: - uses: actions/checkout@v4 - name: Label Community PR env: GH_TOKEN: ${{ secrets.COMMUNITY_PRS_TOKEN }} LABEL: "author/community" BOTS: "team-gateway-bot app/dependabot" run: | set +e for id in `gh pr list -S 'draft:false' -s 'open'|awk '{print $1}'` do name=`gh pr view $id --json author -q '.author.login'` ret=`gh api orgs/Kong/members --paginate -q '.[].login'|grep "^${name}$"` if [[ -z $ret && ! 
"${BOTS[@]}" =~ $name ]]; then gh pr edit $id --add-label "${{ env.LABEL }}" else gh pr edit $id --remove-label "${{ env.LABEL }}" fi done ================================================ FILE: .github/workflows/label-schema.yml ================================================ name: Pull Request Schema Labeler on: pull_request: types: [opened, edited, labeled, unlabeled] jobs: schema-change-labels: if: "${{ contains(github.event.*.labels.*.name, 'schema-change-noteworthy') }}" runs-on: ubuntu-latest steps: - name: Schema change label found uses: Kong/action-slack-notify@bd750854aaf93c5c6f69799bf813c40e7786368a # v2_node20 continue-on-error: true env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_SCHEMA_CHANGE }} SLACK_MESSAGE: ${{ github.event.pull_request.title }} SLACK_FOOTER: "<${{ github.server_url }}/${{ github.repository }}/pull/${{ github.event.pull_request.number }}>" ================================================ FILE: .github/workflows/labeler-v2.yml ================================================ name: "Pull Request Labeler v2" on: - pull_request jobs: labeler: if: ${{ !github.event.pull_request.head.repo.fork }} permissions: contents: read pull-requests: write runs-on: ubuntu-latest steps: - uses: actions/labeler@v5 ================================================ FILE: .github/workflows/openresty-patches-companion.yml ================================================ name: Openresty patches review companion on: pull_request: paths: - 'build/openresty/patches/**' jobs: create-pr: runs-on: ubuntu-latest steps: - name: Dispatch the workflow if: ${{ github.repository_owner == 'Kong' }} uses: benc-uk/workflow-dispatch@25b02cc069be46d637e8fe2f1e8484008e9e9609 # v1 with: workflow: create-pr.yml repo: kong/openresty-patches-review ref: master token: ${{ secrets.PAT }} inputs: | {"pr-branch":"${{ github.event.pull_request.head.repo.owner.login }}:${{ github.head_ref }}", "pr-base":"${{ github.base_ref }}", "ee":${{ contains(github.repository, 'kong-ee') && 'true' 
|| 'false' }}, "pr-id":"${{ github.event.pull_request.number }}"} ================================================ FILE: .github/workflows/perf.yml ================================================ name: Performance Test on: pull_request: schedule: # don't know the timezone but it's daily at least - cron: '0 7 * * *' env: terraform_version: '1.2.4' HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build # only for pr GHA_CACHE: ${{ github.event_name == 'pull_request' }} jobs: build-packages: name: Build dependencies runs-on: ubuntu-22.04 if: | github.event_name == 'schedule' || (github.event_name == 'pull_request' && startsWith(github.event.pull_request.title, 'perf(')) || (github.event_name == 'issue_comment' && github.event.action == 'created' && github.event.issue.pull_request && contains('["OWNER", "COLLABORATOR", "MEMBER"]', github.event.comment.author_association) && (startsWith(github.event.comment.body, '/perf') || startsWith(github.event.comment.body, '/flamegraph')) ) outputs: cache-key: ${{ steps.cache-key.outputs.cache-key }} steps: - name: Checkout Kong source code uses: actions/checkout@v4 - name: Generate cache key id: cache-key uses: ./.github/actions/build-cache-key with: prefix: perf - name: Lookup build cache id: cache-deps uses: actions/cache@v4 with: path: ${{ env.BUILD_ROOT }} key: ${{ steps.cache-key.outputs.cache-key }} - name: Install packages if: steps.cache-deps.outputs.cache-hit != 'true' run: sudo apt update && sudo apt install libyaml-dev valgrind libprotobuf-dev - name: Build Kong if: steps.cache-deps.outputs.cache-hit != 'true' env: GH_TOKEN: ${{ github.token }} run: | make build-kong BUILD_PREFIX=$BUILD_ROOT/kong-dev export PATH="$BUILD_PREFIX/bin:$BUILD_PREFIX/openresty/nginx/sbin:$BUILD_PREFIX/openresty/bin:$PATH" chmod +rw -R $BUILD_PREFIX nginx -V ldd 
$(which nginx) luarocks - name: Bazel Outputs uses: actions/upload-artifact@v4 if: failure() with: name: bazel-outputs path: | bazel-out/_tmp/actions retention-days: 3 - name: Build Dev Kong dependencies if: steps.cache-deps.outputs.cache-hit != 'true' run: | make install-dev-rocks perf: name: RPS, latency and flamegraphs runs-on: ubuntu-22.04 needs: build-packages permissions: # required to send comment of graphs and results in the PR pull-requests: write if: | github.event_name == 'schedule' || (github.event_name == 'pull_request' && startsWith(github.event.pull_request.title, 'perf(')) || (github.event_name == 'issue_comment' && github.event.action == 'created' && github.event.issue.pull_request && contains('["OWNER", "COLLABORATOR", "MEMBER"]', github.event.comment.author_association) && (startsWith(github.event.comment.body, '/perf') || startsWith(github.event.comment.body, '/flamegraph')) ) # perf test can only run one at a time per repo for now concurrency: group: perf-ce steps: # set up mutex across CE and EE to avoid resource race - name: Set up mutex uses: ben-z/gh-action-mutex@9709ba4d8596ad4f9f8bbe8e0f626ae249b1b3ac # v1.0-alpha-6 with: repository: "Kong/kong-perf-mutex-lock" branch: "gh-mutex" repo-token: ${{ secrets.PAT }} - name: Checkout Kong source code uses: actions/checkout@v4 with: # Fetch all history for all tags and branches fetch-depth: 0 - name: Load Cached Packages id: cache-deps if: env.GHA_CACHE == 'true' uses: actions/cache@v4 with: path: ${{ env.BUILD_ROOT }} key: ${{ needs.build-packages.outputs.cache-key }} - name: Install performance test Dependencies run: | # in Kong repository sudo apt update && sudo apt install inkscape -y # terraform! 
        wget https://releases.hashicorp.com/terraform/${{ env.terraform_version }}/terraform_${{ env.terraform_version }}_linux_amd64.zip
        unzip terraform_${{ env.terraform_version }}_linux_amd64.zip
        sudo mv terraform /usr/bin/

    - name: Choose perf suites
      id: choose_perf
      env:
        COMMENT_BODY: ${{ github.event.comment.body }}
      run: |
        suites="$(printf '%s' "$COMMENT_BODY" | awk '{print $1}')"
        tags="$(printf '%s' "$COMMENT_BODY" | awk '{print $2}')"

        # the first word of the comment is stored in $suites; compare that variable
        if [[ $suites == "/flamegraph" ]]; then
          suites="02-flamegraph"
          if [[ -z $tags ]]; then
            tags="simple"
          fi
        elif [[ $suites == "/perf" ]]; then
          suites="01-rps"
          if [[ -z $tags ]]; then
            tags="baseline,single_route"
          fi
        else
          # if not specified by comment, run both
          suites="01-rps 02-flamegraph"
          if [[ -z $tags ]]; then
            tags="baseline,single_route,simple"
          fi
        fi

        echo "suites=$suites" >> $GITHUB_OUTPUT
        echo "tags=$tags" >> $GITHUB_OUTPUT

    - uses: xt0rted/pull-request-comment-branch@d97294d304604fa98a2600a6e2f916a84b596dc7 # v1.4.1
      id: comment-branch
      if: github.event_name == 'issue_comment' && github.event.action == 'created'

    - name: Find compared versions
      id: compare_versions
      env:
        PR_BASE_REF: ${{ github.event.pull_request.base.ref }}
        # github.head_ref is contributor-controlled; pass it through env instead of expanding it inside the script
        PR_HEAD_REF: ${{ github.head_ref }}
        COMMENT_BODY: ${{ github.event.comment.body }}
      run: |
        pr_ref=$(echo "$PR_BASE_REF")
        custom_vers="$(printf '%s' "$COMMENT_BODY" | awk '{print $3}')"

        if [[ ! -z "${pr_ref}" ]]; then
          vers="git:${PR_HEAD_REF},git:${pr_ref}"
        elif [[ ! -z "${custom_vers}" ]]; then
          vers="${custom_vers}"
        elif [[ !
-z "$COMMENT_BODY" ]]; then vers="git:${{ steps.comment-branch.outputs.head_ref}},git:${{ steps.comment-branch.outputs.base_ref}}" else # is cron job/on master vers="git:master,git:origin/master~10,git:origin/master~50" fi echo $vers echo "vers=$vers" >> $GITHUB_OUTPUT - name: Run Tests env: PERF_TEST_VERSIONS: ${{ steps.compare_versions.outputs.vers }} PERF_TEST_DRIVER: terraform PERF_TEST_TERRAFORM_PROVIDER: bring-your-own PERF_TEST_BYO_KONG_IP: ${{ secrets.PERF_TEST_BYO_KONG_IP }} PERF_TEST_BYO_WORKER_IP: ${{ secrets.PERF_TEST_BYO_WORKER_IP }} PERF_TEST_BYO_SSH_USER: gha PERF_TEST_USE_DAILY_IMAGE: true PERF_TEST_DISABLE_EXEC_OUTPUT: true timeout-minutes: 180 run: | export PERF_TEST_BYO_SSH_KEY_PATH=$(pwd)/ssh_key echo "${{ secrets.PERF_TEST_BYO_SSH_KEY }}" > ${PERF_TEST_BYO_SSH_KEY_PATH} chmod 600 ${PERF_TEST_BYO_SSH_KEY_PATH} # setup tunnel for psql and admin port ssh -o StrictHostKeyChecking=no -o TCPKeepAlive=yes -o ServerAliveInterval=10 \ -o ExitOnForwardFailure=yes -o ConnectTimeout=5 \ -L 15432:localhost:5432 -L 39001:localhost:39001 \ -i ${PERF_TEST_BYO_SSH_KEY_PATH} \ ${PERF_TEST_BYO_SSH_USER}@${PERF_TEST_BYO_KONG_IP} tail -f /dev/null & sleep 5 sudo iptables -t nat -I OUTPUT -p tcp --dport 5432 -d ${PERF_TEST_BYO_KONG_IP} -j DNAT --to 127.0.0.1:15432 sudo iptables -t nat -I OUTPUT -p tcp --dport 39001 -d ${PERF_TEST_BYO_KONG_IP} -j DNAT --to 127.0.0.1:39001 make dev # required to install other dependencies like bin/grpcurl source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh for suite in ${{ steps.choose_perf.outputs.suites }}; do # Run each test individually, ngx.pipe doesn't like to be imported twice # maybe bin/busted --no-auto-insulate for f in $(find "spec/04-perf/$suite/" -type f); do bin/busted "$f" \ -t "${{ steps.choose_perf.outputs.tags }}" done done - name: Teardown # Note: by default each job has if: ${{ success() }} if: always() env: PERF_TEST_VERSIONS: git:${{ github.sha }} PERF_TEST_DRIVER: terraform PERF_TEST_TERRAFORM_PROVIDER: bring-your-own 
        PERF_TEST_BYO_KONG_IP: ${{ secrets.PERF_TEST_BYO_KONG_IP }}
        PERF_TEST_BYO_WORKER_IP: ${{ secrets.PERF_TEST_BYO_WORKER_IP }}
        PERF_TEST_BYO_SSH_USER: gha
        PERF_TEST_TEARDOWN_ALL: true
      run: |
        export PERF_TEST_BYO_SSH_KEY_PATH=$(pwd)/ssh_key
        echo "${{ secrets.PERF_TEST_BYO_SSH_KEY }}" > ${PERF_TEST_BYO_SSH_KEY_PATH}

        make dev # required to install other dependencies like bin/grpcurl
        source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh
        bin/busted spec/04-perf/99-teardown/

        rm -f ${PERF_TEST_BYO_SSH_KEY_PATH}

    - name: Generate high DPI graphs
      if: always()
      run: |
        for i in $(ls output/*.svg); do
          inkscape --export-area-drawing --export-png="${i%.*}.png" --export-dpi=300 -b FFFFFF $i
        done

    - uses: actions/setup-python@v5
      with:
        python-version: '3.10'
        cache: 'pip'

    - name: Generate plots
      if: always()
      run: |
        cwd=$(pwd)
        cd spec/helpers/perf/charts/
        pip install -r requirements.txt
        for i in $(ls ${cwd}/output/*.data.json); do
          python ./charts.py $i -o "${cwd}/output/"
        done

    - name: Save results
      uses: actions/upload-artifact@v3
      if: always()
      with:
        name: perf-results
        path: |
          output/
          !output/**/*.log
        retention-days: 31

    - name: Save error logs
      uses: actions/upload-artifact@v3
      if: always()
      with:
        name: error_logs
        path: |
          output/**/*.log
        retention-days: 31

    - name: Output
      if: always()
      id: output
      run: |
        if [[ "${{ steps.choose_perf.outputs.suites }}" =~ "02-flamegraph" ]]; then
          result="Please see Github Actions artifacts for flamegraphs.
          "
        fi

        result="${result}$(cat output/result.txt)" || true

        # https://github.community/t/set-output-truncates-multiline-strings/16852/2
        result="${result//'%'/'%25'}"
        result="${result//$'\n'/'%0A'}"
        result="${result//$'\r'/'%0D'}"

        # the accumulated text lives in $result
        echo "result=$result" >> $GITHUB_OUTPUT

    - name: Upload charts
      if: always()
      id: charts
      uses: devicons/public-upload-to-imgur@352cf5f2805c692539a96cfe49a09669e6fca88e # v2.2.2
      continue-on-error: true
      with:
        path: output/*.png
        client_id: ${{ secrets.PERF_TEST_IMGUR_CLIENT_ID }}

    - name: Comment
      if: |
        github.event_name == 'pull_request' ||
        (github.event_name == 'issue_comment' && github.event.issue.pull_request)
      uses: actions-ecosystem/action-create-comment@e23bc59fbff7aac7f9044bd66c2dc0fe1286f80b # v1.0.0
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        body: |
          ## :rocket: Performance test result

          **Test Suite**: ${{ steps.choose_perf.outputs.suites }} (${{ steps.choose_perf.outputs.tags }})

          ${{ join(fromJSON(steps.charts.outputs.markdown_urls), ' ') }}
          Click to expand

          ```
          ${{ steps.output.outputs.result }}

          Kong error logs are also available in Github Actions artifacts.
          ```
[Download Artifacts](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) for detailed results and interactive SVG flamegraphs. ================================================ FILE: .github/workflows/release.yml ================================================ name: Package & Release # The workflow to build and release official Kong packages and images. on: # yamllint disable-line rule:truthy pull_request: paths-ignore: - '**/*.md' - 'COPYRIGHT' - 'LICENSE' - '.github/workflows/build_and_test.yml' - 'changelog/**' - 'kong.conf.default' schedule: - cron: '0 0 * * *' push: branches: - master workflow_dispatch: inputs: official: description: 'Official release?' required: true type: boolean default: false version: description: 'Release version, e.g. `3.0.0.0-beta.2`' required: true type: string # `commit-ly` is a flag that indicates whether the build should be run per commit. env: # official release repo DOCKER_ORGANIZATION: kong DOCKER_REPOSITORY: kong/kong PRERELEASE_DOCKER_REPOSITORY: kong/kong-dev FULL_RELEASE: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.actor == 'dependabot[bot]'}} # only for PR GHA_CACHE: ${{ github.event_name == 'pull_request' }} # PRs opened from fork and from dependabot don't have access to repo secrets HAS_ACCESS_TO_GITHUB_TOKEN: ${{ github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') }} jobs: metadata: name: Metadata runs-on: ubuntu-24.04 outputs: kong-version: ${{ steps.build-info.outputs.kong-version }} prerelease-docker-repository: ${{ env.PRERELEASE_DOCKER_REPOSITORY }} docker-repository: ${{ steps.build-info.outputs.docker-repository }} release-desc: ${{ steps.build-info.outputs.release-desc }} release-label: ${{ steps.build-info.outputs.release-label || '' }} deploy-environment: ${{ steps.build-info.outputs.deploy-environment }} matrix: ${{ 
steps.build-info.outputs.matrix }} arch: ${{ steps.build-info.outputs.arch }} # use github.event.pull_request.head.sha instead of github.sha on a PR, as github.sha on PR is the merged commit (temporary commit) commit-sha: ${{ github.event.pull_request.head.sha || github.sha }} steps: - uses: actions/checkout@v4 - name: Build Info id: build-info run: | KONG_VERSION=$(bash scripts/grep-kong-version.sh) echo "kong-version=$KONG_VERSION" >> $GITHUB_OUTPUT if [ "${{ github.event_name == 'schedule' }}" == "true" ]; then echo "release-label=$(date -u +'%Y%m%d')" >> $GITHUB_OUTPUT fi matrix_file=".github/matrix-commitly.yml" if [ "$FULL_RELEASE" == "true" ]; then matrix_file=".github/matrix-full.yml" fi if [ "${{ github.event.inputs.official }}" == "true" ]; then release_desc="$KONG_VERSION (official)" echo "docker-repository=$DOCKER_REPOSITORY" >> $GITHUB_OUTPUT echo "deploy-environment=release" >> $GITHUB_OUTPUT else release_desc="$KONG_VERSION (pre-release)" echo "docker-repository=$PRERELEASE_DOCKER_REPOSITORY" >> $GITHUB_OUTPUT fi echo "release-desc=$release_desc" >> $GITHUB_OUTPUT echo "matrix=$(yq -I=0 -o=json $matrix_file)" >> $GITHUB_OUTPUT echo "docker-test-image=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.event.pull_request.head.sha || github.sha }}" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT echo "### :package: Building and packaging for $release_desc" >> $GITHUB_STEP_SUMMARY echo >> $GITHUB_STEP_SUMMARY echo '- event_name: ${{ github.event_name }}' >> $GITHUB_STEP_SUMMARY echo '- ref_name: ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY echo '- inputs.version: ${{ github.event.inputs.version }}' >> $GITHUB_STEP_SUMMARY echo >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY cat $GITHUB_OUTPUT >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY build-packages: needs: metadata name: Build & Package - ${{ matrix.label }} environment: ${{ needs.metadata.outputs.deploy-environment }} strategy: fail-fast: false matrix: include: "${{ 
fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}" runs-on: ubuntu-24.04 container: image: ${{ matrix.image }} options: --privileged steps: - name: Early Rpm Setup if: matrix.package == 'rpm' && matrix.image != '' run: | # tar/gzip is needed to restore git cache (if available) yum install -y tar gzip which file zlib-devel - name: Early Deb in Container Setup if: matrix.package == 'deb' && matrix.image != '' run: | # tar/gzip is needed to restore git cache (if available) apt-get update apt-get install -y git tar gzip file sudo - name: Cache Git id: cache-git if: (matrix.package == 'rpm') && matrix.image != '' uses: actions/cache@v4 with: path: /usr/local/git key: ${{ matrix.label }}-git-2.41.0 # el-7,8, amazonlinux-2,2023 doesn't have git 2.18+, so we need to install it manually - name: Install newer Git if: (matrix.package == 'rpm') && matrix.image != '' && steps.cache-git.outputs.cache-hit != 'true' run: | if which apt 2>/dev/null; then apt update apt install -y wget libz-dev libssl-dev libcurl4-gnutls-dev libexpat1-dev gettext make gcc autoconf sudo else yum update -y yum groupinstall -y 'Development Tools' yum install -y wget zlib-devel openssl-devel curl-devel expat-devel gettext-devel perl-CPAN perl-devel fi wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-2.41.0.tar.gz tar xf git-2.41.0.tar.gz cd git-2.41.0 make configure ./configure --prefix=/usr/local/git make -j$(nproc) make install - name: Add Git to PATH if: (matrix.package == 'rpm') && matrix.image != '' run: | echo "/usr/local/git/bin" >> $GITHUB_PATH - name: Checkout Kong source code uses: actions/checkout@v4 - name: Swap git with https run: git config --global url."https://github".insteadOf git://github - name: Generate build cache key id: cache-key if: env.GHA_CACHE == 'true' uses: ./.github/actions/build-cache-key with: prefix: ${{ matrix.label }}-build extra: | ${{ hashFiles('kong/**') }} - name: Cache Packages id: cache-deps if: env.GHA_CACHE == 'true' uses: 
actions/cache@v4 with: path: bazel-bin/pkg key: ${{ steps.cache-key.outputs.cache-key }} - name: Set .requirements into environment variables run: | grep -v '^#' .requirements >> $GITHUB_ENV - name: Setup Bazel uses: bazel-contrib/setup-bazel@e403ad507104847c3539436f64a9e9eecc73eeec #0.8.5 with: bazelisk-version: "1.20.0" # Avoid downloading Bazel every time. bazelisk-cache: true - name: Install Deb Dependencies if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' run: | sudo apt-get update && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \ automake \ build-essential \ curl \ file \ libyaml-dev \ m4 \ perl \ pkg-config \ unzip \ zlib1g-dev - name: Install Ubuntu Cross Build Dependencies (arm64) if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' && endsWith(matrix.label, 'arm64') run: | sudo apt-get install crossbuild-essential-arm64 -y - name: Install Rpm Dependencies if: matrix.package == 'rpm' && matrix.image != '' run: | yum groupinstall -y 'Development Tools' dnf install -y 'dnf-command(config-manager)' dnf config-manager --set-enabled powertools || true # enable devel packages on rockylinux:8 dnf config-manager --set-enabled crb || true # enable devel packages on rockylinux:9 yum install -y libyaml-devel yum install -y cpanminus || (yum install -y perl && curl -L https://raw.githubusercontent.com/miyagawa/cpanminus/master/cpanm | perl - App::cpanminus) # amazonlinux2023 removed cpanminus # required for openssl 3.x config cpanm IPC/Cmd.pm - name: Build Kong dependencies if: steps.cache-deps.outputs.cache-hit != 'true' env: GH_TOKEN: ${{ github.token }} run: | bazel build --config release //build:kong --verbose_failures ${{ matrix.bazel-args }} - name: Package Kong - ${{ matrix.package }} if: matrix.package != 'rpm' && steps.cache-deps.outputs.cache-hit != 'true' run: | bazel build --config release :kong_${{ matrix.package }} --verbose_failures ${{ matrix.bazel-args }} - name: Package Kong - rpm if: 
matrix.package == 'rpm' && steps.cache-deps.outputs.cache-hit != 'true' env: RELEASE_SIGNING_GPG_KEY: ${{ secrets.RELEASE_SIGNING_GPG_KEY }} NFPM_RPM_PASSPHRASE: ${{ secrets.RELEASE_SIGNING_GPG_KEY_PASSPHRASE }} run: | if [ -n "${RELEASE_SIGNING_GPG_KEY:-}" ]; then RPM_SIGNING_KEY_FILE=$(mktemp) echo "$RELEASE_SIGNING_GPG_KEY" > $RPM_SIGNING_KEY_FILE export RPM_SIGNING_KEY_FILE=$RPM_SIGNING_KEY_FILE fi bazel build --config release :kong_${{ matrix.package-type }} --action_env=RPM_SIGNING_KEY_FILE --action_env=NFPM_RPM_PASSPHRASE ${{ matrix.bazel-args }} - name: Bazel Debug Outputs if: failure() run: | cat bazel-out/_tmp/actions/stderr-* sudo dmesg || true tail -n500 bazel-out/**/*/CMake.log || true - name: Upload artifacts uses: actions/upload-artifact@v4 with: name: ${{ matrix.label }}-packages path: bazel-bin/pkg retention-days: 3 verify-manifest-packages: needs: [metadata, build-packages] name: Verify Manifest - Package ${{ matrix.label }} runs-on: ubuntu-24.04 strategy: fail-fast: false matrix: include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-packages'] }}" steps: - uses: actions/checkout@v4 - name: Download artifact uses: actions/download-artifact@v4 with: name: ${{ matrix.label }}-packages path: bazel-bin/pkg - name: Install Python uses: actions/setup-python@v5 with: python-version: '3.11' cache: 'pip' # caching pip dependencies - name: Verify run: | cd scripts/explain_manifest pip install -r requirements.txt pkg=$(ls ../../bazel-bin/pkg/kong* |head -n1) python ./main.py -f filelist.txt -p $pkg -o test.txt -s ${{ matrix.check-manifest-suite }} build-images: name: Build Images - ${{ matrix.label }} needs: [metadata, build-packages] runs-on: ubuntu-24.04 permissions: # create comments on commits for docker images needs the `write` permission contents: write strategy: fail-fast: false matrix: include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}" steps: - uses: actions/checkout@v4 - name: Download artifact uses: 
actions/download-artifact@v4 with: name: ${{ matrix.artifact-from }}-packages path: bazel-bin/pkg - name: Download artifact (alt) if: matrix.artifact-from-alt != '' uses: actions/download-artifact@v4 with: name: ${{ matrix.artifact-from-alt }}-packages path: bazel-bin/pkg - name: Login to Docker Hub if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }} uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0 with: username: ${{ env.DOCKER_ORGANIZATION }} password: ${{ secrets.DOCKER_OAT_PUSH }} - name: Docker meta id: meta uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 env: DOCKER_METADATA_PR_HEAD_SHA: true with: images: ${{ needs.metadata.outputs.prerelease-docker-repository }} tags: | type=raw,${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }} type=raw,enable=${{ matrix.label == 'ubuntu' }},${{ needs.metadata.outputs.commit-sha }} - name: Set up QEMU if: matrix.docker-platforms != '' uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 - name: Set platforms id: docker_platforms_arg run: | platforms="${{ matrix.docker-platforms }}" if [[ -z "$platforms" ]]; then platforms="linux/amd64" fi echo "platforms=$platforms" echo "platforms=$platforms" >> $GITHUB_OUTPUT - name: Set rpm platform id: docker_rpm_platform_arg if: matrix.package == 'rpm' run: | rpm_platform="${{ matrix.rpm_platform }}" if [[ -z "$rpm_platform" ]]; then rpm_platform="el9" fi echo "rpm_platform=$rpm_platform" echo "rpm_platform=$rpm_platform" >> $GITHUB_OUTPUT - name: Build Docker Image uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: file: build/dockerfiles/${{ matrix.package }}.Dockerfile context: . 
        push: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        platforms: ${{ steps.docker_platforms_arg.outputs.platforms }}
        build-args: |
          KONG_BASE_IMAGE=${{ matrix.base-image }}
          KONG_ARTIFACT_PATH=bazel-bin/pkg
          KONG_VERSION=${{ needs.metadata.outputs.kong-version }}
          RPM_PLATFORM=${{ steps.docker_rpm_platform_arg.outputs.rpm_platform }}
          EE_PORTS=8002 8445 8003 8446 8004 8447

    - name: Comment on commit
      if: github.event_name == 'push' && matrix.label == 'ubuntu'
      uses: peter-evans/commit-comment@5a6f8285b8f2e8376e41fe1b563db48e6cf78c09 # v3.0.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        body: |
          ### Bazel Build
          Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}`
          Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

  verify-manifest-images:
    needs: [metadata, build-images]
    name: Verify Manifest - Image ${{ matrix.label }}
    runs-on: ubuntu-24.04
    if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')

    strategy:
      fail-fast: false
      matrix:
        include: "${{ fromJSON(needs.metadata.outputs.matrix)['build-images'] }}"

    steps:
    - uses: actions/checkout@v4

    - name: Install Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'
        cache: 'pip' # caching pip dependencies

    - name: Verify
      run: |
        cd scripts/explain_manifest
        # docker image verify requires sudo to set correct permissions, so we
        # also install deps for root
        sudo -E pip install -r requirements.txt
        IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}

        sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image

        if [[ ! -z "${{ matrix.docker-platforms }}" ]]; then
          DOCKER_DEFAULT_PLATFORM=linux/arm64 sudo -E python ./main.py --image $IMAGE -f docker_image_filelist.txt -s docker-image
        fi

  scan-images:
    name: Scan Images - ${{ matrix.label }}
    needs: [metadata, build-images]
    runs-on: ubuntu-24.04
    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
    if: |-
      always() &&
      vars.DISABLE_SCA_SCAN == 'false' &&
      fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != '' &&
      needs.build-images.result == 'success' &&
      (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))

    strategy:
      fail-fast: false
      matrix:
        include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}"

    env:
      IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}

    steps:
    - name: Install regctl
      uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183

    - name: Login to Docker Hub
      if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }}
      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0
      with:
        username: ${{ env.DOCKER_ORGANIZATION }}
        password: ${{ secrets.DOCKER_OAT_PUSH }}

    # TODO: Refactor matrix file to support and parse platforms specific to distro
    # Workaround: Look for specific amd64 and arm64 hardcoded architectures
    - name: Parse Architecture Specific Image Manifest Digests
      id: image_manifest_metadata
      run: |
        manifest_list_exists="$(
          if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
            echo true
          else
            echo false
          fi
        )"
        echo "manifest_list_exists=$manifest_list_exists"
        echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT

        amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
        arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
        echo "amd64_sha=$amd64_sha"
        echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
        echo "arm64_sha=$arm64_sha"
        echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT

    - name: Scan AMD64 Image digest
      id: sbom_action_amd64
      if: steps.image_manifest_metadata.outputs.amd64_sha != ''
      uses: Kong/public-shared-actions/security-actions/scan-docker-image@a5b1cfac7d55d8cf9390456a1e6799425e28840d # v4.0.1
      with:
        asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-amd64
        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
        skip_cis_scan: true # FIXME

    - name: Scan ARM64 Image digest
      if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
      id: sbom_action_arm64
      uses: Kong/public-shared-actions/security-actions/scan-docker-image@a5b1cfac7d55d8cf9390456a1e6799425e28840d # v4.0.1
      with:
        asset_prefix: kong-${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}-linux-arm64
        image: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
        skip_cis_scan: true # FIXME

  release-packages:
    name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }}
    needs: [metadata, build-packages, build-images]
    runs-on: ubuntu-24.04
    if: fromJSON(needs.metadata.outputs.matrix)['release-packages'] != ''
    timeout-minutes: 5 # PULP takes a while to publish
    environment: release

    strategy:
      # limit to 3 jobs at a time
      max-parallel: 3
      fail-fast: false
      matrix:
        include: "${{ fromJSON(needs.metadata.outputs.matrix)['release-packages'] }}"

    steps:
    - uses: actions/checkout@v4

    - name: Download artifact
      uses: actions/download-artifact@v4
      with:
        name: ${{ matrix.artifact-from }}-packages
        path: bazel-bin/pkg

    - name: Set package architecture
      id: pkg-arch
      run: |
        arch='amd64'
        if [[ '${{ matrix.label }}' == *'arm64' ]]; then
          arch='arm64'
        fi
        echo "arch=$arch"
        echo "arch=$arch" >> $GITHUB_OUTPUT

    - name: Upload Packages
      env:
        ARCHITECTURE: ${{ steps.pkg-arch.outputs.arch }}
        OFFICIAL_RELEASE: ${{ github.event.inputs.official }}
        ARTIFACT_VERSION: ${{ matrix.artifact-version }}
        ARTIFACT_TYPE: ${{ matrix.artifact-type }}
        ARTIFACT: ${{ matrix.artifact }}
        INPUT_VERSION: ${{ github.event.inputs.version }}
        PACKAGE_TYPE: ${{ matrix.package }}
        KONG_RELEASE_LABEL: ${{ needs.metadata.outputs.release-label }}
        VERBOSE: ${{ runner.debug == '1' && '1' || '' }}
        CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
        CLOUDSMITH_DRY_RUN: ''
        IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}
        USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}
      run: |
        sha256sum bazel-bin/pkg/*

        # set the version input as tags passed to release-scripts
        # note: release-scripts rejects user tags if missing internal flag
        #
        # this can be a comma-separated list of tags to apply
        if [[ "$OFFICIAL_RELEASE" == 'false' ]]; then
          if echo "$INPUT_VERSION" | grep -qs -E 'rc|alpha|beta|nightly'; then
            PACKAGE_TAGS="$INPUT_VERSION"
            export PACKAGE_TAGS
          fi
        fi

        scripts/release-kong.sh

  release-images:
    name: Release Images - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }}
    needs: [metadata, build-images]
    runs-on: ubuntu-24.04
    if: fromJSON(needs.metadata.outputs.matrix)['release-images'] != ''

    strategy:
      # limit to 3 jobs at a time
      max-parallel: 3
      fail-fast: false
      matrix:
        include: "${{ fromJSON(needs.metadata.outputs.matrix)['release-images'] }}"

    steps:
    - name: Login to Docker Hub
      if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}
      uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v2.1.0
      with:
        username: ${{ env.DOCKER_ORGANIZATION }}
        password: ${{ secrets.DOCKER_OAT_PUSH }}

    - uses: actions/checkout@v4

    - name: Get latest commit SHA on master
      run: |
        echo "latest_sha=$(git ls-remote origin -h refs/heads/master | cut -f1)" >> $GITHUB_ENV

    - name: Docker meta
      id: meta
      uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
      with:
        images: ${{ needs.metadata.outputs.docker-repository }}
        sep-tags: " "
        tags: |
          type=raw,value=latest,enable=${{ matrix.label == 'ubuntu' && github.ref_name == 'master' && env.latest_sha == needs.metadata.outputs.commit-sha }}
          type=match,enable=${{ github.event_name == 'workflow_dispatch' }},pattern=^\d+\.\d+,value=${{ github.event.inputs.version }}
          type=match,enable=${{ github.event_name == 'workflow_dispatch' && matrix.label == 'ubuntu' }},pattern=^\d+\.\d+,value=${{ github.event.inputs.version }},suffix=
          type=raw,enable=${{ github.event_name == 'workflow_dispatch' }},${{ github.event.inputs.version }}
          type=raw,enable=${{ github.event_name == 'workflow_dispatch' && matrix.label == 'ubuntu' }},${{ github.event.inputs.version }},suffix=
          type=ref,event=branch
          type=ref,enable=${{ matrix.label == 'ubuntu' }},event=branch,suffix=
          type=ref,event=tag
          type=ref,enable=${{ matrix.label == 'ubuntu' }},event=tag,suffix=
          type=ref,event=pr
          type=schedule,pattern=nightly
          type=schedule,enable=${{ matrix.label == 'ubuntu' }},pattern=nightly,suffix=
          type=schedule,pattern={{date 'YYYYMMDD'}}
          type=schedule,enable=${{ matrix.label == 'ubuntu' }},pattern={{date 'YYYYMMDD'}},suffix=
        flavor: |
          latest=false
          suffix=-${{ matrix.label }}

    - name: Install regctl
      uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc

    - name: Push Images
      if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN == 'true' }}
      env:
        TAGS: "${{ steps.meta.outputs.tags }}"
      run: |
        PRERELEASE_IMAGE=${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ needs.metadata.outputs.commit-sha }}-${{ matrix.label }}
        docker pull $PRERELEASE_IMAGE
        for tag in $TAGS; do
          regctl -v debug image copy $PRERELEASE_IMAGE $tag
        done

================================================
FILE: .github/workflows/update-ngx-wasm-module.yml
================================================
name: Update ngx_wasm_module dependency

on:
  workflow_dispatch:
  schedule:
    # run weekly
    - cron: '0 0 * * 0'

jobs:
  update:
    runs-on: ubuntu-22.04

    permissions:
      # required to create a branch and push commits
      contents: write
      # required to open a PR for updates
      pull-requests: write

    steps:
      - name: Checkout Kong source code
        uses: actions/checkout@v4
        with:
          ref: master

      - name: Detect current version of NGX_WASM_MODULE in .requirements
        id: check-kong
        run: |
          SHA=$(sed -nre 's/^NGX_WASM_MODULE=([^ ]+) .*/\1/p' < .requirements)
          echo "sha=$SHA" | tee -a "$GITHUB_OUTPUT"

      - name: Check Kong/ngx_wasm_module HEAD
        id: check-repo
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          SHA=$(gh api repos/Kong/ngx_wasm_module/commits/main --jq '.sha')
          echo "sha=$SHA" | tee -a "$GITHUB_OUTPUT"

      - name: Update .requirements and create a pull request
        if: steps.check-kong.outputs.sha != steps.check-repo.outputs.sha
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          FROM: ${{ steps.check-kong.outputs.sha }}
          TO: ${{ steps.check-repo.outputs.sha }}
        run: |
          set -x
          gh auth status
          gh auth setup-git

          # masquerade as dependabot for the purposes of this commit/PR
          git config --global user.email \
            "49699333+dependabot[bot]@users.noreply.github.com"
          git config --global user.name "dependabot[bot]"

          readonly BRANCH=chore/deps-bump-ngx-wasm-module
          if gh api repos/Kong/kong/branches/"$BRANCH"; then
            echo "branch ($BRANCH) already exists, exiting"
            exit 1
          fi

          EXISTING_PRS=$(
            gh pr list \
              --json id \
              --head "$BRANCH" \
            | jq '.[]'
          )

          if [[ -n ${EXISTING_PRS:-} ]]; then
            echo "existing PR for $BRANCH already exists, exiting"
            echo "$EXISTING_PRS"
            exit 1
          fi

          git switch --create "$BRANCH"

          sed -i \
            -re "s/^NGX_WASM_MODULE=.*/NGX_WASM_MODULE=$TO/" \
            .requirements

          git add .requirements

          # create or update changelog file
          readonly CHANGELOG_FILE=changelog/unreleased/kong/bump-ngx-wasm-module.yml
          {
            printf 'message: "Bumped `ngx_wasm_module` to `%s`"\n' "$TO"
            printf 'type: dependency\n'
          } > "$CHANGELOG_FILE"

          git add "$CHANGELOG_FILE"

          gh api repos/Kong/ngx_wasm_module/compare/"$FROM...$TO" \
            --jq '.commits | reverse | .[] | {
                sha: .sha[0:7],
                url: .html_url,
                message: ( .commit.message | split("\n") | .[0] )
              }' \
            > commits.json

          # craft commit message
          readonly HEADER="chore(deps): bump ngx_wasm_module to $TO"
          {
            printf '%s\n\nChanges since %s:\n\n' \
              "$HEADER" "$FROM"

            jq -r '"* \(.sha) - \(.message)"' \
              < commits.json
          } > commit.txt

          git commit --file commit.txt
          git push origin HEAD

          # craft PR body
          {
            printf '## Changelog `%s...%s`\n\n' \
              "${FROM:0:7}" "${TO:0:7}"

            printf '[Compare on GitHub](%s/compare/%s...%s)\n\n' \
              "https://github.com/Kong/ngx_wasm_module" \
              "$FROM" "$TO"

            # turn the commits into links for the PR body
            jq -r \
              '"* [`\(.sha)`](\(.url)) - \(.message)"' \
              < commits.json

            printf '\n\n'
            printf '**IMPORTANT: Remember to scan this commit log for updates '
            printf 'to Wasmtime/V8/Wasmer and update `.requirements` manually '
            printf 'as needed**\n'
          } > body.md

          gh pr create \
            --base master \
            --head "$BRANCH" \
            --title "$HEADER" \
            --body-file body.md

================================================
FILE: .github/workflows/update-test-runtime-statistics.yml
================================================
name: Update test runtime statistics file for test scheduling

on:
  workflow_dispatch:
  schedule:
    - cron: "1 0 * * SAT"
  # push rule below needed for testing only
  push:
    branches:
      - feat/test-run-scheduler

jobs:
  process-statistics:
    name: Download statistics from GitHub and combine them
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PAT }}

      - name: Process statistics
        uses: Kong/gateway-test-scheduler/analyze@69f0c2a562ac44fc3650b8bfa62106b34094b5ce # v3
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
        with:
          workflow-name: build_and_test.yml
          test-file-runtime-file: .ci/runtimes.json
          artifact-name-regexp: "^test-runtime-statistics-\\d+$"

      - name: Upload new runtimes file
        uses: Kong/gh-storage/upload@b196a6b94032e56e414227c749e9f96a6afc2b91 # v1
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
        with:
          repo-path: Kong/gateway-action-storage/main/.ci/runtimes.json

================================================
FILE: .github/workflows/upgrade-tests.yml
================================================
name: Upgrade Tests

on:
  pull_request:
    paths:
    - 'scripts/upgrade-tests/**'
    - 'kong/db/migrations/**'
    - 'spec/05-migration/**'
    - 'kong/enterprise_edition/db/migrations/**'
    - '.github/workflows/upgrade-tests.yml'
    - 'kong/plugins/*/migrations/**'
    - 'plugins-ee/**/migrations/**'
  push:
    paths-ignore:
    # ignore markdown files (CHANGELOG.md, README.md, etc.)
    - '**/*.md'
    branches:
    - master
    - release/*
    - test-please/*
  workflow_dispatch:

# cancel previous runs if new commits are pushed to the PR, but run for each commit on master
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

env:
  GH_TOKEN: ${{ github.token }}
  BUILD_ROOT: ${{ github.workspace }}/bazel-bin/build

jobs:
  build:
    uses: ./.github/workflows/build.yml
    with:
      relative-build-root: bazel-bin/build

  upgrade-test:
    name: Run migration tests
    runs-on: ubuntu-22.04
    needs: build

    steps:
      - name: Clone Source Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          submodules: recursive

      - name: Lookup build cache
        id: cache-deps
        uses: actions/cache@v4
        with:
          path: ${{ env.BUILD_ROOT }}
          key: ${{ needs.build.outputs.cache-key }}

      - name: Run Upgrade Tests
        run: |
          bash ./scripts/upgrade-tests/test-upgrade-path.sh -i ${{ env.BUILD_ROOT }}/kong-dev-venv.sh

================================================
FILE: .gitignore
================================================
.DS_Store
.vagrant/
.buildpath
.project
.idea
.env
.vscode
.VSCodeCounter

servroot*
mockserver

# kong
nginx_tmp/
kong*.yml

# luacov
luacov.*
/doc

# autodoc
autodoc/output

# ldoc
spec/docs

kong-build-tools
bin/grpcurl

*.so
*.bak
*.rock

worktree/
bin/bazel
bin/h2client

# wasm
*.wasm
spec/fixtures/proxy_wasm_filters/build
spec/fixtures/proxy_wasm_filters/target

# bazel
bazel-*
# remove it after migrating from WORKSPACE to Bzlmod
MODULE.bazel.lock

spec/fixtures/external_plugins/go/go-hello

================================================
FILE: .luacheckrc
================================================
std = "ngx_lua"
unused_args = false
redefined = false
max_line_length = false

globals = {
    "_KONG",
    "kong",
    "ngx.IS_CLI",
}

not_globals = {
    "string.len",
    "table.getn",
}

ignore = {
    "6.", -- ignore whitespace warnings
}

exclude_files = {
    "spec/fixtures/invalid-module.lua",
    "spec-old-api/fixtures/invalid-module.lua",
    "bazel-bin",
    "bazel-out",
    "bazel-kong",
}

files["kong/tools/sandbox/kong.lua"] = {
    read_globals = {
        "_ENV",
        "table.pack",
        "table.unpack",
    }
}

files["kong/hooks.lua"] = {
    read_globals = {
        "table.pack",
        "table.unpack",
    }
}

files["kong/db/schema/entities/workspaces.lua"] = {
    read_globals = {
        "table.unpack",
    }
}

files["kong/plugins/ldap-auth/*.lua"] = {
    read_globals = {
        "bit.mod",
        "string.pack",
        "string.unpack",
    },
}

files["spec/**/*.lua"] = {
    std = "ngx_lua+busted",
}

files["**/*_test.lua"] = {
    std = "ngx_lua+busted",
}

files["spec-old-api/**/*.lua"] = {
    std = "ngx_lua+busted",
}

================================================
FILE: .luacov
================================================
return {
  includeuntestedfiles = {
    "kong/",
  },

  runreport = true,

  include = {
    "kong$",
    "kong%/.+$",
  },

  exclude = {
    "bazel%-bin/build",
    "^spec/",
  }
}

================================================
FILE: .requirements
================================================
KONG_PACKAGE_NAME=kong

OPENRESTY=1.27.1.2
OPENRESTY_SHA256=74f076f7e364b2a99a6c5f9bb531c27610c78985abe956b442b192a2295f7548
LUAROCKS=3.12.2
LUAROCKS_SHA256=b0e0c85205841ddd7be485f53d6125766d18a81d226588d2366931e9a1484492
OPENSSL=3.4.1
OPENSSL_SHA256=002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3
PCRE=10.45
PCRE_SHA256=0e138387df7835d7403b8351e2226c1377da804e0737db0e071b48f07c9d12ee
ADA=2.9.2
ADA_SHA256=b2cce630590b490d79ea4f4460ba77efd5fb29c5a87a4e8cb7ebc4859bc4b564
LIBEXPAT=2.6.4
LIBEXPAT_SHA256=fd03b7172b3bd7427a3e7a812063f74754f24542429b634e0db6511b53fb2278

# Note: git repositories can be loaded from local path if path is set as value

LUA_KONG_NGINX_MODULE=3f305911823301a98a12ec6ecdd9070b8ebe499b # 0.18.0
LUA_RESTY_LMDB=9da0e9f3313960d06e2d8e718b7ac494faa500f1 # 1.6.0
LUA_RESTY_EVENTS=bc85295b7c23eda2dbf2b4acec35c93f77b26787 # 0.3.1
LUA_RESTY_SIMDJSON=176755a45f128fd4b3069c1bdee24d14bfb6900a # 1.2.0
LUA_RESTY_WEBSOCKET=966c69c39f03029b9b42ec0f8e55aaed7d6eebc0 # 0.4.0.1
ATC_ROUTER=4d29e10517e2c9d1dae3966f4034b38c557e2eaa # 1.7.1
SNAPPY=2c94e11145f0b7b184b831577c93e5a41c4c0346 # 1.2.1

KONG_MANAGER=nightly
NGX_WASM_MODULE=a376e67ce02c916304cc9b9ef25a540865ee6740
WASMER=3.1.1
WASMTIME=26.0.0
V8=12.0.267.17

NGX_BROTLI=a71f9312c2deb28875acc7bacfdd5695a111aa53 # master branch of Oct 9, 2023
BROTLI=ed738e842d2fbdf2d6459e39267a633c4a9b2f5d # 1.1.0

================================================
FILE: BUILD.bazel
================================================
load("@bazel_skylib//lib:selects.bzl", "selects")
load("@bazel_skylib//rules:common_settings.bzl", "bool_flag", "string_flag")
load("//build/nfpm:rules.bzl", "nfpm_pkg")
load("//build/toolchain:managed_toolchain.bzl", "aarch64_glibc_distros")

filegroup(
    name = "distribution_srcs",
    srcs = glob(["distribution/**"]),
    visibility = ["//visibility:public"],
)

filegroup(
    name = "rockspec_srcs",
    srcs = glob([
        "kong/**",
        "*.rockspec",
    ]),
    visibility = ["//visibility:public"],
)

filegroup(
    name = "plugins_ee_rockspec_srcs",
    srcs = glob(["plugins-ee/**/*.rockspec"]),
    visibility = ["//visibility:public"],
)

nfpm_env = {
    "KONG_NAME": "kong",
    "KONG_REPLACES_1": "kong-community-edition",
    "KONG_REPLACES_2": "kong-enterprise-edition-fips",
    "KONG_CONFLICTS_1": "kong-community-edition",
    "KONG_CONFLICTS_2": "kong-enterprise-edition-fips",
}

nfpm_pkg(
    name = "kong_deb",
    config = "//build:package/nfpm.yaml",
    env = nfpm_env,
    packager = "deb",
    pkg_name = "kong",
    visibility = ["//visibility:public"],
)

nfpm_pkg(
    name = "kong_el9",
    config = "//build:package/nfpm.yaml",
    env = nfpm_env,
    packager = "rpm",
    pkg_name = "kong.el9",
    visibility = ["//visibility:public"],
)

nfpm_pkg(
    name = "kong_el8",
    config = "//build:package/nfpm.yaml",
    env = nfpm_env,
    packager = "rpm",
    pkg_name = "kong.el8",
    visibility = ["//visibility:public"],
)

nfpm_pkg(
    name = "kong_aws2",
    config = "//build:package/nfpm.yaml",
    env = nfpm_env,
    extra_env = {
        "RPM_EXTRA_DEPS": "/usr/sbin/useradd",
        "RPM_EXTRA_DEPS_2": "/usr/sbin/groupadd",
    },
    packager = "rpm",
    pkg_name = "kong.aws2",
    visibility = ["//visibility:public"],
)

nfpm_pkg(
    name = "kong_aws2023",
    config = "//build:package/nfpm.yaml",
    env = nfpm_env,
    extra_env = {
        "RPM_EXTRA_DEPS": "/usr/sbin/useradd",
        "RPM_EXTRA_DEPS_2": "/usr/sbin/groupadd",
        "RPM_EXTRA_DEPS_3": "libxcrypt-compat",
    },
    packager = "rpm",
    pkg_name = "kong.aws2023",
    visibility = ["//visibility:public"],
)

###### flags

# --//:debug=true
bool_flag(
    name = "debug",
    build_setting_default = True,
)

config_setting(
    name = "debug_flag",
    flag_values = {
        ":debug": "true",
    },
    visibility = ["//visibility:public"],
)

config_setting(
    name = "debug_linux_flag",
    constraint_values = [
        "@platforms//os:linux",
    ],
    flag_values = {
        ":debug": "true",
    },
    visibility = ["//visibility:public"],
)

# --//:brotli=true
bool_flag(
    name = "brotli",
    build_setting_default = True,
)

config_setting(
    name = "brotli_flag",
    flag_values = {
        ":brotli": "true",
    },
    visibility = ["//visibility:public"],
)

# --//:simdjson=true
bool_flag(
    name = "simdjson",
    build_setting_default = True,
)

config_setting(
    name = "simdjson_flag",
    flag_values = {
        ":simdjson": "true",
    },
    visibility = ["//visibility:public"],
)

# --//:licensing=false
bool_flag(
    name = "licensing",
    build_setting_default = False,
)

config_setting(
    name = "licensing_flag",
    flag_values = {
        ":licensing": "true",
    },
    visibility = ["//visibility:public"],
)

# --//:fips=false
bool_flag(
    name = "fips",
    build_setting_default = False,
)

config_setting(
    name = "fips_flag",
    flag_values = {
        ":fips": "true",
    },
    visibility = ["//visibility:public"],
)

# --//:skip_webui=false
bool_flag(
    name = "skip_webui",
    build_setting_default = False,
)

config_setting(
    name = "skip_webui_flags",
    flag_values = {
        ":skip_webui": "true",
    },
    visibility = ["//visibility:public"],
)

# --//:wasmx=false
bool_flag(
    name = "wasmx",
    build_setting_default = False,
    visibility = ["//visibility:public"],
)

# --//:wasmx_module_flag=dynamic
string_flag(
    name = "wasmx_module_flag",
    build_setting_default = "dynamic",
    values = [
        "dynamic",
        "static",
    ],
)

config_setting(
    name = "wasmx_flag",
    flag_values = {
        ":wasmx": "true",
    },
    visibility = ["//visibility:public"],
)

config_setting(
    name = "wasmx_static_mod",
    flag_values = {
        ":wasmx": "true",
        ":wasmx_module_flag": "static",
    },
    visibility = ["//visibility:public"],
)

config_setting(
    name = "wasmx_dynamic_mod",
    flag_values = {
        ":wasmx": "true",
        ":wasmx_module_flag": "dynamic",
    },
    visibility = ["//visibility:public"],
)

# --//:wasm_runtime=wasmtime
string_flag(
    name = "wasm_runtime",
    build_setting_default = "wasmtime",
    values = [
        "v8",
        "wasmer",
        "wasmtime",
    ],
    visibility = ["//visibility:public"],
)

# --//:skip_tools=false
bool_flag(
    name = "skip_tools",
    build_setting_default = False,
)

config_setting(
    name = "skip_tools_flag",
    flag_values = {
        ":skip_tools": "true",
    },
    visibility = ["//visibility:public"],
)

##### constraints, platforms and config_settings for cross-compile

constraint_setting(name = "cross_build_setting")

constraint_value(
    name = "cross_build",
    constraint_setting = ":cross_build_setting",
)

# platform sets the constraint values based on user input (--platform=//:PLATFORM)
platform(
    name = "generic-crossbuild-x86_64",
    constraint_values = [
        "@platforms//os:linux",
        "@platforms//cpu:x86_64",
        "//build/platforms/distro:generic",
        ":cross_build",
    ],
)

platform(
    name = "generic-crossbuild-aarch64",
    constraint_values = [
        "@platforms//os:linux",
        "@platforms//cpu:aarch64",
        "//build/platforms/distro:generic",
        ":cross_build",
    ],
)

[
    platform(
        name = vendor + "-crossbuild-aarch64",
        constraint_values = [
            "@platforms//os:linux",
            "@platforms//cpu:aarch64",
            "//build/platforms/distro:" + vendor,
            ":cross_build",
        ],
    )
    for vendor in aarch64_glibc_distros
]

platform(
    name = "aws2-crossbuild-x86_64",
    constraint_values = [
        "@platforms//os:linux",
        "@platforms//cpu:x86_64",
        "//build/platforms/distro:aws2",
        ":cross_build",
    ],
)

# config_settings define a select() condition based on user-set constraint_values
# see https://bazel.build/docs/configurable-attributes
config_setting(
    name = "aarch64-linux-glibc-cross",
    constraint_values = [
        "@platforms//os:linux",
        "@platforms//cpu:aarch64",
        ":cross_build",
    ],
    visibility = ["//visibility:public"],
)

config_setting(
    name = "x86_64-linux-glibc-cross",
    constraint_values = [
        "@platforms//os:linux",
        "@platforms//cpu:x86_64",
        ":cross_build",
    ],
    visibility = ["//visibility:public"],
)

selects.config_setting_group(
    # matches all cross build platforms
    name = "any-cross",
    match_any = [
        ":aarch64-linux-glibc-cross",
        ":x86_64-linux-glibc-cross",
    ],
    visibility = ["//visibility:public"],
)

================================================
FILE: CHANGELOG-OLD.md
================================================
# Table of Contents

Looking for recent releases? Please see [CHANGELOG.md](CHANGELOG.md) instead.
- [2.8.5](#285)
- [2.8.4](#284)
- [2.8.3](#283)
- [2.8.2](#282)
- [2.8.1](#281)
- [2.8.0](#280)
- [2.7.1](#271)
- [2.7.0](#270)
- [2.6.0](#260)
- [2.5.1](#251)
- [2.5.0](#250)
- [2.4.1](#241)
- [2.4.0](#240)
- [2.3.3](#233)
- [2.3.2](#232)
- [2.3.1](#231)
- [2.3.0](#230)
- [2.2.2](#222)
- [2.2.1](#221)
- [2.2.0](#220)
- [2.1.4](#214)
- [2.1.3](#213)
- [2.1.2](#212)
- [2.1.1](#211)
- [2.1.0](#210)
- [2.0.5](#205)
- [2.0.4](#204)
- [2.0.3](#203)
- [2.0.2](#202)
- [2.0.1](#201)
- [2.0.0](#200)
- [1.5.1](#151)
- [1.5.0](#150)
- [1.4.3](#143)
- [1.4.2](#142)
- [1.4.1](#141)
- [1.4.0](#140)
- [1.3.0](#130)
- [1.2.2](#122)
- [1.2.1](#121)
- [1.2.0](#120)
- [1.1.2](#112)
- [1.1.1](#111)
- [1.1.0](#110)
- [1.0.3](#103)
- [1.0.2](#102)
- [1.0.1](#101)
- [1.0.0](#100)
- [0.15.0](#0150)
- [0.14.1](#0141)
- [0.14.0](#0140---20180705)
- [0.13.1](#0131---20180423)
- [0.13.0](#0130---20180322)
- [0.12.3](#0123---20180312)
- [0.12.2](#0122---20180228)
- [0.12.1](#0121---20180118)
- [0.12.0](#0120---20180116)
- [0.11.2](#0112---20171129)
- [0.11.1](#0111---20171024)
- [0.10.4](#0104---20171024)
- [0.11.0](#0110---20170816)
- [0.10.3](#0103---20170524)
- [0.10.2](#0102---20170501)
- [0.10.1](#0101---20170327)
- [0.10.0](#0100---20170307)
- [0.9.9 and prior](#099---20170202)

## [2.8.5]

### Kong

#### Performance

##### Performance

- Fixed an inefficiency issue in the Luajit hashing algorithm
  [#13269](https://github.com/Kong/kong/issues/13269)

#### Fixes

##### Default

- Added zlib1g-dev dependency to Ubuntu packages.
  [#13269](https://github.com/Kong/kong/issues/13269)

## [2.8.4]

### Fixes

- Fixed a bug where internal redirects (i.e. those produced by the error_page directive)
  could interfere with worker process handling the request when buffered proxying is
  being used.

## [2.8.3]

### Fixes

##### Plugins

- **HTTP Log**: fix internal error during validating the schema if http_endpoint contains
  userinfo but headers is empty
  [#9574](https://github.com/Kong/kong/pull/9574)
- Update the batch queues module so that queues no longer grow without bounds if
  their consumers fail to process the entries. Instead, old batches are now dropped
  and an error is logged.
  [#10247](https://github.com/Kong/kong/pull/10247)

##### CLI

- Fixed a packaging problem affecting a subset of releases where the `kong version`
  command was incorrect

## [2.8.2]

### Dependencies

- Bumped `OpenSSL` from 1.1.1n to 1.1.1o
  [#8635](https://github.com/Kong/kong/pull/8809)

## [2.8.1]

### Dependencies

- Bumped lua-resty-healthcheck from 1.5.0 to 1.5.1
  [#8584](https://github.com/Kong/kong/pull/8584)
- Bumped `OpenSSL` from 1.1.1l to 1.1.1n
  [#8635](https://github.com/Kong/kong/pull/8635)

### Fixes

#### Core

- Only reschedule router and plugin iterator timers after finishing previous
  execution, avoiding unnecessary concurrent executions.
  [#8634](https://github.com/Kong/kong/pull/8634)
- Implements conditional rebuilding of router, plugins iterator and balancer on
  data planes. This means that DPs will not rebuild router if there were no
  changes in routes or services. Similarly, the plugins iterator will not be
  rebuilt if there were no changes to plugins, and, finally, the balancer will not be
  reinitialized if there are no changes to upstreams or targets.
  [#8639](https://github.com/Kong/kong/pull/8639)

## [2.8.0]

### Deprecations

- The external [go-pluginserver](https://github.com/Kong/go-pluginserver) project
  is considered deprecated in favor of the embedded server approach described in the
  [docs](https://docs.konghq.com/gateway/2.7.x/reference/external-plugins/).
### Dependencies - OpenSSL bumped to 1.1.1m [#8191](https://github.com/Kong/kong/pull/8191) - Bumped resty.session from 3.8 to 3.10 [#8294](https://github.com/Kong/kong/pull/8294) - Bumped lua-resty-openssl to 0.8.5 [#8368](https://github.com/Kong/kong/pull/8368) ### Additions #### Core - Customizable transparent dynamic TLS SNI name. Thanks, [@zhangshuaiNB](https://github.com/zhangshuaiNB)! [#8196](https://github.com/Kong/kong/pull/8196) - Routes now support matching headers with regular expressions Thanks, [@vanhtuan0409](https://github.com/vanhtuan0409)! [#6079](https://github.com/Kong/kong/pull/6079) #### Beta - Secrets Management and Vault support as been introduced as a Beta feature. This means it is intended for testing in staging environments. It not intended for use in Production environments. You can read more about Secrets Management in [our docs page](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/backends-overview). [#8403](https://github.com/Kong/kong/pull/8403) #### Performance - Improved the calculation of declarative configuration hash for big configurations The new method is faster and uses less memory [#8204](https://github.com/Kong/kong/pull/8204) - Multiple improvements in the Router. Amongst others: - The router builds twice as fast compared to prior Kong versions - Failures are cached and discarded faster (negative caching) - Routes with header matching are cached These changes should be particularly noticeable when rebuilding on db-less environments [#8087](https://github.com/Kong/kong/pull/8087) [#8010](https://github.com/Kong/kong/pull/8010) - **Prometheus** plugin export performance is improved, it now has less impact to proxy side traffic when being scrapped. [#9028](https://github.com/Kong/kong/pull/9028) #### Plugins - **Response-ratelimiting**: Redis ACL support, and genenarized Redis connection support for usernames. Thanks, [@27ascii](https://github.com/27ascii) for the original contribution! 
[#8213](https://github.com/Kong/kong/pull/8213) - **ACME**: Add rsa_key_size config option Thanks, [lodrantl](https://github.com/lodrantl)! [#8114](https://github.com/Kong/kong/pull/8114) - **Prometheus**: Added gauges to track `ngx.timer.running_count()` and `ngx.timer.pending_count()` [#8387](https://github.com/Kong/kong/pull/8387) #### Clustering - `CLUSTERING_MAX_PAYLOAD` is now configurable in kong.conf Thanks, [@andrewgkew](https://github.com/andrewgkew)! [#8337](https://github.com/Kong/kong/pull/8337) #### Admin API - The current declarative configuration hash is now returned by the `status` endpoint when Kong node is running in dbless or data-plane mode. [#8214](https://github.com/Kong/kong/pull/8214) [#8425](https://github.com/Kong/kong/pull/8425) ### Fixes #### Core - When the Router encounters an SNI FQDN with a trailing dot (`.`), the dot will be ignored, since according to [RFC-3546](https://datatracker.ietf.org/doc/html/rfc3546#section-3.1) said dot is not part of the hostname. [#8269](https://github.com/Kong/kong/pull/8269) - Fixed a bug in the Router that would not prioritize the routes with both a wildcard and a port (`route.*:80`) over wildcard-only routes (`route.*`), which have less specificity [#8233](https://github.com/Kong/kong/pull/8233) - The internal DNS client isn't confused by the single-dot (`.`) domain which can appear in `/etc/resolv.conf` in special cases like `search .` [#8307](https://github.com/Kong/kong/pull/8307) - Cassandra connector now records migration consistency level. Thanks, [@mpenick](https://github.com/mpenick)! [#8226](https://github.com/Kong/kong/pull/8226) #### Balancer - Targets keep their health status when upstreams are updated. [#8394](https://github.com/Kong/kong/pull/8394) - One debug message which was erroneously using the `error` log level has been downgraded to the appropiate `debug` log level. 
  [#8410](https://github.com/Kong/kong/pull/8410)

#### Clustering

- Replaced cryptic error message with more useful one when
  there is a failure on SSL when connecting with CP:
  [#8260](https://github.com/Kong/kong/pull/8260)

#### Admin API

- Fix incorrect `next` field when paginating Upstreams
  [#8249](https://github.com/Kong/kong/pull/8249)

#### PDK

- Phase names are correctly selected when performing phase checks
  [#8208](https://github.com/Kong/kong/pull/8208)
- Fixed a bug in the go-PDK where if `kong.request.getrawbody` was
  big enough to be buffered into a temporary file, it would return an
  empty string.
  [#8390](https://github.com/Kong/kong/pull/8390)

#### Plugins

- **External Plugins**: Fixed incorrect handling of the Headers Protobuf Structure
  and representation of null values, which provoked an error on init with the go-pdk.
  [#8267](https://github.com/Kong/kong/pull/8267)
- **External Plugins**: Unwrap `ConsumerSpec` and `AuthenticateArgs`.
  Thanks, [@raptium](https://github.com/raptium)!
  [#8280](https://github.com/Kong/kong/pull/8280)
- **External Plugins**: Fixed a problem where the stream subsystem would attempt to load
  HTTP headers.
  [#8414](https://github.com/Kong/kong/pull/8414)
- **CORS**: The CORS plugin does not send the `Vary: Origin` header any more when
  the header `Access-Control-Allow-Origin` is set to `*`.
  Thanks, [@jkla-dr](https://github.com/jkla-dr)!
  [#8401](https://github.com/Kong/kong/pull/8401)
- **AWS-Lambda**: Fixed incorrect behavior when configured to use an http proxy
  and deprecated the `proxy_scheme` config attribute for removal in 3.0
  [#8406](https://github.com/Kong/kong/pull/8406)
- **oauth2**: The plugin clears the `X-Authenticated-UserId` and
  `X-Authenticated-Scope` headers when it is configured in logical OR and
  is used in conjunction with another authentication plugin.
  [#8422](https://github.com/Kong/kong/pull/8422)
- **Datadog**: The plugin schema now lists the default values for configuration options
  in a single place instead of in two separate places.
  [#8315](https://github.com/Kong/kong/pull/8315)

## [2.7.1]

### Fixes

- Reschedule resolve timer only when the previous one has finished.
  [#8344](https://github.com/Kong/kong/pull/8344)
- Plugins, and any entities implemented with subschemas, now can use the `transformations`
  and `shorthand_fields` properties, which were previously only available for non-subschema entities.
  [#8146](https://github.com/Kong/kong/pull/8146)

## [2.7.0]

### Dependencies

- Bumped `kong-plugin-session` from 0.7.1 to 0.7.2
  [#7910](https://github.com/Kong/kong/pull/7910)
- Bumped `resty.openssl` from 0.7.4 to 0.7.5
  [#7909](https://github.com/Kong/kong/pull/7909)
- Bumped `go-pdk` used in tests from v0.6.0 to v0.7.1
  [#7964](https://github.com/Kong/kong/pull/7964)
- Cassandra support is deprecated with 2.7 and will be fully removed with 4.0.

### Additions

#### Configuration

- Deprecated the `worker_consistency` directive, and changed its default to `eventual`.
  Future versions of Kong will remove the option and act with `eventual` consistency only.

#### Performance

In this release we continued our work on better performance:

- Improved the plugin iterator performance and JITability
  [#7912](https://github.com/Kong/kong/pull/7912)
  [#7979](https://github.com/Kong/kong/pull/7979)
- Simplified the Kong core context read and writes for better performance
  [#7919](https://github.com/Kong/kong/pull/7919)
- Reduced proxy long tail latency while reloading DB-less config
  [#8133](https://github.com/Kong/kong/pull/8133)

#### Core

- DAOs in plugins must be listed in an array, so that their loading order is explicit.
  Loading them in a hash-like table is now **deprecated**.
  [#7942](https://github.com/Kong/kong/pull/7942)
- Postgres credentials `pg_user` and `pg_password`, and `pg_ro_user` and `pg_ro_password` now support
  automatic secret rotation when used together with
  [Kong Secrets Management](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/)
  vault references.
  [#8967](https://github.com/Kong/kong/pull/8967)

#### PDK

- New functions: `kong.response.get_raw_body` and `kong.response.set_raw_body`
  [#7887](https://github.com/Kong/kong/pull/7877)

#### Plugins

- **IP-Restriction**: response status and message can now be customized
  through configurations `status` and `message`.
  [#7728](https://github.com/Kong/kong/pull/7728)
  Thanks [timmkelley](https://github.com/timmkelley) for the patch!
- **Datadog**: add support for the `distribution` metric type.
  [#6231](https://github.com/Kong/kong/pull/6231)
  Thanks [onematchfox](https://github.com/onematchfox) for the patch!
- **Datadog**: allow service, consumer, and status tags to be customized through
  plugin configurations `service_tag`, `consumer_tag`, and `status_tag`.
  [#6230](https://github.com/Kong/kong/pull/6230)
  Thanks [onematchfox](https://github.com/onematchfox) for the patch!
- **gRPC Gateway** and **gRPC Web**: Now share most of the ProtoBuf definitions.
  Both plugins now share the Timestamp transcoding and included `.proto` files features.
  [#7950](https://github.com/Kong/kong/pull/7950)
- **gRPC Gateway**: processes services and methods defined in imported
  `.proto` files.
  [#8107](https://github.com/Kong/kong/pull/8107)
- **Rate-Limiting**: add support for Redis SSL, through configuration properties
  `redis_ssl` (can be set to `true` or `false`), `ssl_verify`, and `ssl_server_name`.
  [#6737](https://github.com/Kong/kong/pull/6737)
  Thanks [gabeio](https://github.com/gabeio) for the patch!
- **LDAP**: basic authentication header was not parsed correctly when
  the password contained colon (`:`).
  [#7977](https://github.com/Kong/kong/pull/7977)
  Thanks [beldahanit](https://github.com/beldahanit) for reporting the issue!
- Old `BasePlugin` is deprecated and will be removed in a future version of Kong.
  Porting tips in the [documentation](https://docs.konghq.com/gateway-oss/2.3.x/plugin-development/custom-logic/#porting-from-old-baseplugin-style)
- The deprecated **BasePlugin** has been removed.
  [#7961](https://github.com/Kong/kong/pull/7961)

### Configuration

- Removed the following config options, which had been deprecated in previous versions, in favor of other config names.
  If you have any of these options in your config you will have to rename them: (removed option -> current option).
  - upstream_keepalive -> nginx_upstream_keepalive + nginx_http_upstream_keepalive
  - nginx_http_upstream_keepalive -> nginx_upstream_keepalive
  - nginx_http_upstream_keepalive_requests -> nginx_upstream_keepalive_requests
  - nginx_http_upstream_keepalive_timeout -> nginx_upstream_keepalive_timeout
  - nginx_http_upstream_directives -> nginx_upstream_directives
  - nginx_http_status_directives -> nginx_status_directives
  - nginx_upstream_keepalive -> upstream_keepalive_pool_size
  - nginx_upstream_keepalive_requests -> upstream_keepalive_max_requests
  - nginx_upstream_keepalive_timeout -> upstream_keepalive_idle_timeout
  - client_max_body_size -> nginx_http_client_max_body_size
  - client_body_buffer_size -> nginx_http_client_max_buffer_size
  - cassandra_consistency -> cassandra_write_consistency / cassandra_read_consistency
  - router_update_frequency -> worker_state_update_frequency
- Removed the nginx_optimizations config option. If you have it in your configuration, please remove it before updating to 3.0.

### Fixes

#### Core

- Balancer caches are now reset on configuration reload.
  [#7924](https://github.com/Kong/kong/pull/7924)
- Configuration reload no longer causes a new DNS-resolving timer to be started.
  [#7943](https://github.com/Kong/kong/pull/7943)
- Fixed problem when bootstrapping multi-node Cassandra clusters, where migrations could attempt
  insertions before schema agreement occurred.
  [#7667](https://github.com/Kong/kong/pull/7667)
- Fixed intermittent booting error which happened when a custom plugin had inter-dependent entity schemas
  on its custom DAO and they were loaded in an incorrect order
  [#7911](https://github.com/Kong/kong/pull/7911)
- Fixed a problem where, when the consistent hash header is not found, the balancer tries to hash a nil value.
  [#8141](https://github.com/Kong/kong/pull/8141)
- Fixed an issue where the DNS client fails to resolve unexpectedly in `ssl_cert` and `ssl_session_fetch` phases.
  [#8161](https://github.com/Kong/kong/pull/8161)

#### PDK

- `kong.log.inspect` log level is now debug instead of warn. It also renders text
  boxes more cleanly now
  [#7815](https://github.com/Kong/kong/pull/7815)

#### Plugins

- **Prometheus**: Control Plane does not show Upstream Target health metrics
  [#7992](https://github.com/Kong/kong/pull/7922)

### Dependencies

- Bumped `lua-pack` from 1.0.5 to 2.0.0
  [#8004](https://github.com/Kong/kong/pull/8004)

[Back to TOC](#table-of-contents)

## [2.6.0]

> Release date: 2021/10/04

### Dependencies

- Bumped `openresty` from 1.19.3.2 to [1.19.9.1](https://openresty.org/en/changelog-1019009.html)
  [#7430](https://github.com/Kong/kong/pull/7727)
- Bumped `openssl` from `1.1.1k` to `1.1.1l`
  [7767](https://github.com/Kong/kong/pull/7767)
- Bumped `lua-resty-http` from 0.15 to 0.16.1
  [#7797](https://github.com/kong/kong/pull/7797)
- Bumped `Penlight` to 1.11.0
  [#7736](https://github.com/Kong/kong/pull/7736)
- Bumped `lua-resty-http` from 0.15 to 0.16.1
  [#7797](https://github.com/kong/kong/pull/7797)
- Bumped `lua-protobuf` from 0.3.2 to 0.3.3
  [#7656](https://github.com/Kong/kong/pull/7656)
- Bumped `lua-resty-openssl` from 0.7.3 to 0.7.4
  [#7657](https://github.com/Kong/kong/pull/7657)
- Bumped `lua-resty-acme` from 0.6 to 0.7.1
  [#7658](https://github.com/Kong/kong/pull/7658)
- Bumped `grpcurl` from 1.8.1 to 1.8.2
  [#7659](https://github.com/Kong/kong/pull/7659)
- Bumped `luasec` from 1.0.1 to 1.0.2
  [#7750](https://github.com/Kong/kong/pull/7750)
- Bumped `lua-resty-ipmatcher` to 0.6.1
  [#7703](https://github.com/Kong/kong/pull/7703)
  Thanks [EpicEric](https://github.com/EpicEric) for the patch!

All Kong Gateway OSS plugins will be moved from individual repositories and centralized
into the main Kong Gateway (OSS) repository. We are making a gradual transition. On this
release:

- Moved AWS-Lambda inside the Kong repo
  [#7464](https://github.com/Kong/kong/pull/7464).
- Moved ACME inside the Kong repo
  [#7464](https://github.com/Kong/kong/pull/7464).
- Moved Prometheus inside the Kong repo
  [#7666](https://github.com/Kong/kong/pull/7666).
- Moved Session inside the Kong repo
  [#7738](https://github.com/Kong/kong/pull/7738).
- Moved GRPC-web inside the Kong repo
  [#7782](https://github.com/Kong/kong/pull/7782).
- Moved Serverless functions inside the Kong repo
  [#7792](https://github.com/Kong/kong/pull/7792).

### Additions

#### Core

- New schema entity validator: `mutually_exclusive`. It accepts a list of fields. If more than 1 of those fields
  is set simultaneously, the entity is considered invalid.
  [#7765](https://github.com/Kong/kong/pull/7765)

#### Performance

On this release we've done some special efforts with regards to performance.
There's a new performance workflow which periodically checks new code additions against some
typical scenarios
[#7030](https://github.com/Kong/kong/pull/7030)
[#7547](https://github.com/Kong/kong/pull/7547)

In addition to that, the following changes were specifically included to improve performance:

- Reduced unnecessary reads of `ngx.var`
  [#7840](https://github.com/Kong/kong/pull/7840)
- Loaded more indexed variables
  [#7849](https://github.com/Kong/kong/pull/7849)
- Optimized table creation in Balancer
  [#7852](https://github.com/Kong/kong/pull/7852)
- Reduce calls to `ngx.update_time`
  [#7853](https://github.com/Kong/kong/pull/7853)
- Use read-only replica for PostgreSQL meta-schema reading
  [#7454](https://github.com/Kong/kong/pull/7454)
- URL escaping detects cases when it's not needed and early-exits
  [#7742](https://github.com/Kong/kong/pull/7742)
- Accelerated variable loading via indexes
  [#7818](https://github.com/Kong/kong/pull/7818)
- Removed unnecessary call to `get_phase` in balancer
  [#7854](https://github.com/Kong/kong/pull/7854)

#### Configuration

- Enable IPV6 on `dns_order` as unsupported experimental feature. Please
  give it a try and report back any issues
  [#7819](https://github.com/Kong/kong/pull/7819).
- The template renderer can now use `os.getenv`
  [#6872](https://github.com/Kong/kong/pull/6872).

#### Hybrid Mode

- Data plane is able to eliminate some unknown fields when Control Plane is using a more modern version
  [#7827](https://github.com/Kong/kong/pull/7827).

#### Admin API

- Added support for the HTTP HEAD method for all Admin API endpoints
  [#7796](https://github.com/Kong/kong/pull/7796)
- Added better support for OPTIONS requests. Previously, the Admin API replied the same on all OPTIONS requests,
  whereas now OPTIONS request will only reply to routes that our Admin API has. Non-existing routes will have a
  404 returned.
  It also adds Allow header to responses, both Allow and Access-Control-Allow-Methods now contain only
  the methods that the specific API supports.
  [#7830](https://github.com/Kong/kong/pull/7830)

#### Plugins

- **AWS-Lambda**: The plugin will now try to detect the AWS region by using `AWS_REGION` and
  `AWS_DEFAULT_REGION` environment variables (when not specified with the plugin configuration).
  This allows to specify a 'region' on a per Kong node basis, hence adding the ability to invoke the
  Lambda in the same region where Kong is located.
  [#7765](https://github.com/Kong/kong/pull/7765)
- **Datadog**: `host` and `port` config options can be configured from environment variables
  `KONG_DATADOG_AGENT_HOST` and `KONG_DATADOG_AGENT_PORT`. This allows to set different
  destinations on a per Kong node basis, which makes multi-DC setups easier and in Kubernetes allows to
  run the datadog agents as a daemon-set.
  [#7463](https://github.com/Kong/kong/pull/7463)
  Thanks [rallyben](https://github.com/rallyben) for the patch!
- **Prometheus:** A new metric `data_plane_cluster_cert_expiry_timestamp` is added to expose the Data Plane's cluster_cert expiry timestamp for improved monitoring in Hybrid Mode.
  [#7800](https://github.com/Kong/kong/pull/7800).

**Request Termination**:

- New `trigger` config option, which makes the plugin only activate for any requests with a header or query parameter
  named like the trigger. This can be a great debugging aid, without impacting actual traffic being processed.
  [#6744](https://github.com/Kong/kong/pull/6744).
- The `request-echo` config option was added. If set, the plugin responds with a copy of the incoming request.
  This eases troubleshooting when Kong is behind one or more other proxies or LB's, especially when combined with
  the new 'trigger' option.
  [#6744](https://github.com/Kong/kong/pull/6744).

**GRPC-Gateway**:

- Fields of type `.google.protobuf.Timestamp` on the gRPC side are now
  transcoded to and from ISO8601 strings in the REST side.
  [#7538](https://github.com/Kong/kong/pull/7538)
- URI arguments like `..?foo.bar=x&foo.baz=y` are interpreted as structured
  fields, equivalent to `{"foo": {"bar": "x", "baz": "y"}}`
  [#7564](https://github.com/Kong/kong/pull/7564)
  Thanks [git-torrent](https://github.com/git-torrent) for the patch!

### Fixes

#### Core

- Balancer retries now correctly set the `:authority` pseudo-header on balancer retries
  [#7725](https://github.com/Kong/kong/pull/7725).
- Healthchecks are now stopped while the Balancer is being recreated
  [#7549](https://github.com/Kong/kong/pull/7549).
- Fixed an issue in which a malformed `Accept` header could cause unexpected HTTP 500
  [#7757](https://github.com/Kong/kong/pull/7757).
- Kong no longer removes `Proxy-Authentication` request header and `Proxy-Authenticate` response header
  [#7724](https://github.com/Kong/kong/pull/7724).
- Fixed an issue where Kong would not sort correctly Routes with both regex and prefix paths
  [#7695](https://github.com/Kong/kong/pull/7695)
  Thanks [jiachinzhao](https://github.com/jiachinzhao) for the patch!

#### Hybrid Mode

- Ensure data plane config thread is terminated gracefully, preventing a semi-deadlocked state
  [#7568](https://github.com/Kong/kong/pull/7568)
  Thanks [flrgh](https://github.com/flrgh) for the patch!
- Older data planes using `aws-lambda`, `grpc-web` or `request-termination` plugins can now talk
  with newer control planes by ignoring new plugin fields.
  [#7881](https://github.com/Kong/kong/pull/7881)

##### CLI

- `kong config parse` no longer crashes when there's a Go plugin server enabled
  [#7589](https://github.com/Kong/kong/pull/7589).

##### Configuration

- Declarative Configuration parser now prints more correct errors when pointing unknown foreign references
  [#7756](https://github.com/Kong/kong/pull/7756).
- YAML anchors in Declarative Configuration are properly processed
  [#7748](https://github.com/Kong/kong/pull/7748).

##### Admin API

- `GET /upstreams/:upstreams/targets/:target` no longer returns 404 when target weight is 0
  [#7758](https://github.com/Kong/kong/pull/7758).

##### PDK

- `kong.response.exit` now uses customized "Content-Length" header when found
  [#7828](https://github.com/Kong/kong/pull/7828).

##### Plugins

- **ACME**: Dots in wildcard domains are escaped
  [#7839](https://github.com/Kong/kong/pull/7839).
- **Prometheus**: Upstream's health info now includes previously missing `subsystem` field
  [#7802](https://github.com/Kong/kong/pull/7802).
- **Proxy-Cache**: Fixed an issue where the plugin would sometimes fetch data from the cache but not return it
  [#7775](https://github.com/Kong/kong/pull/7775)
  Thanks [agile6v](https://github.com/agile6v) for the patch!

[Back to TOC](#table-of-contents)

## [2.5.1]

> Release date: 2021/09/07

This is the first patch release in the 2.5 series. Being a patch release,
it strictly contains bugfixes. There are no new features or breaking changes.

### Dependencies

- Bumped `grpcurl` from 1.8.1 to 1.8.2
  [#7659](https://github.com/Kong/kong/pull/7659)
- Bumped `lua-resty-openssl` from 0.7.3 to 0.7.4
  [#7657](https://github.com/Kong/kong/pull/7657)
- Bumped `penlight` from 1.10.0 to 1.11.0
  [#7736](https://github.com/Kong/kong/pull/7736)
- Bumped `luasec` from 1.0.1 to 1.0.2
  [#7750](https://github.com/Kong/kong/pull/7750)
- Bumped `OpenSSL` from 1.1.1k to 1.1.1l
  [#7767](https://github.com/Kong/kong/pull/7767)

### Fixes

##### Core

- You can now successfully delete workspaces after deleting all entities associated with that workspace.
  Previously, Kong Gateway was not correctly cleaning up parent-child relationships. For example, creating
  an Admin also creates a Consumer and RBAC user. When deleting the Admin, the Consumer and RBAC user are
  also deleted, but accessing the `/workspaces/workspace_name/meta` endpoint would show counts for Consumers
  and RBAC users, which prevented the workspace from being deleted.
  Now deleting entities correctly updates the counts, allowing an empty workspace to be deleted.
  [#7560](https://github.com/Kong/kong/pull/7560)
- When an upstream event is received from the DAO, `handler.lua` now gets the workspace ID from the request
  and adds it to the upstream entity that will be used in the worker and cluster events. Before this change,
  when posting balancer CRUD events, the workspace ID was lost and the balancer used the default
  workspace ID as a fallback.
  [#7778](https://github.com/Kong/kong/pull/7778)

##### CLI

- Fixes regression that included an issue where Go plugins prevented CLI commands like `kong config parse`
  or `kong config db_import` from working as expected.
  [#7589](https://github.com/Kong/kong/pull/7589)

##### CI / Process

- Improves tests reliability.
  ([#7578](https://github.com/Kong/kong/pull/7578) [#7704](https://github.com/Kong/kong/pull/7704))
- Adds Github Issues template forms.
  [#7774](https://github.com/Kong/kong/pull/7774)
- Moves "Feature Request" link from Github Issues to Discussions.
  [#7777](https://github.com/Kong/kong/pull/7777)

##### Admin API

- Kong Gateway now validates workspace names, preventing the use of reserved names on workspaces.
  [#7380](https://github.com/Kong/kong/pull/7380)

[Back to TOC](#table-of-contents)

## [2.5.0]

> Release date: 2021-07-13

This is the final release of Kong 2.5.0, with no breaking changes with respect to the 2.x series.

This release includes Control Plane resiliency to database outages and the new
`declarative_config_string` config option, among other features and fixes.

### Distribution

- :warning: Since 2.4.1, Kong packages are no longer distributed
  through Bintray. Please visit [the installation docs](https://konghq.com/install/#kong-community)
  for more details.

### Dependencies

- Bumped `openresty` from 1.19.3.1 to 1.19.3.2
  [#7430](https://github.com/kong/kong/pull/7430)
- Bumped `luasec` from 1.0 to 1.0.1
  [#7126](https://github.com/kong/kong/pull/7126)
- Bumped `luarocks` from 3.5.0 to 3.7.0
  [#7043](https://github.com/kong/kong/pull/7043)
- Bumped `grpcurl` from 1.8.0 to 1.8.1
  [#7128](https://github.com/kong/kong/pull/7128)
- Bumped `penlight` from 1.9.2 to 1.10.0
  [#7127](https://github.com/Kong/kong/pull/7127)
- Bumped `lua-resty-dns-client` from 6.0.0 to 6.0.2
  [#7539](https://github.com/Kong/kong/pull/7539)
- Bumped `kong-plugin-prometheus` from 1.2 to 1.3
  [#7415](https://github.com/Kong/kong/pull/7415)
- Bumped `kong-plugin-zipkin` from 1.3 to 1.4
  [#7455](https://github.com/Kong/kong/pull/7455)
- Bumped `lua-resty-openssl` from 0.7.2 to 0.7.3
  [#7509](https://github.com/Kong/kong/pull/7509)
- Bumped `lua-resty-healthcheck` from 1.4.1 to 1.4.2
  [#7511](https://github.com/Kong/kong/pull/7511)
- Bumped `hmac-auth` from 2.3.0 to 2.4.0
  [#7522](https://github.com/Kong/kong/pull/7522)
- Pinned `lua-protobuf` to 0.3.2 (previously unpinned)
  [#7079](https://github.com/kong/kong/pull/7079)

All Kong Gateway OSS plugins will be moved from individual repositories and centralized
into the main Kong Gateway (OSS) repository. We are making a gradual transition, starting with the
grpc-gateway plugin first:

- Moved grpc-gateway inside the Kong repo.
  [#7466](https://github.com/Kong/kong/pull/7466)

### Additions

#### Core

- Control Planes can now send updates to new data planes even if the control planes lose connection to the database.
  [#6938](https://github.com/kong/kong/pull/6938)
- Kong now automatically adds `cluster_cert`(`cluster_mtls=shared`) or `cluster_ca_cert`(`cluster_mtls=pki`) into
  `lua_ssl_trusted_certificate` when operating in Hybrid mode. Before, Hybrid mode users needed to configure
  `lua_ssl_trusted_certificate` manually as a requirement for Lua to verify the Control Plane’s certificate.
  See [Starting Data Plane Nodes](https://docs.konghq.com/gateway-oss/2.5.x/hybrid-mode/#starting-data-plane-nodes)
  in the Hybrid Mode guide for more information.
  [#7044](https://github.com/kong/kong/pull/7044)
- New `declarative_config_string` option allows loading a declarative config directly from a string. See the
  [Loading The Declarative Configuration File](https://docs.konghq.com/2.5.x/db-less-and-declarative-config/#loading-the-declarative-configuration-file)
  section of the DB-less and Declarative Configuration guide for more information.
  [#7379](https://github.com/kong/kong/pull/7379)

#### PDK

- The Kong PDK now accepts tables in the response body for Stream subsystems, just as it does for the HTTP subsystem.
  Before developers had to check the subsystem if they wrote code that used the `exit()` function before calling it,
  because passing the wrong argument type would break the request response.
  [#7082](https://github.com/kong/kong/pull/7082)

#### Plugins

- **hmac-auth**: The HMAC Authentication plugin now includes support for the `@request-target` field in the signature
  string. Before, the plugin used the `request-line` parameter, which contains the HTTP request method, request URI, and
  the HTTP version number. The inclusion of the HTTP version number in the signature caused requests to the same target
  but using different request methods (such as HTTP/2) to have different signatures. The newly added request-target field
  only includes the lowercase request method and request URI when calculating the hash, avoiding those issues.
  See the [HMAC Authentication](https://docs.konghq.com/hub/kong-inc/hmac-auth) documentation for more information.
  [#7037](https://github.com/kong/kong/pull/7037)
- **syslog**: The Syslog plugin now includes facility configuration options, which are a way for the plugin to group
  error messages from different sources.
  See the description for the facility parameter in the
  [Parameters](https://docs.konghq.com/hub/kong-inc/syslog/#parameters) section of the Syslog documentation for more
  information.
  [#6081](https://github.com/kong/kong/pull/6081). Thanks, [jideel](https://github.com/jideel)!
- **Prometheus**: The Prometheus plugin now exposes connected data planes' status on the control plane. New metrics include the
  following: `data_plane_last_seen`, `data_plane_config_hash` and `data_plane_version_compatible`. These
  metrics can be useful for troubleshooting when data planes have inconsistent configurations across the cluster. See the
  [Available metrics](https://docs.konghq.com/hub/kong-inc/prometheus) section of the Prometheus plugin documentation
  for more information.
  [98](https://github.com/Kong/kong-plugin-prometheus/pull/98)
- **Zipkin**: The Zipkin plugin now includes the following tags: `kong.route`,`kong.service_name` and `kong.route_name`.
  See the [Spans](https://docs.konghq.com/hub/kong-inc/zipkin/#spans) section of the Zipkin plugin documentation for more information.
  [115](https://github.com/Kong/kong-plugin-zipkin/pull/115)

#### Hybrid Mode

- Kong now exposes an upstream health checks endpoint (using the status API) on the data plane for better
  observability.
  [#7429](https://github.com/Kong/kong/pull/7429)
- Control Planes are now more lenient when checking Data Planes' compatibility in Hybrid mode. See the
  [Version compatibility](https://docs.konghq.com/gateway-oss/2.5.x/hybrid-mode/#version_compatibility)
  section of the Hybrid Mode guide for more information.
  [#7488](https://github.com/Kong/kong/pull/7488)
- This release starts the groundwork for Hybrid Mode 2.0 Protocol. This code isn't active by default in Kong 2.5,
  but it allows future development.
  [#7462](https://github.com/Kong/kong/pull/7462)

### Fixes

#### Core

- When using DB-less mode, `select_by_cache_key` now finds entities by using the provided `field` directly
  in `select_by_key` and does not complete unnecessary cache reads.
  [#7146](https://github.com/kong/kong/pull/7146)
- Kong can now finish initialization even if a plugin’s `init_worker` handler fails, improving stability.
  [#7099](https://github.com/kong/kong/pull/7099)
- TLS keepalive requests no longer share their context. Before when two calls were made to the same "server+hostname"
  but different routes and using a keepalive connection, plugins that were active in the first call were also sometimes
  (incorrectly) active in the second call. The wrong plugin was active because Kong was passing context in the SSL phase
  to the plugin iterator, creating connection-wide structures in that context, which was then shared between different
  keepalive requests. With this fix, Kong does not pass context to plugin iterators with the `certificate` phase,
  avoiding plugin mixups.
  [#7102](https://github.com/kong/kong/pull/7102)
- The HTTP status 405 is now handled by Kong's error handler. Before accessing Kong using the TRACE method returned
  a standard NGINX error page because the 405 wasn’t included in the error page settings of the NGINX configuration.
  [#6933](https://github.com/kong/kong/pull/6933).
  Thanks, [yamaken1343](https://github.com/yamaken1343)!
- Custom `ngx.sleep` implementation in `init_worker` phase now invokes `update_time` in order to prevent time-based deadlocks
  [#7532](https://github.com/Kong/kong/pull/7532)
- `Proxy-Authorization` header is removed when it is part of the original request **or** when a plugin sets it to the
  same value as the original request
  [#7533](https://github.com/Kong/kong/pull/7533)
- `HEAD` requests don't provoke an error when a Plugin implements the `response` phase
  [#7535](https://github.com/Kong/kong/pull/7535)

#### Hybrid Mode

- Control planes no longer perform health checks on CRUD upstreams’ and targets’ events.
  [#7085](https://github.com/kong/kong/pull/7085)
- To prevent unnecessary cache flips on data planes, Kong now checks `dao:crud` events more strictly and has
  a new cluster event, `clustering:push_config` for configuration pushes. These updates allow Kong to filter
  invalidation events that do not actually require a database change. Furthermore, the clustering module does
  not subscribe to the generic `invalidations` event, which has a more broad scope than database entity invalidations.
  [#7112](https://github.com/kong/kong/pull/7112)
- Data Planes ignore null fields coming from Control Planes when doing schema validation.
  [#7458](https://github.com/Kong/kong/pull/7458)
- Kong now includes the source in error logs produced by Control Planes.
  [#7494](https://github.com/Kong/kong/pull/7494)
- Data Plane config hash calculation and checking is more consistent now: it is impervious to changes in table iterations,
  hashes are calculated in both CP and DP, and DPs send pings more immediately and with the new hash now
  [#7483](https://github.com/Kong/kong/pull/7483)

#### Balancer

- All targets are returned by the Admin API now, including targets with a `weight=0`, or disabled targets.
  Before disabled targets were not included in the output when users attempted to list all targets.
  Then when users attempted to add the targets again, they received an error message telling them the targets already existed.
  [#7094](https://github.com/kong/kong/pull/7094)
- Upserting existing targets no longer fails. Before, because of updates made to target configurations since Kong v2.2.0,
  upserting older configurations would fail. This fix allows older configurations to be imported.
  [#7052](https://github.com/kong/kong/pull/7052)
- The last balancer attempt is now correctly logged. Before balancer tries were saved when retrying, which meant the last
  retry state was not saved since there were no more retries. This update saves the failure state so it can be correctly logged.
  [#6972](https://github.com/kong/kong/pull/6972)
- Kong now ensures that the correct upstream event is removed from the queue when updating the balancer state.
  [#7103](https://github.com/kong/kong/pull/7103)

#### CLI

- The `prefix` argument in the `kong stop` command now takes precedence over environment variables, as it does in the
  `kong start` command.
  [#7080](https://github.com/kong/kong/pull/7080)

#### Configuration

- Declarative configurations now correctly parse custom plugin entities schemas with attributes called "plugins". Before
  when using declarative configurations, users with custom plugins that included a "plugins" field would encounter startup
  exceptions. With this fix, the declarative configuration can now distinguish between plugins schema and custom plugins fields.
  [#7412](https://github.com/kong/kong/pull/7412)
- The stream access log configuration options are now properly separated from the HTTP access log. Before when users
  used Kong with TCP, they couldn’t use a custom log format. With this fix, `proxy_stream_access_log` and `proxy_stream_error_log`
  have been added to differentiate stream access log from the HTTP subsystem.
  See
  [`proxy_stream_access_log`](https://docs.konghq.com/gateway-oss/2.5.x/configuration/#proxy_stream_access_log)
  and
  [`proxy_stream_error`](https://docs.konghq.com/gateway-oss/2.5.x/configuration/#proxy_stream_error)
  in the Configuration Property Reference for more information.
  [#7046](https://github.com/kong/kong/pull/7046)

#### Migrations

- Kong no longer assumes that `/?/init.lua` is in the Lua path when doing migrations. Before, when users created
  a custom plugin in a non-standard location and set `lua_package_path = /usr/local/custom/?.lua`, migrations failed.
  Migrations failed because the Kong core file is `init.lua` and it is required as part of `kong.plugins..migrations`.
  With this fix, migrations no longer expect `init.lua` to be a part of the path.
  [#6993](https://github.com/kong/kong/pull/6993)
- Kong no longer emits errors when doing `ALTER COLUMN` operations in Apache Cassandra 4.0.
  [#7490](https://github.com/Kong/kong/pull/7490)

#### PDK

- With this update, `kong.response.get_XXX()` functions now work in the log phase on external plugins. Before
  `kong.response.get_XXX()` functions required data from the response object, which was not accessible in the
  post-log timer used to call log handlers in external plugins. Now these functions work by accessing the required
  data from the set saved at the start of the log phase. See
  [`kong.response`](https://docs.konghq.com/gateway-oss/{{page.kong_version}}/kong.response)
  in the Plugin Development Kit for more information.
  [#7048](https://github.com/kong/kong/pull/7048)
- External plugins handle certain error conditions better while the Kong balancer is being refreshed. Before
  when an `instance_id` of an external plugin changed, and the plugin instance attempted to reset and retry,
  it was failing because of a typo in the comparison.
  [#7153](https://github.com/kong/kong/pull/7153).
  Thanks, [ealogar](https://github.com/ealogar)!
- With this release, `kong.log`'s phase checker now accounts for the existence of the new `response` pseudo-phase. Before, users may have erroneously received a safe runtime error for using a function out-of-place in the PDK.
  [#7109](https://github.com/kong/kong/pull/7109)
- Kong no longer sandboxes the `string.rep` function. Before, `string.rep` was sandboxed to disallow a single operation from allocating too much memory. However, a single operation allocating too much memory is no longer an issue because in LuaJIT there are no debug hooks and it is trivial to implement a loop to allocate memory on every single iteration. Additionally, since the `string` table is global and obtainable by any sandboxed string, its sandboxing provoked issues on global state.
  [#7167](https://github.com/kong/kong/pull/7167)
- The `kong.pdk.node` function can now correctly iterate over all the shared dict metrics. Before this fix, users using the `kong.pdk.node` function could not see all shared dict metrics under the Stream subsystem.
  [#7078](https://github.com/kong/kong/pull/7078)

#### Plugins

- All custom plugins that are using the deprecated `BasePlugin` class have to remove this inheritance.
- **LDAP-auth**: The LDAP Authentication schema now includes a default value for the `config.ldap_port` parameter that matches the documentation. Before, the plugin documentation [Parameters](https://docs.konghq.com/hub/kong-inc/ldap-auth/#parameters) section included a reference to a default value for the LDAP port; however, the default value was not included in the plugin schema.
  [#7438](https://github.com/kong/kong/pull/7438)
- **Prometheus**: The Prometheus plugin exporter now attaches subsystem labels to memory stats. Before, the HTTP and Stream subsystems were not distinguished, so their metrics were interpreted as duplicate entries by Prometheus.
  https://github.com/Kong/kong-plugin-prometheus/pull/118
- **External Plugins**: the return code 127 (command not found) is detected and an appropriate error is returned.
  [#7523](https://github.com/Kong/kong/pull/7523)

## [2.4.1]

> Released 2021/05/11

This is a patch release in the 2.4 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Distribution

- :warning: Starting with this release, Kong packages are no longer distributed through Bintray. Please download from [download.konghq.com](https://download.konghq.com).

### Dependencies

- Bump `luasec` from 1.0.0 to 1.0.1
  [#7126](https://github.com/Kong/kong/pull/7126)
- Bump `prometheus` plugin from 1.2.0 to 1.2.1
  [#7061](https://github.com/Kong/kong/pull/7061)

### Fixes

##### Core

- Ensure healthchecks and balancers are not created on control plane nodes.
  [#7085](https://github.com/Kong/kong/pull/7085)
- Optimize URL normalization code.
  [#7100](https://github.com/Kong/kong/pull/7100)
- Fix issue where control plane nodes would needlessly invalidate and send new configuration to data plane nodes.
  [#7112](https://github.com/Kong/kong/pull/7112)
- Ensure HTTP code `405` is handled by Kong's error page.
  [#6933](https://github.com/Kong/kong/pull/6933)
- Ensure errors in plugins `init_worker` do not break Kong's worker initialization.
  [#7099](https://github.com/Kong/kong/pull/7099)
- Fix issue where two subsequent TLS keepalive requests would lead to incorrect plugin execution.
  [#7102](https://github.com/Kong/kong/pull/7102)
- Ensure Targets upsert operation behaves similarly to other entities' upsert method.
  [#7052](https://github.com/Kong/kong/pull/7052)
- Ensure failed balancer retry is saved and accounted for in log data.
  [#6972](https://github.com/Kong/kong/pull/6972)

##### CLI

- Ensure `kong start` and `kong stop` prioritize CLI flag `--prefix` over environment variable `KONG_PREFIX`.
  [#7080](https://github.com/Kong/kong/pull/7080)

##### Configuration

- Ensure Stream subsystem allows for configuration of access logs format.
  [#7046](https://github.com/Kong/kong/pull/7046)

##### Admin API

- Ensure targets with weight 0 are displayed in the Admin API.
  [#7094](https://github.com/Kong/kong/pull/7094)

##### PDK

- Ensure new `response` phase is accounted for in phase checkers.
  [#7109](https://github.com/Kong/kong/pull/7109)

##### Plugins

- Ensure plugins written in languages other than Lua can use `kong.response.get_*` methods - e.g., `kong.response.get_status`.
  [#7048](https://github.com/Kong/kong/pull/7048)
- `hmac-auth`: enable JIT compilation of authorization header regex.
  [#7037](https://github.com/Kong/kong/pull/7037)

[Back to TOC](#table-of-contents)

## [2.4.0]

> Released 2021/04/06

This is the final release of Kong 2.4.0, with no breaking changes with respect to the 2.x series. This release includes JavaScript PDK, improved CP/DP updates and UTF-8 Tags, amongst other improvements and fixes.

### Dependencies

- :warning: For Kong 2.4, the required OpenResty version has been bumped to [1.19.3.1](http://openresty.org/en/changelog-1019003.html), and the set of patches included has changed, including the latest release of [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module). If you are installing Kong from one of our distribution packages, you are not affected by this change.

  **Note:** if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's [OpenResty patches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/patches) (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools) repository will allow you to do both easily.
- Bump luarocks from 3.4.0 to 3.5.0.
  [#6699](https://github.com/Kong/kong/pull/6699)
- Bump luasec from 0.9 to 1.0.
  [#6814](https://github.com/Kong/kong/pull/6814)
- Bump lua-resty-dns-client from 5.2.1 to 6.0.0.
  [#6999](https://github.com/Kong/kong/pull/6999)
- Bump kong-lapis from 1.8.1.2 to 1.8.3.1.
  [#6925](https://github.com/Kong/kong/pull/6925)
- Bump pgmoon from 1.11.0 to 1.12.0.
  [#6741](https://github.com/Kong/kong/pull/6741)
- Bump lua-resty-openssl from 0.6.9 to 0.7.2.
  [#6967](https://github.com/Kong/kong/pull/6967)
- Bump kong-plugin-zipkin from 1.2 to 1.3.
  [#6936](https://github.com/Kong/kong/pull/6936)
- Bump kong-prometheus-plugin from 1.0 to 1.2.
  [#6958](https://github.com/Kong/kong/pull/6958)
- Bump lua-cassandra from 1.5.0 to 1.5.1
  [#6857](https://github.com/Kong/kong/pull/6857)
- Bump luasyslog from 1.0.0 to 2.0.1
  [#6957](https://github.com/Kong/kong/pull/6957)

### Additions

##### Core

- Relaxed version check between Control Planes and Data Planes, allowing Data Planes that are missing minor updates to still connect to the Control Plane. Also, now Data Plane is allowed to have a superset of Control Plane plugins.
  [6932](https://github.com/Kong/kong/pull/6932)
- Allowed UTF-8 in Tags
  [6784](https://github.com/Kong/kong/pull/6784)
- Added support for Online Certificate Status Protocol responder found in cluster.
  [6887](https://github.com/Kong/kong/pull/6887)

##### PDK

- [JavaScript Plugin Development Kit (PDK)](https://github.com/Kong/kong-js-pdk) is released alongside Kong 2.4. It allows users to write Kong plugins in JavaScript and TypeScript.
- Beta release of Protobuf plugin communication protocol, which can be used in place of MessagePack to communicate with non-Lua plugins.
  [6941](https://github.com/Kong/kong/pull/6941)
- Enabled `ssl_certificate` phase on plugins with stream module.
  [6873](https://github.com/Kong/kong/pull/6873)

##### Plugins

- Zipkin: support for Jaeger style uber-trace-id headers.
  [101](https://github.com/Kong/kong-plugin-zipkin/pull/101) Thanks [nvx](https://github.com/nvx) for the patch!
- Zipkin: support for OT headers.
  [103](https://github.com/Kong/kong-plugin-zipkin/pull/103) Thanks [ishg](https://github.com/ishg) for the patch!
- Zipkin: allow insertion of custom tags on the Zipkin request trace.
  [102](https://github.com/Kong/kong-plugin-zipkin/pull/102)
- Zipkin: creation of baggage items on child spans is now possible.
  [98](https://github.com/Kong/kong-plugin-zipkin/pull/98) Thanks [Asafb26](https://github.com/Asafb26) for the patch!
- JWT: Add ES384 support
  [6854](https://github.com/Kong/kong/pull/6854) Thanks [pariviere](https://github.com/pariviere) for the patch!
- Several plugins: capability to set new log fields, or unset existing fields, by executing custom Lua code in the Log phase.
  [6944](https://github.com/Kong/kong/pull/6944)

### Fixes

##### Core

- Changed default values and validation rules for plugins that were not well-adjusted for dbless or hybrid modes.
  [6885](https://github.com/Kong/kong/pull/6885)
- Kong 2.4 ensures that all the Core entities are loaded before loading any plugins. This fixes an error in which Plugins could not link to or modify Core entities because they would not be loaded yet.
  [6880](https://github.com/Kong/kong/pull/6880)
- If needed, `Host` header is now updated between balancer retries, using the value configured in the correct upstream entity.
  [6796](https://github.com/Kong/kong/pull/6796)
- Schema validations now log more descriptive error messages when types are invalid.
  [6593](https://github.com/Kong/kong/pull/6593) Thanks [WALL-E](https://github.com/WALL-E) for the patch!
- Kong now ignores tags in Cassandra when filtering by multiple entities, which is the expected behavior and the one already existent when using Postgres databases.
  [6931](https://github.com/Kong/kong/pull/6931)
- `Upgrade` header is not cleared anymore when response `Connection` header contains `Upgrade`.
  [6929](https://github.com/Kong/kong/pull/6929)
- Accept fully-qualified domain names ending in dots.
  [6864](https://github.com/Kong/kong/pull/6864)
- Kong does not try to warmup upstream names when warming up DNS entries.
  [6891](https://github.com/Kong/kong/pull/6891)
- Migrations order is now guaranteed to be always the same.
  [6901](https://github.com/Kong/kong/pull/6901)
- Buffered responses are disabled on connection upgrades.
  [6902](https://github.com/Kong/kong/pull/6902)
- Make entity relationship traverse-order-independent.
  [6743](https://github.com/Kong/kong/pull/6743)
- The host header is updated between balancer retries.
  [6796](https://github.com/Kong/kong/pull/6796)
- The router prioritizes the route with most matching headers when matching headers.
  [6638](https://github.com/Kong/kong/pull/6638)
- Fixed an edge case on multipart/form-data boundary check.
  [6638](https://github.com/Kong/kong/pull/6638)
- Paths are now properly normalized inside Route objects.
  [6976](https://github.com/Kong/kong/pull/6976)
- Do not cache empty upstream name dictionary.
  [7002](https://github.com/Kong/kong/pull/7002)
- Do not assume upstreams do not exist after init phase.
  [7010](https://github.com/Kong/kong/pull/7010)
- Do not overwrite configuration files when running migrations.
  [7017](https://github.com/Kong/kong/pull/7017)

##### PDK

- Now Kong does not leave plugin servers alive after exiting and does not try to start them in the unsupported stream subsystem.
  [6849](https://github.com/Kong/kong/pull/6849)
- Go does not cache `kong.log` methods
  [6701](https://github.com/Kong/kong/pull/6701)
- The `response` phase is included on the list of public phases
  [6638](https://github.com/Kong/kong/pull/6638)
- Config file style and options case are now consistent all around.
  [6981](https://github.com/Kong/kong/pull/6981)
- Added right protobuf MacOS path to enable external plugins in Homebrew installations.
  [6980](https://github.com/Kong/kong/pull/6980)
- Auto-escape upstream path to avoid proxying errors.
  [6978](https://github.com/Kong/kong/pull/6978)
- Ports are now declared as `Int`.
  [6994](https://github.com/Kong/kong/pull/6994)

##### Plugins

- oauth2: better handling of more cases of client invalid token generation.
  [6594](https://github.com/Kong/kong/pull/6594) Thanks [jeremyjpj0916](https://github.com/jeremyjpj0916) for the patch!
- Zipkin: the w3c parsing function was returning a non-used extra value, and it now early-exits.
  [100](https://github.com/Kong/kong-plugin-zipkin/pull/100) Thanks [nvx](https://github.com/nvx) for the patch!
- Zipkin: fixed a bug in which span timestamping could sometimes raise an error.
  [105](https://github.com/Kong/kong-plugin-zipkin/pull/105) Thanks [Asafb26](https://github.com/Asafb26) for the patch!

[Back to TOC](#table-of-contents)

## [2.3.3]

> Released 2021/03/05

This is a patch release in the 2.3 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Dependencies

- Bump OpenSSL from `1.1.1i` to `1.1.1j`.
  [6859](https://github.com/Kong/kong/pull/6859)

### Fixes

##### Core

- Ensure control plane nodes do not execute healthchecks.
  [6805](https://github.com/Kong/kong/pull/6805)
- Ensure only one worker executes active healthchecks.
  [6844](https://github.com/Kong/kong/pull/6844)
- Declarative config can now be loaded as an inline yaml file by `kong config` (previously it was possible only as a yaml string inside json). JSON declarative config is now parsed with the `cjson` library, instead of with `libyaml`.
  [6852](https://github.com/Kong/kong/pull/6852)
- When using eventual worker consistency, every Nginx worker now deals with its own upstream changes, avoiding unnecessary synchronization among workers.
  [6833](https://github.com/Kong/kong/pull/6833)

##### Admin API

- Remove `prng_seed` from the Admin API and add PIDs instead.
  [6842](https://github.com/Kong/kong/pull/6842)

##### PDK

- Ensure `kong.log.serialize` properly calculates reported latencies.
  [6869](https://github.com/Kong/kong/pull/6869)

##### Plugins

- HMAC-Auth: fix issue where the plugin would check if both a username and signature were specified, rather than either.
  [6826](https://github.com/Kong/kong/pull/6826)

[Back to TOC](#table-of-contents)

## [2.3.2]

> Released 2021/02/09

This is a patch release in the 2.3 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- Fix an issue where certain incoming URIs may make it possible to bypass security rules applied on Route objects. This fix makes such attacks more difficult by always normalizing the incoming request's URI before matching against the Router.
  [#6821](https://github.com/Kong/kong/pull/6821)
- Properly validate Lua input in sandbox module.
  [#6765](https://github.com/Kong/kong/pull/6765)
- Mark boolean fields with default values as required.
  [#6785](https://github.com/Kong/kong/pull/6785)

##### CLI

- `kong migrations` now accepts a `-p`/`--prefix` flag.
  [#6819](https://github.com/Kong/kong/pull/6819)

##### Plugins

- JWT: disallow plugin on consumers.
  [#6777](https://github.com/Kong/kong/pull/6777)
- rate-limiting: improve counters accuracy.
  [#6802](https://github.com/Kong/kong/pull/6802)

[Back to TOC](#table-of-contents)

## [2.3.1]

> Released 2021/01/26

This is a patch release in the 2.3 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- lua-resty-dns-client was bumped to 5.2.1, which fixes an issue that could lead to a busy loop when renewing addresses.
  [#6760](https://github.com/Kong/kong/pull/6760)
- Fixed an issue that made Kong return HTTP 500 Internal Server Error instead of HTTP 502 Bad Gateway on upstream connection errors when using buffered proxying.
  [#6735](https://github.com/Kong/kong/pull/6735)

[Back to TOC](#table-of-contents)

## [2.3.0]

> Released 2021/01/08

This is a new release of Kong, with no breaking changes with respect to the 2.x series, with **Control Plane/Data Plane version checks**, **UTF-8 names for Routes and Services**, and **Plugin Servers**.

### Distributions

- :warning: Support for Centos 6 has been removed, as said distro entered EOL on Nov 30.
  [#6641](https://github.com/Kong/kong/pull/6641)

### Dependencies

- Bump kong-plugin-serverless-functions from 1.0 to 2.1.
  [#6715](https://github.com/Kong/kong/pull/6715)
- Bump lua-resty-dns-client from 5.1.0 to 5.2.0.
  [#6711](https://github.com/Kong/kong/pull/6711)
- Bump lua-resty-healthcheck from 1.3.0 to 1.4.0.
  [#6711](https://github.com/Kong/kong/pull/6711)
- Bump OpenSSL from 1.1.1h to 1.1.1i.
  [#6639](https://github.com/Kong/kong/pull/6639)
- Bump `kong-plugin-zipkin` from 1.1 to 1.2.
  [#6576](https://github.com/Kong/kong/pull/6576)
- Bump `kong-plugin-request-transformer` from 1.2 to 1.3.
  [#6542](https://github.com/Kong/kong/pull/6542)

### Additions

##### Core

- Introduce version checks between Control Plane and Data Plane nodes in Hybrid Mode. Sync will be stopped if the major/minor versions differ or if installed plugin versions differ between Control Plane and Data Plane nodes.
  [#6612](https://github.com/Kong/kong/pull/6612)
- Kong entities with a `name` field now support utf-8 characters.
  [#6557](https://github.com/Kong/kong/pull/6557)
- The certificates entity now has `cert_alt` and `key_alt` fields, used to specify an alternative certificate and key pair.
  [#6536](https://github.com/Kong/kong/pull/6536)
- The go-pluginserver `stderr` and `stdout` are now written into Kong's logs.
  [#6503](https://github.com/Kong/kong/pull/6503)
- Introduce support for multiple pluginservers. This feature is backwards-compatible with the existing single Go pluginserver.
  [#6600](https://github.com/Kong/kong/pull/6600)

##### PDK

- Introduce a `kong.node.get_hostname` method that returns the current node's host name.
  [#6613](https://github.com/Kong/kong/pull/6613)
- Introduce a `kong.cluster.get_id` method that returns a unique ID for the current Kong cluster. If Kong is running in DB-less mode without a cluster ID explicitly defined, then this method returns nil. For Hybrid mode, all Control Planes and Data Planes belonging to the same cluster return the same cluster ID. For traditional database based deployments, all Kong nodes pointing to the same database will also return the same cluster ID.
  [#6576](https://github.com/Kong/kong/pull/6576)
- Introduce a `kong.log.set_serialize_value`, which allows for customizing the output of `kong.log.serialize`.
  [#6646](https://github.com/Kong/kong/pull/6646)

##### Plugins

- `http-log`: the plugin now has a `headers` configuration, so that custom headers can be specified for the log request.
  [#6449](https://github.com/Kong/kong/pull/6449)
- `key-auth`: the plugin now has two additional boolean configurations:
  * `key_in_header`: if `false`, the plugin will ignore keys passed as headers.
  * `key_in_query`: if `false`, the plugin will ignore keys passed as query arguments.

  Both default to `true`.
  [#6590](https://github.com/Kong/kong/pull/6590)
- `request-size-limiting`: add new configuration `require_content_length`, which causes the plugin to ensure a valid `Content-Length` header exists before reading the request body.
  [#6660](https://github.com/Kong/kong/pull/6660)
- `serverless-functions`: introduce a sandboxing capability, and it has been *enabled* by default, where only Kong PDK, OpenResty `ngx` APIs, and Lua standard libraries are allowed.
  [#32](https://github.com/Kong/kong-plugin-serverless-functions/pull/32/)

##### Configuration

- `client_max_body_size` and `client_body_buffer_size`, which were previously hardcoded to 10m, are now configurable through `nginx_admin_client_max_body_size` and `nginx_admin_client_body_buffer_size`.
  [#6597](https://github.com/Kong/kong/pull/6597)
- Kong-generated SSL private keys now have `600` file system permission.
  [#6509](https://github.com/Kong/kong/pull/6509)
- Properties `ssl_cert`, `ssl_cert_key`, `admin_ssl_cert`, `admin_ssl_cert_key`, `status_ssl_cert`, and `status_ssl_cert_key` are now arrays: previously, only an RSA certificate was generated by default; with this change, an ECDSA is also generated. On intermediate and modern cipher suites, the ECDSA certificate is set as the default fallback certificate; on old cipher suite, the RSA certificate remains as the default. On custom certificates, the first certificate specified in the array is used.
  [#6509](https://github.com/Kong/kong/pull/6509)
- Kong now runs as a `kong` user if it exists; if said user does not exist in the system, the `nobody` user is used, as before.
  [#6421](https://github.com/Kong/kong/pull/6421)

### Fixes

##### Core

- Fix issue where a Go plugin would fail to read kong.ctx.shared values set by Lua plugins.
  [#6490](https://github.com/Kong/kong/pull/6490)
- Properly trigger `dao:delete_by:post` hook.
  [#6567](https://github.com/Kong/kong/pull/6567)
- Fix issue where a route that supports both http and https (and has a hosts and snis match criteria) would fail to proxy http requests, as it does not contain an SNI.
  [#6517](https://github.com/Kong/kong/pull/6517)
- Fix issue where a `nil` request context would lead to errors `attempt to index local 'ctx'` being shown in the logs
- Reduced the number of needed timers to active health check upstreams and to resolve hosts.
- Schemas for full-schema validations are correctly cached now, avoiding memory leaks when reloading declarative configurations.
  [#6713](https://github.com/Kong/kong/pull/6713)
- The schema for the upstream entities now limits the highest configurable number of successes and failures to 255, respecting the limits imposed by lua-resty-healthcheck.
  [#6705](https://github.com/Kong/kong/pull/6705)
- Certificates for database connections now are loaded in the right order avoiding failures to connect to Postgres databases.
  [#6650](https://github.com/Kong/kong/pull/6650)

##### CLI

- Fix issue where `kong reload -c ` would fail.
  [#6664](https://github.com/Kong/kong/pull/6664)
- Fix issue where the Kong configuration cache would get corrupted.
  [#6664](https://github.com/Kong/kong/pull/6664)

##### PDK

- Ensure the log serializer encodes the `tries` field as an array when empty, rather than an object.
  [#6632](https://github.com/Kong/kong/pull/6632)

##### Plugins

- request-transformer plugin does not allow `null` in config anymore as they can lead to runtime errors.
  [#6710](https://github.com/Kong/kong/pull/6710)

[Back to TOC](#table-of-contents)

## [2.2.2]

> Released 2021/03/01

This is a patch release in the 2.2 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

##### Plugins

- `serverless-functions`: introduce a sandboxing capability, *enabled* by default, where only Kong PDK, OpenResty `ngx` APIs, and some Lua standard libraries are allowed. Read the documentation [here](https://docs.konghq.com/hub/kong-inc/serverless-functions/#sandboxing).
  [#32](https://github.com/Kong/kong-plugin-serverless-functions/pull/32/)

[Back to TOC](#table-of-contents)

## [2.2.1]

> Released 2020/12/01

This is a patch release in the 2.2 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

##### Distribution

##### Core

- Fix issue where Kong would fail to start a Go plugin instance with a `starting instance: nil` error.
  [#6507](https://github.com/Kong/kong/pull/6507)
- Fix issue where a route that supports both `http` and `https` (and has a `hosts` and `snis` match criteria) would fail to proxy `http` requests, as it does not contain an SNI.
  [#6517](https://github.com/Kong/kong/pull/6517)
- Fix issue where a Go plugin would fail to read `kong.ctx.shared` values set by Lua plugins.
  [#6426](https://github.com/Kong/kong/issues/6426)
- Fix issue where gRPC requests would fail to set the `:authority` pseudo-header in upstream requests.
  [#6603](https://github.com/Kong/kong/pull/6603)

##### CLI

- Fix issue where `kong config db_import` and `kong config db_export` commands would fail if Go plugins were enabled.
  [#6596](https://github.com/Kong/kong/pull/6596) Thanks [daniel-shuy](https://github.com/daniel-shuy) for the patch!

[Back to TOC](#table-of-contents)

## [2.2.0]

> Released 2020/10/23

This is a new major release of Kong, including new features such as **UDP support**, **Configurable Request and Response Buffering**, **Dynamically Loading of OS Certificates**, and much more.

### Distributions

- Added support for running Kong as the non-root user kong on distributed systems.

### Dependencies

- :warning: For Kong 2.2, the required OpenResty version has been bumped to [1.17.8.2](http://openresty.org/en/changelog-1017008.html), and the set of patches included has changed, including the latest release of [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module). If you are installing Kong from one of our distribution packages, you are not affected by this change.
- Bump OpenSSL version from `1.1.1g` to `1.1.1h`.
  [#6382](https://github.com/Kong/kong/pull/6382)

  **Note:** if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's [OpenResty patches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/openresty-patches) (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools) repository will allow you to do both easily.
- :warning: Cassandra 2.x support is now deprecated. If you are still using Cassandra 2.x with Kong, we recommend you to upgrade, since this series of Cassandra is about to be EOL with the upcoming release of Cassandra 4.0.

### Additions

##### Core

- :fireworks: **UDP support**: Kong now features support for UDP proxying in its stream subsystem. The `"udp"` protocol is now accepted in the `protocols` attribute of Routes and the `protocol` attribute of Services. Load balancing and logging plugins support UDP as well.
  [#6215](https://github.com/Kong/kong/pull/6215)
- **Configurable Request and Response Buffering**: The buffering of requests or responses can now be enabled or disabled on a per-route basis, through setting attributes `Route.request_buffering` or `Route.response_buffering` to `true` or `false`. Default behavior remains the same: buffering is enabled by default for requests and responses.
  [#6057](https://github.com/Kong/kong/pull/6057)
- **Option to Automatically Load OS Certificates**: The configuration attribute `lua_ssl_trusted_certificate` was extended to accept a comma-separated list of certificate paths, as well as a special `system` value, which expands to the "system default" certificates file installed by the operating system. This follows a very simple heuristic to try to use the most common certificate file in most popular distros.
  [#6342](https://github.com/Kong/kong/pull/6342)
- Consistent-Hashing load balancing algorithm does not require to use the entire target history to build the same proxying destinations table on all Kong nodes anymore. Now deleted targets are actually removed from the database and the targets entities can be manipulated by the Admin API as any other entity.
  [#6336](https://github.com/Kong/kong/pull/6336)
- Add `X-Forwarded-Path` header: if a trusted source provides a `X-Forwarded-Path` header, it is proxied as-is. Otherwise, Kong will set the content of said header to the request's path.
  [#6251](https://github.com/Kong/kong/pull/6251)
- Hybrid mode synchronization performance improvements: Kong now uses a new internal synchronization method to push changes from the Control Plane to the Data Plane, drastically reducing the amount of communication between nodes during bulk updates.
  [#6293](https://github.com/Kong/kong/pull/6293)
- The `Upstream.client_certificate` attribute can now be used from proxying: This allows `client_certificate` setting used for mTLS handshaking with the `Upstream` server to be shared easily among different Services. However, `Service.client_certificate` will take precedence over `Upstream.client_certificate` if both are set simultaneously. In previous releases, `Upstream.client_certificate` was only used for mTLS in active health checks.
  [#6348](https://github.com/Kong/kong/pull/6348)
- New `shorthand_fields` top-level attribute in schema definitions, which deprecates `shorthands` and includes type definitions in addition to the shorthand callback.
  [#6364](https://github.com/Kong/kong/pull/6364)
- Hybrid Mode: the table of Data Plane nodes at the Control Plane is now cleaned up automatically, according to a delay value configurable via the `cluster_data_plane_purge_delay` attribute, set to 14 days by default.
  [#6376](https://github.com/Kong/kong/pull/6376)
- Hybrid Mode: Data Plane nodes now apply only the last config when receiving several updates in sequence, improving the performance when large configs are in use.
  [#6299](https://github.com/Kong/kong/pull/6299)

##### Admin API

- Hybrid Mode: new endpoint `/clustering/data-planes` which returns complete information about all Data Plane nodes that are connected to the Control Plane cluster, regardless of the Control Plane node to which they connected.
  [#6308](https://github.com/Kong/kong/pull/6308)
  * :warning: The `/clustering/status` endpoint is now deprecated, since it returns only information about Data Plane nodes directly connected to the Control Plane node to which the Admin API request was made, and is superseded by `/clustering/data-planes`.
- Admin API responses now honor the `headers` configuration setting for including or removing the `Server` header.
  [#6371](https://github.com/Kong/kong/pull/6371)

##### PDK

- New function `kong.request.get_forwarded_prefix`: returns the prefix path component of the request's URL that Kong stripped before proxying to upstream, respecting the value of `X-Forwarded-Prefix` when it comes from a trusted source.
  [#6251](https://github.com/Kong/kong/pull/6251)
- `kong.response.exit` now honors the `headers` configuration setting for including or removing the `Server` header.
  [#6371](https://github.com/Kong/kong/pull/6371)
- `kong.log.serialize` function now can be called using the stream subsystem, allowing various logging plugins to work under TCP and TLS proxy modes.
  [#6036](https://github.com/Kong/kong/pull/6036)
- Requests with `multipart/form-data` MIME type now can use the same part name multiple times.
  [#6054](https://github.com/Kong/kong/pull/6054)

##### Plugins

- **New Response Phase**: both Go and Lua plugins now support a new plugin phase called `response` in Lua plugins and `Response` in Go.
  Using it automatically enables response buffering, which allows you to manipulate both the response headers and the response body in the same phase. This enables support for response handling in Go, where header and body filter phases are not available, allowing you to use PDK functions such as `kong.Response.GetBody()`, and provides an equivalent simplified feature for handling buffered responses from Lua plugins as well.
  [#5991](https://github.com/Kong/kong/pull/5991)
- aws-lambda: bump to version 3.5.0:
  [#6379](https://github.com/Kong/kong/pull/6379)
  * support for 'isBase64Encoded' flag in Lambda function responses
- grpc-web: introduce configuration pass_stripped_path, which, if set to true, causes the plugin to pass the stripped request path (see the `strip_path` Route attribute) to the upstream gRPC service.
- rate-limiting: Support for rate limiting by path, by setting the `limit_by = "path"` configuration attribute. Thanks [KongGuide](https://github.com/KongGuide) for the patch!
  [#6286](https://github.com/Kong/kong/pull/6286)
- correlation-id: the plugin now generates a correlation-id value by default if the correlation id header arrives but is empty.
  [#6358](https://github.com/Kong/kong/pull/6358)

## [2.1.4]

> Released 2020/09/18

This is a patch release in the 2.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- Improve graceful exit of Control Plane and Data Plane nodes in Hybrid Mode.
  [#6306](https://github.com/Kong/kong/pull/6306)

##### Plugins

- datadog, loggly, statsd: fixes for supporting logging TCP/UDP services.
  [#6344](https://github.com/Kong/kong/pull/6344)
- Logging plugins: request and response sizes are now reported by the log serializer as number attributes instead of string.
  [#6356](https://github.com/Kong/kong/pull/6356)
- prometheus: Remove unnecessary `WARN` log that was seen in the Kong 2.1 series.
  [#6258](https://github.com/Kong/kong/pull/6258)
- key-auth: no longer trigger HTTP 400 error when the body cannot be decoded.
  [#6357](https://github.com/Kong/kong/pull/6357)
- aws-lambda: respect `skip_large_bodies` config setting even when not using AWS API Gateway compatibility.
  [#6379](https://github.com/Kong/kong/pull/6379)

[Back to TOC](#table-of-contents)

- Fix issue where `kong reload` would occasionally leave stale workers locked at 100% CPU.
  [#6300](https://github.com/Kong/kong/pull/6300)
- Hybrid Mode: more informative error message when the Control Plane cannot be reached.
  [#6267](https://github.com/Kong/kong/pull/6267)

##### CLI

- `kong hybrid gen_cert` now reports "permission denied" errors correctly when it fails to write the certificate files.
  [#6368](https://github.com/Kong/kong/pull/6368)

##### Plugins

- acl: bumped to 3.0.1
  * Fix regression in a scenario where an ACL plugin with a `deny` clause was configured for a group that does not exist would cause an HTTP 401 when an authenticated plugin would match the anonymous consumer. The behavior is now restored to that seen in Kong 1.x and 2.0.
    [#6354](https://github.com/Kong/kong/pull/6354)
- request-transformer: bumped to 1.2.7
  * Fix the construction of the error message when a template throws a Lua error.
    [#26](https://github.com/Kong/kong-plugin-request-transformer/pull/26)

## [2.1.3]

> Released 2020/08/19

This is a patch release in the 2.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- Fix behavior of `X-Forwarded-Prefix` header with stripped path prefixes: the stripped portion of path is now added in `X-Forwarded-Prefix`, except if it is `/` or if it is received from a trusted client.
  [#6222](https://github.com/Kong/kong/pull/6222)

##### Migrations

- Avoid creating an unnecessary index for Postgres.
  [#6250](https://github.com/Kong/kong/pull/6250)

##### Admin API

- DB-less: fix concurrency issues with `/config` endpoint. It now waits for the configuration to update across workers before returning, and returns HTTP 429 on attempts to perform concurrent updates and HTTP 504 in case of update timeouts.
  [#6121](https://github.com/Kong/kong/pull/6121)

##### Plugins

- request-transformer: bump from v1.2.5 to v1.2.6
  * Fix an issue where query parameters would get incorrectly URL-encoded.
    [#24](https://github.com/Kong/kong-plugin-request-transformer/pull/24)
- acl: Fix migration of ACLs table for the Kong 2.1 series.
  [#6250](https://github.com/Kong/kong/pull/6250)

## [2.1.2]

> Released 2020/08/13

:white_check_mark: **Update (2020/08/13)**: This release fixed a balancer bug that may cause incorrect request payloads to be sent to unrelated upstreams during balancer retries, potentially causing responses for other requests to be returned. Therefore it is **highly recommended** that Kong users running versions `2.1.0` and `2.1.1` upgrade to this version as soon as possible, or apply mitigation from the [2.1.0](#210) section below.

### Fixes

##### Core

- Fix a bug where balancer retries cause incorrect requests to be sent to subsequent upstream connections of unrelated requests.
  [#6224](https://github.com/Kong/kong/pull/6224)
- Fix an issue where plugins iterator was being built before setting the default workspace id, therefore indexing the plugins under the wrong workspace.
  [#6206](https://github.com/Kong/kong/pull/6206)

##### Migrations

- Improve reentrancy of Cassandra migrations.
  [#6206](https://github.com/Kong/kong/pull/6206)

##### PDK

- Make sure the `kong.response.error` PDK function respects gRPC related content types.
  [#6214](https://github.com/Kong/kong/pull/6214)

## [2.1.1]

> Released 2020/08/05

:red_circle: **Post-release note (as of 2020/08/13)**: A faulty behavior has been observed with this change.
When Kong proxies using the balancer and a request to one of the upstream `Target`s fails, Kong might send the same request to another healthy `Target` in a different request later, causing the response for the failed request to be returned.

This bug could be mitigated temporarily by disabling upstream keepalive pools. It can be achieved by either:

1. In `kong.conf`, set `upstream_keepalive_pool_size=0`, or
2. Setting the environment variable `KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0` when starting Kong with the CLI.

Then restart/reload the Kong instance.

Thanks Nham Le (@nhamlh) for reporting it in [#6212](https://github.com/Kong/kong/issues/6212).

:white_check_mark: **Update (2020/08/13)**: A fix to this regression has been released as part of [2.1.2](#212). See the section of the Changelog related to this release for more details.

### Dependencies

- Bump [lua-multipart](https://github.com/Kong/lua-multipart) to `0.5.9`.
  [#6148](https://github.com/Kong/kong/pull/6148)

### Fixes

##### Core

- No longer reject valid characters (as specified in the RFC 3986) in the `path` attribute of the Service entity.
  [#6183](https://github.com/Kong/kong/pull/6183)

##### Migrations

- Fix issue in Cassandra migrations where empty values in some entities would be incorrectly migrated.
  [#6171](https://github.com/Kong/kong/pull/6171)

##### Admin API

- Fix issue where consumed worker memory as reported by the `kong.node.get_memory_stats()` PDK method would be incorrectly reported in kilobytes, rather than bytes, leading to inaccurate values in the `/status` Admin API endpoint (and other users of said PDK method).
  [#6170](https://github.com/Kong/kong/pull/6170)

##### Plugins

- rate-limiting: fix issue where rate-limiting by Service would result in a global limit, rather than per Service.
  [#6157](https://github.com/Kong/kong/pull/6157)
- rate-limiting: fix issue where a TTL would not be set to some Redis keys.
  [#6150](https://github.com/Kong/kong/pull/6150)

[Back to TOC](#table-of-contents)

## [2.1.0]

> Released 2020/07/16

:red_circle: **Post-release note (as of 2020/08/13)**: A faulty behavior has been observed with this change. When Kong proxies using the balancer and a request to one of the upstream `Target`s fails, Kong might send the same request to another healthy `Target` in a different request later, causing the response for the failed request to be returned.

This bug could be mitigated temporarily by disabling upstream keepalive pools. It can be achieved by either:

1. In `kong.conf`, set `upstream_keepalive_pool_size=0`, or
2. Setting the environment variable `KONG_UPSTREAM_KEEPALIVE_POOL_SIZE=0` when starting Kong with the CLI.

Then restart/reload the Kong instance.

Thanks Nham Le (@nhamlh) for reporting it in [#6212](https://github.com/Kong/kong/issues/6212).

:white_check_mark: **Update (2020/08/13)**: A fix to this regression has been released as part of [2.1.2](#212). See the section of the Changelog related to this release for more details.

### Distributions

- :gift: Introduce package for Ubuntu 20.04.
  [#6006](https://github.com/Kong/kong/pull/6006)
- Add `ca-certificates` to the Alpine Docker image.
  [#373](https://github.com/Kong/docker-kong/pull/373)
- :warning: The [go-pluginserver](https://github.com/Kong/go-pluginserver) no longer ships with Kong packages; users are encouraged to build it along with their Go plugins. For more info, check out the [Go Guide](https://docs.konghq.com/latest/go/).

### Dependencies

- :warning: In order to use all Kong features, including the new dynamic upstream keepalive behavior, the required OpenResty version is [1.15.8.3](http://openresty.org/en/changelog-1015008.html). If you are installing Kong from one of our distribution packages, this version and all required patches and modules are included.
  If you are building from source, you must apply Kong's [OpenResty patches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/openresty-patches) as well as include [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools) repository allows you to do both easily.
- Bump OpenSSL version from `1.1.1f` to `1.1.1g`.
  [#5820](https://github.com/Kong/kong/pull/5810)
- Bump [lua-resty-dns-client](https://github.com/Kong/lua-resty-dns-client) from `4.1.3` to `5.0.1`.
  [#5499](https://github.com/Kong/kong/pull/5499)
- Bump [lyaml](https://github.com/gvvaughan/lyaml) from `0.2.4` to `0.2.5`.
  [#5984](https://github.com/Kong/kong/pull/5984)
- Bump [lua-resty-openssl](https://github.com/fffonion/lua-resty-openssl) from `0.6.0` to `0.6.2`.
  [#5941](https://github.com/Kong/kong/pull/5941)

### Changes

##### Core

- Increase maximum allowed payload size in hybrid mode.
  [#5654](https://github.com/Kong/kong/pull/5654)
- Targets now support a weight range of 0-65535.
  [#5871](https://github.com/Kong/kong/pull/5871)

##### Configuration

- :warning: The configuration properties `router_consistency` and `router_update_frequency` have been renamed to `worker_consistency` and `worker_state_update_frequency`, respectively. The new properties allow for configuring the consistency settings of additional internal structures, see below for details.
  [#5325](https://github.com/Kong/kong/pull/5325)
- :warning: The `nginx_upstream_keepalive_*` configuration properties have been renamed to `upstream_keepalive_*`. This is due to the introduction of dynamic upstream keepalive pools, see below for details.
  [#5771](https://github.com/Kong/kong/pull/5771)
- :warning: The default value of `worker_state_update_frequency` (previously `router_update_frequency`) was changed from `1` to `5`.
  [#5325](https://github.com/Kong/kong/pull/5325)

##### Plugins

- :warning: Change authentication plugins to standardize on `allow` and `deny` as terms for access control. Previous nomenclature is deprecated and support will be removed in Kong 3.0.
  * ACL: use `allow` and `deny` instead of `whitelist` and `blacklist`
  * bot-detection: use `allow` and `deny` instead of `whitelist` and `blacklist`
  * ip-restriction: use `allow` and `deny` instead of `whitelist` and `blacklist`
  [#6014](https://github.com/Kong/kong/pull/6014)

### Additions

##### Core

- :fireworks: **Asynchronous upstream updates**: Kong's load balancer is now able to update its internal structures asynchronously instead of onto the request/stream path.

  This change required the introduction of new configuration properties and the deprecation of older ones:
  - New properties:
    * `worker_consistency`
    * `worker_state_update_frequency`
  - Deprecated properties:
    * `router_consistency`
    * `router_update_frequency`

  The new `worker_consistency` property is similar to `router_consistency` and accepts either of `strict` (default, synchronous) or `eventual` (asynchronous). Unlike its deprecated counterpart, this new property aims at configuring the consistency of *all* internal structures of Kong, and not only the router.
  [#5325](https://github.com/Kong/kong/pull/5325)
- :fireworks: **Read-Only Postgres**: Kong users are now able to configure a read-only Postgres replica. When configured, Kong will attempt to fulfill read operations through the read-only replica instead of the main Postgres connection.
  [#5584](https://github.com/Kong/kong/pull/5584)
- Introducing **dynamic upstream keepalive pools**. This change prevents virtual host confusion when Kong proxies traffic to virtual services (hosted on the same IP/port) over TLS. Keepalive pools are now created by the `upstream IP/upstream port/SNI/client certificate` tuple instead of `IP/port` only.
  Users running Kong in front of virtual services should consider adjusting their keepalive settings appropriately.

  This change required the introduction of new configuration properties and the deprecation of older ones:
  - New properties:
    * `upstream_keepalive_pool_size`
    * `upstream_keepalive_max_requests`
    * `upstream_keepalive_idle_timeout`
  - Deprecated properties:
    * `nginx_upstream_keepalive`
    * `nginx_upstream_keepalive_requests`
    * `nginx_upstream_keepalive_timeout`

  Additionally, this change allows for specifying an indefinite amount of max requests and idle timeout threshold for upstream keepalive connections, a capability that was previously removed by Nginx 1.15.3.
  [#5771](https://github.com/Kong/kong/pull/5771)
- The default certificate for the proxy can now be configured via Admin API using the `/certificates` endpoint. A special `*` SNI has been introduced which stands for the default certificate.
  [#5404](https://github.com/Kong/kong/pull/5404)
- Add support for PKI in Hybrid Mode mTLS.
  [#5396](https://github.com/Kong/kong/pull/5396)
- Add `X-Forwarded-Prefix` to set of headers forwarded to upstream requests.
  [#5620](https://github.com/Kong/kong/pull/5620)
- Introduce a `_transform` option to declarative configuration, which allows importing basicauth credentials with and without hashed passwords. This change is only supported in declarative configuration format version `2.1`.
  [#5835](https://github.com/Kong/kong/pull/5835)
- Add capability to define different consistency levels for read and write operations in Cassandra. New configuration properties `cassandra_write_consistency` and `cassandra_read_consistency` were introduced and the existing `cassandra_consistency` property was deprecated. Thanks [Abhishekvrshny](https://github.com/Abhishekvrshny) for the patch!
  [#5812](https://github.com/Kong/kong/pull/5812)
- Introduce certificate expiry and CA constraint checks to Hybrid Mode certificates (`cluster_cert` and `cluster_ca_cert`).
  [#6000](https://github.com/Kong/kong/pull/6000)
- Introduce new attributes to the Services entity, allowing for customizations in TLS verification parameters:
  [#5976](https://github.com/Kong/kong/pull/5976)
  * `tls_verify`: whether TLS verification is enabled while handshaking with the upstream Service
  * `tls_verify_depth`: the maximum depth of verification when validating upstream Service's TLS certificate
  * `ca_certificates`: the CA trust store to use when validating upstream Service's TLS certificate
- Introduce new attribute `client_certificate` in Upstreams entry, used for supporting mTLS in active health checks.
  [#5838](https://github.com/Kong/kong/pull/5838)

##### CLI

- Migrations: add a new `--force` flag to `kong migrations bootstrap`.
  [#5635](https://github.com/Kong/kong/pull/5635)

##### Configuration

- Introduce configuration property `db_cache_neg_ttl`, allowing the configuration of negative TTL for DB entities. Thanks [ealogar](https://github.com/ealogar) for the patch!
  [#5397](https://github.com/Kong/kong/pull/5397)

##### PDK

- Support `kong.response.exit` in Stream (L4) proxy mode.
  [#5524](https://github.com/Kong/kong/pull/5524)
- Introduce `kong.request.get_forwarded_path` method, which returns the path component of the request's URL, but also considers `X-Forwarded-Prefix` if it comes from a trusted source.
  [#5620](https://github.com/Kong/kong/pull/5620)
- Introduce `kong.response.error` method, that allows PDK users to exit with an error while honoring the Accept header or manually forcing a content-type.
  [#5562](https://github.com/Kong/kong/pull/5562)
- Introduce `kong.client.tls` module, which provides the following methods for interacting with downstream mTLS:
  * `kong.client.tls.request_client_certificate()`: request client to present its client-side certificate to initiate mutual TLS authentication between server and client.
  * `kong.client.tls.disable_session_reuse()`: prevent the TLS session for the current connection from being reused by disabling session ticket and session ID for the current TLS connection.
  * `kong.client.tls.get_full_client_certificate_chain()`: return the PEM encoded downstream client certificate chain with the client certificate at the top and intermediate certificates (if any) at the bottom.
  [#5890](https://github.com/Kong/kong/pull/5890)
- Introduce `kong.log.serialize` method.
  [#5995](https://github.com/Kong/kong/pull/5995)
- Introduce new methods to the `kong.service` PDK module:
  * `kong.service.set_tls_verify()`: set whether TLS verification is enabled while handshaking with the upstream Service
  * `kong.service.set_tls_verify_depth()`: set the maximum depth of verification when validating upstream Service's TLS certificate
  * `kong.service.set_tls_verify_store()`: set the CA trust store to use when validating upstream Service's TLS certificate

##### Plugins

- :fireworks: **New Plugin**: introduce the [grpc-web plugin](https://github.com/Kong/kong-plugin-grpc-web), allowing clients to consume gRPC services via the gRPC-Web protocol.
  [#5607](https://github.com/Kong/kong/pull/5607)
- :fireworks: **New Plugin**: introduce the [grpc-gateway plugin](https://github.com/Kong/kong-plugin-grpc-gateway), allowing access to upstream gRPC services through a plain HTTP request.
  [#5939](https://github.com/Kong/kong/pull/5939)
- Go: add getter and setter methods for `kong.ctx.shared`.
  [#5496](https://github.com/Kong/kong/pull/5496/)
- Add `X-Credential-Identifier` header to the following authentication plugins:
  * basic-auth
  * key-auth
  * ldap-auth
  * oauth2
  [#5516](https://github.com/Kong/kong/pull/5516)
- Rate-Limiting: auto-cleanup expired rate-limiting metrics in Postgres.
  [#5498](https://github.com/Kong/kong/pull/5498)
- OAuth2: add ability to persist refresh tokens throughout their life cycle. Thanks [amberheilman](https://github.com/amberheilman) for the patch!
  [#5264](https://github.com/Kong/kong/pull/5264)
- IP-Restriction: add support for IPv6.
  [#5640](https://github.com/Kong/kong/pull/5640)
- OAuth2: add support for PKCE. Thanks [amberheilman](https://github.com/amberheilman) for the patch!
  [#5268](https://github.com/Kong/kong/pull/5268)
- OAuth2: allow optional hashing of client secrets.
  [#5610](https://github.com/Kong/kong/pull/5610)
- aws-lambda: bump from v3.1.0 to v3.4.0
  * Add `host` configuration to allow for custom Lambda endpoints.
    [#35](https://github.com/Kong/kong-plugin-aws-lambda/pull/35)
- zipkin: bump from 0.2 to 1.1.0
  * Add support for B3 single header
    [#66](https://github.com/Kong/kong-plugin-zipkin/pull/66)
  * Add `traceid_byte_count` config option
    [#74](https://github.com/Kong/kong-plugin-zipkin/pull/74)
  * Add support for W3C header
    [#75](https://github.com/Kong/kong-plugin-zipkin/pull/75)
  * Add new option `header_type`
    [#75](https://github.com/Kong/kong-plugin-zipkin/pull/75)
- serverless-functions: bump from 0.3.1 to 1.0.0
  * Add ability to run functions in each request processing phase.
    [#21](https://github.com/Kong/kong-plugin-serverless-functions/pull/21)
- prometheus: bump from 0.7.1 to 0.9.0
  * Performance: significant improvements in throughput and CPU usage.
    [#79](https://github.com/Kong/kong-plugin-prometheus/pull/79)
  * Expose healthiness of upstreams targets. Thanks [carnei-ro](https://github.com/carnei-ro) for the patch!
    [#88](https://github.com/Kong/kong-plugin-prometheus/pull/88)
- rate-limiting: allow rate-limiting by custom header. Thanks [carnei-ro](https://github.com/carnei-ro) for the patch!
  [#5969](https://github.com/Kong/kong/pull/5969)
- session: bumped from 2.3.0 to 2.4.0.
  [#5868](https://github.com/Kong/kong/pull/5868)

### Fixes

##### Core

- Fix memory leak when loading a declarative configuration that fails schema validation.
  [#5759](https://github.com/Kong/kong/pull/5759)
- Fix migration issue where the index for the `ca_certificates` table would fail to be created.
  [#5764](https://github.com/Kong/kong/pull/5764)
- Fix issue where DNS resolution would fail in DB-less mode.
  [#5831](https://github.com/Kong/kong/pull/5831)

##### Admin API

- Disallow `PATCH` on `/upstreams/:upstreams/targets/:targets`

##### Plugins

- Go: fix issue where instances of the same Go plugin applied to different Routes would get mixed up.
  [#5597](https://github.com/Kong/kong/pull/5597)
- Strip `Authorization` value from logged headers. Values are now shown as `REDACTED`.
  [#5628](https://github.com/Kong/kong/pull/5628).
- ACL: respond with HTTP 401 rather than 403 if credentials are not provided.
  [#5452](https://github.com/Kong/kong/pull/5452)
- ldap-auth: set credential ID upon authentication, allowing subsequent plugins (e.g., rate-limiting) to act on said value.
  [#5497](https://github.com/Kong/kong/pull/5497)
- ldap-auth: hash the cache key generated by the plugin.
  [#5497](https://github.com/Kong/kong/pull/5497)
- zipkin: bump from 0.2 to 1.1.0
  * Stopped tagging non-erroneous spans with `error=false`.
    [#63](https://github.com/Kong/kong-plugin-zipkin/pull/63)
  * Changed the structure of `localEndpoint` and `remoteEndpoint`.
    [#63](https://github.com/Kong/kong-plugin-zipkin/pull/63)
  * Store annotation times in microseconds.
    [#71](https://github.com/Kong/kong-plugin-zipkin/pull/71)
  * Prevent an error triggered when timing-related kong variables were not present.
    [#71](https://github.com/Kong/kong-plugin-zipkin/pull/71)
- aws-lambda: AWS regions are no longer validated against a hardcoded list; if an invalid region name is provided, a proxy Internal Server Error is raised, and a DNS resolution error message is logged.
  [#33](https://github.com/Kong/kong-plugin-aws-lambda/pull/33)

[Back to TOC](#table-of-contents)

## [2.0.5]

> Released 2020/06/30

### Dependencies

- Bump OpenSSL version from `1.1.1f` to `1.1.1g`.
  [#5820](https://github.com/Kong/kong/pull/5810)
- Bump [go-pluginserver](https://github.com/Kong/go-pluginserver) from version `0.2.0` to `0.3.2`, leveraging [go-pdk](https://github.com/Kong/go-pdk) `0.3.1`. See the [go-pdk changelog](https://github.com/Kong/go-pdk/blob/master/CHANGELOG.md#v031).

### Fixes

##### Core

- Fix a race condition leading to random config fetching failure in DB-less mode.
  [#5833](https://github.com/Kong/kong/pull/5833)
- Fix issue where a respawned worker would not use the existing configuration in DB-less mode.
  [#5850](https://github.com/Kong/kong/pull/5850)
- Fix issue where declarative configuration would fail with the error: `Cannot serialise table: excessively sparse array`.
  [#5768](https://github.com/Kong/kong/pull/5865)
- Targets now support a weight range of 0-65535.
  [#5871](https://github.com/Kong/kong/pull/5871)
- Make `kong.ctx.plugin` light-thread safe. Thanks [tdelaune](https://github.com/tdelaune) for the assistance!
  [#5873](https://github.com/Kong/kong/pull/5873)
- Go: fix issue with Go plugins where the plugin instance would be intermittently killed. Thanks [primableatom](https://github.com/primableatom) for the patch!
  [#5903](https://github.com/Kong/kong/pull/5903)
- Auto-convert `config.anonymous` from empty string to the `ngx.null` value.
  [#5906](https://github.com/Kong/kong/pull/5906)
- Fix issue where DB-less wouldn't correctly validate input with missing IDs, names, or cache key.
  [#5929](https://github.com/Kong/kong/pull/5929)
- Fix issue where a request to the upstream health endpoint would fail with HTTP 500 Internal Server Error.
  [#5943](https://github.com/Kong/kong/pull/5943)
- Fix issue where providing a declarative configuration file containing fields with explicit null values would result in an error.
  [#5999](https://github.com/Kong/kong/pull/5999)
- Fix issue where the balancer wouldn't be built for all workers.
  [#5931](https://github.com/Kong/kong/pull/5931)
- Fix issue where a declarative configuration file with primary keys specified as numbers would result in an error.
  [#6005](https://github.com/Kong/kong/pull/6005)

##### CLI

##### Configuration

- Fix issue where the Postgres password from the Kong configuration file would be truncated if it contained a `#` character.
  [#5822](https://github.com/Kong/kong/pull/5822)

##### Admin API

- Fix issue where a `PUT` request on `/upstreams/:upstreams/targets/:targets` would result in HTTP 500 Internal Server Error.
  [#6012](https://github.com/Kong/kong/pull/6012)

##### PDK

- Stop request processing flow if body encoding fails.
  [#5829](https://github.com/Kong/kong/pull/5829)
- Ensure `kong.service.set_target()` includes the port number if a non-default port is used.
  [#5996](https://github.com/Kong/kong/pull/5996)

##### Plugins

- Go: fix issue where the go-pluginserver would not reload Go plugins' configurations. Thanks [wopol](https://github.com/wopol) for the patch!
  [#5866](https://github.com/Kong/kong/pull/5866)
- basic-auth: avoid fetching credentials when password is not given. Thanks [Abhishekvrshny](https://github.com/Abhishekvrshny) for the patch!
  [#5880](https://github.com/Kong/kong/pull/5880)
- cors: avoid overwriting upstream response `Vary` header; new values are now added as additional `Vary` headers. Thanks [aldor007](https://github.com/aldor007) for the patch!
  [#5794](https://github.com/Kong/kong/pull/5794)

[Back to TOC](#table-of-contents)

## [2.0.4]

> Released 2020/04/22

### Fixes

##### Core

- Disable JIT mlcache:get_bulk() on ARM64
  [#5797](https://github.com/Kong/kong/pull/5797)
- Don't increment log counters on unexpected errors
  [#5783](https://github.com/Kong/kong/pull/5783)
- Invalidate target history at cleanup so balancers stay synced
  [#5775](https://github.com/Kong/kong/pull/5775)
- Set a log prefix with the upstream name
  [#5773](https://github.com/Kong/kong/pull/5773)
- Fix memory leaks when loading a declarative config that fails schema validation
  [#5766](https://github.com/Kong/kong/pull/5766)
- Fix some balancer and cluster_events issues
  [#5804](https://github.com/Kong/kong/pull/5804)

##### Configuration

- Send declarative config updates to stream subsystem via Unix domain
  [#5786](https://github.com/Kong/kong/pull/5786)
- Now when using declarative configurations the cache is purged on reload, cleaning any references to removed entries
  [#5769](https://github.com/Kong/kong/pull/5769)

[Back to TOC](#table-of-contents)

## [2.0.3]

> Released 2020/04/06

This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- Setting the target weight to 0 does not automatically remove the upstream.
  [#5710](https://github.com/Kong/kong/pull/5710).
- The plugins iterator is now always fully built, even if the initialization of any of them fails.
  [#5692](https://github.com/Kong/kong/pull/5692).
- Fixed the load of `dns_not_found_ttl` and `dns_error_ttl` configuration options.
  [#5684](https://github.com/Kong/kong/pull/5684).
- Consumers and tags are properly warmed-up from the plugins' perspective, i.e. they are loaded to the cache space that plugins access.
  [#5669](https://github.com/Kong/kong/pull/5669).
- Customized error messages don't affect subsequent default error responses now.
  [#5673](https://github.com/Kong/kong/pull/5673).

##### CLI

- Fixed the `lua_package_path` option precedence over `LUA_PATH` environment variable.
  [#5729](https://github.com/Kong/kong/pull/5729).
- Support Nginx binary upgrade by correctly handling the `USR2` signal.
  [#5657](https://github.com/Kong/kong/pull/5657).

##### Configuration

- Fixed the logrotate configuration file with the right line terminators.
  [#243](https://github.com/Kong/kong-build-tools/pull/243). Thanks, [WALL-E](https://github.com/WALL-E)

##### Admin API

- Fixed the `sni is duplicated` error when sending multiple `SNIs` as body arguments and an `SNI` on URL that matched one from the body.
  [#5660](https://github.com/Kong/kong/pull/5660).

[Back to TOC](#table-of-contents)

## [2.0.2]

> Released 2020/02/27

This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- Fix issue related to race condition in Cassandra select each method
  [#5564](https://github.com/Kong/kong/pull/5564). Thanks, [vasuharish](https://github.com/vasuharish)!
- Fix issue related to running control plane under multiple Nginx workers
  [#5612](https://github.com/Kong/kong/pull/5612).
- Don't change route paths when marshaling
  [#5587](https://github.com/Kong/kong/pull/5587).
- Fix propagation of posted health across workers
  [#5539](https://github.com/Kong/kong/pull/5539).
- Use proper units for timeouts with cassandra
  [#5571](https://github.com/Kong/kong/pull/5571).
- Fix broken SNI based routing in L4 proxy mode
  [#5533](https://github.com/Kong/kong/pull/5533).

##### Plugins

- Enable the ACME plugin by default
  [#5555](https://github.com/Kong/kong/pull/5555).
- Accept consumer username in anonymous field
  [#5552](https://github.com/Kong/kong/pull/5552).

[Back to TOC](#table-of-contents)

## [2.0.1]

> Released 2020/02/04

This is a patch release in the 2.0 series.
Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.

### Fixes

##### Core

- Migrations include the configured Lua path now
  [#5509](https://github.com/Kong/kong/pull/5509).
- Clearing of hop-by-hop headers no longer removes the upgrade header on upgrade
  [#5495](https://github.com/Kong/kong/pull/5495).
- Balancers now properly check if a response is produced by an upstream
  [#5493](https://github.com/Kong/kong/pull/5493). Thanks, [onematchfox](https://github.com/onematchfox)!
- Kong correctly logs an error message when the Lua VM cannot allocate memory
  [#5479](https://github.com/Kong/kong/pull/5479) Thanks, [pamiel](https://github.com/pamiel)!
- Schema validations work again in DB-less mode
  [#5464](https://github.com/Kong/kong/pull/5464).

##### Plugins

- oauth2: handle `Authorization` headers with missing `access_token` correctly.
  [#5514](https://github.com/Kong/kong/pull/5514). Thanks, [jeremyjpj0916](https://github.com/jeremyjpj0916)!
- oauth2: hash oauth2_tokens cache key via the DAO
  [#5507](https://github.com/Kong/kong/pull/5507)

[Back to TOC](#table-of-contents)

## [2.0.0]

> Released 2020/01/20

This is a new major release of Kong, including new features such as **Hybrid mode**, **Go language support for plugins** and **buffered proxying**, and much more.

Kong 2.0.0 removes the deprecated service mesh functionality, which has been retired in favor of [Kuma](https://kuma.io), as Kong continues to focus on its core gateway capabilities.

Please note that Kong 2.0.0 also removes support for migrating from versions below 1.0.0. If you are running Kong 0.x versions below 0.14.1, you need to migrate to 0.14.1 first, and once you are running 0.14.1, you can migrate to Kong 1.5.0, which includes special provisions for migrating from Kong 0.x, such as the `kong migrations migrate-apis` command, and then finally to Kong 2.0.0.

### Dependencies

- :warning: The required OpenResty version is [1.15.8.2](http://openresty.org/en/changelog-1015008.html), and the set of patches included has changed, including the latest release of [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module). If you are installing Kong from one of our distribution packages, you are not affected by this change.

**Note:** if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's [OpenResty patches](https://github.com/Kong/kong-build-tools/tree/master/openresty-build-tools/openresty-patches) (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our [kong-build-tools](https://github.com/Kong/kong-build-tools) repository will allow you to do both easily.

### Packaging

- RPM packages are now signed with our own GPG keys. You can download our public key at https://bintray.com/user/downloadSubjectPublicKey?username=kong
- Kong now ships with a systemd unit file

### Additions

##### Core

- :fireworks: **Hybrid mode** for management of control-plane and data-plane nodes. This allows running control-plane nodes using a database and have them deliver configuration updates to DB-less data-plane nodes.
  [#5294](https://github.com/Kong/kong/pull/5294)
- :fireworks: **Buffered proxying** - plugins can now request buffered reading of the service response (as opposed to the streaming default), allowing them to modify headers based on the contents of the body
  [#5234](https://github.com/Kong/kong/pull/5234)
- The `transformations` in DAO schemas now also support `on_read`, allowing for two-way (read/write) data transformations between Admin API input/output and database storage.
  [#5100](https://github.com/Kong/kong/pull/5100)
- Added `threshold` attribute for health checks
  [#5206](https://github.com/Kong/kong/pull/5206)
- Caches for core entities and plugin-controlled entities (such as credentials, etc.)
  are now separated, protecting the core entities from cache eviction caused by plugin behavior. [#5114](https://github.com/Kong/kong/pull/5114)
- Cipher suite was updated to the Mozilla v5 release. [#5342](https://github.com/Kong/kong/pull/5342)
- Better support for using already existing Cassandra keyspaces when migrating [#5361](https://github.com/Kong/kong/pull/5361)
- Better log messages when plugin modules fail to load [#5357](https://github.com/Kong/kong/pull/5357)
- `stream_listen` now supports the `backlog` option. [#5346](https://github.com/Kong/kong/pull/5346)
- The internal cache was split into two independent segments, `kong.core_cache` and `kong.cache`. The `core_cache` region is used by the Kong core to store configuration data that doesn't change often. The other region is used to store plugin runtime data that is dependent on traffic pattern and user behavior. This change should decrease the cache contention between Kong core and plugins and result in better performance overall.
  - :warning: Note that both structures rely on the already existent `mem_cache_size` configuration option to set their size, so when upgrading from a previous Kong version, the cache memory consumption might double if this value is not adjusted [#5114](https://github.com/Kong/kong/pull/5114)

##### CLI

- `kong config init` now accepts a filename argument [#4451](https://github.com/Kong/kong/pull/4451)

##### Configuration

- :fireworks: **Extended support for Nginx directive injections** via Kong configurations, reducing the need for custom Nginx templates. New injection contexts were added: `nginx_main_`, `nginx_events` and `nginx_supstream_` (`upstream` in `stream` mode). [#5390](https://github.com/Kong/kong/pull/5390)
- Enable `reuseport` option in the listen directive by default and allow specifying both `reuseport` and `backlog=N` in the listener flags.
  [#5332](https://github.com/Kong/kong/pull/5332)
- Check existence of `lua_ssl_trusted_certificate` at startup [#5345](https://github.com/Kong/kong/pull/5345)

##### Admin API

- Added `/upstreams//health?balancer_health=1` attribute for detailed information about balancer health based on health threshold configuration [#5206](https://github.com/Kong/kong/pull/5206)

##### PDK

- New functions `kong.service.request.enable_buffering`, `kong.service.response.get_raw_body` and `kong.service.response.get_body` for use with buffered proxying [#5315](https://github.com/Kong/kong/pull/5315)

##### Plugins

- :fireworks: **Go plugin support** - plugins can now be written in Go as well as Lua, through the use of an out-of-process Go plugin server. [#5326](https://github.com/Kong/kong/pull/5326)
- The lifecycle of the Plugin Server daemon for Go language support is managed by Kong itself. [#5366](https://github.com/Kong/kong/pull/5366)
- :fireworks: **New plugin: ACME** - Let's Encrypt and ACMEv2 integration with Kong [#5333](https://github.com/Kong/kong/pull/5333)
- :fireworks: aws-lambda: bumped version to 3.0.1, with a number of new features! [#5083](https://github.com/Kong/kong/pull/5083)
- :fireworks: prometheus: bumped to version 0.7.0 including major performance improvements [#5295](https://github.com/Kong/kong/pull/5295)
- zipkin: bumped to version 0.2.1 [#5239](https://github.com/Kong/kong/pull/5239)
- session: bumped to version 2.2.0, adding `authenticated_groups` support [#5108](https://github.com/Kong/kong/pull/5108)
- rate-limiting: added experimental support for standardized headers based on the ongoing [RFC draft](https://tools.ietf.org/html/draft-polli-ratelimit-headers-01) [#5335](https://github.com/Kong/kong/pull/5335)
- rate-limiting: added Retry-After header on HTTP 429 responses [#5329](https://github.com/Kong/kong/pull/5329)
- datadog: report metrics with tags -- Thanks [mvanholsteijn](https://github.com/mvanholsteijn) for the patch!
  [#5154](https://github.com/Kong/kong/pull/5154)
- request-size-limiting: added `size_unit` configuration option. [#5214](https://github.com/Kong/kong/pull/5214)
- request-termination: add extra check for `conf.message` before sending response back with body object included. [#5202](https://github.com/Kong/kong/pull/5202)
- jwt: add `X-Credential-Identifier` header in response -- Thanks [davinwang](https://github.com/davinwang) for the patch! [#4993](https://github.com/Kong/kong/pull/4993)

### Fixes

##### Core

- Correct detection of update upon deleting Targets -- Thanks [pyrl247](https://github.com/pyrl247) for the patch!
- Fix declarative config loading of entities with abstract records [#5343](https://github.com/Kong/kong/pull/5343)
- Fix sort priority when matching routes by longest prefix [#5430](https://github.com/Kong/kong/pull/5430)
- Detect changes in Routes that happen halfway through a router update [#5431](https://github.com/Kong/kong/pull/5431)

##### Admin API

- Corrected the behavior when overwriting a Service configuration using the `url` shorthand [#5315](https://github.com/Kong/kong/pull/5315)

##### Core

- :warning: **Removed Service Mesh support** - That has been deprecated in Kong 1.4 and made off-by-default already, and the code is now gone in 2.0. For Service Mesh, we now have [Kuma](https://kuma.io), which is something designed for Mesh patterns from day one, so we feel at peace with removing Kong's native Service Mesh functionality and focus on its core capabilities as a gateway.

##### Configuration

- Routes using `tls` are now supported in stream mode by adding an entry in `stream_listen` with the `ssl` keyword enabled. [#5346](https://github.com/Kong/kong/pull/5346)
- As part of service mesh removal, serviceless proxying was removed. You can still set `service = null` when creating a route for use with serverless plugins such as `aws-lambda`, or `request-termination`.
  [#5353](https://github.com/Kong/kong/pull/5353)
- Removed the `origins` property which was used for service mesh. [#5351](https://github.com/Kong/kong/pull/5351)
- Removed the `transparent` property which was used for service mesh. [#5350](https://github.com/Kong/kong/pull/5350)
- Removed the `nginx_optimizations` property; the equivalent settings can be performed via Nginx directive injections. [#5390](https://github.com/Kong/kong/pull/5390)
- The Nginx directive injection prefixes `nginx_http_upstream_` and `nginx_http_status_` were renamed to `nginx_upstream_` and `nginx_status_` respectively. [#5390](https://github.com/Kong/kong/pull/5390)

##### Plugins

- Removed the Sidecar Injector plugin which was used for service mesh. [#5199](https://github.com/Kong/kong/pull/5199)

[Back to TOC](#table-of-contents)

## [1.5.1]

> Released 2020/02/19

This is a patch release over 1.5.0, fixing a minor issue in the `kong migrations migrate-apis` command, which assumed execution in a certain order in the migration process. This now allows the command to be executed prior to running the migrations from 0.x to 1.5.1.

### Fixes

##### CLI

- Do not assume new fields are already available when running `kong migrations migrate-apis` [#5572](https://github.com/Kong/kong/pull/5572)

[Back to TOC](#table-of-contents)

## [1.5.0]

> Released 2020/01/20

Kong 1.5.0 is the last release in the Kong 1.x series, and it was designed to help Kong 0.x users upgrade out of that series and into more current releases. Kong 1.5.0 includes two features designed to ease the transition process: the new `kong migrations migrate-apis` commands, to help users migrate away from old `apis` entities which were deprecated in Kong 0.13.0 and removed in Kong 1.0.0, and a compatibility flag to provide better router compatibility across Kong versions.

### Additions

##### Core

- New `path_handling` attribute in Routes entities, which selects the behavior the router will have when combining the Service Path, the Route Path, and the Request path into a single path sent to the upstream. This attribute accepts two values, `v0` or `v1`, making the router behave as in Kong 0.x or Kong 1.x, respectively. [#5360](https://github.com/Kong/kong/pull/5360)

##### CLI

- New command `kong migrations migrate-apis`, which converts any existing `apis` from an old Kong 0.x installation and generates Route, Service and Plugin entities with equivalent configurations. The converted routes are set to use `path_handling = v0`, to ensure compatibility. [#5176](https://github.com/Kong/kong/pull/5176)

### Fixes

##### Core

- Fixed the routing prioritization that could lead to a match in a lower priority path. [#5443](https://github.com/Kong/kong/pull/5443)
- Changes in router or plugins entities while the rebuild is in progress are now handled in the next rebuild, which avoids building invalid iterators. [#5431](https://github.com/Kong/kong/pull/5431)
- Fixed incorrect calculation of certificate validity period. [#5449](https://github.com/Kong/kong/pull/5449) -- Thanks [Bevisy](https://github.com/Bevisy) for the patch!

[Back to TOC](#table-of-contents)

## [1.4.3]

> Released 2020/01/09

:warning: This release includes a security fix to address potentially sensitive information being written to the error log file. This affects certain uses of the Admin API for DB-less mode, described below.

This is a patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.

### Fixes

##### Core

- Fix the detection of the need for balancer updates when deleting targets [#5352](https://github.com/kong/kong/issues/5352) -- Thanks [zeeshen](https://github.com/zeeshen) for the patch!
- Fix behavior of longest-path criteria when matching routes [#5383](https://github.com/kong/kong/issues/5383)
- Fix incorrect use of cache when using header-based routing [#5267](https://github.com/kong/kong/issues/5267) -- Thanks [marlonfan](https://github.com/marlonfan) for the patch!

##### Admin API

- Do not make a debugging dump of the declarative config input into `error.log` when posting it with `/config` and using `_format_version` as a top-level parameter (instead of embedded in the `config` parameter). [#5411](https://github.com/kong/kong/issues/5411)
- Fix incorrect behavior of PUT for /certificates [#5321](https://github.com/kong/kong/issues/5321)

##### Plugins

- acl: fixed an issue where getting ACLs by group failed when multiple consumers share the same group [#5322](https://github.com/kong/kong/issues/5322)

[Back to TOC](#table-of-contents)

## [1.4.2]

> Released 2019/12/10

This is another patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.

### Fixes

##### Core

- Fixes some corner cases in the balancer behavior [#5318](https://github.com/Kong/kong/pull/5318)

##### Plugins

- http-log: disable queueing when using the default settings, to avoid memory consumption issues [#5323](https://github.com/Kong/kong/pull/5323)
- prometheus: restore compatibility with version 0.6.0 [#5303](https://github.com/Kong/kong/pull/5303)

[Back to TOC](#table-of-contents)

## [1.4.1]

> Released 2019/12/03

This is a patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.

### Fixes

##### Core

- Fixed a memory leak in the balancer [#5229](https://github.com/Kong/kong/pull/5229) -- Thanks [zeeshen](https://github.com/zeeshen) for the patch!
- Removed arbitrary limit on worker connections.
  [#5148](https://github.com/Kong/kong/pull/5148)
- Fixed `preserve_host` behavior for gRPC routes [#5225](https://github.com/Kong/kong/pull/5225)
- Fix migrations for ttl for OAuth2 tokens [#5253](https://github.com/Kong/kong/pull/5253)
- Improve handling of errors when creating balancers [#5284](https://github.com/Kong/kong/pull/5284)

##### CLI

- Fixed an issue with `kong config db_export` when reading entities that are ttl-enabled and whose ttl value is `null`. [#5185](https://github.com/Kong/kong/pull/5185)

##### Admin API

- Various fixes for Admin API behavior [#5174](https://github.com/Kong/kong/pull/5174), [#5178](https://github.com/Kong/kong/pull/5178), [#5191](https://github.com/Kong/kong/pull/5191), [#5186](https://github.com/Kong/kong/pull/5186)

##### Plugins

- http-log: do not impose a retry delay on successful sends [#5282](https://github.com/Kong/kong/pull/5282)

[Back to TOC](#table-of-contents)

## [1.4.0]

> Released on 2019/10/22

### Installation

- :warning: All Bintray assets have been renamed from `.all.` / `.noarch.` to be architecture specific namely `.arm64.` and `.amd64.`

### Additions

##### Core

- :fireworks: New configuration option `cassandra_refresh_frequency` to set the frequency that Kong will check for Cassandra cluster topology changes, avoiding restarts when Cassandra nodes are added or removed. [#5071](https://github.com/Kong/kong/pull/5071)
- New `transformations` property in DAO schemas, which allows adding functions that run when database rows are inserted or updated. [#5047](https://github.com/Kong/kong/pull/5047)
- The new attribute `hostname` has been added to `upstreams` entities. This attribute is used as the `Host` header when proxying requests through Kong to servers that are listening on server names that are different from the names to which they resolve. [#4959](https://github.com/Kong/kong/pull/4959)
- New status interface has been introduced.
  It exposes non-sensitive, read-only health, metrics and error information from Kong, which can be consumed by other services in the infrastructure to monitor Kong's health. This removes the requirement of the long-used workaround to monitor Kong's health by injecting a custom server block. [#4977](https://github.com/Kong/kong/pull/4977)
- New Admin API response header `X-Kong-Admin-Latency`, reporting the time taken by Kong to process an Admin API request. [#4966](https://github.com/Kong/kong/pull/4996/files)

##### Configuration

- :warning: New configuration option `service_mesh` which enables or disables the Service Mesh functionality. The Service Mesh is being deprecated and will not be available in the next releases of Kong. [#5124](https://github.com/Kong/kong/pull/5124)
- New configuration option `router_update_frequency` that allows setting the frequency that router and plugins will be checked for changes. This new option avoids performance degradation when Kong routes or plugins are frequently changed. [#4897](https://github.com/Kong/kong/pull/4897)

##### Plugins

- rate-limiting: in addition to consumer, credential, and IP levels, now rate-limiting plugin has service-level support. Thanks [wuguangkuo](https://github.com/wuguangkuo) for the patch! [#5031](https://github.com/Kong/kong/pull/5031)
- Now rate-limiting `local` policy counters expire using the shared dictionary's TTL, which avoids keeping unnecessary counters in memory. Thanks [cb372](https://github.com/cb372) for the patch! [#5029](https://github.com/Kong/kong/pull/5029)
- Authentication plugins have support for tags now. [#4945](https://github.com/Kong/kong/pull/4945)
- response-transformer plugin now supports renaming response headers. Thanks [aalmazanarbs](https://github.com/aalmazanarbs) for the patch!
  [#5040](https://github.com/Kong/kong/pull/5040)

### Fixes

##### Core

- :warning: Service Mesh is known to cause HTTPS requests to upstream to ignore `proxy_ssl*` directives, so it is being discontinued in the next major release of Kong. In this release it is disabled by default, avoiding this issue, and it can be enabled as aforementioned in the configuration section. [#5124](https://github.com/Kong/kong/pull/5124)
- Fixed an issue on reporting the proper request method and URL arguments on NGINX-produced errors in logging plugins. [#5073](https://github.com/Kong/kong/pull/5073)
- Fixed an issue where targets were not properly updated in all Kong workers when they were removed. [#5041](https://github.com/Kong/kong/pull/5041)
- Deadlock cases in database access functions when using Postgres and cleaning up `cluster_events` in high-changing scenarios were fixed. [#5118](https://github.com/Kong/kong/pull/5118)
- Fixed issues with tag-filtered GETs on Cassandra-backed nodes. [#5105](https://github.com/Kong/kong/pull/5105)

##### Configuration

- Fixed Lua parsing and error handling in declarative configurations. [#5019](https://github.com/Kong/kong/pull/5019)
- Automatically escape any unescaped `#` characters in parsed `KONG_*` environment variables. [#5062](https://github.com/Kong/kong/pull/5062)

##### Plugins

- file-log: creates log file with proper permissions when Kong uses declarative config. [#5028](https://github.com/Kong/kong/pull/5028)
- basic-auth: fixed credentials parsing when using DB-less configurations. [#5080](https://github.com/Kong/kong/pull/5080)
- jwt: plugin handles empty claims and returns the correct error message. [#5123](https://github.com/Kong/kong/pull/5123) Thanks to [@jeremyjpj0916](https://github.com/jeremyjpj0916) for the patch!
- serverless-functions: Lua code in declarative configurations is validated and loaded correctly.
  [#24](https://github.com/Kong/kong-plugin-serverless-functions/pull/24)
- request-transformer: fixed bug on removing and then adding request headers with the same name. [#9](https://github.com/Kong/kong-plugin-request-transformer/pull/9)

[Back to TOC](#table-of-contents)

## [1.3.0]

> Released on 2019/08/21

Kong 1.3 is the first version to officially support **gRPC proxying**!

Following our vision for Kong to proxy modern Web services protocols, we are excited for this newest addition to the family of protocols already supported by Kong (HTTP(s), WebSockets, and TCP). As we have recently stated in our latest [Community Call](https://konghq.com/community-call/), more protocols are to be expected in the future.

Additionally, this release includes several highly-requested features such as support for upstream **mutual TLS**, **header-based routing** (not only `Host`), **database export**, and **configurable upstream keepalive timeouts**.

### Changes

##### Dependencies

- :warning: The required OpenResty version has been bumped to [1.15.8.1](http://openresty.org/en/changelog-1015008.html). If you are installing Kong from one of our distribution packages, you are not affected by this change. See [#4382](https://github.com/Kong/kong/pull/4382). With this new version comes a number of improvements:
  1. The new [ngx\_http\_grpc\_module](https://nginx.org/en/docs/http/ngx_http_grpc_module.html).
  2. Configurable upstream keepalive connections, by timeout or number of requests.
  3. Support for ARM64 architectures.
  4. LuaJIT GC64 mode for x86_64 architectures, raising the LuaJIT GC-managed memory limit from 2GB to 128TB and producing more predictable GC performance.
- :warning: From this version on, the new [lua-kong-nginx-module](https://github.com/Kong/lua-kong-nginx-module) Nginx module is **required** to be built into OpenResty for Kong to function properly. This new module allows Kong to support new features such as mutual TLS authentication.
  If you are installing Kong from one of our distribution packages, you are not affected by this change. [openresty-build-tools#26](https://github.com/Kong/openresty-build-tools/pull/26)

**Note:** if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's [OpenResty patches](https://github.com/kong/openresty-patches) (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our new [openresty-build-tools](https://github.com/Kong/openresty-build-tools) repository will allow you to do both easily.

##### Core

- :warning: Bugfixes in the router *may, in some edge-cases*, result in different Routes being matched. It was reported to us that the router behaved incorrectly in some cases when configuring wildcard Hosts and regex paths (e.g. [#3094](https://github.com/Kong/kong/issues/3094)). It may be so that you are subject to these bugs without realizing it. Please ensure that wildcard Hosts and regex paths Routes you have configured are matching as expected before upgrading. See [9ca4dc0](https://github.com/Kong/kong/commit/9ca4dc09fdb12b340531be8e0f9d1560c48664d5), [2683b86](https://github.com/Kong/kong/commit/2683b86c2f7680238e3fe85da224d6f077e3425d), and [6a03e1b](https://github.com/Kong/kong/commit/6a03e1bd95594716167ccac840ff3e892ed66215) for details.
- Upstream connections are now only kept-alive for 100 requests or 60 seconds (idle) by default. Previously, upstream connections were not actively closed by Kong. This is a (non-breaking) change in behavior, inherited from Nginx 1.15, and configurable via new configuration properties (see below).

##### Configuration

- :warning: The `upstream_keepalive` configuration property is deprecated, and replaced by the new `nginx_http_upstream_keepalive` property.
  Its behavior is almost identical, but the notable difference is that the latter leverages the [injected Nginx directives](https://konghq.com/blog/kong-ce-nginx-injected-directives/) feature added in Kong 0.14.0. In future releases, we will gradually increase support for injected Nginx directives. We have high hopes that this will remove the occasional need for custom Nginx configuration templates. [#4382](https://github.com/Kong/kong/pull/4382)

### Additions

##### Core

- :fireworks: **Native gRPC proxying.** Two new protocol types; `grpc` and `grpcs` correspond to gRPC over h2c and gRPC over h2. They can be specified on a Route or a Service's `protocol` attribute (e.g. `protocol = grpcs`). When an incoming HTTP/2 request matches a Route with a `grpc(s)` protocol, the request will be handled by the [ngx\_http\_grpc\_module](https://nginx.org/en/docs/http/ngx_http_grpc_module.html), and proxied to the upstream Service according to the gRPC protocol specifications. :warning: Note that not all Kong plugins are compatible with gRPC requests yet. [#4801](https://github.com/Kong/kong/pull/4801)
- :fireworks: **Mutual TLS** handshake with upstream services. The Service entity now has a new `client_certificate` attribute, which is a foreign key to a Certificate entity. If specified, Kong will use the Certificate as a client TLS cert during the upstream TLS handshake. [#4800](https://github.com/Kong/kong/pull/4800)
- :fireworks: **Route by any request header**. The router now has the ability to match Routes by any request header (not only `Host`). The Route entity now has a new `headers` attribute, which is a map of headers names and values. E.g. `{ "X-Forwarded-Host": ["example.org"], "Version": ["2", "3"] }`. [#4758](https://github.com/Kong/kong/pull/4758)
- :fireworks: **Least-connection load-balancing**. A new `algorithm` attribute has been added to the Upstream entity. It can be set to `"round-robin"` (default), `"consistent-hashing"`, or `"least-connections"`.
  [#4528](https://github.com/Kong/kong/pull/4528)
- A new core entity, "CA Certificates" has been introduced and can be accessed via the new `/ca_certificates` Admin API endpoint. CA Certificates entities will be used as CA trust store by Kong. Certificates stored by this entity need not include their private key. [#4798](https://github.com/Kong/kong/pull/4798)
- Healthchecks now use the combination of IP + Port + Hostname when storing upstream health information. Previously, only IP + Port were used. This means that different virtual hosts served behind the same IP/port will be treated differently with regards to their health status. New endpoints were added to the Admin API to manually set a Target's health status. [#4792](https://github.com/Kong/kong/pull/4792)

##### Configuration

- :fireworks: A new section in the `kong.conf` file describes [injected Nginx directives](https://konghq.com/blog/kong-ce-nginx-injected-directives/) (added to Kong 0.14.0) and specifies a few default ones. In future releases, we will gradually increase support for injected Nginx directives. We have high hopes that this will remove the occasional need for custom Nginx configuration templates. [#4382](https://github.com/Kong/kong/pull/4382)
- :fireworks: New configuration properties allow for controlling the behavior of upstream keepalive connections. `nginx_http_upstream_keepalive_requests` and `nginx_http_upstream_keepalive_timeout` respectively control the maximum number of proxied requests and idle timeout of an upstream connection. [#4382](https://github.com/Kong/kong/pull/4382)
- New flags have been added to the `*_listen` properties: `deferred`, `bind`, and `reuseport`. [#4692](https://github.com/Kong/kong/pull/4692)

##### CLI

- :fireworks: **Database export** via the new `kong config db_export` CLI command.
  This command will export the configuration present in the database Kong is connected to (Postgres or Cassandra) as a YAML file following Kong's declarative configuration syntax. This file can thus be imported later on in a DB-less Kong node or in another database via `kong config db_import`. [#4809](https://github.com/Kong/kong/pull/4809)

##### Admin API

- Many endpoints now support more levels of nesting for ease of access. For example: `/services/:services/routes/:routes` is now a valid API endpoint. [#4713](https://github.com/Kong/kong/pull/4713)
- The API now accepts `form-urlencoded` payloads with deeply nested data structures. Previously, it was only possible to send such data structures via JSON payloads. [#4768](https://github.com/Kong/kong/pull/4768)

##### Plugins

- :fireworks: **New bundled plugin**: the [session plugin](https://github.com/Kong/kong-plugin-session) is now bundled in Kong. It can be used to manage browser sessions for APIs proxied and authenticated by Kong. [#4685](https://github.com/Kong/kong/pull/4685)
- ldap-auth: A new `config.ldaps` property allows configuring the plugin to connect to the LDAP server via TLS. It provides LDAPS support instead of only relying on STARTTLS. [#4743](https://github.com/Kong/kong/pull/4743)
- jwt-auth: The new `header_names` property accepts an array of header names the JWT plugin should inspect when authenticating a request. It defaults to `["Authorization"]`. [#4757](https://github.com/Kong/kong/pull/4757)
- [azure-functions](https://github.com/Kong/kong-plugin-azure-functions): Bumped to 0.4 for minor fixes and performance improvements.
- [kubernetes-sidecar-injector](https://github.com/Kong/kubernetes-sidecar-injector): The plugin is now more resilient to Kubernetes schema changes.
- [serverless-functions](https://github.com/Kong/kong-plugin-serverless-functions):
  - Bumped to 0.3 for minor performance improvements.
  - Functions can now have upvalues.
- [prometheus](https://github.com/Kong/kong-plugin-prometheus): Bumped to 0.4.1 for minor performance improvements.
- cors: add OPTIONS, TRACE and CONNECT to default allowed methods [#4899](https://github.com/Kong/kong/pull/4899) Thanks to [@eshepelyuk](https://github.com/eshepelyuk) for the patch!

##### PDK

- New function `kong.service.set_tls_cert_key()`. This function sets the client TLS certificate used while handshaking with the upstream service. [#4797](https://github.com/Kong/kong/pull/4797)

### Fixes

##### Core

- Fix WebSocket protocol upgrades in some cases due to case-sensitive comparisons of the `Upgrade` header. [#4780](https://github.com/Kong/kong/pull/4780)
- Router: Fixed a bug causing invalid matches when configuring two or more Routes with a plain `hosts` attribute shadowing another Route's wildcard `hosts` attribute. Details of the issue can be seen in [01b1cb8](https://github.com/Kong/kong/pull/4775/commits/01b1cb871b1d84e5e93c5605665b68c2f38f5a31). [#4775](https://github.com/Kong/kong/pull/4775)
- Router: Ensure regex paths always have priority over plain paths. Details of the issue can be seen in [2683b86](https://github.com/Kong/kong/commit/2683b86c2f7680238e3fe85da224d6f077e3425d). [#4775](https://github.com/Kong/kong/pull/4775)
- Cleanup of expired rows in PostgreSQL is now much more efficient thanks to a new query plan. [#4716](https://github.com/Kong/kong/pull/4716)
- Improved various query plans against Cassandra instances by increasing the default page size. [#4770](https://github.com/Kong/kong/pull/4770)

##### Plugins

- cors: ensure non-preflight OPTIONS requests can be proxied. [#4899](https://github.com/Kong/kong/pull/4899) Thanks to [@eshepelyuk](https://github.com/eshepelyuk) for the patch!
- Consumer references in various plugin entities are now properly marked as required, avoiding credentials that map to no Consumer. [#4879](https://github.com/Kong/kong/pull/4879)
- hmac-auth: Correct the encoding of HTTP/1.0 requests.
  [#4839](https://github.com/Kong/kong/pull/4839)
- oauth2: empty client_id wasn't checked, causing a server error. [#4884](https://github.com/Kong/kong/pull/4884)
- response-transformer: preserve empty arrays correctly. [#4901](https://github.com/Kong/kong/pull/4901)

##### CLI

- Fixed an issue when running `kong restart` and Kong was not running, causing stdout/stderr logging to turn off. [#4772](https://github.com/Kong/kong/pull/4772)

##### Admin API

- Ensure PUT works correctly when applied to plugin configurations. [#4882](https://github.com/Kong/kong/pull/4882)

##### PDK

- Prevent PDK calls from failing in custom content blocks. This fixes a misbehavior affecting the Prometheus plugin. [#4904](https://github.com/Kong/kong/pull/4904)
- Ensure `kong.response.add_header` works in the `rewrite` phase. [#4888](https://github.com/Kong/kong/pull/4888)

[Back to TOC](#table-of-contents)

## [1.2.2]

> Released on 2019/08/14

:warning: This release includes patches to the NGINX core (1.13.6) fixing vulnerabilities in the HTTP/2 module (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).

This is a patch release in the 1.2 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.

### Fixes

##### Core

- Case sensitivity fix when clearing the Upgrade header. [#4779](https://github.com/kong/kong/issues/4779)

### Performance

##### Core

- Speed up cascade deletes in Cassandra. [#4770](https://github.com/kong/kong/pull/4770)

## [1.2.1]

> Released on 2019/06/26

This is a patch release in the 1.2 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.

### Fixes

##### Core

- Fix an issue preventing WebSocket connections from being established by clients. This issue was introduced in Kong 1.1.2, and would incorrectly clear the `Upgrade` response header. [#4719](https://github.com/Kong/kong/pull/4719)
- Fix a memory usage growth issue in the `/config` endpoint when configuring Upstream entities.
  This issue was mostly observed by users of the [Kong Ingress Controller](https://github.com/Kong/kubernetes-ingress-controller). [#4733](https://github.com/Kong/kong/pull/4733)
- Cassandra: ensure serial consistency is `LOCAL_SERIAL` when a datacenter-aware load balancing policy is in use. This fixes unavailability exceptions sometimes experienced when connecting to a multi-datacenter cluster with cross-datacenter connectivity issues. [#4734](https://github.com/Kong/kong/pull/4734)
- Schemas: fix an issue in the schema validator that would not allow specifying `false` in some schema rules, such as `{ type = "boolean", eq = false }`. [#4708](https://github.com/Kong/kong/pull/4708) [#4727](https://github.com/Kong/kong/pull/4727)
- Fix an underlying issue with regards to database entities cache keys generation. [#4717](https://github.com/Kong/kong/pull/4717)

##### Configuration

- Ensure the `cassandra_local_datacenter` configuration property is specified when a datacenter-aware Cassandra load balancing policy is in use. [#4734](https://github.com/Kong/kong/pull/4734)

##### Plugins

- request-transformer: fix an issue that would prevent adding a body to requests without one. [Kong/kong-plugin-request-transformer#4](https://github.com/Kong/kong-plugin-request-transformer/pull/4)
- kubernetes-sidecar-injector: fix an issue causing mutating webhook calls to fail. [Kong/kubernetes-sidecar-injector#9](https://github.com/Kong/kubernetes-sidecar-injector/pull/9)

[Back to TOC](#table-of-contents)

## [1.2.0]

> Released on: 2019/06/07

This release brings **improvements to reduce long latency tails**, **consolidates declarative configuration support**, and comes with **newly open sourced plugins** previously only available to Enterprise customers. It also ships with new features improving observability and usability.

This release includes database migrations.
Please take a few minutes to read the [1.2 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md) for more details regarding changes and migrations before planning to upgrade your Kong cluster.

### Installation

- :warning: All Bintray repositories have been renamed from `kong-community-edition-*` to `kong-*`.
- :warning: All Kong packages have been renamed from `kong-community-edition` to `kong`.

For more details about the updated installation, please visit the official docs: [https://konghq.com/install](https://konghq.com/install/).

### Additions

##### Core

- :fireworks: Support for **wildcard SNI matching**: the `ssl_certificate_by_lua` phase and the stream `preread` phase are now able to match a client hello SNI against any registered wildcard SNI. This is particularly helpful for deployments serving a certificate for multiple subdomains. [#4457](https://github.com/Kong/kong/pull/4457)
- :fireworks: **HTTPS Routes can now be matched by SNI**: the `snis` Route attribute (previously only available for `tls` Routes) can now be set for `https` Routes and is evaluated by the HTTP router. [#4633](https://github.com/Kong/kong/pull/4633)
- :fireworks: **Native support for HTTPS redirects**: Routes have a new `https_redirect_status_code` attribute specifying the status code to send back to the client if a plain text request was sent to an `https` Route. [#4424](https://github.com/Kong/kong/pull/4424)
- The loading of declarative configuration is now done atomically, and with a safety check to verify that the new configuration fits in memory. [#4579](https://github.com/Kong/kong/pull/4579)
- Schema fields can now be marked as immutable. [#4381](https://github.com/Kong/kong/pull/4381)
- Support for loading custom DAO strategies from plugins. [#4518](https://github.com/Kong/kong/pull/4518)
- Support for IPv6 to `tcp` and `tls` Routes.
[#4333](https://github.com/Kong/kong/pull/4333)

##### Configuration

- :fireworks: **Asynchronous router updates**: a new configuration property `router_consistency` accepts two possible values: `strict` and `eventual`. The former is the default setting and makes router rebuilds highly consistent between Nginx workers. It can result in long tail latency if frequent Routes and Services updates are expected. The latter helps prevent long tail latency issues by instructing Kong to rebuild the router asynchronously (with eventual consistency between Nginx workers). [#4639](https://github.com/Kong/kong/pull/4639)
- :fireworks: **Database cache warmup**: Kong can now preload entities during its initialization. A new configuration property (`db_cache_warmup_entities`) was introduced, allowing users to specify which entities should be preloaded. DB cache warmup allows for ahead-of-time DNS resolution for Services with a hostname. This feature reduces the latency of first requests, improving the overall P99 latency tail. [#4565](https://github.com/Kong/kong/pull/4565)
- Improved PostgreSQL connection management: two new configuration properties have been added: `pg_max_concurrent_queries` sets the maximum number of concurrent queries to the database, and `pg_semaphore_timeout` allows for tuning the timeout when acquiring access to a database connection. The default behavior remains the same, with no concurrency limitation. [#4551](https://github.com/Kong/kong/pull/4551)

##### Admin API

- :fireworks: Add declarative configuration **hash checking** avoiding reloading if the configuration has not changed. The `/config` endpoint now accepts a `check_hash` query argument. Hash checking only happens if this argument's value is set to `1`.
[#4609](https://github.com/Kong/kong/pull/4609)
- :fireworks: Add a **schema validation endpoint for entities**: a new endpoint `/schemas/:entity_name/validate` can be used to validate an instance of any entity type in Kong without creating the entity itself. [#4413](https://github.com/Kong/kong/pull/4413)
- :fireworks: Add **memory statistics** to the `/status` endpoint. The response now includes a `memory` field, which contains the `lua_shared_dicts` and `workers_lua_vms` fields with statistics on shared dictionaries and workers Lua VM memory usage. [#4592](https://github.com/Kong/kong/pull/4592)

##### PDK

- New function `kong.node.get_memory_stats()`. This function returns statistics on shared dictionaries and workers Lua VM memory usage, and powers the memory statistics newly exposed by the `/status` endpoint. [#4632](https://github.com/Kong/kong/pull/4632)

##### Plugins

- :fireworks: **Newly open-sourced plugin**: the HTTP [proxy-cache plugin](https://github.com/kong/kong-plugin-proxy-cache) (previously only available in Enterprise) is now bundled in Kong. [#4650](https://github.com/Kong/kong/pull/4650)
- :fireworks: **Newly open-sourced plugin capabilities**: The [request-transformer plugin](https://github.com/Kong/kong-plugin-request-transformer) now includes capabilities previously only available in Enterprise, among which templating and variables interpolation. [#4658](https://github.com/Kong/kong/pull/4658)
- Logging plugins: log request TLS version, cipher, and verification status. [#4581](https://github.com/Kong/kong/pull/4581) [#4626](https://github.com/Kong/kong/pull/4626)
- Plugin development: inheriting from `BasePlugin` is now optional. Avoiding the inheritance paradigm improves plugins' performance. [#4590](https://github.com/Kong/kong/pull/4590)

### Fixes

##### Core

- Active healthchecks: `http` checks are not performed for `tcp` and `tls` Services anymore; only `tcp` healthchecks are performed against such Services.
[#4616](https://github.com/Kong/kong/pull/4616)
- Fix an issue where updates in migrations would not correctly populate default values. [#4635](https://github.com/Kong/kong/pull/4635)
- Improvements in the reentrancy of Cassandra migrations. [#4611](https://github.com/Kong/kong/pull/4611)
- Fix an issue causing the PostgreSQL strategy to not bootstrap the schema when using a PostgreSQL account with limited permissions. [#4506](https://github.com/Kong/kong/pull/4506)

##### CLI

- Fix `kong db_import` to support inserting entities without specifying a UUID for their primary key. Entities with a unique identifier (e.g. `name` for Services) can have their primary key omitted. [#4657](https://github.com/Kong/kong/pull/4657)
- The `kong migrations [up|finish] -f` commands do not run anymore if there are no previously executed migrations. [#4617](https://github.com/Kong/kong/pull/4617)

##### Plugins

- ldap-auth: ensure TLS connections are reused. [#4620](https://github.com/Kong/kong/pull/4620)
- oauth2: ensured access tokens preserve their `token_expiration` value when migrating from previous Kong versions. [#4572](https://github.com/Kong/kong/pull/4572)

[Back to TOC](#table-of-contents)

## [1.1.2]

> Released on: 2019/04/24

This is a patch release in the 1.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.

### Fixes

- core: address issue where field type "record" nested values reset on update [#4495](https://github.com/Kong/kong/pull/4495)
- core: correctly manage primary keys of type "foreign" [#4429](https://github.com/Kong/kong/pull/4429)
- core: declarative config is not parsed on db-mode anymore [#4487](https://github.com/Kong/kong/pull/4487) [#4509](https://github.com/Kong/kong/pull/4509)
- db-less: Fixed a problem in Kong balancer timing out. [#4534](https://github.com/Kong/kong/pull/4534)
- db-less: Accept declarative config directly in JSON requests.
[#4527](https://github.com/Kong/kong/pull/4527)
- db-less: do not mis-detect mesh mode [#4498](https://github.com/Kong/kong/pull/4498)
- db-less: fix crash when field has same name as entity [#4478](https://github.com/Kong/kong/pull/4478)
- basic-auth: ignore password if nil on basic auth credential patch [#4470](https://github.com/Kong/kong/pull/4470)
- http-log: Simplify queueing mechanism. Fixed a bug where traces were lost in some cases. [#4510](https://github.com/Kong/kong/pull/4510)
- request-transformer: validate header values in plugin configuration. Thanks, [@rune-chan](https://github.com/rune-chan)! [#4512](https://github.com/Kong/kong/pull/4512).
- rate-limiting: added index on rate-limiting metrics. Thanks, [@mvanholsteijn](https://github.com/mvanholsteijn)! [#4486](https://github.com/Kong/kong/pull/4486)

[Back to TOC](#table-of-contents)

## [1.1.1]

> Released on: 2019/03/28

This release contains a fix for 0.14 Kong clusters using Cassandra to safely migrate to Kong 1.1.

### Fixes

- Ensure the 0.14 -> 1.1 migration path for Cassandra does not corrupt the database schema. [#4450](https://github.com/Kong/kong/pull/4450)
- Allow the `kong config init` command to run without pointing to a prefix directory. [#4451](https://github.com/Kong/kong/pull/4451)

[Back to TOC](#table-of-contents)

## [1.1.0]

> Released on: 2019/03/27

This release introduces new features such as **Declarative Configuration**, **DB-less Mode**, **Bulk Database Import**, **Tags**, as well as **Transparent Proxying**. It contains a large number of other features and fixes, listed below. Also, the Plugin Development Kit saw a minor update, bumped to version 1.1.

This release includes database migrations. Please take a few minutes to read the [1.1 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md) for more details regarding changes and migrations before planning to upgrade your Kong cluster.
:large_orange_diamond: **Post-release note (as of 2019/03/28):** an issue has been found when migrating from a 0.14 Kong cluster to 1.1.0 when running on top of Cassandra. Kong 1.1.1 has been released to address this issue. Kong clusters running on top of PostgreSQL are not affected by this issue, and can migrate to 1.1.0 or 1.1.1 safely.

### Additions

##### Core

- :fireworks: Kong can now run **without a database**, using in-memory storage only. When running Kong in DB-less mode, entities are loaded via a **declarative configuration** file, specified either through Kong's configuration file, or uploaded via the Admin API. [#4315](https://github.com/Kong/kong/pull/4315)
- :fireworks: **Transparent proxying** - the `service` attribute on Routes is now optional; a Route without an assigned Service will proxy transparently [#4286](https://github.com/Kong/kong/pull/4286)
- Support for **tags** in entities [#4275](https://github.com/Kong/kong/pull/4275)
  - Every core entity now adds a `tags` field
- New `protocols` field in the Plugin entity, allowing plugin instances to be set for specific protocols only (`http`, `https`, `tcp` or `tls`). [#4248](https://github.com/Kong/kong/pull/4248)
  - It filters out plugins during execution according to their `protocols` field
  - It throws an error when trying to associate a Plugin to a Route which is not compatible, protocols-wise, or to a Service with no compatible routes.
##### Configuration

- New option in `kong.conf`: `database=off` to start Kong without a database
- New option in `kong.conf`: `declarative_config=kong.yml` to load a YAML file using Kong's new [declarative config format](https://discuss.konghq.com/t/rfc-kong-native-declarative-config-format/2719)
- New option in `kong.conf`: `pg_schema` to specify Postgres schema to be used
- The Stream subsystem now supports Nginx directive injections [#4148](https://github.com/Kong/kong/pull/4148)
  - `nginx_stream_*` (or `KONG_NGINX_STREAM_*` environment variables) for injecting entries to the `stream` block
  - `nginx_sproxy_*` (or `KONG_NGINX_SPROXY_*` environment variables) for injecting entries to the `server` block inside `stream`

##### CLI

- :fireworks: **Bulk database import** using the same declarative configuration format as the in-memory mode, using the new command: `kong config db_import kong.yml`. This command upserts all entities specified in the given `kong.yml` file in bulk [#4284](https://github.com/Kong/kong/pull/4284)
- New command: `kong config init` to generate a template `kong.yml` file to get you started
- New command: `kong config parse kong.yml` to verify the syntax of the `kong.yml` file before using it
- New option `--wait` in `kong quit` to ease graceful termination when using orchestration tools [#4201](https://github.com/Kong/kong/pull/4201)

##### Admin API

- New Admin API endpoint: `/config` to replace the configuration of Kong entities entirely, replacing it with the contents of a new declarative config file
  - When using the new `database=off` configuration option, the Admin API endpoints for entities (such as `/routes` and `/services`) are read-only, since the configuration can only be updated via `/config` [#4308](https://github.com/Kong/kong/pull/4308)
- Admin API endpoints now support searching by tag (for example, `/consumers?tags=example_tag`)
  - You can search by multiple tags:
    - `/services?tags=serv1,mobile` to search for services matching tags
`serv1` and `mobile`
    - `/services?tags=serv1/serv2` to search for services matching tags `serv1` or `serv2`
- New Admin API endpoint `/tags/` for listing entities by tag: `/tags/example_tag`

##### PDK

- New PDK function: `kong.client.get_protocol` for obtaining the protocol in use during the current request [#4307](https://github.com/Kong/kong/pull/4307)
- New PDK function: `kong.nginx.get_subsystem`, so plugins can detect whether they are running on the HTTP or Stream subsystem [#4358](https://github.com/Kong/kong/pull/4358)

##### Plugins

- :fireworks: Support for ACL **authenticated groups**, so that authentication plugins that use a 3rd party (other than Kong) to store credentials can benefit from using a central ACL plugin to do authorization for them [#4013](https://github.com/Kong/kong/pull/4013)
- The Kubernetes Sidecar Injection plugin is now bundled into Kong for a smoother K8s experience [#4304](https://github.com/Kong/kong/pull/4304)
- aws-lambda: includes AWS China region. Thanks [@wubins](https://github.com/wubins) for the patch! [#4176](https://github.com/Kong/kong/pull/4176)

### Changes

##### Dependencies

- The required OpenResty version is still 1.13.6.2, but for a full feature set including stream routing and Service Mesh abilities with mutual TLS, Kong's [openresty-patches](https://github.com/kong/openresty-patches) must be applied (those patches are already bundled with our official distribution packages). The openresty-patches bundle was updated in Kong 1.1.0 to include the `stream_realip_module` as well. Kong in HTTP(S) Gateway scenarios does not require these patches. [#4163](https://github.com/Kong/kong/pull/4163)
- Service Mesh abilities require at least OpenSSL version 1.1.1. In our official distribution packages, OpenSSL has been bumped to 1.1.1b.
[#4345](https://github.com/Kong/kong/pull/4345), [#4440](https://github.com/Kong/kong/pull/4440)

### Fixes

##### Core

- Resolve hostnames properly during initialization of Cassandra contact points [#4296](https://github.com/Kong/kong/pull/4296), [#4378](https://github.com/Kong/kong/pull/4378)
- Fix health checks for Targets that need two-level DNS resolution (e.g. SRV → A → IP) [#4386](https://github.com/Kong/kong/pull/4386)
- Fix serialization of map types in the Cassandra backend [#4383](https://github.com/Kong/kong/pull/4383)
- Fix target cleanup and cascade-delete for Targets [#4319](https://github.com/Kong/kong/pull/4319)
- Avoid crash when failing to obtain list of Upstreams [#4301](https://github.com/Kong/kong/pull/4301)
- Disallow invalid timeout value of 0ms for attributes in Services [#4430](https://github.com/Kong/kong/pull/4430)
- DAO fix for foreign fields used as primary keys [#4387](https://github.com/Kong/kong/pull/4387)

##### Admin API

- Proper support for `PUT /{entities}/{entity}/plugins/{plugin}` [#4288](https://github.com/Kong/kong/pull/4288)
- Fix Admin API inferencing of map types using form-encoded [#4368](https://github.com/Kong/kong/pull/4368)
- Accept UUID-like values in `/consumers?custom_id=` [#4435](https://github.com/Kong/kong/pull/4435)

##### Plugins

- basic-auth, ldap-auth, key-auth, jwt, hmac-auth: fixed status code for unauthorized requests: they now return HTTP 401 instead of 403 [#4238](https://github.com/Kong/kong/pull/4238)
- tcp-log: remove spurious trailing carriage return. Thanks [@cvuillemez](https://github.com/cvuillemez) for the patch! [#4158](https://github.com/Kong/kong/pull/4158)
- jwt: fix `typ` handling for supporting JOSE (JSON Object Signature and Validation). Thanks [@cdimascio](https://github.com/cdimascio) for the patch!
[#4256](https://github.com/Kong/kong/pull/4256)
- Fixes to the best-effort auto-converter for legacy plugin schemas [#4396](https://github.com/Kong/kong/pull/4396)

[Back to TOC](#table-of-contents)

## [1.0.3]

> Released on: 2019/01/31

This is a patch release addressing several regressions introduced in some plugins, and improving the robustness of our migrations and core components.

### Core

- Improve Cassandra schema consensus logic when running migrations. [#4233](https://github.com/Kong/kong/pull/4233)
- Ensure Routes that don't have a `regex_priority` (e.g. if it was removed as part of a `PATCH`) don't prevent the router from being built. [#4255](https://github.com/Kong/kong/pull/4255)
- Reduce rebuild time of the load balancer by retrieving larger sized pages of Target entities. [#4206](https://github.com/Kong/kong/pull/4206)
- Ensure schema definitions of Arrays and Sets with `default = {}` are JSON-encoded as `[]`. [#4257](https://github.com/Kong/kong/pull/4257)

##### Plugins

- request-transformer: fix a regression causing the upstream Host header to be unconditionally set to that of the client request (effectively, as if the Route had `preserve_host` enabled). [#4253](https://github.com/Kong/kong/pull/4253)
- cors: fix a regression that prevented regex origins from being matched. Regexes such as `(.*[.])?example\.org` can now be used to match all sub-domains, while regexes containing `:` will be evaluated against the scheme and port of an origin (i.e. `^https?://(.*[.])?example\.org(:8000)?$`). [#4261](https://github.com/Kong/kong/pull/4261)
- oauth2: fix a runtime error when using a global token against a plugin not configured as global (i.e. with `global_credentials = false`). [#4262](https://github.com/Kong/kong/pull/4262)

##### Admin API

- Improve performance of the `PUT` method in auth plugins endpoints (e.g. `/consumers/:consumers/basic-auth/:basicauth_credentials`) by preventing an unnecessary read-before-write.
[#4206](https://github.com/Kong/kong/pull/4206)

[Back to TOC](#table-of-contents)

## [1.0.2]

> Released on: 2019/01/18

This is a hotfix release mainly addressing an issue when connecting to the datastore over TLS (Cassandra and PostgreSQL).

### Fixes

##### Core

- Fix an issue that would prevent Kong from starting when connecting to its datastore over TLS. [#4214](https://github.com/Kong/kong/pull/4214) [#4218](https://github.com/Kong/kong/pull/4218)
- Ensure plugins added via `PUT` get enabled without requiring a restart. [#4220](https://github.com/Kong/kong/pull/4220)

##### Plugins

- zipkin
  - Fix a logging failure when DNS is not resolved. [kong-plugin-zipkin@a563f51](https://github.com/Kong/kong-plugin-zipkin/commit/a563f513f943ba0a30f3c69373d9092680a8f670)
  - Avoid sending redundant tags. [kong-plugin-zipkin/pull/28](https://github.com/Kong/kong-plugin-zipkin/pull/28)
  - Move `run_on` field to top level plugin schema instead of its config. [kong-plugin-zipkin/pull/38](https://github.com/Kong/kong-plugin-zipkin/pull/38)

[Back to TOC](#table-of-contents)

## [1.0.1]

> Released on: 2019/01/16

This is a patch release in the 1.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.

:red_circle: **Post-release note (as of 2019/01/17)**: A regression has been observed with this version, preventing Kong from starting when connecting to its datastore over TLS. Installing this version is discouraged; consider upgrading to [1.0.2](#102).
### Changes

##### Core

- :rocket: Assorted changes for warmup time improvements over Kong 1.0.0 [#4138](https://github.com/kong/kong/issues/4138), [#4164](https://github.com/kong/kong/issues/4164), [#4178](https://github.com/kong/kong/pull/4178), [#4179](https://github.com/kong/kong/pull/4179), [#4182](https://github.com/kong/kong/pull/4182)

### Fixes

##### Configuration

- Ensure `lua_ssl_verify_depth` works even when `lua_ssl_trusted_certificate` is not set [#4165](https://github.com/kong/kong/pull/4165). Thanks [@rainest](https://github.com/rainest) for the patch.
- Ensure Kong starts when only a `stream` listener is enabled [#4195](https://github.com/kong/kong/pull/4195)
- Ensure Postgres works with non-`public` schemas [#4198](https://github.com/kong/kong/pull/4198)

##### Core

- Fix an artifact in upstream migrations where `created_at` timestamps would occasionally display fractional values [#4183](https://github.com/kong/kong/issues/4183), [#4204](https://github.com/kong/kong/pull/4204)
- Fixed issue with HTTP/2 support advertisement [#4203](https://github.com/kong/kong/pull/4203)

##### Admin API

- Fixed handling of invalid targets in `/upstreams` endpoints for health checks [#4132](https://github.com/kong/kong/issues/4132), [#4205](https://github.com/kong/kong/pull/4205)
- Fixed the `/plugins/schema/:name` endpoint, as it was failing in some cases (e.g. the `datadog` plugin) and producing incorrect results in others (e.g. `request-transformer`).
[#4136](https://github.com/kong/kong/issues/4136), [#4137](https://github.com/kong/kong/issues/4137) [#4151](https://github.com/kong/kong/pull/4151), [#4162](https://github.com/kong/kong/pull/4151)

##### Plugins

- Fix PDK memory leaks in `kong.service.response` and `kong.ctx` [#4143](https://github.com/kong/kong/pull/4143), [#4172](https://github.com/kong/kong/pull/4172)

[Back to TOC](#table-of-contents)

## [1.0.0]

> Released on: 2018/12/18

This is a major release, introducing new features such as **Service Mesh** and **Stream Routing** support, as well as a **New Migrations** framework. It also includes version 1.0.0 of the **Plugin Development Kit**. It contains a large number of other features and fixes, listed below. Also, all plugins included with Kong 1.0 are updated to use version 1.0 of the PDK.

As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the [1.0 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md) for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.

Being a major version, all entities and concepts that were marked as deprecated in Kong 0.x are now removed in Kong 1.0. The deprecated features are retained in [Kong 0.15](#0150), the final entry in the Kong 0.x series, which is being released simultaneously to Kong 1.0.

### Changes

Kong 1.0 includes all breaking changes from 0.15, as well as the removal of deprecated concepts.

##### Dependencies

- The required OpenResty version is still 1.13.6.2, but for a full feature set including stream routing and Service Mesh abilities with mutual TLS, Kong's [openresty-patches](https://github.com/kong/openresty-patches) must be applied (those patches are already bundled with our official distribution packages). Kong in HTTP(S) Gateway scenarios does not require these patches.
- Service Mesh abilities require at least OpenSSL version 1.1.1. In our official distribution packages, OpenSSL has been bumped to 1.1.1. [#4005](https://github.com/Kong/kong/pull/4005)

##### Configuration

- :warning: The `custom_plugins` directive is removed (deprecated since 0.14.0, July 2018). Use `plugins` instead.
- Modifications must be applied to the Nginx configuration. You are not affected by this change if you do not use a custom Nginx template. See the [1.0 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md) for a diff of changes to apply.
- The default value for `cassandra_lb_policy` changed from `RoundRobin` to `RequestRoundRobin`. This helps reduce the number of new connections being opened during a request when using the Cassandra strategy. [#4004](https://github.com/Kong/kong/pull/4004)

##### Core

- :warning: The **API** entity and related concepts such as the `/apis` endpoint, are removed (deprecated since 0.13.0, March 2018). Use **Routes** and **Services** instead.
- :warning: The **old DAO** implementation is removed, along with the **old schema** validation library (`apis` was the last entity using it). Use the new schema format instead in custom plugins. To ease the transition of plugins, the plugin loader in 1.0 includes a _best-effort_ schema auto-translator, which should be sufficient for many plugins.
- Timestamps now bear millisecond precision in their decimal part. [#3660](https://github.com/Kong/kong/pull/3660)
- The PDK function `kong.request.get_body` will now return `nil, err, mime` when the body is valid JSON but neither an object nor an array. [#4063](https://github.com/Kong/kong/pull/4063)

##### CLI

- :warning: The new migrations framework (detailed below) has a different usage (and subcommands) compared to its predecessor. [#3802](https://github.com/Kong/kong/pull/3802)

##### Admin API

- :warning: In the 0.14.x release, Upstreams, Targets, and Plugins were still implemented using the old DAO and Admin API.
In 0.15.0 and 1.0.0, all core entities use the new `kong.db` DAO, and their endpoints have been upgraded to the new Admin API (see below for details). [#3689](https://github.com/Kong/kong/pull/3689) [#3739](https://github.com/Kong/kong/pull/3739) [#3778](https://github.com/Kong/kong/pull/3778)

A summary of the changes introduced in the new Admin API:

- Pagination has been included in all "multi-record" endpoints, and pagination control fields are different than in 0.14.x.
- Filtering now happens via URL path changes (`/consumers/x/plugins`) instead of querystring fields (`/plugins?consumer_id=x`).
- Array values can't be coerced from comma-separated strings anymore. They must now be "proper" JSON values on JSON requests, or use a new syntax on form-url-encoded or multipart requests.
- Error messages have been reworked from the ground up to be more consistent, precise and informative.
- The `PUT` method has been reimplemented with idempotent behavior and has been added to some entities that didn't have it.

For more details about the new Admin API, please visit the official docs: https://docs.konghq.com/

##### Plugins

- :warning: The `galileo` plugin has been removed (deprecated since 0.13.0). [#3960](https://github.com/Kong/kong/pull/3960)
- :warning: Some internal modules that were occasionally used by plugin authors before the introduction of the Plugin Development Kit (PDK) in 0.14.0 are now removed:
  - The `kong.tools.ip` module was removed. Use `kong.ip` from the PDK instead.
  - The `kong.tools.public` module was removed. Use the various equivalent features from the PDK instead.
  - The `kong.tools.responses` module was removed. Please use `kong.response.exit` from the PDK instead. You might want to use `kong.log.err` to log internal server errors as well.
  - The `kong.api.crud_helpers` module was removed (deprecated since the introduction of the new DAO in 0.13.0). Use `kong.api.endpoints` instead if you need to customize the auto-generated endpoints.
- All bundled plugins' schemas and custom entities have been updated to the new `kong.db` module, and their APIs have been updated to the new Admin API, which is described in the above section. [#3766](https://github.com/Kong/kong/pull/3766) [#3774](https://github.com/Kong/kong/pull/3774) [#3778](https://github.com/Kong/kong/pull/3778) [#3839](https://github.com/Kong/kong/pull/3839)
- :warning: All plugins migrations have been converted to the new migration framework. Custom plugins must use the new migration framework from 0.15 onwards.

### Additions

##### :fireworks: Service Mesh and Stream Routes

Kong's Service Mesh support resulted in a number of additions to Kong's configuration, Admin API, and plugins that deserve their own section in this changelog.

- **Support for TCP & TLS Stream Routes** via the new `stream_listen` config option. [#4009](https://github.com/Kong/kong/pull/4009)
- A new `origins` config property allows overriding hosts from Kong. [#3679](https://github.com/Kong/kong/pull/3679)
- A `transparent` suffix added to stream listeners allows for setting up a dynamic Service Mesh with `iptables`. [#3884](https://github.com/Kong/kong/pull/3884)
- Kong instances can now create a shared internal Certificate Authority, which is used for Service Mesh TLS traffic. [#3906](https://github.com/Kong/kong/pull/3906) [#3861](https://github.com/Kong/kong/pull/3861)
- Plugins get a new `run_on` field to control how they behave in a Service Mesh environment. [#3930](https://github.com/Kong/kong/pull/3930) [#4066](https://github.com/Kong/kong/pull/4066)
- There is a new phase called `preread`. This is where stream traffic routing is done.

##### Configuration

- A new `dns_valid_ttl` property can be set to forcefully override the TTL value of all resolved DNS records. [#3730](https://github.com/Kong/kong/pull/3730)
- A new `pg_timeout` property can be set to configure the timeout of PostgreSQL connections.
[#3808](https://github.com/Kong/kong/pull/3808)
- `upstream_keepalive` can now be disabled when set to 0. Thanks [@pryorda](https://github.com/pryorda) for the patch. [#3716](https://github.com/Kong/kong/pull/3716)
- The new `transparent` suffix also applies to the `proxy_listen` directive.

##### CLI

- :fireworks: **New migrations framework**. This new implementation supports no-downtime, Blue/Green migrations paths that will help sustain Kong 1.0's stability. It brings a considerable number of other improvements, such as new commands, better support for automation, improved CLI logging, and many more. Additionally, this new framework alleviates the old limitation around multiple nodes running concurrent migrations. See the related PR for a complete list of improvements. [#3802](https://github.com/Kong/kong/pull/3802)

##### Core

- :fireworks: **Support for TLS 1.3**. The support for OpenSSL 1.1.1 (bumped in our official distribution packages) not only enabled Service Mesh features, but also unlocks support for the latest version of the TLS protocol.
- :fireworks: **Support for HTTPS in active healthchecks**. [#3815](https://github.com/Kong/kong/pull/3815)
- :fireworks: Improved router rebuilds resiliency by reducing database accesses in high concurrency scenarios. [#3782](https://github.com/Kong/kong/pull/3782)
- :fireworks: Significant performance improvements in the core's plugins runloop. [#3794](https://github.com/Kong/kong/pull/3794)
- PDK improvements:
  - New `kong.node` module. [#3826](https://github.com/Kong/kong/pull/3826)
  - New functions `kong.response.get_path_with_query()` and `kong.request.get_start_time()`. [#3842](https://github.com/Kong/kong/pull/3842)
  - Getters and setters for Service, Route, Consumer, and Credential. [#3916](https://github.com/Kong/kong/pull/3916)
  - `kong.response.get_source()` returns `error` on nginx-produced errors.
[#4006](https://github.com/Kong/kong/pull/4006)
  - `kong.response.exit()` can be used in the `header_filter` phase, but only without a body. [#4039](https://github.com/Kong/kong/pull/4039)
- Schema improvements:
  - New field validators: `distinct`, `ne`, `is_regex`, `contains`, `gt`.
  - Adding a new field which has a default value to a schema no longer requires a migration. [#3756](https://github.com/Kong/kong/pull/3756)

##### Admin API

- :fireworks: **Routes now have a `name` field (like Services)**. [#3764](https://github.com/Kong/kong/pull/3764)
- Multipart parsing support. [#3776](https://github.com/Kong/kong/pull/3776)
- Admin API errors expose the name of the current strategy. [#3612](https://github.com/Kong/kong/pull/3612)

##### Plugins

- :fireworks: aws-lambda: **Support for Lambda Proxy Integration** with the new `is_proxy_integration` property. Thanks [@aloisbarreras](https://github.com/aloisbarreras) for the patch! [#3427](https://github.com/Kong/kong/pull/3427/).
- http-log: Support for buffering logging messages in a configurable logging queue. [#3604](https://github.com/Kong/kong/pull/3604)
- Most plugins' logic has been rewritten with the PDK instead of using internal Kong functions or ngx_lua APIs.

### Fixes

##### Core

- Fix an issue which would insert an extra `/` in the upstream URL when the request path was longer than the configured Route's `path` attribute. [#3780](https://github.com/kong/kong/pull/3780)
- Ensure better backwards-compatibility between the new DAO and existing core runloop code regarding null values. [#3772](https://github.com/Kong/kong/pull/3772) [#3710](https://github.com/Kong/kong/pull/3710)
- Ensure support for Datastax Enterprise 6.x. Thanks [@gchristidis](https://github.com/gchristidis) for the patch! [#3873](https://github.com/Kong/kong/pull/3873)
- Various issues with the PostgreSQL DAO strategy were addressed.
- Various issues related to the new schema library bundled with the new DAO were addressed.
- PDK improvements:
  - `kong.request.get_path()` and other functions now properly handle cases when `$request_uri` is nil. [#3842](https://github.com/Kong/kong/pull/3842)

##### Admin API

- Ensure the `/certificates` endpoints properly return all SNIs configured on a given certificate. [#3722](https://github.com/Kong/kong/pull/3722)
- Ensure the `upstreams/:upstream/targets/...` endpoints return an empty JSON array (`[]`) instead of an empty object (`{}`) when no targets exist. [#4058](https://github.com/Kong/kong/pull/4058)
- Improved inferring of arguments with `application/x-www-form-urlencoded`. [#3770](https://github.com/Kong/kong/pull/3770)
- Fix the handling of default values in some cases when using `PATCH`. [#3910](https://github.com/Kong/kong/pull/3910)

##### Plugins

- cors:
  - Ensure `Vary: Origin` is set when `config.credentials` is enabled. Thanks [@marckhouzam](https://github.com/marckhouzam) for the patch! [#3765](https://github.com/Kong/kong/pull/3765)
  - Return HTTP 200 instead of 204 for preflight requests. Thanks [@aslafy-z](https://github.com/aslafy-z) for the patch! [#4029](https://github.com/Kong/kong/pull/4029)
  - Ensure request origins specified as flat strings are safely validated. [#3872](https://github.com/Kong/kong/pull/3872)
- acl: Minor performance improvements by ensuring proper caching of computed values. [#4040](https://github.com/Kong/kong/pull/4040)
- correlation-id: Prevent an error from being thrown when the access phase was skipped, such as on nginx-produced errors. [#4006](https://github.com/Kong/kong/issues/4006)
- aws-lambda: When the client uses HTTP/2, strip response headers that are disallowed by the protocols. [#4032](https://github.com/Kong/kong/pull/4032)
- rate-limiting & response-ratelimiting: Improve efficiency by avoiding unnecessary Redis `SELECT` operations.
  [#3973](https://github.com/Kong/kong/pull/3973)

[Back to TOC](#table-of-contents)

## [0.15.0]

> Released on: 2018/12/18

This is the last release in the 0.x series, giving users one last chance to upgrade while still using some of the options and concepts that were marked as deprecated in Kong 0.x and were removed in Kong 1.0.

For a list of additions and fixes in Kong 0.15, see the [1.0.0](#100) changelog. This release includes all new features included in 1.0 (Service Mesh, Stream Routes and New Migrations), but unlike Kong 1.0, it retains much of the deprecated functionality, such as the **API** entity. Still, Kong 0.15 does have a number of breaking changes related to functionality that has changed since version 0.14 (see below).

If you are starting with Kong, we recommend that you use 1.0.0 instead of this release.

If you are already using Kong 0.14, our recommendation is to plan to move to 1.0 -- see the [1.0 Upgrade Path](https://github.com/kong/kong/blob/master/UPGRADE.md) document for details. Upgrading to 0.15.0 is only recommended if you can't do away with the deprecated features but you need some fixes or new features right now.

### Changes

##### Dependencies

- The required OpenResty version is still 1.13.6.2, but for a full feature set including stream routing and Service Mesh abilities with mutual TLS, Kong's [openresty-patches](https://github.com/kong/openresty-patches) must be applied (those patches are already bundled with our official distribution packages). Kong in HTTP(S) Gateway scenarios does not require these patches.
- Service Mesh abilities require at least OpenSSL version 1.1.1. In our official distribution packages, OpenSSL has been bumped to 1.1.1. [#4005](https://github.com/Kong/kong/pull/4005)

##### Configuration

- The default value for `cassandra_lb_policy` changed from `RoundRobin` to `RequestRoundRobin`. This helps reduce the number of new connections opened during a request when using the Cassandra strategy.
  [#4004](https://github.com/Kong/kong/pull/4004)

##### Core

- Timestamps now bear millisecond precision in their decimal part. [#3660](https://github.com/Kong/kong/pull/3660)
- The PDK function `kong.request.get_body` will now return `nil, err, mime` when the body is valid JSON but neither an object nor an array. [#4063](https://github.com/Kong/kong/pull/4063)

##### CLI

- :warning: The new migrations framework (detailed in the [1.0.0 changelog](#100)) has a different usage (and subcommands) compared to its predecessor. [#3802](https://github.com/Kong/kong/pull/3802)

##### Admin API

- :warning: In the 0.14.x release, Upstreams, Targets, and Plugins were still implemented using the old DAO and Admin API. In 0.15.0 and 1.0.0, all core entities use the new `kong.db` DAO, and their endpoints have been upgraded to the new Admin API (see below for details). [#3689](https://github.com/Kong/kong/pull/3689) [#3739](https://github.com/Kong/kong/pull/3739) [#3778](https://github.com/Kong/kong/pull/3778)

  A summary of the changes introduced in the new Admin API:

  - Pagination has been included in all "multi-record" endpoints, and pagination control fields are different than in 0.14.x.
  - Filtering now happens via URL path changes (`/consumers/x/plugins`) instead of querystring fields (`/plugins?consumer_id=x`).
  - Array values can't be coerced from comma-separated strings. They must be "proper" JSON values on JSON requests, or use a new syntax on form-url-encoded or multipart requests.
  - Error messages have been reworked from the ground up to be more consistent, precise and informative.
  - The `PUT` method has been reimplemented with idempotent behavior and has been added to some entities that didn't have it.
  For more details about the new Admin API, please visit the official docs: https://docs.konghq.com/

##### Plugins

- All bundled plugins' schemas and custom entities have been updated to the new `kong.db` module, and their APIs have been updated to the new Admin API, which is described in the above section. [#3766](https://github.com/Kong/kong/pull/3766) [#3774](https://github.com/Kong/kong/pull/3774) [#3778](https://github.com/Kong/kong/pull/3778) [#3839](https://github.com/Kong/kong/pull/3839)
- :warning: All plugins migrations have been converted to the new migration framework. Custom plugins must use the new migration framework from 0.15 onwards.

### Additions

Kong 0.15.0 contains the same additions as 1.0.0. See the [1.0.0 changelog](#100) for a complete list.

### Fixes

Kong 0.15.0 contains the same fixes as 1.0.0. See the [1.0.0 changelog](#100) for a complete list.

[Back to TOC](#table-of-contents)

## [0.14.1]

> Released on: 2018/08/21

### Additions

##### Plugins

- jwt: Support for tokens signed with HS384 and HS512. Thanks [@kepkin](https://github.com/kepkin) for the patch. [#3589](https://github.com/Kong/kong/pull/3589)
- acl: Add a new `hide_groups_header` configuration option. If enabled, this option prevents the plugin from injecting the `X-Consumer-Groups` header into the upstream request. Thanks [@jeremyjpj0916](https://github.com/jeremyjpj0916) for the patch! [#3703](https://github.com/Kong/kong/pull/3703)

### Fixes

##### Core

- Prevent some plugins from breaking in subtle ways when manipulating some entities and their attributes. An example of such breaking behavior could be observed when Kong was wrongly injecting `X-Consumer-Username: userdata: NULL` in upstream requests headers, instead of not injecting this header at all. [#3714](https://github.com/Kong/kong/pull/3714)
- Fix an issue which, in some cases, prevented the use of Kong with Cassandra in environments where DNS load-balancing is in effect for contact points provided as hostnames (e.g.
  Kubernetes with `cassandra_contact_points = cassandra`). [#3693](https://github.com/Kong/kong/pull/3693)
- Fix an issue which prevented the use of UNIX domain sockets in some logging plugins, and custom plugins making use of such sockets. Thanks [@rucciva](https://github.com/rucciva) for the patch. [#3633](https://github.com/Kong/kong/pull/3633)
- Avoid logging false-negative error messages related to worker events. [#3692](https://github.com/Kong/kong/pull/3692)

##### CLI

- Database connectivity errors are properly prefixed with the database name again (e.g. `[postgres]`). [#3648](https://github.com/Kong/kong/pull/3648)

##### Plugins

- zipkin
  - Allow usage of the plugin with the deprecated "API" entity, and introduce a new `kong.api` tag. [kong-plugin-zipkin/commit/4a645e9](https://github.com/Kong/kong-plugin-zipkin/commit/4a645e940e560f2e50567e0360b5df3b38f74853)
  - Properly report the `kong.credential` tag. [kong-plugin-zipkin/commit/c627c36](https://github.com/Kong/kong-plugin-zipkin/commit/c627c36402c9a14cc48011baa773f4ee08efafcf)
  - Ensure the plugin does not throw errors when no Route was matched. [kong-plugin-zipkin#19](https://github.com/Kong/kong-plugin-zipkin/issues/19)
- basic-auth: Passwords with whitespaces are not trimmed anymore. Thanks [@aloisbarreras](https://github.com/aloisbarreras) for the patch. [#3650](https://github.com/Kong/kong/pull/3650)
- hmac-auth: Ensure backward compatibility for clients generating signatures without the request's querystring, as is the case for Kong versions prior to 0.14.0, which broke this behavior. Users of this plugin on previous versions of Kong can now safely upgrade to the 0.14 family. Thanks [@mlehner616](https://github.com/mlehner616) for the patch! [#3699](https://github.com/Kong/kong/pull/3699)
- ldap-auth
  - Set the WWW-Authenticate header authentication scheme according to the `conf.header_type` property, which allows browsers to show the authentication popup automatically.
    Thanks [@francois-maillard](https://github.com/francois-maillard) for the patch. [#3656](https://github.com/Kong/kong/pull/3656)
  - Invalid authentication attempts do not block subsequent valid attempts anymore. [#3677](https://github.com/Kong/kong/pull/3677)

[Back to TOC](#table-of-contents)

## [0.14.0] - 2018/07/05

This release introduces the first version of the **Plugin Development Kit**: a Lua SDK, comprised of a set of functions to ease the development of custom plugins.

Additionally, it contains several major improvements consolidating Kong's feature set and flexibility, such as the support for `PUT` endpoints on the Admin API for idempotent workflows, the execution of plugins during Nginx-produced errors, and the injection of **Nginx directives** without having to rely on the custom Nginx configuration pattern!

Finally, new bundled plugins allow Kong to better integrate with **Cloud Native** environments, such as Zipkin and Prometheus.

As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the [0.14 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-014x) for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.

### Breaking Changes

##### Dependencies

- :warning: The required OpenResty version has been bumped to 1.13.6.2. If you are installing Kong from one of our distribution packages, you are not affected by this change. [#3498](https://github.com/Kong/kong/pull/3498)
- :warning: Support for PostgreSQL 9.4 (deprecated in 0.12.0) is now dropped. [#3490](https://github.com/Kong/kong/pull/3490)
- :warning: Support for Cassandra 2.1 (deprecated in 0.12.0) is now dropped. [#3490](https://github.com/Kong/kong/pull/3490)

##### Configuration

- :warning: The `server_tokens` and `latency_tokens` configuration properties have been removed.
  Instead, a new `headers` configuration property replaces them and allows for more granular settings of injected headers (e.g. `Server`, `Via`, `X-Kong-*-Latency`, etc...). [#3300](https://github.com/Kong/kong/pull/3300)
- :warning: New required `lua_shared_dict` entries must be added to the Nginx configuration. You are not affected by this change if you do not use a custom Nginx template. [#3557](https://github.com/Kong/kong/pull/3557)
- :warning: Other important modifications must be applied to the Nginx configuration. You are not affected by this change if you do not use a custom Nginx template. [#3533](https://github.com/Kong/kong/pull/3533)

##### Plugins

- :warning: The Runscope plugin has been dropped, based on the EoL announcement made by Runscope about their Traffic Inspector product. [#3495](https://github.com/Kong/kong/pull/3495)

##### Admin API

- :warning: The SSL Certificates and SNI entities have moved to the new DAO implementation. As such, the `/certificates` and `/snis` endpoints have received notable usability improvements, but suffer from a few breaking changes. [#3386](https://github.com/Kong/kong/pull/3386)
- :warning: The Consumers entity has moved to the new DAO implementation. As such, the `/consumers` endpoint has received notable usability improvements, but suffers from a few breaking changes. [#3437](https://github.com/Kong/kong/pull/3437)

### Changes

##### Configuration

- The default value of `db_cache_ttl` is now `0` (disabled). Now that our level of confidence around the new caching mechanism introduced in 0.11.0 is high enough, we consider `0` (no TTL) to be an appropriate default for production environments, as it offers a smoother cache consumption behavior and reduces database pressure. [#3492](https://github.com/Kong/kong/pull/3492)

##### Core

- :fireworks: Serve stale data from the database cache when the datastore cannot be reached. Such stale items are "resurrected" for `db_resurrect_ttl` seconds (see configuration section).
  [#3579](https://github.com/Kong/kong/pull/3579)
- Reduce LRU churning in the database cache against some workloads. [#3550](https://github.com/Kong/kong/pull/3550)

### Additions

##### Configuration

- :fireworks: **Support for injecting Nginx directives via configuration properties** (in the `kong.conf` file or via environment variables)! This new way of customizing the Nginx configuration should render obsolete the old way of maintaining a custom Nginx template in most cases! [#3530](https://github.com/Kong/kong/pull/3530)
- :fireworks: **Support for selectively disabling bundled plugins**. A new `plugins` configuration property is introduced, and is used to specify which plugins should be loaded by the node. Custom plugins should now be specified in this new property, and the `custom_plugins` property is **deprecated**. If desired, Kong administrators can specify a minimal set of plugins to load (instead of the default, bundled plugins), and **improve P99 latency** thanks to the resulting decrease in database traffic. [#3387](https://github.com/Kong/kong/pull/3387)
- The new `headers` configuration property allows for specifying the injection of a new header: `X-Kong-Upstream-Status`. When enabled, Kong will inject this header containing the HTTP status code of the upstream response in the client response. This is particularly useful for clients to distinguish upstream statuses upon rewriting of the response by Kong. [#3263](https://github.com/Kong/kong/pull/3263)
- A new `db_resurrect_ttl` configuration property can be set to customize the amount of time stale data can be resurrected for when it cannot be refreshed. Defaults to 30 seconds. [#3579](https://github.com/Kong/kong/pull/3579)
- Two new Cassandra load balancing policies are available: `RequestRoundRobin` and `RequestDCAwareRoundRobin`.
  Both policies guarantee that the same peer will be reused across several queries during the lifetime of a request, thus guaranteeing no new connection will be opened against a peer during this request. [#3545](https://github.com/Kong/kong/pull/3545)

##### Core

- :fireworks: **Execute plugins on Nginx-produced errors.** Now, when Nginx produces a 4xx error (upon invalid requests) or 5xx (upon failure from the load balancer to connect to a Service), Kong will execute the response phases of its plugins (`header_filter`, `body_filter`, `log`). As such, Kong logging plugins are not blind to such Nginx-produced errors anymore, and will start properly reporting them. Plugins should be built defensively against cases where their `rewrite` or `access` phases were not executed. [#3533](https://github.com/Kong/kong/pull/3533)
- :fireworks: **Support for cookie-based load balancing!** [#3472](https://github.com/Kong/kong/pull/3472)

##### Plugins

- :fireworks: **Introduction of the Plugin Development Kit!** A set of Lua functions and variables that will greatly ease and speed up the task of developing custom plugins. The Plugin Development Kit (PDK) allows the retrieval and manipulation of the request and response objects, as well as interacting with various core components (e.g. logging, load balancing, DAO, etc...) without having to rely on OpenResty functions, and with the guarantee of their forward-compatibility with future versions of Kong. [#3556](https://github.com/Kong/kong/pull/3556)
- :fireworks: **New bundled plugin: Zipkin**! This plugin allows Kong to sample traces and report them to a running Zipkin instance. (See: https://github.com/Kong/kong-plugin-zipkin) [#3434](https://github.com/Kong/kong/pull/3434)
- :fireworks: **New bundled plugin: Prometheus**! This plugin allows Kong to expose metrics in the Prometheus Exposition format. Available metrics include HTTP status codes, latencies histogram, bandwidth, and more...
  (See: https://github.com/Kong/kong-plugin-prometheus) [#3547](https://github.com/Kong/kong/pull/3547)
- :fireworks: **New bundled plugin: Azure Functions**! This plugin can be used to invoke [Microsoft Azure Functions](https://azure.microsoft.com/en-us/services/functions/), similarly to the already existing AWS Lambda and OpenWhisk plugins. (See: https://github.com/Kong/kong-plugin-azure-functions) [#3428](https://github.com/Kong/kong/pull/3428)
- :fireworks: **New bundled plugin: Serverless Functions**! Dynamically run Lua without having to write a full-fledged plugin. Lua code snippets can be uploaded via the Admin API and be executed during Kong's `access` phase. (See: https://github.com/Kong/kong-plugin-serverless-functions) [#3551](https://github.com/Kong/kong/pull/3551)
- jwt: Support for limiting the allowed expiration period of JWT tokens. A new `config.maximum_expiration` property can be set to indicate the maximum number of seconds the `exp` claim may be ahead in the future. Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch! [#3331](https://github.com/Kong/kong/pull/3331)
- aws-lambda: Add `us-gov-west-1` to the list of allowed regions. [#3529](https://github.com/Kong/kong/pull/3529)

##### Admin API

- :fireworks: Support for `PUT` in new endpoints (e.g. `/services/{id or name}`, `/routes/{id}`, `/consumers/{id or username}`), allowing the development of idempotent configuration workflows when scripting the Admin API. [#3416](https://github.com/Kong/kong/pull/3416)
- Support for `PATCH` and `DELETE` on the `/services/{name}`, `/consumers/{username}`, and `/snis/{name}` endpoints. [#3416](https://github.com/Kong/kong/pull/3416)

### Fixes

##### Configuration

- Properly support IPv6 addresses in `proxy_listen` and `admin_listen` configuration properties. [#3508](https://github.com/Kong/kong/pull/3508)

##### Core

- IPv6 nameservers with a scope are now ignored by the DNS resolver.
  [#3478](https://github.com/Kong/kong/pull/3478)
- SRV records without a port number now return the default port instead of `0`. [#3478](https://github.com/Kong/kong/pull/3478)
- Ensure DNS-based round robin load balancing starts at a randomized position to prevent all Nginx workers from starting with the same peer. [#3478](https://github.com/Kong/kong/pull/3478)
- Properly report timeouts in passive health checks. Previously, connection timeouts were counted as `tcp_failures`, and upstream timeouts were ignored. Health check users should ensure that their `timeout` settings reflect their intended behavior. [#3539](https://github.com/Kong/kong/pull/3539)
- Ensure active health check probe requests send the `Host` header. [#3496](https://github.com/Kong/kong/pull/3496)
- Overall, more reliable health checks healthiness counters behavior. [#3496](https://github.com/Kong/kong/pull/3496)
- Do not set `Content-Type` headers on HTTP 204 No Content responses. [#3351](https://github.com/Kong/kong/pull/3351)
- Ensure the PostgreSQL connector of the new DAO (used by Services, Routes, Consumers, and SSL certs/SNIs) is now fully re-entrant and properly behaves in busy workloads (e.g. scripting requests to the Admin API). [#3423](https://github.com/Kong/kong/pull/3423)
- Properly route HTTP/1.0 requests without a Host header when using the old deprecated "API" entity. [#3438](https://github.com/Kong/kong/pull/3438)
- Ensure that all Kong-produced errors respect the `headers` configuration setting (previously `server_tokens`) and do not include the `Server` header if not configured. [#3511](https://github.com/Kong/kong/pull/3511)
- Harden an existing Cassandra migration. [#3532](https://github.com/Kong/kong/pull/3532)
- Prevent the load balancer from needlessly rebuilding its state when creating Targets. [#3477](https://github.com/Kong/kong/pull/3477)
- Prevent some harmless error logs from being printed during startup when initialization takes more than a few seconds.
  [#3443](https://github.com/Kong/kong/pull/3443)

##### Plugins

- hmac: Ensure that empty request bodies do not pass validation if there is no digest header. Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch! [#3347](https://github.com/Kong/kong/pull/3347)
- response-transformer: Prevent the plugin from throwing an error when its `access` handler did not get a chance to run (e.g. on short-circuited, unauthorized requests). [#3524](https://github.com/Kong/kong/pull/3524)
- aws-lambda: Ensure logging plugins subsequently run when this plugin terminates. [#3512](https://github.com/Kong/kong/pull/3512)
- request-termination: Ensure logging plugins subsequently run when this plugin terminates. [#3513](https://github.com/Kong/kong/pull/3513)

##### Admin API

- Requests to `/healthy` and `/unhealthy` endpoints for upstream health checks now properly propagate the new state to other nodes of a Kong cluster. [#3464](https://github.com/Kong/kong/pull/3464)
- Do not produce an HTTP 500 error when POST-ing to `/services` with an empty `url` argument. [#3452](https://github.com/Kong/kong/pull/3452)
- Ensure foreign keys are required when creating child entities (e.g. `service.id` when creating a Route). Previously some rows could have an empty `service_id` field. [#3548](https://github.com/Kong/kong/pull/3548)
- Better type inference in new endpoints (e.g. `/services`, `/routes`, `/consumers`) when using `application/x-www-form-urlencoded` MIME type. [#3416](https://github.com/Kong/kong/pull/3416)

[Back to TOC](#table-of-contents)

## [0.13.1] - 2018/04/23

This release contains numerous bug fixes and a few convenience features. Notably, a best-effort/backwards-compatible approach is followed to resolve `no memory` errors caused by the fragmentation of shared memory between the core and plugins.

### Added

##### Core

- Cache misses are now stored in a separate shared memory zone from hits if such a zone is defined.
  This reduces cache turnover and can increase the cache hit ratio quite considerably. Users with a custom Nginx template are advised to define such a zone to benefit from this behavior: `lua_shared_dict kong_db_cache_miss 12m;`.
- We now ensure that the Cassandra or PostgreSQL instance Kong is connecting to falls within the supported version range. Deprecated versions result in warning logs. As a reminder, Kong 0.13.x supports Cassandra 2.2+, and PostgreSQL 9.5+. Cassandra 2.1 and PostgreSQL 9.4 are supported, but deprecated. [#3310](https://github.com/Kong/kong/pull/3310)
- HTTP 494 errors thrown by Nginx are now caught by Kong and produce a native, Kong-friendly response. Thanks [@ti-mo](https://github.com/ti-mo) for the contribution! [#3112](https://github.com/Kong/kong/pull/3112)

##### CLI

- Report errors when compiling custom Nginx templates. [#3294](https://github.com/Kong/kong/pull/3294)

##### Admin API

- Friendlier behavior of Routes schema validation: PATCH requests can be made without specifying all three of `methods`, `hosts`, or `paths` if at least one of the three is specified in the body. [#3364](https://github.com/Kong/kong/pull/3364)

##### Plugins

- jwt: Support for identity providers using JWKS by ensuring the `config.key_claim_name` value is looked for in the token header. Thanks [@brycehemme](https://github.com/brycehemme) for the contribution! [#3313](https://github.com/Kong/kong/pull/3313)
- basic-auth: Allow specifying empty passwords. Thanks [@zhouzhuojie](https://github.com/zhouzhuojie) and [@perryao](https://github.com/perryao) for the contributions! [#3243](https://github.com/Kong/kong/pull/3243)

### Fixed

##### Core

- Numerous users have reported `no memory` errors which were caused by circumstantial memory fragmentation. Such errors, while still possible if plugin authors are not careful, should now mostly be addressed.
  [#3311](https://github.com/Kong/kong/pull/3311)

  **If you are using a custom Nginx template, be sure to define the following shared memory zones to benefit from these fixes**:

  ```
  lua_shared_dict kong_db_cache_miss 12m;
  lua_shared_dict kong_rate_limiting_counters 12m;
  ```

##### CLI

- Redirect Nginx's stdout and stderr output to `kong start` when `nginx_daemon` is enabled (such as when using the Kong Docker image). This also prevents growing log files when Nginx redirects logs to `/dev/stdout` and `/dev/stderr` but `nginx_daemon` is disabled. [#3297](https://github.com/Kong/kong/pull/3297)

##### Admin API

- Set a Service's `port` to `443` when the `url` convenience parameter uses the `https://` scheme. [#3358](https://github.com/Kong/kong/pull/3358)
- Ensure PATCH requests do not return an error when un-setting foreign key fields with JSON `null`. [#3355](https://github.com/Kong/kong/pull/3355)
- Ensure the `/plugin/schema/:name` endpoint does not corrupt plugins' schemas. [#3348](https://github.com/Kong/kong/pull/3348)
- Properly URL-decode path segments of plugins endpoints accepting spaces (e.g. `/consumers//basic-auth/John%20Doe/`). [#3250](https://github.com/Kong/kong/pull/3250)
- Properly serialize boolean filtering values when using Cassandra. [#3362](https://github.com/Kong/kong/pull/3362)

##### Plugins

- rate-limiting/response-rate-limiting:
  - If defined in the Nginx configuration, will use a dedicated `lua_shared_dict` instead of using the `kong_cache` shared memory zone. This prevents memory fragmentation issues resulting in `no memory` errors observed by numerous users. Users with a custom Nginx template are advised to define such a zone to benefit from this fix: `lua_shared_dict kong_rate_limiting_counters 12m;`. [#3311](https://github.com/Kong/kong/pull/3311)
  - When using the Redis strategy, ensure the correct Redis database is selected.
    This issue could occur when several request and response rate-limiting were configured using different Redis databases. Thanks [@mengskysama](https://github.com/mengskysama) for the patch! [#3293](https://github.com/Kong/kong/pull/3293)
- key-auth: Respect request MIME type when re-encoding the request body if both `config.key_in_body` and `config.hide_credentials` are enabled. Thanks [@p0pr0ck5](https://github.com/p0pr0ck5) for the patch! [#3213](https://github.com/Kong/kong/pull/3213)
- oauth2: Return HTTP 400 on invalid `scope` type. Thanks [@Gman98ish](https://github.com/Gman98ish) for the patch! [#3206](https://github.com/Kong/kong/pull/3206)
- ldap-auth: Ensure the plugin does not throw errors when configured as a global plugin. [#3354](https://github.com/Kong/kong/pull/3354)
- hmac-auth: Verify signature against non-normalized (`$request_uri`) request line (instead of `$uri`). [#3339](https://github.com/Kong/kong/pull/3339)
- aws-lambda: Fix a typo in upstream headers sent to the function. We now properly send the `X-Amz-Log-Type` header. [#3398](https://github.com/Kong/kong/pull/3398)

[Back to TOC](#table-of-contents)

## [0.13.0] - 2018/03/22

This release introduces two new core entities that will improve the way you configure Kong: **Routes** & **Services**. Those entities replace the "API" entity and simplify the setup of non-naive use-cases by providing better separation of concerns and allowing for plugins to be applied to specific **endpoints**.

As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the [0.13 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-013x) for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.

### Breaking Changes

##### Configuration

- :warning: The `proxy_listen` and `admin_listen` configuration values have a new syntax.
  This syntax is more aligned with that of NGINX and is more powerful while also simpler. As a result, the following configuration values have been removed as superfluous: `ssl`, `admin_ssl`, `http2`, `admin_http2`, `proxy_listen_ssl`, and `admin_listen_ssl`. [#3147](https://github.com/Kong/kong/pull/3147)

##### Plugins

- :warning: galileo: As part of the Galileo deprecation path, the galileo plugin is not enabled by default anymore, although still bundled with 0.13. Users are advised to stop using the plugin, but for the time being can keep enabling it by adding it to the `custom_plugin` configuration value. [#3233](https://github.com/Kong/kong/pull/3233)
- :warning: rate-limiting (Cassandra): The default migration for including Routes and Services in plugins will remove and re-create the Cassandra rate-limiting counters table. This means that users that were rate-limited because of excessive API consumption will be able to consume the API until they reach their limit again. There is no such data deletion in PostgreSQL. [def201f](https://github.com/Kong/kong/commit/def201f566ccf2dd9b670e2f38e401a0450b1cb5)

### Changes

##### Dependencies

- **Note to Docker users**: The `latest` tag on Docker Hub now points to the **alpine** image instead of CentOS. This also applies to the `0.13.0` tag.
- The OpenResty version shipped with our default packages has been bumped to `1.13.6.1`. The 0.13.0 release should still be compatible with the OpenResty `1.11.2.x` series for the time being.
- Bumped [lua-resty-dns-client](https://github.com/Kong/lua-resty-dns-client) to `2.0.0`. [#3220](https://github.com/Kong/kong/pull/3220)
- Bumped [lua-resty-http](https://github.com/pintsized/lua-resty-http) to `0.12`. [#3196](https://github.com/Kong/kong/pull/3196)
- Bumped [lua-multipart](https://github.com/Kong/lua-multipart) to `0.5.5`. [#3318](https://github.com/Kong/kong/pull/3318)
- Bumped [lua-resty-healthcheck](https://github.com/Kong/lua-resty-healthcheck) to `0.4.0`.
  [#3321](https://github.com/Kong/kong/pull/3321)

### Additions

##### Configuration

- :fireworks: Support for **control-plane** and **data-plane** modes. The new syntax of `proxy_listen` and `admin_listen` supports `off`, which disables either one of those interfaces. It is now simpler than ever to make a Kong node "Proxy only" (data-plane) or "Admin only" (control-plane). [#3147](https://github.com/Kong/kong/pull/3147)

##### Core

- :fireworks: This release introduces two new entities: **Routes** and **Services**. Those entities will provide a better separation of concerns than the "API" entity offers. Routes will define rules for matching a client's request (e.g., method, host, path...), and Services will represent upstream services (or backends) that Kong should proxy those requests to. Plugins can also be added to both Routes and Services, enabling use-cases to apply plugins more granularly (e.g., per endpoint). Following this addition, the API entity and related Admin API endpoints are now deprecated. This release is backwards-compatible with the previous model and all of your currently defined APIs and matching rules are still supported, although we advise users to migrate to Routes and Services as soon as possible. [#3224](https://github.com/Kong/kong/pull/3224)

##### Admin API

- :fireworks: New endpoints: `/routes` and `/services` to interact with the new core entities. More specific endpoints are also available such as `/services/{service id or name}/routes`, `/services/{service id or name}/plugins`, and `/routes/{route id}/plugins`. [#3224](https://github.com/Kong/kong/pull/3224)
- :fireworks: Our new endpoints (listed above) provide much better responses with regards to producing responses for incomplete entities, errors, etc... In the future, existing endpoints will gradually be moved to using this new Admin API content producer.
  [#3224](https://github.com/Kong/kong/pull/3224)
- :fireworks: Improved argument parsing in form-urlencoded requests to the new endpoints as well. Kong now expects the following syntaxes for representing arrays: `hosts[]=a.com&hosts[]=b.com`, `hosts[1]=a.com&hosts[2]=b.com`, which avoid comma-separated arrays and related issues that can arise. In the future, existing endpoints will gradually be moved to using this new Admin API content parser. [#3224](https://github.com/Kong/kong/pull/3224)

##### Plugins

- jwt: `ngx.ctx.authenticated_jwt_token` is available for other plugins to use. [#2988](https://github.com/Kong/kong/pull/2988)
- statsd: The fields `host`, `port` and `metrics` are no longer marked as "required", since they have a default value. [#3209](https://github.com/Kong/kong/pull/3209)

### Fixes

##### Core

- Fix an issue causing nodes in a cluster to use the default health checks configuration when the user configured them from another node (event propagated via the cluster). [#3319](https://github.com/Kong/kong/pull/3319)
- Increase the default load balancer wheel size from 100 to 10.000. This allows for a better distribution of the load between Targets in general. [#3296](https://github.com/Kong/kong/pull/3296)

##### Admin API

- Fix several issues with application/multipart MIME type parsing of payloads. [#3318](https://github.com/Kong/kong/pull/3318)
- Fix several issues with the parsing of health checks configuration values. [#3306](https://github.com/Kong/kong/pull/3306) [#3321](https://github.com/Kong/kong/pull/3321)

[Back to TOC](#table-of-contents)

## [0.12.3] - 2018/03/12

### Fixed

- Suppress a memory leak in the core introduced in 0.12.2. Thanks [@mengskysama](https://github.com/mengskysama) for the report. [#3278](https://github.com/Kong/kong/pull/3278)

[Back to TOC](#table-of-contents)

## [0.12.2] - 2018/02/28

### Added

##### Core

- Load balancers now log DNS errors to facilitate debugging.
  [#3177](https://github.com/Kong/kong/pull/3177)
- Reports now can include custom immutable values. [#3180](https://github.com/Kong/kong/pull/3180)

##### CLI

- The `kong migrations reset` command has a new `--yes` flag. This flag makes the command run non-interactively, and ensures no confirmation prompt will occur. [#3189](https://github.com/Kong/kong/pull/3189)

##### Admin API

- A new endpoint `/upstreams/:upstream_id/health` will return the health of the specified upstream. [#3232](https://github.com/Kong/kong/pull/3232)
- The `/` endpoint in the Admin API now exposes the `node_id` field. [#3234](https://github.com/Kong/kong/pull/3234)

### Fixed

##### Core

- HTTP/1.0 requests without a Host header are routed instead of being rejected. HTTP/1.1 requests without a Host are considered invalid and will still be rejected. Thanks to [@rainiest](https://github.com/rainest) for the patch! [#3216](https://github.com/Kong/kong/pull/3216)
- Fix the load balancer initialization when some Targets would contain hostnames. [#3187](https://github.com/Kong/kong/pull/3187)
- Fix incomplete handling of errors when initializing DAO objects. [637532e](https://github.com/Kong/kong/commit/637532e05d8ed9a921b5de861cc7f463e96c6e04)
- Remove bogus errors in the logs provoked by healthcheckers between the time they are unregistered and the time they are garbage-collected ([#3207](https://github.com/Kong/kong/pull/3207)) and when receiving an HTTP status not tracked by healthy or unhealthy lists ([c8eb5ae](https://github.com/Kong/kong/commit/c8eb5ae28147fc02473c05a7b1dbf502fbb64242)).
- Fix soft errors not being handled correctly inside the Kong cache. [#3150](https://github.com/Kong/kong/pull/3150)

##### Migrations

- Better handling of already existing Cassandra keyspaces in migrations. [#3203](https://github.com/Kong/kong/pull/3203). Thanks to [@pamiel](https://github.com/pamiel) for the patch!
##### Admin API

- Ensure `GET /certificates/{uuid}` does not return HTTP 500 when the given identifier does not exist. Thanks to [@vdesjardins](https://github.com/vdesjardins) for the patch! [#3148](https://github.com/Kong/kong/pull/3148)

[Back to TOC](#table-of-contents)

## [0.12.1] - 2018/01/18

This release addresses a few issues encountered with 0.12.0, including one which would prevent upgrading from a previous version. The [0.12 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md) is still relevant for upgrading existing clusters to 0.12.1.

### Fixed

- Fix a migration between previous Kong versions and 0.12.0. [#3159](https://github.com/Kong/kong/pull/3159)
- Ensure Lua errors are propagated when thrown in the `access` handler by plugins. [38580ff](https://github.com/Kong/kong/commit/38580ff547cbd4a557829e3ad135cd6a0f821f7c)

[Back to TOC](#table-of-contents)

## [0.12.0] - 2018/01/16

This major release focuses on two new features we are very excited about: **health checks** and **hash based load balancing**!

We also took this as an opportunity to fix a few prominent issues, sometimes at the expense of breaking changes but overall improving the flexibility and usability of Kong! Do keep in mind that this is a major release, and as such, that we require of you to run the **migrations step**, via the `kong migrations up` command.

Please take a few minutes to thoroughly read the [0.12 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-012x) for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.

### Deprecation notices

Starting with 0.12.0, we are announcing the deprecation of older versions of our supported databases:

- Support for PostgreSQL 9.4 is deprecated. Users are advised to upgrade to 9.5+
- Support for Cassandra 2.1 and below is deprecated.
  Users are advised to upgrade to 2.2+

Note that the above deprecated versions are still supported in this release, but will be dropped in subsequent ones.

### Breaking changes

##### Core

- :warning: The required OpenResty version has been bumped to 1.11.2.5. If you are installing Kong from one of our distribution packages, you are not affected by this change. [#3097](https://github.com/Kong/kong/pull/3097)
- :warning: As Kong now executes subsequent plugins when a request is being short-circuited (e.g. HTTP 401 responses from auth plugins), plugins that run in the header or body filter phases will be run upon such responses from the access phase. We consider this change a big improvement in the Kong run-loop as it allows for more flexibility for plugins. However, it is unlikely, but possible that some of these plugins (e.g. your custom plugins) now run in scenarios where they were not previously expected to run. [#3079](https://github.com/Kong/kong/pull/3079)

##### Admin API

- :warning: By default, the Admin API now only listens on the local interface. We consider this change to be an improvement in the default security policy of Kong. If you are already using Kong, and your Admin API still binds to all interfaces, consider updating it as well. You can do so by updating the `admin_listen` configuration value, like so: `admin_listen = 127.0.0.1:8001`. Thanks [@pduldig-at-tw](https://github.com/pduldig-at-tw) for the suggestion and the patch. [#3016](https://github.com/Kong/kong/pull/3016)

  :red_circle: **Note to Docker users**: Beware of this change as you may have to ensure that your Admin API is reachable via the host's interface. You can use the `-e KONG_ADMIN_LISTEN` argument when provisioning your container(s) to update this value; for example, `-e KONG_ADMIN_LISTEN=0.0.0.0:8001`.
- :warning: To reduce confusion, the `/upstreams/:upstream_name_or_id/targets/` has been updated to not show the full list of Targets anymore, but only the ones that are currently active in the load balancer. To retrieve the full history of Targets, you can now query `/upstreams/:upstream_name_or_id/targets/all`. The `/upstreams/:upstream_name_or_id/targets/active` endpoint has been removed. Thanks [@hbagdi](https://github.com/hbagdi) for tackling this backlog item! [#3049](https://github.com/Kong/kong/pull/3049)
- :warning: The `orderlist` property of Upstreams has been removed, along with any confusion it may have brought. The balancer is now able to fully function without it, yet with the same level of entropy in its load distribution. [#2748](https://github.com/Kong/kong/pull/2748)

##### CLI

- :warning: The `$ kong compile` command which was deprecated in 0.11.0 has been removed. [#3069](https://github.com/Kong/kong/pull/3069)

##### Plugins

- :warning: In logging plugins, the `request.request_uri` field has been renamed to `request.url`. [#2445](https://github.com/Kong/kong/pull/2445) [#3098](https://github.com/Kong/kong/pull/3098)

### Added

##### Core

- :fireworks: Support for **health checks**! Kong can now short-circuit some of your upstream Targets (replicas) from its load balancer when it encounters too many TCP or HTTP errors. You can configure the number of failures, or the HTTP status codes that should be considered invalid, and Kong will monitor the failures and successes of proxied requests to each upstream Target. We call this feature **passive health checks**. Additionally, you can configure **active health checks**, which will make Kong perform periodic HTTP test requests to actively monitor the health of your upstream services, and pre-emptively short-circuit them. Upstream Targets can be manually taken up or down via two new Admin API endpoints: `/healthy` and `/unhealthy`.
  [#3096](https://github.com/Kong/kong/pull/3096)
- :fireworks: Support for **hash based load balancing**! Kong now offers consistent hashing/sticky sessions load balancing capabilities via the new `hash_*` attributes of the Upstream entity. Hashes can be based off client IPs, request headers, or Consumers! [#2875](https://github.com/Kong/kong/pull/2875)
- :fireworks: Logging plugins now log requests that were short-circuited by Kong! (e.g. HTTP 401 responses from auth plugins or HTTP 429 responses from rate limiting plugins, etc.) Kong now executes any subsequent plugins once a request has been short-circuited. Your plugin must be using the `kong.tools.responses` module for this behavior to be respected. [#3079](https://github.com/Kong/kong/pull/3079)
- Kong is now compatible with OpenResty up to version 1.13.6.1. Be aware that the recommended (and default) version shipped with this release is still 1.11.2.5. [#3070](https://github.com/Kong/kong/pull/3070)

##### CLI

- `$ kong start` now considers the commonly used `/opt/openresty` prefix when searching for the `nginx` executable. [#3074](https://github.com/Kong/kong/pull/3074)

##### Admin API

- Two new endpoints, `/healthy` and `/unhealthy` can be used to manually bring upstream Targets up or down, as part of the new health checks feature of the load balancer. [#3096](https://github.com/Kong/kong/pull/3096)

##### Plugins

- logging plugins: A new field `upstream_uri` now logs the value of the upstream request's path. This is useful to help debugging plugins or setups that aim at rewriting a request's URL during proxying. Thanks [@shiprabehera](https://github.com/shiprabehera) for the patch! [#2445](https://github.com/Kong/kong/pull/2445)
- tcp-log: Support for TLS handshake with the logs recipients for secure transmissions of logging data. [#3091](https://github.com/Kong/kong/pull/3091)
- jwt: Support for JWTs passed in cookies. Use the new `config.cookie_names` property to configure the behavior to your liking.
  Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch! [#2974](https://github.com/Kong/kong/pull/2974)
- oauth2
  - New `config.auth_header_name` property to customize the authorization header's name. Thanks [@supraja93](https://github.com/supraja93) [#2928](https://github.com/Kong/kong/pull/2928)
  - New `config.refresh_ttl` property to customize the TTL of refresh tokens, previously hard-coded to 14 days. Thanks [@bob983](https://github.com/bob983) for the patch! [#2942](https://github.com/Kong/kong/pull/2942)
  - Avoid an error in the logs when trying to retrieve an access token from a request without a body. Thanks [@WALL-E](https://github.com/WALL-E) for the patch. [#3063](https://github.com/Kong/kong/pull/3063)
- ldap: New `config.header_type` property to customize the authorization method in the `Authorization` header. Thanks [@francois-maillard](https://github.com/francois-maillard) for the patch! [#2963](https://github.com/Kong/kong/pull/2963)

### Fixed

##### CLI

- Fix a potential vulnerability in which an attacker could read the Kong configuration file with insufficient permissions for a short window of time while Kong is being started. [#3057](https://github.com/Kong/kong/pull/3057)
- Proper log message upon timeout in `$ kong quit`. [#3061](https://github.com/Kong/kong/pull/3061)

##### Admin API

- The `/certificates` endpoint now properly supports the `snis` parameter in PUT and PATCH requests. Thanks [@hbagdi](https://github.com/hbagdi) for the contribution! [#3040](https://github.com/Kong/kong/pull/3040)
- Avoid sending the `HTTP/1.1 415 Unsupported Content Type` response when receiving a request with a valid `Content-Type`, but with an empty payload. [#3077](https://github.com/Kong/kong/pull/3077)

##### Plugins

- basic-auth:
  - Accept passwords containing `:`. Thanks [@nico-acidtango](https://github.com/nico-acidtango) for the patch!
    [#3014](https://github.com/Kong/kong/pull/3014)
  - Performance improvements, courtesy of [@nico-acidtango](https://github.com/nico-acidtango) [#3014](https://github.com/Kong/kong/pull/3014)

[Back to TOC](#table-of-contents)

## [0.11.2] - 2017/11/29

### Added

##### Plugins

- key-auth: New endpoints to manipulate API keys. Thanks [@hbagdi](https://github.com/hbagdi) for the contribution. [#2955](https://github.com/Kong/kong/pull/2955)
  - `/key-auths/` to paginate through all keys.
  - `/key-auths/:credential_key_or_id/consumer` to retrieve the Consumer associated with a key.
- basic-auth: New endpoints to manipulate basic-auth credentials. Thanks [@hbagdi](https://github.com/hbagdi) for the contribution. [#2998](https://github.com/Kong/kong/pull/2998)
  - `/basic-auths/` to paginate through all basic-auth credentials.
  - `/basic-auths/:credential_username_or_id/consumer` to retrieve the Consumer associated with a credential.
- jwt: New endpoints to manipulate JWTs. Thanks [@hbagdi](https://github.com/hbagdi) for the contribution. [#3003](https://github.com/Kong/kong/pull/3003)
  - `/jwts/` to paginate through all JWTs.
  - `/jwts/:jwt_key_or_id/consumer` to retrieve the Consumer associated with a JWT.
- hmac-auth: New endpoints to manipulate hmac-auth credentials. Thanks [@hbagdi](https://github.com/hbagdi) for the contribution. [#3009](https://github.com/Kong/kong/pull/3009)
  - `/hmac-auths/` to paginate through all hmac-auth credentials.
  - `/hmac-auths/:hmac_username_or_id/consumer` to retrieve the Consumer associated with a credential.
- acl: New endpoints to manipulate ACLs. Thanks [@hbagdi](https://github.com/hbagdi) for the contribution. [#3039](https://github.com/Kong/kong/pull/3039)
  - `/acls/` to paginate through all ACLs.
  - `/acls/:acl_id/consumer` to retrieve the Consumer associated with an ACL.

### Fixed

##### Core

- Avoid logging some harmless error messages related to clustering.
  [#3002](https://github.com/Kong/kong/pull/3002)
- Improve performance and memory footprint when parsing multipart request bodies. [Kong/lua-multipart#13](https://github.com/Kong/lua-multipart/pull/13)

##### Configuration

- Add a format check for the `admin_listen_ssl` property, ensuring it contains a valid port. [#3031](https://github.com/Kong/kong/pull/3031)

##### Admin API

- PUT requests with payloads containing non-existing primary keys for entities now return HTTP 404 Not Found, instead of HTTP 200 OK without a response body. [#3007](https://github.com/Kong/kong/pull/3007)
- On the `/` endpoint, ensure `enabled_in_cluster` shows up as an empty JSON Array (`[]`), instead of an empty JSON Object (`{}`). Thanks [@hbagdi](https://github.com/hbagdi) for the patch! [#2982](https://github.com/Kong/kong/issues/2982)

##### Plugins

- hmac-auth: Better parsing of the `Authorization` header to avoid internal errors resulting in HTTP 500. Thanks [@mvanholsteijn](https://github.com/mvanholsteijn) for the patch! [#2996](https://github.com/Kong/kong/pull/2996)
- Improve the performance of the rate-limiting and response-rate-limiting plugins when using the Redis policy. [#2956](https://github.com/Kong/kong/pull/2956)
- Improve the performance of the response-transformer plugin. [#2977](https://github.com/Kong/kong/pull/2977)

## [0.11.1] - 2017/10/24

### Changed

##### Configuration

- Drop the `lua_code_cache` configuration property. This setting has been considered harmful since 0.11.0 as it interferes with Kong's internals. [#2854](https://github.com/Kong/kong/pull/2854)

### Fixed

##### Core

- DNS: SRV records pointing to an A record are now properly handled by the load balancer when `preserve_host` is disabled. Such records used to throw Lua errors on the proxy code path.
  [Kong/lua-resty-dns-client#19](https://github.com/Kong/lua-resty-dns-client/pull/19)
- Fixed an edge-case where `preserve_host` would sometimes craft an upstream request with a Host header from a previous client request instead of the current one. [#2832](https://github.com/Kong/kong/pull/2832)
- Ensure APIs with regex URIs are evaluated in the order that they are created. [#2924](https://github.com/Kong/kong/pull/2924)
- Fixed a typo that caused the load balancing components to ignore the Upstream slots property. [#2747](https://github.com/Kong/kong/pull/2747)

##### CLI

- Fixed the verification of self-signed SSL certificates for PostgreSQL and Cassandra in the `kong migrations` command. Self-signed SSL certificates are now properly verified during migrations according to the `lua_ssl_trusted_certificate` configuration property. [#2908](https://github.com/Kong/kong/pull/2908)

##### Admin API

- The `/upstream/{upstream}/targets/active` endpoint used to return HTTP `405 Method Not Allowed` when called with a trailing slash. Both notations (with and without the trailing slash) are now supported. [#2884](https://github.com/Kong/kong/pull/2884)

##### Plugins

- bot-detection: Fixed an issue which would prevent the plugin from running and result in an HTTP `500` error if configured globally. [#2906](https://github.com/Kong/kong/pull/2906)
- ip-restriction: Fixed support for the `0.0.0.0/0` CIDR block. This block is now supported and won't trigger an error when used in this plugin's properties. [#2918](https://github.com/Kong/kong/pull/2918)

### Added

##### Plugins

- aws-lambda: Added support to forward the client request's HTTP method, headers, URI, and body to the Lambda function. [#2823](https://github.com/Kong/kong/pull/2823)
- key-auth: New `run_on_preflight` configuration option to control authentication on preflight requests.
  [#2857](https://github.com/Kong/kong/pull/2857)
- jwt: New `run_on_preflight` configuration option to control authentication on preflight requests. [#2857](https://github.com/Kong/kong/pull/2857)

##### Plugin development

- Ensure migrations have valid, unique names to avoid conflicts between custom plugins. Thanks [@ikogan](https://github.com/ikogan) for the patch! [#2821](https://github.com/Kong/kong/pull/2821)

### Improved

##### Migrations & Deployments

- Improve migrations reliability for future major releases. [#2869](https://github.com/Kong/kong/pull/2869)

##### Plugins

- Improve the performance of the acl and oauth2 plugins. [#2736](https://github.com/Kong/kong/pull/2736) [#2806](https://github.com/Kong/kong/pull/2806)

[Back to TOC](#table-of-contents)

## [0.10.4] - 2017/10/24

### Fixed

##### Core

- DNS: SRV records pointing to an A record are now properly handled by the load balancer when `preserve_host` is disabled. Such records used to throw Lua errors on the proxy code path. [Kong/lua-resty-dns-client#19](https://github.com/Kong/lua-resty-dns-client/pull/19)
- HTTP `400` errors thrown by Nginx are now correctly caught by Kong and return a native, Kong-friendly response. [#2476](https://github.com/Mashape/kong/pull/2476)
- Fix an edge-case where an API with multiple `uris` and `strip_uri = true` would not always strip the client URI. [#2562](https://github.com/Mashape/kong/issues/2562)
- Fix an issue where Kong would match an API with a shorter URI (from its `uris` value) as a prefix instead of a longer, matching prefix from another API. [#2662](https://github.com/Mashape/kong/issues/2662)
- Fixed a typo that caused the load balancing components to ignore the Upstream `slots` property. [#2747](https://github.com/Mashape/kong/pull/2747)

##### Configuration

- Octothorpes (`#`) can now be escaped (`\#`) and included in the Kong configuration values such as your datastore passwords or usernames.
  [#2411](https://github.com/Mashape/kong/pull/2411)

##### Admin API

- The `data` response field of the `/upstreams/{upstream}/targets/active` Admin API endpoint now returns a list (`[]`) instead of an object (`{}`) when no active targets are present. [#2619](https://github.com/Mashape/kong/pull/2619)

##### Plugins

- datadog: Avoid a runtime error if the plugin is configured as a global plugin but the downstream request did not match any configured API. Thanks [@kjsteuer](https://github.com/kjsteuer) for the fix! [#2702](https://github.com/Mashape/kong/pull/2702)
- ip-restriction: Fixed support for the `0.0.0.0/0` CIDR block. This block is now supported and won't trigger an error when used in this plugin's properties. [#2918](https://github.com/Mashape/kong/pull/2918)

[Back to TOC](#table-of-contents)

## [0.11.0] - 2017/08/16

The latest and greatest version of Kong features improvements all over the board for a better and easier integration with your infrastructure!

The highlights of this release are:

- Support for **regex URIs** in routing, one of the oldest requested features from the community.
- Support for HTTP/2 traffic from your clients.
- Kong does not depend on Serf anymore, which makes deployment and networking requirements **considerably simpler**.
- A better integration with orchestration tools thanks to the support for **non FQDNs** in Kong's DNS resolver.

As per usual, our major releases include datastore migrations which are considered **breaking changes**. Additionally, this release contains numerous breaking changes to the deployment process and proxying behavior that you should be familiar with.

We strongly advise that you read this changeset thoroughly, as well as the [0.11 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-011x) if you are planning to upgrade a Kong cluster.

### Breaking changes

##### Configuration

- :warning: Numerous updates were made to the Nginx configuration template.
  If you are using a custom template, you **must** apply those modifications. See the [0.11 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-011x) for a complete list of changes to apply.

##### Migrations & Deployment

- :warning: Migrations are **not** executed automatically by `kong start` anymore. Migrations are now a **manual** process, which must be executed via the `kong migrations` command. In practice, this means that you have to run `kong migrations up [-c kong.conf]` in one of your nodes **before** starting your Kong nodes. This command should be run from a **single** node/container to avoid several nodes running migrations concurrently and potentially corrupting your database. Once the migrations are up-to-date, it is considered safe to start multiple Kong nodes concurrently. [#2421](https://github.com/Kong/kong/pull/2421)
- :warning: :fireworks: Serf is **not** a dependency anymore. Kong nodes now handle cache invalidation events via a built-in database polling mechanism. See the new "Datastore Cache" section of the configuration file which contains 3 new documented properties: `db_update_frequency`, `db_update_propagation`, and `db_cache_ttl`. If you are using Cassandra, you **should** pay particular attention to the `db_update_propagation` setting, as you **should not** use the default value of `0`. [#2561](https://github.com/Kong/kong/pull/2561)

##### Core

- :warning: Kong now requires OpenResty `1.11.2.4`. OpenResty's LuaJIT can now be built with Lua 5.2 compatibility. [#2489](https://github.com/Kong/kong/pull/2489) [#2790](https://github.com/Kong/kong/pull/2790)
- :warning: Previously, the `X-Forwarded-*` and `X-Real-IP` headers were trusted from any client by default, and forwarded upstream. With the introduction of the new `trusted_ips` property (see the below "Added" section) and to enforce best security practices, Kong *does not* trust any client IP address by default anymore.
  This will make Kong *not* forward incoming `X-Forwarded-*` headers if not coming from configured, trusted IP addresses blocks. This setting also affects the API `check_https` field, which itself relies on *trusted* `X-Forwarded-Proto` headers **only**. [#2236](https://github.com/Kong/kong/pull/2236)
- :warning: The API Object property `http_if_terminated` is now set to `false` by default. For Kong to evaluate the client `X-Forwarded-Proto` header, you must now configure Kong to trust the client IP (see above change), **and** you must explicitly set this value to `true`. This affects you if you are doing SSL termination somewhere before your requests hit Kong, and if you have configured `https_only` on the API, or if you use a plugin that requires HTTPS traffic (e.g. OAuth2). [#2588](https://github.com/Kong/kong/pull/2588)
- :warning: The internal DNS resolver now honours the `search` and `ndots` configuration options of your `resolv.conf` file. Make sure that DNS resolution is still consistent in your environment, and consider eventually not using FQDNs anymore. [#2425](https://github.com/Kong/kong/pull/2425)

##### Admin API

- :warning: As a result of the Serf removal, Kong is now entirely stateless, and as such, the `/cluster` endpoint has disappeared. [#2561](https://github.com/Kong/kong/pull/2561)
- :warning: The Admin API `/status` endpoint does not return a count of the database entities anymore. Instead, it now returns a `database.reachable` boolean value, which reflects the state of the connection between Kong and the underlying database. Please note that this flag **does not** reflect the health of the database itself. [#2567](https://github.com/Kong/kong/pull/2567)

##### Plugin development

- :warning: The upstream URI is now determined via the Nginx `$upstream_uri` variable. Custom plugins using the `ngx.req.set_uri()` API will not be taken into consideration anymore. One must now set the `ngx.var.upstream_uri` variable from the Lua land.
  [#2519](https://github.com/Kong/kong/pull/2519)
- :warning: The `hooks.lua` module for custom plugins is dropped, along with the `database_cache.lua` module. Database entities caching and eviction has been greatly improved to simplify and automate most caching use-cases. See the [Plugins Development Guide](https://getkong.org/docs/0.11.x/plugin-development/entities-cache/) and the [0.11 Upgrade Path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-011x) for more details. [#2561](https://github.com/Kong/kong/pull/2561)
- :warning: To ensure that the order of execution of plugins is still the same for vanilla Kong installations, we had to update the `PRIORITY` field of some of our bundled plugins. If your custom plugin must run after or before a specific bundled plugin, you might have to update your plugin's `PRIORITY` field as well. The complete list of plugins and their priorities is available on the [Plugins Development Guide](https://getkong.org/docs/0.11.x/plugin-development/custom-logic/). [#2489](https://github.com/Kong/kong/pull/2489) [#2813](https://github.com/Kong/kong/pull/2813)

### Deprecated

##### CLI

- The `kong compile` command has been deprecated. Instead, prefer using the new `kong prepare` command. [#2706](https://github.com/Kong/kong/pull/2706)

### Changed

##### Core

- Performance around DNS resolution has been greatly improved in some cases. [#2625](https://github.com/Kong/kong/pull/2425)
- Secret values are now generated with a kernel-level, Cryptographically Secure PRNG. [#2536](https://github.com/Kong/kong/pull/2536)
- The `.kong_env` file created by Kong in its running prefix is now written without world-read permissions. [#2611](https://github.com/Kong/kong/pull/2611)

##### Plugin development

- The `marshall_event` function on schemas is now ignored by Kong, and can be safely removed as the new cache invalidation mechanism natively handles safer events broadcasting.
  [#2561](https://github.com/Kong/kong/pull/2561)

### Added

##### Core

- :fireworks: Support for regex URIs! You can now define regexes in your APIs `uris` property. Those regexes can have capturing groups which can be extracted by Kong during a request, and accessed later in the plugins (useful for URI rewriting). See the [Proxy Guide](https://getkong.org/docs/0.11.x/proxy/#using-regexes-in-uris) for documentation on how to use regex URIs. [#2681](https://github.com/Kong/kong/pull/2681)
- :fireworks: Support for HTTP/2. A new `http2` directive now enables HTTP/2 traffic on the `proxy_listen_ssl` address. [#2541](https://github.com/Kong/kong/pull/2541)
- :fireworks: Support for the `search` and `ndots` configuration options of your `resolv.conf` file. [#2425](https://github.com/Kong/kong/pull/2425)
- Kong now forwards new headers to your upstream services: `X-Forwarded-Host`, `X-Forwarded-Port`, and `X-Forwarded-Proto`. [#2236](https://github.com/Kong/kong/pull/2236)
- Support for the PROXY protocol. If the new `real_ip_header` configuration property is set to `real_ip_header = proxy_protocol`, then Kong will append the `proxy_protocol` parameter to the Nginx `listen` directive of the Kong proxy port. [#2236](https://github.com/Kong/kong/pull/2236)
- Support for BDR compatibility in the PostgreSQL migrations. Thanks [@AlexBloor](https://github.com/AlexBloor) for the patch! [#2672](https://github.com/Kong/kong/pull/2672)

##### Configuration

- Support for DNS nameservers specified in IPv6 format. [#2634](https://github.com/Kong/kong/pull/2634)
- A few new DNS configuration properties allow you to tweak the Kong DNS resolver, and in particular, how it handles the resolution of different record types or the eviction of stale records. [#2625](https://github.com/Kong/kong/pull/2625)
- A new `trusted_ips` configuration property allows you to define a list of trusted IP address blocks that are known to send trusted `X-Forwarded-*` headers.
  Requests from trusted IPs will make Kong forward those headers upstream. Requests from non-trusted IP addresses will make Kong override the `X-Forwarded-*` headers with its own values. In addition, this property also sets the ngx_http_realip_module `set_real_ip_from` directive(s), which makes Kong trust the incoming `X-Real-IP` header as well, which is used for operations such as rate-limiting by IP address, and that Kong forwards upstream as well. [#2236](https://github.com/Kong/kong/pull/2236)
- You can now configure the ngx_http_realip_module from the Kong configuration. In addition to `trusted_ips` which sets the `set_real_ip_from` directives(s), two new properties, `real_ip_header` and `real_ip_recursive` allow you to configure the ngx_http_realip_module directives bearing the same name. [#2236](https://github.com/Kong/kong/pull/2236)
- Ability to hide Kong-specific response headers. Two new configuration fields: `server_tokens` and `latency_tokens` will respectively toggle whether the `Server` and `X-Kong-*-Latency` headers should be sent to downstream clients. [#2259](https://github.com/Kong/kong/pull/2259)
- New configuration property to tune handling request body data via the `client_max_body_size` and `client_body_buffer_size` directives (mirroring their Nginx counterparts). Note these settings are only defined for proxy requests; request body handling in the Admin API remains unchanged. [#2602](https://github.com/Kong/kong/pull/2602)
- New `error_default_type` configuration property. This setting is to specify a MIME type that will be used as the error response body format when Nginx encounters an error, but no `Accept` header was present in the request. The default value is `text/plain` for backwards compatibility. Thanks [@therealgambo](https://github.com/therealgambo) for the contribution! [#2500](https://github.com/Kong/kong/pull/2500)
- New `nginx_user` configuration property, which interfaces with the Nginx `user` directive.
  Thanks [@depay](https://github.com/depay) for the contribution! [#2180](https://github.com/Kong/kong/pull/2180)

##### CLI

- New `kong prepare` command to prepare the Kong running prefix (creating log files, SSL certificates, etc.) and allow for Kong to be started via the `nginx` binary. This is useful for environments like containers, where the foreground process should be the Nginx master process. The `kong compile` command has been deprecated as a result of this addition. [#2706](https://github.com/Kong/kong/pull/2706)

##### Admin API

- Ability to retrieve plugins added to a Consumer via two new endpoints: `/consumers/:username_or_id/plugins/` and `/consumers/:username_or_id/plugins/:plugin_id`. [#2714](https://github.com/Kong/kong/pull/2714)
- Support for JSON `null` in `PATCH` requests to unset a value on any entity. [#2700](https://github.com/Kong/kong/pull/2700)

##### Plugins

- jwt: Support for RS512 signed tokens. Thanks [@sarraz1](https://github.com/sarraz1) for the patch! [#2666](https://github.com/Kong/kong/pull/2666)
- rate-limiting/response-ratelimiting: Optionally hide informative response headers. [#2087](https://github.com/Kong/kong/pull/2087)
- aws-lambda: Define a custom response status when the upstream `X-Amz-Function-Error` header is "Unhandled". Thanks [@erran](https://github.com/erran) for the contribution! [#2587](https://github.com/Kong/kong/pull/2587)
- aws-lambda: Add new AWS regions that were previously unsupported. [#2769](https://github.com/Kong/kong/pull/2769)
- hmac: New option to validate the client-provided SHA-256 of the request body. Thanks [@vaibhavatul47](https://github.com/vaibhavatul47) for the contribution! [#2419](https://github.com/Kong/kong/pull/2419)
- hmac: Added support for `enforce_headers` option and added HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 support. [#2644](https://github.com/Kong/kong/pull/2644)
- statsd: New metrics and more flexible configuration.
  Support for prefixes, configurable stat type, and added metrics. [#2400](https://github.com/Kong/kong/pull/2400)
- datadog: New metrics and more flexible configuration. Support for prefixes, configurable stat type, and added metrics. [#2394](https://github.com/Kong/kong/pull/2394)

### Fixed

##### Core

- Kong now ensures that your clients' URIs are transparently proxied upstream. No percent-encoding/decoding or querystring stripping will occur anymore. [#2519](https://github.com/Kong/kong/pull/2519)
- Fix an issue where Kong would match an API with a shorter URI (from its `uris` value) as a prefix instead of a longer, matching prefix from another API. [#2662](https://github.com/Kong/kong/issues/2662)
- Fix an edge-case where an API with multiple `uris` and `strip_uri = true` would not always strip the client URI. [#2562](https://github.com/Kong/kong/issues/2562)
- HTTP `400` errors thrown by Nginx are now correctly caught by Kong and return a native, Kong-friendly response. [#2476](https://github.com/Kong/kong/pull/2476)

##### Configuration

- Octothorpes (`#`) can now be escaped (`\#`) and included in the Kong configuration values such as your datastore passwords or usernames. [#2411](https://github.com/Kong/kong/pull/2411)

##### Admin API

- The `data` response field of the `/upstreams/{upstream}/targets/active` Admin API endpoint now returns a list (`[]`) instead of an object (`{}`) when no active targets are present. [#2619](https://github.com/Kong/kong/pull/2619)

##### Plugins

- The `unique` constraint on OAuth2 `client_secrets` has been removed. [#2447](https://github.com/Kong/kong/pull/2447)
- The `unique` constraint on JWT Credentials `secrets` has been removed. [#2548](https://github.com/Kong/kong/pull/2548)
- oauth2: When requesting a token from `/oauth2/token`, one can now pass the `client_id` as a request body parameter, while `client_id:client_secret` is passed via the Authorization header.
  This allows for better integration with some OAuth2 flows proposed out there, such as from Cloudflare Apps. Thanks [@cedum](https://github.com/cedum) for the patch! [#2577](https://github.com/Kong/kong/pull/2577)
- datadog: Avoid a runtime error if the plugin is configured as a global plugin but the downstream request did not match any configured API. Thanks [@kjsteuer](https://github.com/kjsteuer) for the fix! [#2702](https://github.com/Kong/kong/pull/2702)
- Logging plugins: the produced logs `latencies.kong` field used to omit the time Kong spent in its Load Balancing logic, which includes DNS resolution time. This latency is now included in `latencies.kong`. [#2494](https://github.com/Kong/kong/pull/2494)

[Back to TOC](#table-of-contents)

## [0.10.3] - 2017/05/24

### Changed

- We noticed that some distribution packages were not building OpenResty against a JITable PCRE library. This happened on Ubuntu and RHEL environments where OpenResty was built against the system's PCRE installation. We now compile OpenResty against a JITable PCRE source for those platforms, which should result in significant performance improvements in regex matching. [Mashape/kong-distributions #9](https://github.com/Kong/kong-distributions/pull/9)
- TLS connections are now handled with a modern list of accepted ciphers, as per the Mozilla recommended TLS ciphers list. See https://wiki.mozilla.org/Security/Server_Side_TLS. This behavior is configurable via the newly introduced configuration properties described in the below "Added" section.
- Plugins:
  - rate-limiting: Performance improvements when using the `cluster` policy. The number of round trips to the database has been limited to the number of configured limits. [#2488](https://github.com/Kong/kong/pull/2488)

### Added

- New `ssl_cipher_suite` and `ssl_ciphers` configuration properties to configure the desired set of accepted ciphers, based on the Mozilla recommended TLS ciphers list.
  [#2555](https://github.com/Kong/kong/pull/2555)
- New `proxy_ssl_certificate` and `proxy_ssl_certificate_key` configuration properties. These properties configure the Nginx directives bearing the same name, to set client certificates to Kong when connecting to your upstream services. [#2556](https://github.com/Kong/kong/pull/2556)
- Proxy and Admin API access and error log paths are now configurable. Access logs can be entirely disabled if desired. [#2552](https://github.com/Kong/kong/pull/2552)
- Plugins:
  - Logging plugins: The produced logs include a new `tries` field, which includes the upstream connection successes and failures of the load-balancer. [#2429](https://github.com/Kong/kong/pull/2429)
  - key-auth: Credentials can now be sent in the request body. [#2493](https://github.com/Kong/kong/pull/2493)
  - cors: Origins can now be defined as regular expressions. [#2482](https://github.com/Kong/kong/pull/2482)

### Fixed

- APIs matching: prioritize APIs with longer `uris` when said APIs also define `hosts` and/or `methods` as well. Thanks [@leonzz](https://github.com/leonzz) for the patch. [#2523](https://github.com/Kong/kong/pull/2523)
- SSL connections to Cassandra can now properly verify the certificate in use (when `cassandra_ssl_verify` is enabled). [#2531](https://github.com/Kong/kong/pull/2531)
- The DNS resolver no longer sends A or AAAA DNS queries for SRV records. This should improve performance by avoiding unnecessary lookups. [#2563](https://github.com/Kong/kong/pull/2563) & [Mashape/lua-resty-dns-client #12](https://github.com/Kong/lua-resty-dns-client/pull/12)
- Plugins:
  - All authentication plugins don't throw an error anymore when invalid credentials are given and the `anonymous` user isn't configured. [#2508](https://github.com/Kong/kong/pull/2508)
  - rate-limiting: Effectively use the desired Redis database when the `redis` policy is in use and the `config.redis_database` property is set.
    [#2481](https://github.com/Kong/kong/pull/2481)
  - cors: The regression introduced in 0.10.1 regarding not sending the `*` wildcard when `conf.origin` was not specified has been fixed. [#2518](https://github.com/Kong/kong/pull/2518)
  - oauth2: properly check the client application ownership of a token before refreshing it. [#2461](https://github.com/Kong/kong/pull/2461)

[Back to TOC](#table-of-contents)

## [0.10.2] - 2017/05/01

### Changed

- The Kong DNS resolver now honors the `MAXNS` setting (3) when parsing the nameservers specified in `resolv.conf`. [#2290](https://github.com/Kong/kong/issues/2290)
- Kong now matches incoming requests via the `$request_uri` property, instead of `$uri`, in order to better handle percent-encoded URIs. A more detailed explanation will be included in the below "Fixed" section. [#2377](https://github.com/Kong/kong/pull/2377)
- Upstream calls do not unconditionally include a trailing `/` anymore. See the below "Added" section for more details. [#2315](https://github.com/Kong/kong/pull/2315)
- Admin API:
  - The "active targets" endpoint now only returns the most recent nonzero weight Targets, instead of all nonzero weight targets. This is to provide a better picture of the Targets currently in use by the Kong load balancer. [#2310](https://github.com/Kong/kong/pull/2310)

### Added

- :fireworks: Plugins can implement a new `rewrite` handler to execute code in the Nginx rewrite phase. This phase is executed prior to matching a registered Kong API, and prior to any authentication plugin. As such, only global plugins (neither tied to an API nor Consumer) will execute this phase. [#2354](https://github.com/Kong/kong/pull/2354)
- Ability for the client to choose whether the upstream request (Kong <-> upstream) should contain a trailing slash in its URI. Prior to this change, Kong 0.10 would unconditionally append a trailing slash to all upstream requests.
  The added functionality is described in [#2211](https://github.com/Kong/kong/issues/2211), and was implemented in [#2315](https://github.com/Kong/kong/pull/2315).
- Ability to hide Kong-specific response headers. Two new configuration fields: `server_tokens` and `latency_tokens` will respectively toggle whether the `Server` and `X-Kong-*-Latency` headers should be sent to downstream clients. [#2259](https://github.com/Kong/kong/pull/2259)
- New `cassandra_schema_consensus_timeout` configuration property, to allow for Kong to wait for the schema consensus of your Cassandra cluster during migrations. [#2326](https://github.com/Kong/kong/pull/2326)
- Serf commands executed by a running Kong node are now logged in the Nginx error logs with a `DEBUG` level. [#2410](https://github.com/Kong/kong/pull/2410)
- Ensure the required shared dictionaries are defined in the Nginx configuration. This will prevent custom Nginx templates from potentially resulting in a breaking upgrade for users. [#2466](https://github.com/Kong/kong/pull/2466)
- Admin API:
  - Target Objects can now be deleted with their ID as well as their name. The endpoint becomes: `/upstreams/:name_or_id/targets/:target_or_id`. [#2304](https://github.com/Kong/kong/pull/2304)
- Plugins:
  - :fireworks: **New Request termination plugin**. This plugin allows you to temporarily disable an API and return a pre-configured response status and body to your client. Useful for use-cases such as maintenance mode for your upstream services. Thanks to [@pauldaustin](https://github.com/pauldaustin) for the contribution. [#2051](https://github.com/Kong/kong/pull/2051)
  - Logging plugins: The produced logs include two new fields: a `consumer` field, which contains the properties of the authenticated Consumer (`id`, `custom_id`, and `username`), if any, and a `tries` field, which includes the upstream connection successes and failures of the load-balancer.
    [#2367](https://github.com/Kong/kong/pull/2367) [#2429](https://github.com/Kong/kong/pull/2429)
  - http-log: Now sets an upstream HTTP basic access authentication header if the configured `conf.http_endpoint` parameter includes an authentication section. Thanks [@amir](https://github.com/amir) for the contribution. [#2432](https://github.com/Kong/kong/pull/2432)
  - file-log: New `config.reopen` property to close and reopen the log file on every request, in order to effectively rotate the logs. [#2348](https://github.com/Kong/kong/pull/2348)
  - jwt: Returns `401 Unauthorized` on invalid claims instead of the previous `403 Forbidden` status. [#2433](https://github.com/Kong/kong/pull/2433)
  - key-auth: Allow setting API key header names with an underscore. [#2370](https://github.com/Kong/kong/pull/2370)
  - cors: When `config.credentials = true`, we do not send an ACAO header with value `*`. The ACAO header value will be that of the request's `Origin: ` header. [#2451](https://github.com/Kong/kong/pull/2451)

### Fixed

- Upstream connections over TLS now set their Client Hello SNI field. The SNI value is taken from the upstream `Host` header value, and thus also depends on the `preserve_host` setting of your API. Thanks [@konrade](https://github.com/konrade) for the original patch. [#2225](https://github.com/Kong/kong/pull/2225)
- Correctly match APIs with percent-encoded URIs in their `uris` property. Generally, this change also avoids normalizing (and thus, potentially altering) the request URI when trying to match an API's `uris` value. Instead of relying on the Nginx `$uri` variable, we now use `$request_uri`. [#2377](https://github.com/Kong/kong/pull/2377)
- Handle a routing edge-case under some conditions with the `uris` matching rule of APIs that would falsely lead Kong into believing no API was matched for what would actually be a valid request.
  [#2343](https://github.com/Kong/kong/pull/2343)
- If no API was configured with a `hosts` matching rule, then the `preserve_host` flag would never be honored. [#2344](https://github.com/Kong/kong/pull/2344)
- The `X-Forwarded-For` header sent to your upstream services by Kong is not set from the Nginx `$proxy_add_x_forwarded_for` variable anymore. Instead, Kong uses the `$realip_remote_addr` variable to append the real IP address of a client, instead of `$remote_addr`, which can come from a previous proxy hop. [#2236](https://github.com/Kong/kong/pull/2236)
- CNAME records are now properly being cached by the DNS resolver. This results in a performance improvement over previous 0.10 versions. [#2303](https://github.com/Kong/kong/pull/2303)
- When using Cassandra, some migrations would not be performed on the same coordinator as the one originally chosen. The same migrations would also require a response from other replicas in a cluster, but were not waiting for a schema consensus beforehand, causing non-deterministic failures in the migrations, especially if the cluster's inter-nodes communication is slow. [#2326](https://github.com/Kong/kong/pull/2326)
- The `cassandra_timeout` configuration property is now correctly taken into consideration by Kong. [#2326](https://github.com/Kong/kong/pull/2326)
- Correctly trigger plugins configured on the anonymous Consumer for anonymous requests (from auth plugins with the new `config.anonymous` parameter). [#2424](https://github.com/Kong/kong/pull/2424)
- When multiple auth plugins were configured with the recent `config.anonymous` parameter for "OR" authentication, such plugins would override each other's results and response headers, causing false negatives. [#2222](https://github.com/Kong/kong/pull/2222)
- Ensure the `cassandra_contact_points` property does not contain any port information. Those should be specified in `cassandra_port`. Thanks [@Vermeille](https://github.com/Vermeille) for the contribution.
  [#2263](https://github.com/Kong/kong/pull/2263)
- Prevent an upstream or legitimate internal error in the load balancing code from throwing a Lua-land error as well. [#2327](https://github.com/Kong/kong/pull/2327)
- Allow backwards compatibility with custom Nginx configurations that still define the `resolver ${{DNS_RESOLVER}}` directive. Values from the Kong `dns_resolver` property will be flattened to a string and appended to the directive. [#2386](https://github.com/Kong/kong/pull/2386)
- Plugins:
  - hmac: Better handling of invalid base64-encoded signatures. Previously Kong would return an HTTP 500 error. We now properly return HTTP 403 Forbidden. [#2283](https://github.com/Kong/kong/pull/2283)
- Admin API:
  - Detect conflicts between SNI Objects in the `/snis` and `/certificates` endpoint. [#2285](https://github.com/Kong/kong/pull/2285)
  - The `/certificates` route used to not return the `total` and `data` JSON fields. We now send those fields back instead of a root list of certificate objects. [#2463](https://github.com/Kong/kong/pull/2463)
  - Endpoints with path parameters like `/xxx_or_id` will now also yield the proper result if the `xxx` field is formatted as a UUID. Most notably, this fixes a problem for Consumers whose `username` is a UUID, that could not be found when requesting `/consumers/{username_as_uuid}`. [#2420](https://github.com/Kong/kong/pull/2420)
  - The "active targets" endpoint does not require a trailing slash anymore. [#2307](https://github.com/Kong/kong/pull/2307)
  - Upstream Objects can now be deleted properly when using Cassandra. [#2404](https://github.com/Kong/kong/pull/2404)

[Back to TOC](#table-of-contents)

## [0.10.1] - 2017/03/27

### Changed

- :warning: Serf has been downgraded to version 0.7 in our distributions, although versions up to 0.8.1 are still supported. This fixes a problem when automatically detecting the first non-loopback private IP address, which was defaulted to `127.0.0.1` in Kong 0.10.0.
  Greater versions of Serf can still be used, but the IP address needs to be manually specified in the `cluster_advertise` configuration property.
- :warning: The [CORS Plugin](https://getkong.org/plugins/cors/) parameter `config.origin` is now `config.origins`. [#2203](https://github.com/Kong/kong/pull/2203)

  :red_circle: **Post-release note (as of 2017/05/12)**: A faulty behavior has been observed with this change. Previously, the plugin would send the `*` wildcard when `config.origin` was not specified. With this change, the plugin **does not** send the `*` wildcard by default anymore. You will need to specify it manually when configuring the plugin, with `config.origins=*`. This behavior is to be fixed in a future release.

  :white_check_mark: **Update (2017/05/24)**: A fix to this regression has been released as part of 0.10.3. See the section of the Changelog related to this release for more details.
- Admin API:
  - Disable support for TLS/1.0. [#2212](https://github.com/Kong/kong/pull/2212)

### Added

- Admin API:
  - Active targets can be pulled with `GET /upstreams/{name}/targets/active`. [#2230](https://github.com/Kong/kong/pull/2230)
  - Provide a convenience endpoint to disable targets at: `DELETE /upstreams/{name}/targets/{target}`. Under the hood, this creates a new target with `weight = 0` (the correct way of disabling targets, which used to cause confusion). [#2256](https://github.com/Kong/kong/pull/2256)
- Plugins:
  - cors: Support for configuring multiple Origin domains. [#2203](https://github.com/Kong/kong/pull/2203)

### Fixed

- Use an LRU cache for Lua-land entities caching to avoid exhausting the Lua VM memory in long-running instances. [#2246](https://github.com/Kong/kong/pull/2246)
- Avoid potential deadlocks upon callback errors in the caching module for database entities. [#2197](https://github.com/Kong/kong/pull/2197)
- Relax multipart MIME type parsing. A space is allowed in between values of the Content-Type header.
  [#2215](https://github.com/Kong/kong/pull/2215)
- Admin API:
  - Better handling of non-supported HTTP methods on endpoints of the Admin API. In some cases this used to throw an internal error. Calling any endpoint with a non-supported HTTP method now always returns `405 Method Not Allowed` as expected. [#2213](https://github.com/Kong/kong/pull/2213)
- CLI:
  - Better error handling when missing Serf executable. [#2218](https://github.com/Kong/kong/pull/2218)
  - Fix a bug in the `kong migrations` command that would prevent it from running correctly. [#2238](https://github.com/Kong/kong/pull/2238)
  - Trim list values specified in the configuration file. [#2206](https://github.com/Kong/kong/pull/2206)
  - Align the default configuration file's values to the actual, hard-coded default values to avoid confusion. [#2254](https://github.com/Kong/kong/issues/2254)
- Plugins:
  - hmac: Generate an HMAC secret value if none is provided. [#2158](https://github.com/Kong/kong/pull/2158)
  - oauth2: Don't try to remove credential values from request bodies if the MIME type is multipart, since such attempts would result in an error. [#2176](https://github.com/Kong/kong/pull/2176)
  - ldap: This plugin should not be applied to a single Consumer, however, this was not properly enforced. It is now impossible to apply this plugin to a single Consumer (as per all authentication plugins). [#2237](https://github.com/Kong/kong/pull/2237)
  - aws-lambda: Support for `us-west-2` region in schema. [#2257](https://github.com/Kong/kong/pull/2257)

[Back to TOC](#table-of-contents)

## [0.10.0] - 2017/03/07

Kong 0.10 is one of the most significant releases to this day. It ships with exciting new features that have been heavily requested for the last few months, such as load balancing, Cassandra 3.0 compatibility, Websockets support, internal DNS resolution (A and SRV records without Dnsmasq), and more flexible matching capabilities for APIs routing.
On top of those new features, this release received particular attention to performance, and brings many improvements and refactors that should make it perform significantly better than any previous version.

### Changed

- :warning: API Objects (as configured via the Admin API) do **not** support the `request_host` and `request_uri` fields anymore. The 0.10 migrations should upgrade your current API Objects, but make sure to read the new [0.10 Proxy Guide](https://getkong.org/docs/0.10.x/proxy) to learn the new routing capabilities of Kong. On the good side, this means that Kong can now route incoming requests according to a combination of Host headers, URIs, and HTTP methods.
- :warning: Final slashes in `upstream_url` are no longer allowed. [#2115](https://github.com/Kong/kong/pull/2115)
- :warning: The SSL plugin has been removed and dynamic SSL capabilities have been added to Kong core, and are configurable via new properties on the API entity. See the related PR for a detailed explanation of this change. [#1970](https://github.com/Kong/kong/pull/1970)
- :warning: Drop the Dnsmasq dependency. We now internally resolve both A and SRV DNS records. [#1587](https://github.com/Kong/kong/pull/1587)
- :warning: Dropping support for insecure `TLS/1.0` and defaulting `Upgrade` responses to `TLS/1.2`. [#2119](https://github.com/Kong/kong/pull/2119)
- Bump the compatible OpenResty version to `1.11.2.1` and `1.11.2.2`. Support for OpenResty `1.11.2.2` requires the `--without-luajit-lua52` compilation flag.
- Separate Admin API and Proxy error logs. Admin API logs are now written to `logs/admin_access.log`. [#1782](https://github.com/Kong/kong/pull/1782)
- Auto-generates stronger SHA-256 with RSA encryption SSL certificates. [#2117](https://github.com/Kong/kong/pull/2117)

### Added

- :fireworks: Support for Cassandra 3.x. [#1709](https://github.com/Kong/kong/pull/1709)
- :fireworks: SRV records resolution.
  [#1587](https://github.com/Kong/kong/pull/1587)
- :fireworks: Load balancing. When an A or SRV record resolves to multiple entries, Kong now rotates those upstream targets with a Round-Robin algorithm. This is a first step towards implementing more load balancing algorithms. Another way to specify multiple upstream targets is to use the newly introduced `/upstreams` and `/targets` entities of the Admin API. [#1587](https://github.com/Kong/kong/pull/1587) [#1735](https://github.com/Kong/kong/pull/1735)
- :fireworks: Multiple hosts and paths per API. Kong can now route incoming requests to your services based on a combination of Host headers, URIs and HTTP methods. See the related PR for a detailed explanation of the new properties and capabilities of the new router. [#1970](https://github.com/Kong/kong/pull/1970)
- :fireworks: Maintain upstream connection pools which should greatly improve performance, especially for HTTPS upstream connections. We now use HTTP/1.1 for upstream connections as well as an nginx `upstream` block with a configurable `keepalive` directive, thanks to the new `nginx_keepalive` configuration property. [#1587](https://github.com/Kong/kong/pull/1587) [#1827](https://github.com/Kong/kong/pull/1827)
- :fireworks: Websockets support. Kong can now upgrade client connections to use the `ws` protocol when `Upgrade: websocket` is present. [#1827](https://github.com/Kong/kong/pull/1827)
- Use an in-memory caching strategy for database entities in order to reduce CPU load during requests proxying. [#1688](https://github.com/Kong/kong/pull/1688)
- Provide negative-caching for missed database entities. This should improve performance in some cases. [#1914](https://github.com/Kong/kong/pull/1914)
- Support for serving the Admin API over SSL. This introduces new properties in the configuration file: `admin_listen_ssl`, `admin_ssl`, `admin_ssl_cert` and `admin_ssl_cert_key`.
  [#1706](https://github.com/Kong/kong/pull/1706)
- Support for upstream connection timeouts. APIs now have 3 new fields: `upstream_connect_timeout`, `upstream_send_timeout`, `upstream_read_timeout` to specify, in milliseconds, a timeout value for requests between Kong and your APIs. [#2036](https://github.com/Kong/kong/pull/2036)
- Support for clustering key rotation in the underlying Serf process:
  - new `cluster_keyring_file` property in the configuration file.
  - new `kong cluster keys ..` CLI commands that expose the underlying `serf keys ..` commands. [#2069](https://github.com/Kong/kong/pull/2069)
- Support for `lua_socket_pool_size` property in configuration file. [#2109](https://github.com/Kong/kong/pull/2109)
- Plugins:
  - :fireworks: **New AWS Lambda plugin**. Thanks Tim Erickson for his collaboration on this new addition. [#1777](https://github.com/Kong/kong/pull/1777) [#1190](https://github.com/Kong/kong/pull/1190)
  - Anonymous authentication for auth plugins. When such plugins receive the `config.anonymous=` property, even non-authenticated requests will be proxied by Kong, with the traditional Consumer headers set to the designated anonymous consumer, but also with a `X-Anonymous-Consumer` header. Multiple auth plugins will work in a logical `OR` fashion. [#1666](https://github.com/Kong/kong/pull/1666) and [#2035](https://github.com/Kong/kong/pull/2035)
  - request-transformer: Ability to change the HTTP method of the upstream request. [#1635](https://github.com/Kong/kong/pull/1635)
  - jwt: Support for ES256 signatures. [#1920](https://github.com/Kong/kong/pull/1920)
  - rate-limiting: Ability to select the Redis database to use via the new `config.redis_database` plugin property. [#1941](https://github.com/Kong/kong/pull/1941)

### Fixed

- Looking for Serf in known installation paths. [#1997](https://github.com/Kong/kong/pull/1997)
- Including port in upstream `Host` header.
  [#2045](https://github.com/Kong/kong/pull/2045)
- Clarify the purpose of the `cluster_listen_rpc` property in the configuration file. Thanks Jeremy Monin for the patch. [#1860](https://github.com/Kong/kong/pull/1860)
- Admin API:
  - Properly return JSON responses (instead of HTML) on HTTP 409 Conflict when adding Plugins. [#2014](https://github.com/Kong/kong/issues/2014)
- CLI:
  - Avoid double-prefixing migration error messages with the database name (PostgreSQL/Cassandra).
- Plugins:
  - Fix fault tolerance logic and error reporting in rate-limiting plugins.
  - CORS: Properly return `Access-Control-Allow-Credentials: false` if `Access-Control-Allow-Origin: *`. [#2104](https://github.com/Kong/kong/pull/2104)
  - key-auth: enforce `key_names` to be proper header names according to Nginx. [#2142](https://github.com/Kong/kong/pull/2142)

[Back to TOC](#table-of-contents)

## [0.9.9] - 2017/02/02

### Fixed

- Correctly put Cassandra sockets into the Nginx connection pool for later reuse. This greatly improves the performance for rate-limiting and response-ratelimiting plugins. [f8f5306](https://github.com/Kong/kong/commit/f8f53061207de625a29bbe5d80f1807da468a1bc)
- Correct length of a year in seconds for rate-limiting and response-ratelimiting plugins. A year was wrongly assumed to only be 360 days long. [e4fdb2a](https://github.com/Kong/kong/commit/e4fdb2a3af4a5f2bf298c7b6488d88e67288c98b)
- Prevent misinterpretation of the `%` character in proxied URLs encoding. Thanks Thomas Jouannic for the patch. [#1998](https://github.com/Kong/kong/pull/1998) [#2040](https://github.com/Kong/kong/pull/2040)

[Back to TOC](#table-of-contents)

## [0.9.8] - 2017/01/19

### Fixed

- Properly set the admin IP in the Serf script.

### Changed

- Provide negative-caching for missed database entities. This should improve performance in some cases. [#1914](https://github.com/Kong/kong/pull/1914)

### Fixed

- Plugins:
  - Fix fault tolerance logic and error reporting in rate-limiting plugins.

[Back to TOC](#table-of-contents)

## [0.9.7] - 2016/12/21

### Fixed

- Fixed a performance issue in Cassandra by removing an old workaround that was forcing Cassandra to use LuaSocket instead of cosockets. [#1916](https://github.com/Kong/kong/pull/1916)
- Fixed an issue that was causing a recursive attempt to stop Kong's services when an error was occurring. [#1877](https://github.com/Kong/kong/pull/1877)
- Custom plugins are now properly loaded again. [#1910](https://github.com/Kong/kong/pull/1910)
- Plugins:
  - Galileo: properly encode empty arrays. [#1909](https://github.com/Kong/kong/pull/1909)
  - OAuth 2: implements a missing Postgres migration for `redirect_uri` in every OAuth 2 credential. [#1911](https://github.com/Kong/kong/pull/1911)
  - OAuth 2: safely parse the request body even when no data has been sent. [#1915](https://github.com/Kong/kong/pull/1915)

[Back to TOC](#table-of-contents)

## [0.9.6] - 2016/11/29

### Fixed

- Resolve support for PostgreSQL SSL connections. [#1720](https://github.com/Kong/kong/issues/1720)
- Ensure `kong start` honors the `--conf` flag if a config file already exists at one of the default locations (`/etc/kong.conf`, `/etc/kong/kong.conf`). [#1681](https://github.com/Kong/kong/pull/1681)
- Obfuscate sensitive properties from the `/` Admin API route which returns the current node's configuration. [#1650](https://github.com/Kong/kong/pull/1650)

[Back to TOC](#table-of-contents)

## [0.9.5] - 2016/11/07

### Changed

- Dropping support for OpenResty 1.9.15.1 in favor of 1.11.2.1 [#1797](https://github.com/Kong/kong/pull/1797)

### Fixed

- Fixed an error (introduced in 0.9.4) in the auto-clustering event

[Back to TOC](#table-of-contents)

## [0.9.4] - 2016/11/02

### Fixed

- Fixed the random string generator that was causing some problems, especially in Serf for clustering. [#1754](https://github.com/Kong/kong/pull/1754)
- Seed random number generator in CLI.
  [#1641](https://github.com/Kong/kong/pull/1641)
- Reducing log noise in the Admin API. [#1781](https://github.com/Kong/kong/pull/1781)
- Fixed the reports lock implementation that was generating a periodic error message. [#1783](https://github.com/Kong/kong/pull/1783)

[Back to TOC](#table-of-contents)

## [0.9.3] - 2016/10/07

### Added

- Added support for Serf 0.8. [#1693](https://github.com/Kong/kong/pull/1693)

### Fixed

- Properly invalidate global plugins. [#1723](https://github.com/Kong/kong/pull/1723)

[Back to TOC](#table-of-contents)

## [0.9.2] - 2016/09/20

### Fixed

- Correctly report migrations errors. This was caused by an error being thrown from the error handler, and superseding the actual error. [#1605](https://github.com/Kong/kong/pull/1605)
- Prevent Kong from silently failing to start. This would be caused by an erroneous error handler. [28f5d10](https://github.com/Kong/kong/commit/28f5d10)
- Only report a random number generator seeding error when it is not already seeded. [#1613](https://github.com/Kong/kong/pull/1613)
- Reduce intra-cluster noise by not propagating keepalive requests events. [#1660](https://github.com/Kong/kong/pull/1660)
- Admin API:
  - Obfuscates sensitive configuration settings from the `/` route. [#1650](https://github.com/Kong/kong/pull/1650)
- CLI:
  - Prevent a failed `kong start` from stopping an already running Kong node. [#1645](https://github.com/Kong/kong/pull/1645)
  - Remove unset configuration placeholders from the nginx configuration template. This would occur when no Internet connection would be available and would cause Kong to compile an erroneous nginx config. [#1606](https://github.com/Kong/kong/pull/1606)
  - Properly count the number of executed migrations. [#1649](https://github.com/Kong/kong/pull/1649)
- Plugins:
  - OAuth2: remove the "Kong" mentions in missing `provision_key` error messages. [#1633](https://github.com/Kong/kong/pull/1633)
  - OAuth2: allow to correctly delete applications when using Cassandra.
[#1659](https://github.com/Kong/kong/pull/1659) - galileo: provide a default `bodySize` value when `log_bodies=true` but the current request/response has no body. [#1657](https://github.com/Kong/kong/pull/1657) [Back to TOC](#table-of-contents) ## [0.9.1] - 2016/09/02 ### Added - Plugins: - ACL: allow to retrieve/update/delete an ACL by group name. [#1544](https://github.com/Kong/kong/pull/1544) - Basic Authentication: allow to retrieve/update/delete a credential by `username`. [#1570](https://github.com/Kong/kong/pull/1570) - HMAC Authentication: allow to retrieve/update/delete a credential by `username`. [#1570](https://github.com/Kong/kong/pull/1570) - JWT Authentication: allow to retrieve/update/delete a credential by `key`. [#1570](https://github.com/Kong/kong/pull/1570) - Key Authentication: allow to retrieve/update/delete a credential by `key`. [#1570](https://github.com/Kong/kong/pull/1570) - OAuth2 Authentication: allow to retrieve/update/delete a credential by `client_id` and tokens by `access_token`. [#1570](https://github.com/Kong/kong/pull/1570) ### Fixed - Correctly parse configuration file settings containing comments. [#1569](https://github.com/Kong/kong/pull/1569) - Prevent third-party Lua modules (and plugins) to override the seed for random number generation. This prevents the creation of conflicting UUIDs. [#1558](https://github.com/Kong/kong/pull/1558) - Use [pgmoon-mashape](https://github.com/Kong/pgmoon) `2.0.0` which properly namespaces our fork, avoiding conflicts with other versions of pgmoon, such as the one installed by Lapis. [#1582](https://github.com/Kong/kong/pull/1582) - Avoid exposing OpenResty's information on HTTP `4xx` errors. [#1567](https://github.com/Kong/kong/pull/1567) - ulimit with `unlimited` value is now properly handled. [#1545](https://github.com/Kong/kong/pull/1545) - CLI: - Stop third-party services (Dnsmasq/Serf) when Kong could not start. 
[#1588](https://github.com/Kong/kong/pull/1588) - Prefix database migration errors (such as Postgres' `connection refused`) with the database name (`postgres`/`cassandra`) to avoid confusions. [#1583](https://github.com/Kong/kong/pull/1583) - Plugins: - galileo: Use `Content-Length` header to get request/response body size when `log_bodies` is disabled. [#1584](https://github.com/Kong/kong/pull/1584) - Admin API: - Revert the `/plugins/enabled` endpoint's response to be a JSON array, and not an Object. [#1529](https://github.com/Kong/kong/pull/1529) [Back to TOC](#table-of-contents) ## [0.9.0] - 2016/08/18 The main focus of this release is Kong's new CLI. With a simpler configuration file, new settings, environment variables support, new commands as well as a new interpreter, the new CLI gives more power and flexibility to Kong users and allow for an easier integration in your deployment workflow, as well as better testing for developers and plugins authors. Additionally, some new plugins and performance improvements are included as well as the regular bug fixes. ### Changed - :warning: PostgreSQL is the new default datastore for Kong. If you were using Cassandra and you are upgrading, you need to explicitly set `cassandra` as your `database`. - :warning: New CLI, with new commands and refined arguments. This new CLI uses the `resty-cli` interpreter (see [lua-resty-cli](https://github.com/openresty/resty-cli)) instead of LuaJIT. As a result, the `resty` executable must be available in your `$PATH` (resty-cli is shipped in the OpenResty bundle) as well as the `bin/kong` executable. Kong does not rely on Luarocks installing the `bin/kong` executable anymore. This change of behavior is taken care of if you are using one of the official Kong packages. - :warning: Kong uses a new configuration file, with an easier syntax than the previous YAML file. - New arguments for the CLI, such as verbose, debug and tracing flags. 
We also avoid requiring the configuration file as an argument to each command as per the previous CLI. - Customization of the Nginx configuration can now be taken care of using two different approaches: with a custom Nginx configuration template and using `kong start --template `, or by using `kong compile` to generate the Kong Nginx sub-configuration, and `include` it in a custom Nginx instance. - Plugins: - Rate Limiting: the `continue_on_error` property is now called `fault_tolerant`. - Response Rate Limiting: the `continue_on_error` property is now called `fault_tolerant`. ### Added - :fireworks: Support for overriding configuration settings with environment variables. - :fireworks: Support for SSL connections between Kong and PostgreSQL. [#1425](https://github.com/Kong/kong/pull/1425) - :fireworks: Ability to apply plugins with more granularity: per-consumer, and global plugins are now possible. [#1403](https://github.com/Kong/kong/pull/1403) - New `kong check` command: validates a Kong configuration file. - Better version check for third-party dependencies (OpenResty, Serf, Dnsmasq). [#1307](https://github.com/Kong/kong/pull/1307) - Ability to configure the validation depth of database SSL certificates from the configuration file. [#1420](https://github.com/Kong/kong/pull/1420) - `request_host`: internationalized url support; utf-8 domain names through punycode support and paths through %-encoding. [#1300](https://github.com/Kong/kong/issues/1300) - Implements caching locks when fetching database configuration (APIs, Plugins...) to avoid dog pile effect on cold nodes. [#1402](https://github.com/Kong/kong/pull/1402) - Plugins: - :fireworks: **New bot-detection plugin**: protect your APIs by detecting and rejecting common bots and crawlers. [#1413](https://github.com/Kong/kong/pull/1413) - correlation-id: new "tracker" generator, identifying requests per worker and connection. 
[#1288](https://github.com/Kong/kong/pull/1288) - request/response-transformer: ability to add strings including colon characters. [#1353](https://github.com/Kong/kong/pull/1353) - rate-limiting: support for new rate-limiting policies (`cluster`, `local` and `redis`), and for a new `limit_by` property to force rate-limiting by `consumer`, `credential` or `ip`. - response-rate-limiting: support for new rate-limiting policies (`cluster`, `local` and `redis`), and for a new `limit_by` property to force rate-limiting by `consumer`, `credential` or `ip`. - galileo: performance improvements of ALF serialization. ALFs are not discarded when exceeding 20MBs anymore. [#1463](https://github.com/Kong/kong/issues/1463) - statsd: new `upstream_stream` latency metric. [#1466](https://github.com/Kong/kong/pull/1466) - datadog: new `upstream_stream` latency metric and tagging support for each metric. [#1473](https://github.com/Kong/kong/pull/1473) ### Removed - We now use [lua-resty-jit-uuid](https://github.com/thibaultCha/lua-resty-jit-uuid) for UUID generation, which is a pure Lua implementation of [RFC 4122](https://www.ietf.org/rfc/rfc4122.txt). As a result, libuuid is not a dependency of Kong anymore. ### Fixed - Sensitive configuration settings are not printed to stdout anymore. [#1256](https://github.com/Kong/kong/issues/1256) - Fixed bug that caused nodes to remove themselves from the database when they attempted to join the cluster. [#1437](https://github.com/Kong/kong/pull/1437) - Plugins: - request-size-limiting: use proper constant for MB units while setting the size limit. [#1416](https://github.com/Kong/kong/pull/1416) - OAuth2: security and config validation fixes. [#1409](https://github.com/Kong/kong/pull/1409) [#1112](https://github.com/Kong/kong/pull/1112) - request/response-transformer: better validation of fields provided without a value. [#1399](https://github.com/Kong/kong/pull/1399) - JWT: handle some edge-cases that could result in HTTP 500 errors. 
[#1362](https://github.com/Kong/kong/pull/1362) > **internal** > - new test suite using resty-cli and removing the need to monkey-patch the `ngx` global. > - custom assertions and new helper methods (`wait_until()`) to gracefully fail in case of timeout. > - increase atomicity of the testing environment. > - lighter testing instance, only running 1 worker and not using Dnsmasq by default. [Back to TOC](#table-of-contents) ## [0.8.3] - 2016/06/01 This release includes some bugfixes: ### Changed - Switched the log level of the "No nodes found in cluster" warning to `INFO`, that was printed when starting up the first Kong node in a new cluster. - Kong now requires OpenResty `1.9.7.5`. ### Fixed - New nodes are now properly registered into the `nodes` table when running on the same machine. [#1281](https://github.com/Kong/kong/pull/1281) - Fixed a failed error parsing on Postgres. [#1269](https://github.com/Kong/kong/pull/1269) - Plugins: - Response Transformer: Slashes are now encoded properly, and fixed a bug that hung the execution of the plugin. [#1257](https://github.com/Kong/kong/pull/1257) and [#1263](https://github.com/Kong/kong/pull/1263) - JWT: If a value for `algorithm` is missing, it's now `HS256` by default. This problem occurred when migrating from older versions of Kong. - OAuth 2.0: Fixed a Postgres problem that was preventing an application from being created, and fixed a check on the `redirect_uri` field. [#1264](https://github.com/Kong/kong/pull/1264) and [#1267](https://github.com/Kong/kong/issues/1267) [Back to TOC](#table-of-contents) ## [0.8.2] - 2016/05/25 This release includes bugfixes and minor updates: ### Added - Support for a simple slash in `request_path`. [#1227](https://github.com/Kong/kong/pull/1227) - Plugins: - Response Rate Limiting: it now appends usage headers to the upstream requests in the form of `X-Ratelimit-Remaining-{limit_name}` and introduces a new `config.block_on_first_violation` property.
[#1235](https://github.com/Kong/kong/pull/1235) #### Changed - Plugins: - **Mashape Analytics: The plugin is now called "Galileo", and added support for Galileo v3. [#1159](https://github.com/Kong/kong/pull/1159)** #### Fixed - Postgres now relies on the `search_path` configured on the database and its default value `$user, public`. [#1196](https://github.com/Kong/kong/issues/1196) - Kong now properly encodes an empty querystring parameter like `?param=` when proxying the request. [#1210](https://github.com/Kong/kong/pull/1210) - The configuration now checks that `cluster.ttl_on_failure` is at least 60 seconds. [#1199](https://github.com/Kong/kong/pull/1199) - Plugins: - Loggly: Fixed an issue that was triggering 400 and 500 errors. [#1184](https://github.com/Kong/kong/pull/1184) - JWT: The `TYP` value in the header is not optional and case-insensitive. [#1192](https://github.com/Kong/kong/pull/1192) - Request Transformer: Fixed a bug when transforming request headers. [#1202](https://github.com/Kong/kong/pull/1202) - OAuth 2.0: Multiple redirect URIs are now supported. [#1112](https://github.com/Kong/kong/pull/1112) - IP Restriction: Fixed an issue that prevented the plugin from working properly when added on an API. [#1245](https://github.com/Kong/kong/pull/1245) - CORS: Fixed an issue when `config.preflight_continue` was enabled. [#1240](https://github.com/Kong/kong/pull/1240) [Back to TOC](#table-of-contents) ## [0.8.1] - 2016/04/27 This release includes some fixes and minor updates: ### Added - Adds `X-Forwarded-Host` and `X-Forwarded-Prefix` to the upstream request headers. [#1180](https://github.com/Kong/kong/pull/1180) - Plugins: - Datadog: Added two new metrics, `unique_users` and `request_per_user`, that log the consumer information. [#1179](https://github.com/Kong/kong/pull/1179) ### Fixed - Fixed a DAO bug that affected full entity updates. [#1163](https://github.com/Kong/kong/pull/1163) - Fixed a bug when setting the authentication provider in Cassandra.
- Updated the Cassandra driver to v0.5.2. - Properly enforcing required fields in PUT requests. [#1177](https://github.com/Kong/kong/pull/1177) - Fixed a bug that prevented retrieving the hostname of the local machine on certain systems. [#1178](https://github.com/Kong/kong/pull/1178) [Back to TOC](#table-of-contents) ## [0.8.0] - 2016/04/18 This release includes support for PostgreSQL as Kong's primary datastore! ### Breaking changes - Remove support for the long deprecated `/consumers/:consumer/keyauth/` and `/consumers/:consumer/basicauth/` routes (deprecated in `0.5.0`). The new routes (available since `0.5.0` too) use the real name of the plugin: `/consumers/:consumer/key-auth` and `/consumers/:consumer/basic-auth`. ### Added - Support for PostgreSQL 9.4+ as Kong's primary datastore. [#331](https://github.com/Kong/kong/issues/331) [#1054](https://github.com/Kong/kong/issues/1054) - Configurable Cassandra reading/writing consistency. [#1026](https://github.com/Kong/kong/pull/1026) - Admin API: including pending and running timers count in the response to `/`. [#992](https://github.com/Kong/kong/pull/992) - Plugins - **New correlation-id plugin**: assign unique identifiers to the requests processed by Kong. Courtesy of [@opyate](https://github.com/opyate). [#1094](https://github.com/Kong/kong/pull/1094) - LDAP: add support for LDAP authentication. [#1133](https://github.com/Kong/kong/pull/1133) - StatsD: add support for StatsD logging. [#1142](https://github.com/Kong/kong/pull/1142) - JWT: add support for RS256 signed tokens thanks to [@kdstew](https://github.com/kdstew)! [#1053](https://github.com/Kong/kong/pull/1053) - ACL: appends `X-Consumer-Groups` to the request, so the upstream service can check what groups the consumer belongs to. [#1154](https://github.com/Kong/kong/pull/1154) - Galileo (mashape-analytics): increase batch sending timeout to 30s.
[#1091](https://github.com/Kong/kong/pull/1091) - Added `ttl_on_failure` option in the cluster configuration, to configure the TTL of failed nodes. [#1125](https://github.com/Kong/kong/pull/1125) ### Fixed - Introduce a new `port` option when connecting to your Cassandra cluster instead of using the CQL default (9042). [#1139](https://github.com/Kong/kong/issues/1139) - Plugins - Request/Response Transformer: add missing migrations for upgrades from ` <= 0.5.x`. [#1064](https://github.com/Kong/kong/issues/1064) - OAuth2 - Error responses comply to RFC 6749. [#1017](https://github.com/Kong/kong/issues/1017) - Handle multipart requests. [#1067](https://github.com/Kong/kong/issues/1067) - Make access_tokens correctly expire. [#1089](https://github.com/Kong/kong/issues/1089) > **internal** > - replace globals with singleton pattern thanks to [@mars](https://github.com/mars). > - fixed resolution mismatches when using deep paths in the path resolver. [Back to TOC](#table-of-contents) ## [0.7.0] - 2016/02/24 ### Breaking changes Due to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to `1.9.7.3` which is not backwards compatible, and thus requires changes to be made to the `nginx` property of Kong's configuration file. See the [0.7 upgrade path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-07x) for instructions. However by upgrading the underlying OpenResty version, source installations do not have to patch the NGINX core and use the old `ssl-cert-by-lua` branch of ngx_lua anymore. This will make source installations much easier. ### Added - Support for OpenResty `1.9.7.*`. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). [#906](https://github.com/Kong/kong/pull/906) - Plugins - **New Runscope plugin**: Monitor your APIs from Kong with Runscope. Courtesy of [@mansilladev](https://github.com/mansilladev). 
[#924](https://github.com/Kong/kong/pull/924) - Datadog: New `response.size` metric. [#923](https://github.com/Kong/kong/pull/923) - Rate-Limiting and Response Rate-Limiting - New `config.async` option to asynchronously increment counters to reduce latency at the cost of slightly reducing the accuracy. [#912](https://github.com/Kong/kong/pull/912) - New `config.continue_on_error` option to keep proxying requests in case the datastore is unreachable. rate-limiting operations will be disabled until the datastore is responsive again. [#953](https://github.com/Kong/kong/pull/953) - CLI - Perform a simple permission check on the NGINX working directory when starting, to prevent errors during execution. [#939](https://github.com/Kong/kong/pull/939) - Send 50x errors with the appropriate format. [#927](https://github.com/Kong/kong/pull/927) [#970](https://github.com/Kong/kong/pull/970) ### Fixed - Plugins - OAuth2 - Better handling of `redirect_uri` (prevent the use of fragments and correctly handle querystrings). Courtesy of [@PGBI](https://github.com/PGBI). [#930](https://github.com/Kong/kong/pull/930) - Add `PUT` support to the `/auth2_tokens` route. [#897](https://github.com/Kong/kong/pull/897) - Better error message when the `access_token` is missing. [#1003](https://github.com/Kong/kong/pull/1003) - IP restriction: Fix an issue that could arise when restarting Kong. Now Kong does not need to be restarted for the ip-restriction configuration to take effect. [#782](https://github.com/Kong/kong/pull/782) [#960](https://github.com/Kong/kong/pull/960) - ACL: Properly invalidating entities when assigning a new ACL group. [#996](https://github.com/Kong/kong/pull/996) - SSL: Replace shelled out openssl calls with native `ngx.ssl` conversion utilities, which preserve the certificate chain. [#968](https://github.com/Kong/kong/pull/968) - Avoid user warning on start when the user is not root. 
[#964](https://github.com/Kong/kong/pull/964) - Store Serf logs in NGINX working directory to prevent eventual permission issues. [#975](https://github.com/Kong/kong/pull/975) - Allow plugins configured on a Consumer *without* being configured on an API to run. [#978](https://github.com/Kong/kong/issues/978) [#980](https://github.com/Kong/kong/pull/980) - Fixed an edge-case where Kong nodes would not be registered in the `nodes` table. [#1008](https://github.com/Kong/kong/pull/1008) [Back to TOC](#table-of-contents) ## [0.6.1] - 2016/02/03 This release contains tiny bug fixes that were especially annoying for complex Cassandra setups and power users of the Admin API! ### Added - A `timeout` property for the Cassandra configuration. In ms, this timeout is effective as a connection and a reading timeout. [#937](https://github.com/Kong/kong/pull/937) ### Fixed - Correctly set the Cassandra SSL certificate in the Nginx configuration while starting Kong. [#921](https://github.com/Kong/kong/pull/921) - Rename the `user` Cassandra property to `username` (Kong looks for `username`, hence `user` would fail). [#922](https://github.com/Kong/kong/pull/922) - Allow Cassandra authentication with arbitrary plain text auth providers (such as Instaclustr uses), fixing authentication with them. [#937](https://github.com/Kong/kong/pull/937) - Admin API - Fix the `/plugins/:id` route for `PATCH` method. [#941](https://github.com/Kong/kong/pull/941) - Plugins - HTTP logging: remove the additional `\r\n` at the end of the logging request body. [#926](https://github.com/Kong/kong/pull/926) - Galileo: catch occasional internal errors happening when a request was cancelled by the client and fix missing shm for the retry policy. 
[#931](https://github.com/Kong/kong/pull/931) [Back to TOC](#table-of-contents) ## [0.6.0] - 2016/01/22 ### Breaking changes We recommend consulting the suggested [0.6 upgrade path](https://github.com/Kong/kong/blob/master/UPGRADE.md#upgrade-to-06x) for this release. - [Serf](https://www.serf.io/) is now a Kong dependency. It allows Kong nodes to communicate with each other, opening the way to many features and improvements. - The configuration file changed. Some properties were renamed, others were moved, and some are new. We would recommend checking out the new default configuration file. - Drop the Lua 5.1 dependency which was only used by the CLI. The CLI now runs with LuaJIT, which is consistent with other Kong components (Luarocks and OpenResty) already relying on LuaJIT. Make sure the LuaJIT interpreter is included in your `$PATH`. [#799](https://github.com/Kong/kong/pull/799) ### Added One of the biggest new features of this release is the cluster-awareness added to Kong in [#729](https://github.com/Kong/kong/pull/729), which deserves its own section: - Each Kong node is now aware of belonging to a cluster through Serf. Nodes automatically join the specified cluster according to the configuration file's settings. - The datastore cache is not invalidated by expiration time anymore, but following an invalidation strategy between the nodes of the same cluster, leading to improved performance. - Admin API - Expose a `/cache` endpoint for retrieving elements stored in the in-memory cache of a node. - Expose a `/cluster` endpoint used to add/remove/list members of the cluster, and also used internally for data propagation. - CLI - New `kong cluster` command for cluster management. - New `kong status` command for cluster healthcheck. Other additions include: - New Cassandra driver which makes Kong aware of the Cassandra cluster. Kong is now unaffected if one of your Cassandra nodes goes down as long as a replica is available on another node.
Load balancing policies also improve the performance along with many other smaller improvements. [#803](https://github.com/Kong/kong/pull/803) - Admin API - A new `total` field in API responses, that counts the total number of entities in the datastore. [#635](https://github.com/Kong/kong/pull/635) - Configuration - Possibility to configure the keyspace replication strategy for Cassandra. It will be taken into account by the migrations when the configured keyspace does not already exist. [#350](https://github.com/Kong/kong/issues/350) - Dnsmasq is now optional. You can specify a custom DNS resolver address that Kong will use when resolving hostnames. This can be configured in `kong.yml`. [#625](https://github.com/Kong/kong/pull/625) - Plugins - **New "syslog" plugin**: send logs to local system log. [#698](https://github.com/Kong/kong/pull/698) - **New "loggly" plugin**: send logs to Loggly over UDP. [#698](https://github.com/Kong/kong/pull/698) - **New "datadog" plugin**: send logs to Datadog server. [#758](https://github.com/Kong/kong/pull/758) - OAuth2 - Add support for `X-Forwarded-Proto` header. [#650](https://github.com/Kong/kong/pull/650) - Expose a new `/oauth2_tokens` endpoint with the possibility to retrieve, update or delete OAuth 2.0 access tokens. [#729](https://github.com/Kong/kong/pull/729) - JWT - Support for base64 encoded secrets. [#838](https://github.com/Kong/kong/pull/838) [#577](https://github.com/Kong/kong/issues/577) - Support to configure the claim in which the key is given into the token (not `iss` only anymore). [#838](https://github.com/Kong/kong/pull/838) - Request transformer - Support for more transformation options: `remove`, `replace`, `add`, `append` motivated by [#393](https://github.com/Kong/kong/pull/393). See [#824](https://github.com/Kong/kong/pull/824) - Support JSON body transformation. 
[#569](https://github.com/Kong/kong/issues/569) - Response transformer - Support for more transformation options: `remove`, `replace`, `add`, `append` motivated by [#393](https://github.com/Kong/kong/pull/393). See [#822](https://github.com/Kong/kong/pull/822) ### Changed - As mentioned in the breaking changes section, a new configuration file format and validation. All properties are now documented and commented out with their default values. This allows for a lighter configuration file and more clarity as to what properties relate to. It also catches configuration mistakes. [#633](https://github.com/Kong/kong/pull/633) - Replace the UUID generator library with a new implementation wrapping lib-uuid, fixing eventual conflicts happening in cases such as described in [#659](https://github.com/Kong/kong/pull/659). See [#695](https://github.com/Kong/kong/pull/695) - Admin API - Increase the maximum body size to 10MB in order to handle configuration requests with heavy payloads. [#700](https://github.com/Kong/kong/pull/700) - Disable access logs for the `/status` endpoint. - The `/status` endpoint now includes `database` statistics, while the previous stats have been moved to a `server` response field. [#635](https://github.com/Kong/kong/pull/635) ### Fixed - Behaviors described in [#603](https://github.com/Kong/kong/issues/603) related to the failure of Cassandra nodes thanks to the new driver. [#803](https://github.com/Kong/kong/issues/803) - Latency headers are now properly included in responses sent to the client. [#708](https://github.com/Kong/kong/pull/708) - `strip_request_path` does not add a trailing slash to the API's `upstream_url` anymore before proxying. [#675](https://github.com/Kong/kong/issues/675) - Do not URL decode querystring before proxying the request to the upstream service. 
[#749](https://github.com/Kong/kong/issues/749) - Handle cases when the request would be terminated prior to the Kong execution (that is, before ngx_lua reaches the `access_by_lua` context) in cases such as the use of a custom nginx module. [#594](https://github.com/Kong/kong/issues/594) - Admin API - The PUT method now correctly updates boolean fields (such as `strip_request_path`). [#765](https://github.com/Kong/kong/pull/765) - The PUT method now correctly resets a plugin configuration. [#720](https://github.com/Kong/kong/pull/720) - PATCH correctly sets previously unset fields. [#861](https://github.com/Kong/kong/pull/861) - In the responses, the `next` link is not being displayed anymore if there are no more entities to be returned. [#635](https://github.com/Kong/kong/pull/635) - Prevent the update of `created_at` fields. [#820](https://github.com/Kong/kong/pull/820) - Better `request_path` validation for APIs. "/" is not considered a valid path anymore. [#881](https://github.com/Kong/kong/pull/881) - Plugins - Galileo: ensure the `mimeType` value is always a string in ALFs. [#584](https://github.com/Kong/kong/issues/584) - JWT: allow updating JWT credentials using the PATCH method. It previously used to reply with `405 Method not allowed` because the PATCH method was not implemented. [#667](https://github.com/Kong/kong/pull/667) - Rate limiting: fix a warning when many periods are configured. [#681](https://github.com/Kong/kong/issues/681) - Basic Authentication: do not re-hash the password field when updating a credential. [#726](https://github.com/Kong/kong/issues/726) - File log: better permissions on file creation for the file-log plugin. [#877](https://github.com/Kong/kong/pull/877) - OAuth2 - Implement correct responses when the OAuth2 challenges are refused. [#737](https://github.com/Kong/kong/issues/737) - Handle querystring on `/authorize` and `/token` URLs.
[#687](https://github.com/Kong/kong/pull/667) - Handle punctuation in scopes on `/authorize` and `/token` endpoints. [#658](https://github.com/Kong/kong/issues/658) > ***internal*** > - Event bus for local and cluster-wide events propagation. The plan is for this event bus to be widely used across Kong in the future. > - The Kong Public Lua API (Lua helpers integrated in Kong such as DAO and Admin API helpers) is now documented with [ldoc](http://stevedonovan.github.io/ldoc/). > - Work has been done to restore the reliability of the CI platforms. > - Migrations can now execute DML queries (instead of DDL queries only). Handy for migrations implying plugin configuration changes, plugin renamings, etc. [#770](https://github.com/Kong/kong/pull/770) [Back to TOC](#table-of-contents) ## [0.5.4] - 2015/12/03 ### Fixed - Mashape Analytics plugin (renamed Galileo): - Improve stability under heavy load. [#757](https://github.com/Kong/kong/issues/757) - base64 encode ALF request/response bodies, enabling proper support for Galileo bodies inspection capabilities. [#747](https://github.com/Kong/kong/pull/747) - Do not include JSON bodies in ALF `postData.params` field. [#766](https://github.com/Kong/kong/pull/766) [Back to TOC](#table-of-contents) ## [0.5.3] - 2015/11/16 ### Fixed - Avoids additional URL encoding when proxying to an upstream service. [#691](https://github.com/Kong/kong/pull/691) - Potential timing comparison bug in HMAC plugin. [#704](https://github.com/Kong/kong/pull/704) ### Added - The Galileo plugin now supports arbitrary host, port and path values. [#721](https://github.com/Kong/kong/pull/721) [Back to TOC](#table-of-contents) ## [0.5.2] - 2015/10/21 A few fixes requested by the community! ### Fixed - Kong properly searches for `nginx` in your $PATH variable. - Plugins: - OAuth2: can detect that the originating protocol for a request was HTTPS through the `X-Forwarded-Proto` header and work behind another reverse proxy (load balancer).
[#650](https://github.com/Kong/kong/pull/650) - HMAC signature: support for `X-Date` header to sign the request for usage in browsers (since the `Date` header is protected). [#641](https://github.com/Kong/kong/issues/641) [Back to TOC](#table-of-contents) ## [0.5.1] - 2015/10/13 Fixing a few glitches we let out with 0.5.0! ### Added - Basic Authentication and HMAC Authentication plugins now also send the `X-Credential-Username` to the upstream server. - Admin API now accepts JSON when receiving a CORS request. [#580](https://github.com/Kong/kong/pull/580) - Add a `WWW-Authenticate` header for HTTP 401 responses for basic-auth and key-auth. [#588](https://github.com/Kong/kong/pull/588) ### Changed - Protect Kong from POODLE SSL attacks by omitting SSLv3 (CVE-2014-3566). [#563](https://github.com/Kong/kong/pull/563) - Remove support for key-auth key in body. [#566](https://github.com/Kong/kong/pull/566) ### Fixed - Plugins - HMAC - The migration for this plugin is now correctly being run. [#611](https://github.com/Kong/kong/pull/611) - Wrong username doesn't return HTTP 500 anymore, but 403. [#602](https://github.com/Kong/kong/pull/602) - JWT: `iss` not being found doesn't return HTTP 500 anymore, but 403. [#578](https://github.com/Kong/kong/pull/578) - OAuth2: client credentials flow does not include a refresh token anymore. [#562](https://github.com/Kong/kong/issues/562) - Fix an occasional error when updating a plugin without a config. [#571](https://github.com/Kong/kong/pull/571) [Back to TOC](#table-of-contents) ## [0.5.0] - 2015/09/25 With new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention. ### Breaking changes Several breaking changes are introduced. You will have to slightly change your configuration file and a migration script will take care of updating your database cluster.
**Please follow the instructions in [UPGRADE.md](/UPGRADE.md#update-to-kong-050) for an update without downtime.** - Many plugins were renamed due to new naming conventions for consistency. [#480](https://github.com/Kong/kong/issues/480) - In the configuration file, the Cassandra `hosts` property was renamed to `contact_points`. [#513](https://github.com/Kong/kong/issues/513) - Properties belonging to API entities have been renamed for clarity. [#513](https://github.com/Kong/kong/issues/513) - `public_dns` -> `request_host` - `path` -> `request_path` - `strip_path` -> `strip_request_path` - `target_url` -> `upstream_url` - `plugins_configurations` have been renamed to `plugins`, and their `value` property has been renamed to `config` to avoid confusion. [#513](https://github.com/Kong/kong/issues/513) - The database schema has been updated to handle the separation of plugins outside of the core repository. - The Key authentication and Basic authentication plugin routes have changed:

```
Old route                             New route
/consumers/:consumer/keyauth       -> /consumers/:consumer/key-auth
/consumers/:consumer/keyauth/:id   -> /consumers/:consumer/key-auth/:id
/consumers/:consumer/basicauth     -> /consumers/:consumer/basic-auth
/consumers/:consumer/basicauth/:id -> /consumers/:consumer/basic-auth/:id
```

The old routes are still maintained but will be removed in upcoming versions. Consider them **deprecated**. - Admin API - The route to retrieve enabled plugins is now under `/plugins/enabled`. - The route to retrieve a plugin's configuration schema is now under `/plugins/schema/{plugin name}`. #### Added - Plugins - **New Response Rate Limiting plugin**: Give a usage quota to your users based on a parameter in your response. [#247](https://github.com/Kong/kong/pull/247) - **New ACL (Access Control) plugin**: Configure authorizations for your Consumers. [#225](https://github.com/Kong/kong/issues/225) - **New JWT (JSON Web Token) plugin**: Verify and authenticate JWTs.
    [#519](https://github.com/Kong/kong/issues/519)
  - **New HMAC signature plugin**: Verify and authenticate HMAC signed HTTP requests. [#549](https://github.com/Kong/kong/pull/549)
- Plugins migrations. Each plugin can now have its own migration scripts if it needs to store data in your cluster. This is a step forward to improve Kong's pluggable architecture. [#443](https://github.com/Kong/kong/pull/443)
- Basic Authentication: the password field is now sha1 encrypted. [#33](https://github.com/Kong/kong/issues/33)
- Basic Authentication: now supports credentials in the `Proxy-Authorization` header. [#460](https://github.com/Kong/kong/issues/460)

#### Changed

- Basic Authentication and Key Authentication now require authentication parameters even when the `Expect: 100-continue` header is being sent. [#408](https://github.com/Kong/kong/issues/408)
- Key Auth plugin does not support passing the key in the request payload anymore. [#566](https://github.com/Kong/kong/pull/566)
- APIs' names cannot contain characters from the RFC 3986 reserved list. [#589](https://github.com/Kong/kong/pull/589)

#### Fixed

- Resolver
  - Making a request with a querystring will now correctly match an API's path. [#496](https://github.com/Kong/kong/pull/496)
- Admin API
  - Data associated to a given API/Consumer will correctly be deleted if related Consumer/API is deleted. [#107](https://github.com/Kong/kong/issues/107) [#438](https://github.com/Kong/kong/issues/438) [#504](https://github.com/Kong/kong/issues/504)
  - The `/api/{api_name_or_id}/plugins/{plugin_name_or_id}` changed to `/api/{api_name_or_id}/plugins/{plugin_id}` to avoid requesting the wrong plugin if two are configured for one API. [#482](https://github.com/Kong/kong/pull/482)
  - APIs created without a `name` but with a `request_path` will now have a name which defaults to the set `request_path`. [#547](https://github.com/Kong/kong/issues/547)
- Plugins
  - Mashape Analytics: More robust buffer and better error logging.
    [#471](https://github.com/Kong/kong/pull/471)
  - Mashape Analytics: Several ALF (API Log Format) serialization fixes. [#515](https://github.com/Kong/kong/pull/515)
  - Oauth2: A response is now returned on `http://kong:8001/consumers/{consumer}/oauth2/{oauth2_id}`. [#469](https://github.com/Kong/kong/issues/469)
  - Oauth2: Saving `authenticated_userid` on Password Grant. [#476](https://github.com/Kong/kong/pull/476)
  - Oauth2: Proper handling of the `/oauth2/authorize` and `/oauth2/token` endpoints in the OAuth 2.0 Plugin when an API with a `path` is being consumed using the `public_dns` instead. [#503](https://github.com/Kong/kong/issues/503)
  - OAuth2: Properly returning `X-Authenticated-UserId` in the `client_credentials` and `password` flows. [#535](https://github.com/Kong/kong/issues/535)
  - Response-Transformer: Properly handling JSON responses that have a charset specified in their `Content-Type` header.

[Back to TOC](#table-of-contents)

## [0.4.2] - 2015/08/10

#### Added

- Cassandra authentication and SSL encryption. [#405](https://github.com/Kong/kong/pull/405)
- `preserve_host` flag on APIs to preserve the Host header when a request is proxied. [#444](https://github.com/Kong/kong/issues/444)
- Added the Resource Owner Password Credentials Grant to the OAuth 2.0 Plugin. [#448](https://github.com/Kong/kong/issues/448)
- Auto-generation of default SSL certificate. [#453](https://github.com/Kong/kong/issues/453)

#### Changed

- Remove `cassandra.port` property in configuration. Ports are specified by having `cassandra.hosts` addresses using the `host:port` notation (RFC 3986). [#457](https://github.com/Kong/kong/pull/457)
- Default SSL certificate is now auto-generated and stored in the `nginx_working_dir`.
- OAuth 2.0 plugin now properly forces HTTPS.

#### Fixed

- Better handling of multi-nodes Cassandra clusters. [#450](https://github.com/Kong/kong/pull/405)
- mashape-analytics plugin: handling of numerical values in querystrings.
  [#449](https://github.com/Kong/kong/pull/405)
- Path resolver `strip_path` option wrongfully matching the `path` property multiple times in the request URI. [#442](https://github.com/Kong/kong/issues/442)
- File Log Plugin bug that prevented the file creation in some environments. [#461](https://github.com/Kong/kong/issues/461)
- Clean output of the Kong CLI. [#235](https://github.com/Kong/kong/issues/235)

[Back to TOC](#table-of-contents)

## [0.4.1] - 2015/07/23

#### Fixed

- Issues with the Mashape Analytics plugin. [#425](https://github.com/Kong/kong/pull/425)
- Handle hyphens when executing path routing with `strip_path` option enabled. [#431](https://github.com/Kong/kong/pull/431)
- Adding the Client Credentials OAuth 2.0 flow. [#430](https://github.com/Kong/kong/issues/430)
- A bug that prevented "dnsmasq" from being started on some systems, including Debian. [f7da790](https://github.com/Kong/kong/commit/f7da79057ce29c7d1f6d90f4bc160cc3d9c8611f)
- File Log plugin: optimizations by avoiding the buffered I/O layer. [20bb478](https://github.com/Kong/kong/commit/20bb478952846faefec6091905bd852db24a0289)

[Back to TOC](#table-of-contents)

## [0.4.0] - 2015/07/15

#### Added

- Implement wildcard subdomains for APIs' `public_dns`. [#381](https://github.com/Kong/kong/pull/381) [#297](https://github.com/Kong/kong/pull/297)
- Plugins
  - **New OAuth 2.0 plugin.** [#341](https://github.com/Kong/kong/pull/341) [#169](https://github.com/Kong/kong/pull/169)
  - **New Mashape Analytics plugin.** [#360](https://github.com/Kong/kong/pull/360) [#272](https://github.com/Kong/kong/pull/272)
  - **New IP restriction plugin.** [#379](https://github.com/Kong/kong/pull/379)
  - Ratelimiting: support for multiple limits. [#382](https://github.com/Kong/kong/pull/382) [#205](https://github.com/Kong/kong/pull/205)
  - HTTP logging: support for HTTPS endpoint. [#342](https://github.com/Kong/kong/issues/342)
  - Logging plugins: new properties for logs timing.
    [#351](https://github.com/Kong/kong/issues/351)
  - Key authentication: now auto-generates a key if none is specified. [#48](https://github.com/Kong/kong/pull/48)
- Resolver
  - `path` property now accepts arbitrary depth. [#310](https://github.com/Kong/kong/issues/310)
- Admin API
  - Enable CORS by default. [#371](https://github.com/Kong/kong/pull/371)
  - Expose a new endpoint to get a plugin configuration's schema. [#376](https://github.com/Kong/kong/pull/376) [#309](https://github.com/Kong/kong/pull/309)
  - Expose a new endpoint to retrieve a node's status. [417c137](https://github.com/Kong/kong/commit/417c1376c08d3562bebe0c0816c6b54df045f515)
- CLI
  - `$ kong migrations reset` now asks for confirmation. [#365](https://github.com/Kong/kong/pull/365)

#### Fixed

- Plugins
  - Basic authentication not being executed if added to an API with default configuration. [6d732cd](https://github.com/Kong/kong/commit/6d732cd8b0ec92ef328faa843215d8264f50fb75)
  - SSL plugin configuration parsing. [#353](https://github.com/Kong/kong/pull/353)
  - SSL plugin doesn't accept a `consumer_id` anymore, as this wouldn't make sense. [#372](https://github.com/Kong/kong/pull/372) [#322](https://github.com/Kong/kong/pull/322)
  - Authentication plugins now return `401` when missing credentials. [#375](https://github.com/Kong/kong/pull/375) [#354](https://github.com/Kong/kong/pull/354)
- Admin API
  - Non supported HTTP methods now return `405` instead of `500`. [38f1b7f](https://github.com/Kong/kong/commit/38f1b7fa9f45f60c4130ef5ff9fe2c850a2ba586)
  - Prevent PATCH requests from overriding a plugin's configuration if partially updated. [9a7388d](https://github.com/Kong/kong/commit/9a7388d695c9de105917cde23a684a7d6722a3ca)
- Handle occasionally missing `schema_migrations` table. [#365](https://github.com/Kong/kong/pull/365) [#250](https://github.com/Kong/kong/pull/250)

> **internal**
> - DAO:
>   - Complete refactor. No more need for hard-coded queries.
>     [#346](https://github.com/Kong/kong/pull/346)
> - Schemas:
>   - New `self_check` test for schema definitions. [5bfa7ca](https://github.com/Kong/kong/commit/5bfa7ca13561173161781f872244d1340e4152c1)

[Back to TOC](#table-of-contents)

## [0.3.2] - 2015/06/08

#### Fixed

- Uppercase Cassandra keyspace bug that prevented Kong from working with [kongdb.org](http://kongdb.org/)
- Multipart requests not properly parsed in the admin API. [#344](https://github.com/Kong/kong/issues/344)

[Back to TOC](#table-of-contents)

## [0.3.1] - 2015/06/07

#### Fixed

- Schema migrations are now automatic, which was missing from previous releases. [#303](https://github.com/Kong/kong/issues/303)

[Back to TOC](#table-of-contents)

## [0.3.0] - 2015/06/04

#### Added

- Support for SSL.
- Plugins
  - New HTTP logging plugin. [#226](https://github.com/Kong/kong/issues/226) [#251](https://github.com/Kong/kong/pull/251)
  - New SSL plugin.
  - New request size limiting plugin. [#292](https://github.com/Kong/kong/pull/292)
  - Default logging format improvements. [#226](https://github.com/Kong/kong/issues/226) [#262](https://github.com/Kong/kong/issues/262)
  - File logging now logs to a custom file. [#202](https://github.com/Kong/kong/issues/202)
  - Keyauth plugin now defaults `key_names` to "apikey".
- Admin API
  - RESTful routing. Much nicer Admin API routing. Ex: `/apis/{name_or_id}/plugins`. [#98](https://github.com/Kong/kong/issues/98) [#257](https://github.com/Kong/kong/pull/257)
  - Support `PUT` method for endpoints such as `/apis/`, `/apis/plugins/`, `/consumers/`
  - Support for `application/json` and `x-www-form-urlencoded` Content Types for all `PUT`, `POST` and `PATCH` endpoints by passing a `Content-Type` header. [#236](https://github.com/Kong/kong/pull/236)
- Resolver
  - Support resolving APIs by Path as well as by Header. [#192](https://github.com/Kong/kong/pull/192) [#282](https://github.com/Kong/kong/pull/282)
  - Support for `X-Host-Override` as an alternative to `Host` for browsers.
    [#203](https://github.com/Kong/kong/issues/203) [#246](https://github.com/Kong/kong/pull/246)
- Auth plugins now send user information to your upstream services. [#228](https://github.com/Kong/kong/issues/228)
- Invalid `target_url` values are now being caught when creating an API. [#149](https://github.com/Kong/kong/issues/149)

#### Fixed

- Uppercase Cassandra keyspace causing migration failure. [#249](https://github.com/Kong/kong/issues/249)
- Guarantee that ratelimiting won't allow requests in case the atomicity of the counter update is not guaranteed. [#289](https://github.com/Kong/kong/issues/289)

> **internal**
> - Schemas:
>   - New property type: `array`. [#277](https://github.com/Kong/kong/pull/277)
>   - Entities schemas now live in their own files and are starting to be unit tested.
>   - Subfields are handled better: (notify required subfields and auto-vivify if subfield has default values).
> - Way faster unit tests. Not resetting the DB anymore between tests.
> - Improved coverage computation (exclude `vendor/`).
> - Travis now lints `kong/`.
> - Way faster Travis setup.
> - Added a new HTTP client for in-nginx usage, using the cosocket API.
> - Various refactorings.
> - Fix [#196](https://github.com/Kong/kong/issues/196).
> - Disabled ipv6 in resolver.

[Back to TOC](#table-of-contents)

## [0.2.1] - 2015/05/12

This is a maintenance release including several bug fixes and usability improvements.

#### Added

- Support for local DNS resolution. [#194](https://github.com/Kong/kong/pull/194)
- Support for Debian 8 and Ubuntu 15.04.
- DAO
  - Cassandra version bumped to 2.1.5
  - Support for Cassandra downtime. If Cassandra goes down and is brought back up, Kong will not need to restart anymore, statements will be re-prepared on-the-fly. This is part of an ongoing effort from [jbochi/lua-resty-cassandra#47](https://github.com/jbochi/lua-resty-cassandra/pull/47), [#146](https://github.com/Kong/kong/pull/146) and [#187](https://github.com/Kong/kong/pull/187).
    Queries executed during the downtime will still be lost. [#11](https://github.com/Kong/kong/pull/11)
  - Leverage reused sockets. If the DAO reuses a socket, it will not re-set their keyspace. This should give a small but appreciable performance improvement. [#170](https://github.com/Kong/kong/pull/170)
  - Cascade delete plugins configurations when deleting a Consumer or an API associated with it. [#107](https://github.com/Kong/kong/pull/107)
  - Allow Cassandra hosts listening on different ports than the default. [#185](https://github.com/Kong/kong/pull/185)
- CLI
  - Added a notice log when Kong tries to connect to Cassandra to avoid user confusion. [#168](https://github.com/Kong/kong/pull/168)
  - The CLI now tests if the ports are already being used before starting and warns.
- Admin API
  - `name` is now an optional property for APIs. If none is being specified, the name will be the API `public_dns`. [#181](https://github.com/Kong/kong/pull/181)
- Configuration
  - The memory cache size is now configurable. [#208](https://github.com/Kong/kong/pull/208)

#### Fixed

- Resolver
  - More explicit "API not found" message from the resolver if the Host was not found in the system. "API not found with Host: %s".
  - If multiple hosts headers are being sent, Kong will test them all to see if one of the API is in the system. [#186](https://github.com/Kong/kong/pull/186)
- Admin API: responses now have a new line after the body. [#164](https://github.com/Kong/kong/issues/164)
- DAO: keepalive property is now properly passed when Kong calls `set_keepalive` on Cassandra sockets.
- Multipart dependency throwing error at startup. [#213](https://github.com/Kong/kong/pull/213)

> **internal**
> - Separate Migrations from the DAO factory.
> - Update dev config + Makefile rules (`run` becomes `start`).
> - Introducing an `ngx` stub for unit tests and CLI.
> - Switch many PCRE regexes to using patterns.

[Back to TOC](#table-of-contents)

## [0.2.0-2] - 2015/04/27

First public release of Kong.
This version brings a lot of internal improvements as well as more usability and a few additional plugins.

#### Added

- Plugins
  - CORS plugin.
  - Request transformation plugin.
  - NGINX plus monitoring plugin.
- Configuration
  - New properties: `proxy_port` and `api_admin_port`. [#142](https://github.com/Kong/kong/issues/142)
- CLI
  - Better info, help and error messages. [#118](https://github.com/Kong/kong/issues/118) [#124](https://github.com/Kong/kong/issues/124)
  - New commands: `kong reload`, `kong quit`. [#114](https://github.com/Kong/kong/issues/114) Alias of `version`: `kong --version` [#119](https://github.com/Kong/kong/issues/119)
  - `kong restart` simply starts Kong if not previously running + better pid file handling. [#131](https://github.com/Kong/kong/issues/131)
- Package distributions: .rpm, .deb and .pkg for easy installs on most common platforms.

#### Fixed

- Admin API: trailing slash is not necessary anymore for core resources such as `/apis` or `/consumers`.
- Leaner default configuration. [#156](https://github.com/Kong/kong/issues/156)

> **internal**
> - All scripts moved to the CLI as "hidden" commands (`kong db`, `kong config`).
> - More tests as always, and they are structured better. The coverage went down mainly because of plugins which will later move to their own repos. We are all eagerly waiting for that!
> - `src/` was renamed to `kong/` for ease of development
> - All system dependencies versions for package building and travis-ci are now listed in `versions.sh`
> - DAO doesn't need to `:prepare()` prior to run queries. Queries can be prepared at runtime. [#146](https://github.com/Kong/kong/issues/146)

[Back to TOC](#table-of-contents)

## [0.1.1beta-2] - 2015/03/30

#### Fixed

- Wrong behavior of auto-migration in `kong start`.

[Back to TOC](#table-of-contents)

## [0.1.0beta-3] - 2015/03/25

First public beta. Includes caching and better usability.

#### Added

- Required Openresty is now `1.7.10.1`.
- Freshly built CLI, rewritten in Lua
- `kong start` using a new DB keyspace will automatically migrate the schema. [#68](https://github.com/Kong/kong/issues/68)
- Anonymous error reporting on Proxy and API. [#64](https://github.com/Kong/kong/issues/64)
- Configuration
  - Simplified configuration file (unified in `kong.yml`).
  - In configuration, `plugins_installed` was renamed to `plugins_available`. [#59](https://github.com/Kong/kong/issues/59)
  - Order of `plugins_available` doesn't matter anymore. [#17](https://github.com/Kong/kong/issues/17)
  - Better handling of plugins: Kong now detects which plugins are configured and if they are installed on the current machine.
  - `bin/kong` now defaults to `/etc/kong.yml` for config and `/var/logs/kong` for output. [#71](https://github.com/Kong/kong/issues/71)
- Proxy: APIs/Consumers caching with expiration for faster authentication.
- Admin API: Plugins now use plain form parameters for configuration. [#70](https://github.com/Kong/kong/issues/70)
- Keep track of already executed migrations. `rollback` now behaves as expected. [#8](https://github.com/Kong/kong/issues/8)

#### Fixed

- `Server` header now sends Kong. [#57](https://github.com/Kong/kong/issues/57)
- Migrations not being executed in order on Linux. This issue wasn't noticed until unit testing the migrations because for now we only have 1 migration file.
- Admin API: Error responses are now sent as JSON. [#58](https://github.com/Kong/kong/issues/58)

> **internal**
> - We now have code linting and coverage.
> - Faker and Migrations instances don't live in the DAO Factory anymore, they are only used in scripts and tests.
> - `scripts/config.lua` allows environment based configurations. `make dev` generates a `kong.DEVELOPMENT.yml` and `kong_TEST.yml`. Different keyspaces and ports.
> - `spec_helpers.lua` allows tests to not rely on the `Makefile` anymore. Integration tests can run 100% from `busted`.
> - Switch integration testing from [httpbin.org] to [mockbin.com].
> - `core` plugin was renamed to `resolver`.

[Back to TOC](#table-of-contents)

## [0.0.1alpha-1] - 2015/02/25

First version running with Cassandra.

#### Added

- Basic proxying.
- Built-in authentication plugin (api key, HTTP basic).
- Built-in ratelimiting plugin.
- Built-in TCP logging plugin.
- Configuration API (for consumers, apis, plugins).
- CLI `bin/kong` script.
- Database migrations (using `db.lua`).

[2.8.1]: https://github.com/Kong/kong/compare/2.8.0...2.8.1
[2.8.0]: https://github.com/Kong/kong/compare/2.7.0...2.8.0
[2.7.1]: https://github.com/Kong/kong/compare/2.7.0...2.7.1
[2.7.0]: https://github.com/Kong/kong/compare/2.6.0...2.7.0
[2.6.0]: https://github.com/Kong/kong/compare/2.5.1...2.6.0
[2.5.1]: https://github.com/Kong/kong/compare/2.5.0...2.5.1
[2.5.0]: https://github.com/Kong/kong/compare/2.4.1...2.5.0
[2.4.1]: https://github.com/Kong/kong/compare/2.4.0...2.4.1
[2.4.0]: https://github.com/Kong/kong/compare/2.3.3...2.4.0
[2.3.3]: https://github.com/Kong/kong/compare/2.3.2...2.3.3
[2.3.2]: https://github.com/Kong/kong/compare/2.3.1...2.3.2
[2.3.1]: https://github.com/Kong/kong/compare/2.3.0...2.3.1
[2.3.0]: https://github.com/Kong/kong/compare/2.2.0...2.3.0
[2.2.2]: https://github.com/Kong/kong/compare/2.2.1...2.2.2
[2.2.1]: https://github.com/Kong/kong/compare/2.2.0...2.2.1
[2.2.0]: https://github.com/Kong/kong/compare/2.1.3...2.2.0
[2.1.4]: https://github.com/Kong/kong/compare/2.1.3...2.1.4
[2.1.3]: https://github.com/Kong/kong/compare/2.1.2...2.1.3
[2.1.2]: https://github.com/Kong/kong/compare/2.1.1...2.1.2
[2.1.1]: https://github.com/Kong/kong/compare/2.1.0...2.1.1
[2.1.0]: https://github.com/Kong/kong/compare/2.0.5...2.1.0
[2.0.5]: https://github.com/Kong/kong/compare/2.0.4...2.0.5
[2.0.4]: https://github.com/Kong/kong/compare/2.0.3...2.0.4
[2.0.3]: https://github.com/Kong/kong/compare/2.0.2...2.0.3
[2.0.2]: https://github.com/Kong/kong/compare/2.0.1...2.0.2
[2.0.1]: https://github.com/Kong/kong/compare/2.0.0...2.0.1
[2.0.0]:
https://github.com/Kong/kong/compare/1.5.0...2.0.0
[1.5.1]: https://github.com/Kong/kong/compare/1.5.0...1.5.1
[1.5.0]: https://github.com/Kong/kong/compare/1.4.3...1.5.0
[1.4.3]: https://github.com/Kong/kong/compare/1.4.2...1.4.3
[1.4.2]: https://github.com/Kong/kong/compare/1.4.1...1.4.2
[1.4.1]: https://github.com/Kong/kong/compare/1.4.0...1.4.1
[1.4.0]: https://github.com/Kong/kong/compare/1.3.0...1.4.0
[1.3.0]: https://github.com/Kong/kong/compare/1.2.2...1.3.0
[1.2.2]: https://github.com/Kong/kong/compare/1.2.1...1.2.2
[1.2.1]: https://github.com/Kong/kong/compare/1.2.0...1.2.1
[1.2.0]: https://github.com/Kong/kong/compare/1.1.2...1.2.0
[1.1.2]: https://github.com/Kong/kong/compare/1.1.1...1.1.2
[1.1.1]: https://github.com/Kong/kong/compare/1.1.0...1.1.1
[1.1.0]: https://github.com/Kong/kong/compare/1.0.3...1.1.0
[1.0.3]: https://github.com/Kong/kong/compare/1.0.2...1.0.3
[1.0.2]: https://github.com/Kong/kong/compare/1.0.1...1.0.2
[1.0.1]: https://github.com/Kong/kong/compare/1.0.0...1.0.1
[1.0.0]: https://github.com/Kong/kong/compare/0.15.0...1.0.0
[0.15.0]: https://github.com/Kong/kong/compare/0.14.1...0.15.0
[0.14.1]: https://github.com/Kong/kong/compare/0.14.0...0.14.1
[0.14.0]: https://github.com/Kong/kong/compare/0.13.1...0.14.0
[0.13.1]: https://github.com/Kong/kong/compare/0.13.0...0.13.1
[0.13.0]: https://github.com/Kong/kong/compare/0.12.3...0.13.0
[0.12.3]: https://github.com/Kong/kong/compare/0.12.2...0.12.3
[0.12.2]: https://github.com/Kong/kong/compare/0.12.1...0.12.2
[0.12.1]: https://github.com/Kong/kong/compare/0.12.0...0.12.1
[0.12.0]: https://github.com/Kong/kong/compare/0.11.2...0.12.0
[0.11.2]: https://github.com/Kong/kong/compare/0.11.1...0.11.2
[0.11.1]: https://github.com/Kong/kong/compare/0.11.0...0.11.1
[0.10.4]: https://github.com/Kong/kong/compare/0.10.3...0.10.4
[0.11.0]: https://github.com/Kong/kong/compare/0.10.3...0.11.0
[0.10.3]: https://github.com/Kong/kong/compare/0.10.2...0.10.3
[0.10.2]:
https://github.com/Kong/kong/compare/0.10.1...0.10.2
[0.10.1]: https://github.com/Kong/kong/compare/0.10.0...0.10.1
[0.10.0]: https://github.com/Kong/kong/compare/0.9.9...0.10.0
[0.9.9]: https://github.com/Kong/kong/compare/0.9.8...0.9.9
[0.9.8]: https://github.com/Kong/kong/compare/0.9.7...0.9.8
[0.9.7]: https://github.com/Kong/kong/compare/0.9.6...0.9.7
[0.9.6]: https://github.com/Kong/kong/compare/0.9.5...0.9.6
[0.9.5]: https://github.com/Kong/kong/compare/0.9.4...0.9.5
[0.9.4]: https://github.com/Kong/kong/compare/0.9.3...0.9.4
[0.9.3]: https://github.com/Kong/kong/compare/0.9.2...0.9.3
[0.9.2]: https://github.com/Kong/kong/compare/0.9.1...0.9.2
[0.9.1]: https://github.com/Kong/kong/compare/0.9.0...0.9.1
[0.9.0]: https://github.com/Kong/kong/compare/0.8.3...0.9.0
[0.8.3]: https://github.com/Kong/kong/compare/0.8.2...0.8.3
[0.8.2]: https://github.com/Kong/kong/compare/0.8.1...0.8.2
[0.8.1]: https://github.com/Kong/kong/compare/0.8.0...0.8.1
[0.8.0]: https://github.com/Kong/kong/compare/0.7.0...0.8.0
[0.7.0]: https://github.com/Kong/kong/compare/0.6.1...0.7.0
[0.6.1]: https://github.com/Kong/kong/compare/0.6.0...0.6.1
[0.6.0]: https://github.com/Kong/kong/compare/0.5.4...0.6.0
[0.5.4]: https://github.com/Kong/kong/compare/0.5.3...0.5.4
[0.5.3]: https://github.com/Kong/kong/compare/0.5.2...0.5.3
[0.5.2]: https://github.com/Kong/kong/compare/0.5.1...0.5.2
[0.5.1]: https://github.com/Kong/kong/compare/0.5.0...0.5.1
[0.5.0]: https://github.com/Kong/kong/compare/0.4.2...0.5.0
[0.4.2]: https://github.com/Kong/kong/compare/0.4.1...0.4.2
[0.4.1]: https://github.com/Kong/kong/compare/0.4.0...0.4.1
[0.4.0]: https://github.com/Kong/kong/compare/0.3.2...0.4.0
[0.3.2]: https://github.com/Kong/kong/compare/0.3.1...0.3.2
[0.3.1]: https://github.com/Kong/kong/compare/0.3.0...0.3.1
[0.3.0]: https://github.com/Kong/kong/compare/0.2.1...0.3.0
[0.2.1]: https://github.com/Kong/kong/compare/0.2.0-2...0.2.1
[0.2.0-2]: https://github.com/Kong/kong/compare/0.1.1beta-2...0.2.0-2
[0.1.1beta-2]: https://github.com/Kong/kong/compare/0.1.0beta-3...0.1.1beta-2
[0.1.0beta-3]: https://github.com/Kong/kong/compare/2236374d5624ad98ea21340ca685f7584ec35744...0.1.0beta-3
[0.0.1alpha-1]: https://github.com/Kong/kong/compare/ffd70b3101ba38d9acc776038d124f6e2fccac3c...2236374d5624ad98ea21340ca685f7584ec35744

================================================
FILE: CHANGELOG.md
================================================
# Table of Contents

- [3.9.1](#391)
- [3.9.0](#390)
- [3.8.1](#381)
- [3.8.0](#380)
- [3.7.1](#371)
- [3.7.0](#370)
- [3.6.1](#361)
- [3.6.0](#360)
- [3.5.0](#350)
- [3.4.2](#342)
- [3.4.1](#341)
- [3.4.0](#340)
- [3.3.0](#330)
- [3.2.0](#320)
- [3.1.0](#310)
- [3.0.1](#301)
- [3.0.0](#300)
- [Previous releases](#previous-releases)

## Unreleased

Individual unreleased changelog entries can be located at [changelog/unreleased](changelog/unreleased). They will be assembled into [CHANGELOG.md](CHANGELOG.md) once released.

## 3.9.1

### Kong

#### Dependencies

##### Core

- Bumped libexpat from 2.6.2 to 2.6.4 to fix a crash in the XML_ResumeParser function caused by XML_StopParser stopping an uninitialized parser. [#14208](https://github.com/Kong/kong/issues/14208)
- Bump lua-kong-nginx-module from 0.13.0 to 0.13.2 [#14047](https://github.com/Kong/kong/issues/14047)

#### Features

##### Plugin

- **ai**: Added support for boto3 SDKs for the Bedrock provider, and for Google GenAI SDKs for the Gemini provider. [#14579](https://github.com/Kong/kong/issues/14579)

#### Fixes

##### Core

- Added support for the new Ollama streaming content type in AI driver. [#14579](https://github.com/Kong/kong/issues/14579)

##### Plugin

- **ai-proxy**: Fixed a bug in the Azure provider where `model.options.upstream_path` overrides would always return a 404 error. [#14185](https://github.com/Kong/kong/issues/14185)
- **ai-proxy**: Fixed a bug where Azure streaming responses would be missing individual tokens.
  [#14172](https://github.com/Kong/kong/issues/14172)
- **ai-proxy**: Fixed a bug where response streaming in Gemini and Bedrock providers was returning whole chat responses in one chunk. [#14579](https://github.com/Kong/kong/issues/14579)
- **ai-proxy**: Fixed a bug where multimodal requests (in OpenAI format) would not transform properly, when using the Gemini provider. [#14579](https://github.com/Kong/kong/issues/14579)
- **ai-proxy**: Fixed Gemini streaming responses getting truncated and/or missing tokens. [#14579](https://github.com/Kong/kong/issues/14579)
- **ai-proxy**: Fixed an incorrect error thrown when trying to log streaming responses. [#14579](https://github.com/Kong/kong/issues/14579)
- **ai-proxy**: Fixed an issue where tool calls weren't working in streaming mode for the Bedrock and Gemini providers. [#14579](https://github.com/Kong/kong/issues/14579)
- **ai-proxy**: Fixed an issue where AI Proxy would use corrupted plugin config. [#14579](https://github.com/Kong/kong/issues/14579)
- **ai-proxy**: Fixed preserve mode. [#14579](https://github.com/Kong/kong/issues/14579)
- **AI Plugins**: Fixed AI upstream URL trailing being empty. [#14578](https://github.com/Kong/kong/issues/14578)
- **AI Plugins**: Fixed an issue where the template wasn't being resolved correctly and supported nested fields. [#14579](https://github.com/Kong/kong/issues/14579)

## 3.9.0

### Kong

#### Deprecations

##### Core

- `node_id` in configuration has been deprecated. [#13687](https://github.com/Kong/kong/issues/13687)

#### Dependencies

##### Core

- Bumped lua-kong-nginx-module from 0.11.0 to 0.11.1 to fix an issue where the upstream cert chain wasn't properly set. [#12752](https://github.com/Kong/kong/issues/12752)
- Bumped lua-resty-events to 0.3.1. Optimized the memory usage. [#13097](https://github.com/Kong/kong/issues/13097)
- Bumped lua-resty-lmdb to 1.6.0. Allowing page_size to be 1. [#13908](https://github.com/Kong/kong/issues/13908)
- Bumped lua-resty-lmdb to 1.5.0.
  Added page_size parameter to allow overriding page size from caller side. [#12786](https://github.com/Kong/kong/issues/12786)

##### Default

- Kong Gateway now supports Ubuntu 24.04 (Noble Numbat) with both open-source and Enterprise packages. [#13626](https://github.com/Kong/kong/issues/13626)
- Bumped rpm dockerfile default base UBI 8 -> 9 [#13574](https://github.com/Kong/kong/issues/13574)
- Bumped lua-resty-aws to 1.5.4 to fix a bug inside region prefix generation. [#12846](https://github.com/Kong/kong/issues/12846)
- Bumped lua-resty-ljsonschema to 1.2.0, adding support for `null` as a valid option in `enum` types and proper calculation of utf8 string length instead of byte count [#13783](https://github.com/Kong/kong/issues/13783)
- Bumped `ngx_wasm_module` to `9136e463a6f1d80755ce66c88c3ddecd0eb5e25d` [#12011](https://github.com/Kong/kong/issues/12011)
- Bumped `Wasmtime` version to `26.0.0` [#12011](https://github.com/Kong/kong/issues/12011)
- Bumped OpenSSL to 3.2.3 to fix unbounded memory growth with session handling in TLSv1.3 and other CVEs. [#13448](https://github.com/Kong/kong/issues/13448)
- **Wasm**: Removed the experimental datakit Wasm filter [#14012](https://github.com/Kong/kong/issues/14012)

#### Features

##### CLI Command

- Added the `kong drain` CLI command to make the `/status/ready` endpoint return a `503 Service Unavailable` response. [#13838](https://github.com/Kong/kong/issues/13838)

##### Core

- Added a new feature for Kong Manager that supports multiple domains, enabling dynamic cross-origin access for Admin API requests. [#13664](https://github.com/Kong/kong/issues/13664)
- Added an ADA dependency: WHATWG-compliant and fast URL parser. [#13120](https://github.com/Kong/kong/issues/13120)
- Added a new LLM driver for interfacing with the Hugging Face inference API. The driver supports both serverless and dedicated LLM instances hosted by Hugging Face for conversational and text generation tasks.
  [#13484](https://github.com/Kong/kong/issues/13484)
- Increased the priority order of the correlation id to 100001 from 1 so that the plugin can be used with other plugins especially custom auth plugins. [#13581](https://github.com/Kong/kong/issues/13581)
- Added a `tls.disable_http2_alpn()` function patch for disabling HTTP/2 ALPN when performing a TLS handshake. [#13709](https://github.com/Kong/kong/issues/13709)
- Improved the output of the request debugger:
  - The resolution of field `total_time` is now in microseconds.
  - A new field, `total_time_without_upstream`, shows the latency only introduced by Kong. [#13460](https://github.com/Kong/kong/issues/13460)
- **proxy-wasm**: Added support for Wasm filters to be configured via the `/plugins` Admin API. [#13843](https://github.com/Kong/kong/issues/13843)

##### PDK

- Added `kong.service.request.clear_query_arg(name)` to PDK. [#13619](https://github.com/Kong/kong/issues/13619)
- Array and Map type span attributes are now supported by the tracing PDK [#13818](https://github.com/Kong/kong/issues/13818)

##### Plugin

- **Prometheus**: Increased the upper limit of `KONG_LATENCY_BUCKETS` to 6000 to enhance latency tracking precision. [#13588](https://github.com/Kong/kong/issues/13588)
- **ai-proxy**: Disabled HTTP/2 ALPN handshake for connections on routes configured with AI-proxy. [#13735](https://github.com/Kong/kong/issues/13735)
- **Redirect**: Added a new plugin to redirect requests to another location. [#13900](https://github.com/Kong/kong/issues/13900)
- **Prometheus**: Added support for Proxy-Wasm metrics. [#13681](https://github.com/Kong/kong/issues/13681)

##### Admin API

- **Admin API**: Added support for official YAML media-type (`application/yaml`) to the `/config` endpoint. [#13713](https://github.com/Kong/kong/issues/13713)

##### Clustering

- Added a remote procedure call (RPC) framework for Hybrid mode deployments.
  [#12320](https://github.com/Kong/kong/issues/12320)

#### Fixes

##### Core

- Fixed an issue where the `ngx.balancer.recreate_request` API did not refresh the body buffer when `ngx.req.set_body_data` is used in the balancer phase. [#13882](https://github.com/Kong/kong/issues/13882)
- Fix to always pass `ngx.ctx` to `log_init_worker_errors` as otherwise it may runtime crash. [#13731](https://github.com/Kong/kong/issues/13731)
- Fixed an issue where the workspace ID was not included in the plugin config in the plugins iterator. [#13377](https://github.com/Kong/kong/issues/13377)
- Fixed an issue where the workspace id was not included in the plugin config in the plugins iterator. [#13872](https://github.com/Kong/kong/issues/13872)
- Fixed a 500 error triggered by unhandled nil fields during schema validation. [#13861](https://github.com/Kong/kong/issues/13861)
- **Vault**: Fixed an issue where array-like configuration fields cannot contain vault reference. [#13953](https://github.com/Kong/kong/issues/13953)
- **Vault**: Fixed an issue where updating a vault entity in a non-default workspace wouldn't take effect. [#13610](https://github.com/Kong/kong/issues/13610)
- **Vault**: Fixed an issue where vault reference in kong configuration cannot be dereferenced when both http and stream subsystems are enabled. [#13953](https://github.com/Kong/kong/issues/13953)
- **proxy-wasm:** Added a check that prevents Kong from starting when the database contains invalid Wasm filters. [#13764](https://github.com/Kong/kong/issues/13764)
- Fixed an issue where the `kong.request.enable_buffering` couldn't be used when the downstream used HTTP/2.
  [#13614](https://github.com/Kong/kong/issues/13614)

##### PDK

- Lined up the `kong.log.inspect` function to log at `notice` level as documented
  [#13642](https://github.com/Kong/kong/issues/13642)
- Fixed the error message for an invalid retries variable
  [#13605](https://github.com/Kong/kong/issues/13605)

##### Plugin

- **ai-proxy**: Fixed a bug where tools (function) calls to Anthropic would return empty results.
  [#13760](https://github.com/Kong/kong/issues/13760)
- **ai-proxy**: Fixed a bug where tools (function) calls to Bedrock would return empty results.
  [#13760](https://github.com/Kong/kong/issues/13760)
- **ai-proxy**: Fixed a bug where Bedrock Guardrail config was ignored.
  [#13760](https://github.com/Kong/kong/issues/13760)
- **ai-proxy**: Fixed a bug where tools (function) calls to Cohere would return empty results.
  [#13760](https://github.com/Kong/kong/issues/13760)
- **ai-proxy**: Fixed a bug where Gemini provider would return an error if content safety failed in AI Proxy.
  [#13760](https://github.com/Kong/kong/issues/13760)
- **ai-proxy**: Fixed a bug where tools (function) calls to Gemini (or via Vertex) would return empty results.
  [#13760](https://github.com/Kong/kong/issues/13760)
- **ai-proxy**: Fixed an issue where AI Transformer plugins always returned a 404 error when using 'Google One' Gemini subscriptions.
  [#13703](https://github.com/Kong/kong/issues/13703)
- **ai-transformers**: Fixed a bug where the correct LLM error message was not propagated to the caller.
  [#13703](https://github.com/Kong/kong/issues/13703)
- **AI-Proxy**: Fixed an issue where multi-modal requests were blocked on the Azure AI provider.
  [#13702](https://github.com/Kong/kong/issues/13702)
- Fixed a bug where AI semantic cache couldn't use request-provided models
  [#13627](https://github.com/Kong/kong/issues/13627)
- **AWS-Lambda**: Fixed an issue in proxy integration mode that caused an internal server error when the `multiValueHeaders` was null.
  [#13533](https://github.com/Kong/kong/issues/13533)
- **jwt**: Ensured that `rsa_public_key` isn't base64-decoded.
  [#13717](https://github.com/Kong/kong/issues/13717)
- **key-auth**: Fixed an issue with the order of query arguments, ensuring that arguments retain order when hiding the credentials.
  [#13619](https://github.com/Kong/kong/issues/13619)
- **rate-limiting**: Fixed a bug where the returned values from `get_redis_connection()` were incorrect.
  [#13613](https://github.com/Kong/kong/issues/13613)
- **rate-limiting**: Fixed an issue that caused an HTTP 500 error when `hide_client_headers` was set to `true` and the request exceeded the rate limit.
  [#13722](https://github.com/Kong/kong/issues/13722)

##### Admin API

- Fixed querying of Admin API entities with empty tags
  [#13723](https://github.com/Kong/kong/issues/13723)
- Fixed an issue where nested parameters couldn't be parsed correctly when using `form-urlencoded` requests.
  [#13668](https://github.com/Kong/kong/issues/13668)

##### Clustering

- **Clustering**: Adjusted error log levels for control plane connections.
  [#13863](https://github.com/Kong/kong/issues/13863)

##### Default

- **Loggly**: Fixed an issue where a missing `/bin/hostname` caused an error warning on startup.
  [#13788](https://github.com/Kong/kong/issues/13788)

### Kong-Manager

#### Fixes

##### Default

- Kong Manager will now hide the scope change field when creating/editing a scoped plugin from another entity.
  [#297](https://github.com/Kong/kong-manager/issues/297)
- Improved the user experience in Kong Manager by fixing various UI-related issues.
  [#277](https://github.com/Kong/kong-manager/issues/277)
  [#283](https://github.com/Kong/kong-manager/issues/283)
  [#286](https://github.com/Kong/kong-manager/issues/286)
  [#287](https://github.com/Kong/kong-manager/issues/287)
  [#288](https://github.com/Kong/kong-manager/issues/288)
  [#291](https://github.com/Kong/kong-manager/issues/291)
  [#293](https://github.com/Kong/kong-manager/issues/293)
  [#295](https://github.com/Kong/kong-manager/issues/295)
  [#298](https://github.com/Kong/kong-manager/issues/298)
  [#302](https://github.com/Kong/kong-manager/issues/302)
  [#304](https://github.com/Kong/kong-manager/issues/304)
  [#306](https://github.com/Kong/kong-manager/issues/306)
  [#309](https://github.com/Kong/kong-manager/issues/309)
  [#317](https://github.com/Kong/kong-manager/issues/317)
  [#319](https://github.com/Kong/kong-manager/issues/319)
  [#322](https://github.com/Kong/kong-manager/issues/322)
  [#325](https://github.com/Kong/kong-manager/issues/325)
  [#329](https://github.com/Kong/kong-manager/issues/329)
  [#330](https://github.com/Kong/kong-manager/issues/330)
- Unified the redirection logic in Kong Manager upon entity operations.
  [#289](https://github.com/Kong/kong-manager/issues/289)

## 3.8.1

### Kong

#### Dependencies

##### Core

- Bumped lua-kong-nginx-module from 0.11.0 to 0.11.1 to fix an issue where the upstream cert chain wasn't properly set.
  [#12752](https://github.com/Kong/kong/issues/12752)

##### Default

- Bumped lua-resty-aws to 1.5.4 to fix a bug in region prefix generation
  [#12846](https://github.com/Kong/kong/issues/12846)

#### Features

##### Plugin

- **Prometheus**: Bumped the maximum capacity of the `KONG_LATENCY_BUCKETS` bucket to 6000
  [#13797](https://github.com/Kong/kong/issues/13797)

#### Fixes

##### Core

- **Vault**: Fixed an issue where updating a vault entity in a non-default workspace will not take effect.
  [#13670](https://github.com/Kong/kong/issues/13670)

##### Plugin

- **ai-proxy**: Fixed an issue where AI Transformer plugins always returned a 404 error when using 'Google One' Gemini subscriptions.
  [#13753](https://github.com/Kong/kong/issues/13753)
- **ai-transformers**: Fixed a bug where the correct LLM error message was not propagated to the caller.
  [#13753](https://github.com/Kong/kong/issues/13753)
- Fixed a bug where AI semantic cache couldn't use request-provided models
  [#13633](https://github.com/Kong/kong/issues/13633)
- **Rate-Limiting**: Fixed an issue that caused a 500 error when using the rate-limiting plugin. When the `hide_client_headers` option is set to true and a 429 error is triggered, it should return a 429 error code instead of a 500 error code.
  [#13759](https://github.com/Kong/kong/issues/13759)

##### Admin API

- Fixed an issue where sending `tags=` (empty parameter) resulted in a 500 error. Now, Kong returns a 400 error, as empty explicit tags are not allowed.
  [#13813](https://github.com/Kong/kong/issues/13813)

## 3.8.0

### Kong

#### Performance

##### Performance

- Fixed an inefficiency issue in the LuaJIT hashing algorithm
  [#13240](https://github.com/Kong/kong/issues/13240)

##### Core

- Removed unnecessary DNS client initialization
  [#13479](https://github.com/Kong/kong/issues/13479)
- Improved latency performance when gzipping/gunzipping large data (such as CP/DP config data).
  [#13338](https://github.com/Kong/kong/issues/13338)

#### Deprecations

##### Default

- Debian 10, CentOS 7, and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of version 3.8.0.0 onward, Kong is not building installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems.
  [#13468](https://github.com/Kong/kong/issues/13468)

#### Dependencies

##### Core

- Bumped lua-resty-acme to 0.15.0 to support username/password auth with redis.
  [#12909](https://github.com/Kong/kong/issues/12909)
- Bumped lua-resty-aws to 1.5.3 to fix a bug related to STS regional endpoint.
  [#12846](https://github.com/Kong/kong/issues/12846)
- Bumped lua-resty-healthcheck from 3.0.1 to 3.1.0 to fix an issue that was causing high memory usage
  [#13038](https://github.com/Kong/kong/issues/13038)
- Bumped lua-resty-lmdb to 1.4.3 to get fixes from the upstream (lmdb 0.9.33), which resolved numerous race conditions and fixed a cursor issue.
  [#12786](https://github.com/Kong/kong/issues/12786)
- Bumped lua-resty-openssl to 1.5.1 to fix some issues including a potential use-after-free issue.
  [#12665](https://github.com/Kong/kong/issues/12665)
- Bumped OpenResty to 1.25.3.2 to improve the performance of the LuaJIT hash computation.
  [#12327](https://github.com/Kong/kong/issues/12327)
- Bumped PCRE2 to 10.44 to fix some bugs and tidy-up the release (nothing important)
  [#12366](https://github.com/Kong/kong/issues/12366)
- Introduced a yieldable JSON library `lua-resty-simdjson`, which would improve the latency significantly.
  [#13421](https://github.com/Kong/kong/issues/13421)

##### Default

- Bumped lua-protobuf to 0.5.2
  [#12834](https://github.com/Kong/kong/issues/12834)
- Bumped LuaRocks from 3.11.0 to 3.11.1
  [#12662](https://github.com/Kong/kong/issues/12662)
- Bumped `ngx_wasm_module` to `96b4e27e10c63b07ed40ea88a91c22f23981db35`
  [#12011](https://github.com/Kong/kong/issues/12011)
- Bumped `Wasmtime` version to `23.0.2`
  [#13567](https://github.com/Kong/kong/pull/13567)
- Made the RPM package relocatable with the default prefix set to `/`.
  [#13468](https://github.com/Kong/kong/issues/13468)

#### Features

##### Configuration

- Configure Wasmtime module cache when Wasm is enabled
  [#12930](https://github.com/Kong/kong/issues/12930)

##### Core

- **prometheus**: Added `ai_requests_total`, `ai_cost_total` and `ai_tokens_total` metrics in the Prometheus plugin to start counting AI usage.
  [#13148](https://github.com/Kong/kong/issues/13148)
- Added a new configuration `concurrency_limit` (integer, defaults to 1) for Queue to specify the number of delivery timers. Note that setting `concurrency_limit` to `-1` means no limit at all, and each HTTP log entry would create an individual timer for sending.
  [#13332](https://github.com/Kong/kong/issues/13332)
- Append gateway info to upstream `Via` header like `1.1 kong/3.8.0`, and optionally to response `Via` header if it is present in the `headers` config of "kong.conf", like `2 kong/3.8.0`, according to `RFC7230` and `RFC9110`.
  [#12733](https://github.com/Kong/kong/issues/12733)
- Starting from this version, a new DNS client library has been implemented and added into Kong, which is disabled by default. The new DNS client library has the following changes:
  - Introduced global caching for DNS records across workers, significantly reducing the query load on DNS servers.
  - Introduced observable statistics for the new DNS client, and a new Status API `/status/dns` to retrieve them.
  - Simplified the logic and made it more standardized
  [#12305](https://github.com/Kong/kong/issues/12305)

##### PDK

- Added `0` to support unlimited body size. When parameter `max_allowed_file_size` is `0`, `get_raw_body` will return the entire body, but the size of this body will still be limited by Nginx's `client_max_body_size`.
  [#13431](https://github.com/Kong/kong/issues/13431)
- Extended `kong.request.get_body` and `kong.request.get_raw_body` to read from buffered file
  [#13158](https://github.com/Kong/kong/issues/13158)
- Added a new PDK module `kong.telemetry` and function: `kong.telemetry.log` to generate log entries to be reported via the OpenTelemetry plugin.
  [#13329](https://github.com/Kong/kong/issues/13329)

##### Plugin

- **acl:** Added a new config `always_use_authenticated_groups` to support using authenticated groups even when an authenticated consumer already exists.
  [#13184](https://github.com/Kong/kong/issues/13184)
- AI plugins: retrieved latency data and pushed it to logs and metrics.
  [#13428](https://github.com/Kong/kong/issues/13428)
- Allow AI plugin to read request from buffered file
  [#13158](https://github.com/Kong/kong/pull/13158)
- **AI-proxy-plugin**: Added the `allow_override` option to allow overriding the upstream model auth parameter or header from the caller's request.
  [#13158](https://github.com/Kong/kong/issues/13158)
- **AI-proxy-plugin**: Replaced the lib and used `cycle_aware_deep_copy` for the `request_table` object.
  [#13582](https://github.com/Kong/kong/issues/13582)
- Kong AI Gateway (AI Proxy and associated plugin family) now supports all AWS Bedrock "Converse API" models.
  [#12948](https://github.com/Kong/kong/issues/12948)
- Kong AI Gateway (AI Proxy and associated plugin family) now supports the Google Gemini "chat" (generateContent) interface.
  [#12948](https://github.com/Kong/kong/issues/12948)
- **ai-proxy**: Allowed mistral provider to use mistral.ai managed service by omitting `upstream_url`
  [#13481](https://github.com/Kong/kong/issues/13481)
- **ai-proxy**: Added a new response header `X-Kong-LLM-Model` that displays the name of the language model used in the AI-Proxy plugin.
  [#13472](https://github.com/Kong/kong/issues/13472)
- **AI-Prompt-Guard**: Added the `match_all_roles` option to allow matching all roles in addition to `user`.
  [#13183](https://github.com/Kong/kong/issues/13183)
- **AWS-Lambda**: Added support for a configurable STS endpoint with the new configuration field `aws_sts_endpoint_url`.
  [#13388](https://github.com/Kong/kong/issues/13388)
- **AWS-Lambda**: A new configuration field `empty_arrays_mode` is now added to control whether Kong should send `[]` empty arrays (returned by Lambda function) as `[]` empty arrays or `{}` empty objects in JSON responses.
  [#13084](https://github.com/Kong/kong/issues/13084)
- Added support for json_body rename in response-transformer plugin
  [#13131](https://github.com/Kong/kong/issues/13131)
- **OpenTelemetry:** Added support for OpenTelemetry formatted logs.
  [#13291](https://github.com/Kong/kong/issues/13291)
- **standard-webhooks**: Added standard webhooks plugin.
  [#12757](https://github.com/Kong/kong/issues/12757)
- **Request-Transformer**: Fixed an issue where renamed query parameters, url-encoded body parameters, and json body parameters were not handled properly when target name is the same as the source name in the request.
  [#13358](https://github.com/Kong/kong/issues/13358)

##### Admin API

- Added support for brackets syntax for map fields configuration via the Admin API
  [#13313](https://github.com/Kong/kong/issues/13313)

#### Fixes

##### CLI Command

- Fixed an issue where some debug level error logs were not being displayed by the CLI.
  [#13143](https://github.com/Kong/kong/issues/13143)

##### Configuration

- Re-enabled the Lua DNS resolver from proxy-wasm by default.
  [#13424](https://github.com/Kong/kong/issues/13424)

##### Core

- Fixed an issue where luarocks-admin was not available in /usr/local/bin.
  [#13372](https://github.com/Kong/kong/issues/13372)
- Fixed an issue where 'read' was not always passed to Postgres read-only database operations.
  [#13530](https://github.com/Kong/kong/issues/13530)
- Deprecated shorthand fields don't take precedence over replacement fields when both are specified.
  [#13486](https://github.com/Kong/kong/issues/13486)
- Fixed an issue where `lua-nginx-module` context was cleared when `ngx.send_header()` triggered `filter_finalize` [openresty/lua-nginx-module#2323](https://github.com/openresty/lua-nginx-module/pull/2323).
  [#13316](https://github.com/Kong/kong/issues/13316)
- Changed the way deprecated shorthand fields are used with new fields. If the new field contains null, the deprecated field is allowed to overwrite it if both are present in the request.
  [#13592](https://github.com/Kong/kong/issues/13592)
- Fixed an issue where an unnecessary uninitialized variable error log was reported when 400 bad requests were received.
  [#13201](https://github.com/Kong/kong/issues/13201)
- Fixed an issue where the URI captures are unavailable when the first capture group is absent.
  [#13024](https://github.com/Kong/kong/issues/13024)
- Fixed an issue where the priority field can be set in a traditional mode route when 'router_flavor' is configured as 'expressions'.
  [#13142](https://github.com/Kong/kong/issues/13142)
- Fixed an issue where setting `tls_verify` to `false` didn't override the global level `proxy_ssl_verify`.
  [#13470](https://github.com/Kong/kong/issues/13470)
- Fixed an issue where the sni cache isn't invalidated when a sni is updated.
  [#13165](https://github.com/Kong/kong/issues/13165)
- The kong.logrotate configuration file will no longer be overwritten during upgrade. When upgrading, set the environment variable `DEBIAN_FRONTEND=noninteractive` on Debian/Ubuntu to avoid any interactive prompts and enable fully automatic upgrades.
  [#13348](https://github.com/Kong/kong/issues/13348)
- Fixed an issue where the Vault secret cache got refreshed during `resurrect_ttl` time and could not be fetched by other workers.
  [#13561](https://github.com/Kong/kong/issues/13561)
- Error logs during Vault secret rotation are now logged at the `notice` level instead of `warn`.
  [#13540](https://github.com/Kong/kong/issues/13540)
- Fixed a bug where the `host_header` attribute of the upstream entity could not be set correctly as the Host header in requests to upstream when retries to upstream happen.
  [#13135](https://github.com/Kong/kong/issues/13135)
- Moved internal Unix sockets to a subdirectory (`sockets`) of the Kong prefix.
  [#13409](https://github.com/Kong/kong/issues/13409)
- Changed the behaviour of shorthand fields that are used to describe deprecated fields. If both fields are sent in the request and their values mismatch, the request will be rejected.
  [#13594](https://github.com/Kong/kong/issues/13594)
- Reverted DNS client to original behaviour of ignoring ADDITIONAL SECTION in DNS responses.
  [#13278](https://github.com/Kong/kong/issues/13278)
- Shortened names of internal Unix sockets to avoid exceeding the socket name limit.
  [#13571](https://github.com/Kong/kong/issues/13571)

##### PDK

- **PDK**: Fixed a bug where the log serializer would log `upstream_status` as nil in requests that contain a subrequest
  [#12953](https://github.com/Kong/kong/issues/12953)
- **Vault**: Reference ending with slash when parsed should not return a key.
  [#13538](https://github.com/Kong/kong/issues/13538)
- Fixed an issue where `pdk.log.serialize()` would throw an error when the JSON entity set by `serialize_value` contains `json.null`
  [#13376](https://github.com/Kong/kong/issues/13376)

##### Plugin

- **AI-proxy-plugin**: Fixed a bug where certain Azure models would return partial tokens/words when in response-streaming mode.
  [#13000](https://github.com/Kong/kong/issues/13000)
- **AI-Transformer-Plugins**: Fixed a bug where cloud identity authentication was not used in `ai-request-transformer` and `ai-response-transformer` plugins.
  [#13487](https://github.com/Kong/kong/issues/13487)
- **AI-proxy-plugin**: Fixed a bug where Cohere and Anthropic providers don't read the `model` parameter properly from the caller's request body.
  [#13000](https://github.com/Kong/kong/issues/13000)
- **AI-proxy-plugin**: Fixed a bug where using "OpenAI Function" inference requests would log a request error, and then hang until timeout.
  [#13000](https://github.com/Kong/kong/issues/13000)
- **AI-proxy-plugin**: Fixed a bug where AI Proxy would still allow callers to specify their own model, ignoring the plugin-configured model name.
  [#13000](https://github.com/Kong/kong/issues/13000)
- **AI-proxy-plugin**: Fixed a bug where the plugin's configured model tuning options would not take precedence over those in the user's LLM request.
  [#13000](https://github.com/Kong/kong/issues/13000)
- **AI-proxy-plugin**: Fixed a bug where setting OpenAI SDK model parameter "null" caused analytics to not be written to the logging plugin(s).
  [#13000](https://github.com/Kong/kong/issues/13000)
- **ACME**: Fixed an issue of DP reporting that deprecated config fields are used when configuration from CP is pushed
  [#13069](https://github.com/Kong/kong/issues/13069)
- **ACME**: Fixed an issue where username and password were not accepted as valid authentication methods.
  [#13496](https://github.com/Kong/kong/issues/13496)
- **AI-Proxy**: Fixed an issue where the response was gzipped even if the client didn't accept it.
  [#13155](https://github.com/Kong/kong/issues/13155)
- **Prometheus**: Fixed an issue where CP/DP compatibility check was missing for the new configuration field `ai_metrics`.
  [#13417](https://github.com/Kong/kong/issues/13417)
- Fixed an issue where certain AI plugins could not be applied per consumer or per service.
  [#13209](https://github.com/Kong/kong/issues/13209)
- **AI-Prompt-Guard**: Fixed an issue where, when `allow_all_conversation_history` is set to false, the first user request is selected instead of the last one.
  [#13183](https://github.com/Kong/kong/issues/13183)
- **AI-Proxy**: Resolved a bug where the object constructor would set data on the class instead of the instance
  [#13028](https://github.com/Kong/kong/issues/13028)
- **AWS-Lambda**: Fixed an issue where the plugin did not work with multiValueHeaders defined in proxy integration and legacy empty_arrays_mode.
  [#12971](https://github.com/Kong/kong/issues/12971)
- **AWS-Lambda**: Fixed an issue where the `version` field was not set in the request payload when `awsgateway_compatible` is enabled.
  [#13018](https://github.com/Kong/kong/issues/13018)
- **correlation-id**: Fixed an issue where the plugin would not work if we explicitly set the `generator` to `null`.
  [#13439](https://github.com/Kong/kong/issues/13439)
- **CORS**: Fixed an issue where the `Access-Control-Allow-Origin` header was not sent when `conf.origins` has multiple entries but includes `*`.
  [#13334](https://github.com/Kong/kong/issues/13334)
- **grpc-gateway**: When there is a JSON decoding error, respond with status 400 and error information in the body instead of status 500.
  [#12971](https://github.com/Kong/kong/issues/12971)
- **HTTP-Log**: Fixed an issue where the plugin doesn't include port information in the HTTP host header when sending requests to the log server.
  [#13116](https://github.com/Kong/kong/issues/13116)
- **AI Plugins**: Fixed an issue where multi-modal inputs were not properly validated and calculated.
  [#13445](https://github.com/Kong/kong/issues/13445)
- **OpenTelemetry:** Fixed an issue where migration fails when upgrading from below version 3.3 to 3.7.
  [#13391](https://github.com/Kong/kong/issues/13391)
- **OpenTelemetry / Zipkin**: Removed redundant deprecation warnings
  [#13220](https://github.com/Kong/kong/issues/13220)
- **Basic-Auth**: Fixed an issue where the realm field was not recognized for older Kong versions (before 3.6)
  [#13042](https://github.com/Kong/kong/issues/13042)
- **Key-Auth**: Fixed an issue where the realm field was not recognized for older Kong versions (before 3.7)
  [#13042](https://github.com/Kong/kong/issues/13042)
- **Request Size Limiting**: Fixed an issue where the body size doesn't get checked when the request body is buffered to a temporary file.
  [#13303](https://github.com/Kong/kong/issues/13303)
- **Response-RateLimiting**: Fixed an issue of DP reporting that deprecated config fields are used when configuration from CP is pushed
  [#13069](https://github.com/Kong/kong/issues/13069)
- **Rate-Limiting**: Fixed an issue of DP reporting that deprecated config fields are used when configuration from CP is pushed
  [#13069](https://github.com/Kong/kong/issues/13069)
- **OpenTelemetry:** Improved accuracy of sampling decisions.
  [#13275](https://github.com/Kong/kong/issues/13275)
- **hmac-auth**: Add WWW-Authenticate headers to 401 responses.
  [#11791](https://github.com/Kong/kong/issues/11791)
- **Prometheus**: Improved error logging when having inconsistent labels count.
  [#13020](https://github.com/Kong/kong/issues/13020)
- **jwt**: Add WWW-Authenticate headers to 401 responses.
  [#11792](https://github.com/Kong/kong/issues/11792)
- **ldap-auth**: Add WWW-Authenticate headers to all 401 responses.
  [#11820](https://github.com/Kong/kong/issues/11820)
- **OAuth2**: Add WWW-Authenticate headers to all 401 responses and realm option.
  [#11833](https://github.com/Kong/kong/issues/11833)
- **proxy-cache**: Fixed an issue where the Age header was not being updated correctly when serving cached responses.
  [#13387](https://github.com/Kong/kong/issues/13387)
- Fixed a bug where AI semantic cache couldn't use request-provided models
  [#13633](https://github.com/Kong/kong/issues/13633)

##### Admin API

- Fixed an issue where validation of the certificate schema failed if the `snis` field was present in the request body.
  [#13357](https://github.com/Kong/kong/issues/13357)

##### Clustering

- Fixed an issue where hybrid mode did not work if the forward proxy password contained a special character (#). Note that the `proxy_server` configuration parameter still needs to be url-encoded.
  [#13457](https://github.com/Kong/kong/issues/13457)

##### Default

- **AI-proxy**: Added a configuration validation to prevent enabling `log_statistics` on providers that do not support statistics. Accordingly, the default of `log_statistics` is changed from `true` to `false`, and a database migration is added as well for disabling `log_statistics` if it has already been enabled on unsupported providers.
  [#12860](https://github.com/Kong/kong/issues/12860)

### Kong-Manager

#### Features

##### Default

- Improved accessibility in Kong Manager.
  [#13522](https://github.com/Kong/kong-manager/issues/13522)
- Enhanced entity lists so that you can resize or hide list columns.
  [#13522](https://github.com/Kong/kong-manager/issues/13522)
- Added an SNIs field to the certificate form.
  [#264](https://github.com/Kong/kong-manager/issues/264)

#### Fixes

##### Default

- Improved the user experience in Kong Manager by fixing various UI-related issues.
  [#232](https://github.com/Kong/kong-manager/issues/232)
  [#233](https://github.com/Kong/kong-manager/issues/233)
  [#234](https://github.com/Kong/kong-manager/issues/234)
  [#237](https://github.com/Kong/kong-manager/issues/237)
  [#238](https://github.com/Kong/kong-manager/issues/238)
  [#240](https://github.com/Kong/kong-manager/issues/240)
  [#244](https://github.com/Kong/kong-manager/issues/244)
  [#250](https://github.com/Kong/kong-manager/issues/250)
  [#252](https://github.com/Kong/kong-manager/issues/252)
  [#255](https://github.com/Kong/kong-manager/issues/255)
  [#257](https://github.com/Kong/kong-manager/issues/257)
  [#263](https://github.com/Kong/kong-manager/issues/263)
  [#264](https://github.com/Kong/kong-manager/issues/264)
  [#267](https://github.com/Kong/kong-manager/issues/267)
  [#272](https://github.com/Kong/kong-manager/issues/272)

## 3.7.1

### Kong

#### Performance

##### Performance

- Fixed an inefficiency issue in the LuaJIT hashing algorithm
  [#13240](https://github.com/Kong/kong/issues/13240)

## 3.7.0

### Kong

#### Performance

##### Performance

- Improved proxy performance by refactoring internal hooking mechanism.
  [#12784](https://github.com/Kong/kong/issues/12784)
- Sped up the router matching when the `router_flavor` is `traditional_compatible` or `expressions`.
  [#12467](https://github.com/Kong/kong/issues/12467)

##### Plugin

- **Opentelemetry**: Increased queue max batch size to 200.
  [#12488](https://github.com/Kong/kong/issues/12488)

#### Breaking Changes

##### Plugin

- **AI Proxy**: To support the new messages API of `Anthropic`, the upstream path of the `Anthropic` for `llm/v1/chat` route type has changed from `/v1/complete` to `/v1/messages`.
  [#12699](https://github.com/Kong/kong/issues/12699)

#### Dependencies

##### Core

- Bumped atc-router from v1.6.0 to v1.6.2
  [#12231](https://github.com/Kong/kong/issues/12231)
- Bumped libexpat to 2.6.2
  [#12910](https://github.com/Kong/kong/issues/12910)
- Bumped lua-kong-nginx-module from 0.8.0 to 0.11.0
  [#12752](https://github.com/Kong/kong/issues/12752)
- Bumped lua-protobuf to 0.5.1
  [#12834](https://github.com/Kong/kong/issues/12834)
- Bumped lua-resty-acme to 0.13.0
  [#12909](https://github.com/Kong/kong/issues/12909)
- Bumped lua-resty-aws from 1.3.6 to 1.4.1
  [#12846](https://github.com/Kong/kong/issues/12846)
- Bumped lua-resty-lmdb from 1.4.1 to 1.4.2
  [#12786](https://github.com/Kong/kong/issues/12786)
- Bumped lua-resty-openssl from 1.2.0 to 1.3.1
  [#12665](https://github.com/Kong/kong/issues/12665)
- Bumped lua-resty-timer-ng to 0.2.7
  [#12756](https://github.com/Kong/kong/issues/12756)
- Bumped PCRE from the legacy libpcre 8.45 to libpcre2 10.43
  [#12366](https://github.com/Kong/kong/issues/12366)
- Bumped penlight to 1.14.0
  [#12862](https://github.com/Kong/kong/issues/12862)

##### Default

- Added package `tzdata` to DEB Docker image for convenient timezone setting.
  [#12609](https://github.com/Kong/kong/issues/12609)
- Bumped lua-resty-http to 0.17.2.
  [#12908](https://github.com/Kong/kong/issues/12908)
- Bumped LuaRocks from 3.9.2 to 3.11.0
  [#12662](https://github.com/Kong/kong/issues/12662)
- Bumped `ngx_wasm_module` to `91d447ffd0e9bb08f11cc69d1aa9128ec36b4526`
  [#12011](https://github.com/Kong/kong/issues/12011)
- Bumped `V8` version to `12.0.267.17`
  [#12704](https://github.com/Kong/kong/issues/12704)
- Bumped `Wasmtime` version to `19.0.0`
  [#12011](https://github.com/Kong/kong/issues/12011)
- Improved the robustness of lua-cjson when handling unexpected input.
  [#12904](https://github.com/Kong/kong/issues/12904)

#### Features

##### Configuration

- TLSv1.1 and lower versions are disabled by default in OpenSSL 3.x.
  [#12420](https://github.com/Kong/kong/issues/12420)
- Introduced `nginx_wasm_main_shm_kv` configuration parameter, which enables Wasm filters to use the Proxy-Wasm operations `get_shared_data` and `set_shared_data` without namespaced keys.
  [#12663](https://github.com/Kong/kong/issues/12663)
- **Schema**: Added a deprecation field attribute to identify deprecated fields
  [#12686](https://github.com/Kong/kong/issues/12686)
- Added the `wasm_filters` configuration parameter for enabling individual filters
  [#12843](https://github.com/Kong/kong/issues/12843)

##### Core

- Added `events:ai:response_tokens`, `events:ai:prompt_tokens` and `events:ai:requests` to the anonymous report to start counting AI usage
  [#12924](https://github.com/Kong/kong/issues/12924)
- Improved config handling when the CP runs with the router set to the `expressions` flavor:
  - If mixed config is detected and a lower DP is attached to the CP, no config will be sent at all
  - If the expression is invalid on the CP, no config will be sent at all
  - If the expression is invalid on a lower DP, it will be sent to the DP and DP validation will catch this and communicate back to the CP (this could result in partial config application)
  [#12967](https://github.com/Kong/kong/issues/12967)
- The route entity now supports the following fields when the `router_flavor` is `expressions`: `methods`, `hosts`, `paths`, `headers`, `snis`, `sources`, `destinations`, and `regex_priority`. The meaning of these fields is consistent with the traditional route entity.
  [#12667](https://github.com/Kong/kong/issues/12667)

##### PDK

- Added the `latencies.receive` property to the log serializer
  [#12730](https://github.com/Kong/kong/issues/12730)

##### Plugin

- AI Proxy now reads most prompt tuning parameters from the client, while the plugin config parameters under `model_options` are now just defaults. This fixes support for using the respective provider's native SDK.
  [#12903](https://github.com/Kong/kong/issues/12903)
- AI Proxy now has a `preserve` option for `route_type`, where the requests and responses are passed directly to the upstream LLM. This is to enable compatibility with any and all models and SDKs that may be used when calling the AI services.
  [#12903](https://github.com/Kong/kong/issues/12903)
- **Prometheus**: Added workspace label to Prometheus plugin metrics.
  [#12836](https://github.com/Kong/kong/issues/12836)
- **AI Proxy**: Added support for streaming event-by-event responses back to the client on supported providers.
  [#12792](https://github.com/Kong/kong/issues/12792)
- **AI Prompt Guard**: Increased the maximum length of regex expressions to 500 for the allow and deny parameters.
  [#12731](https://github.com/Kong/kong/issues/12731)
- Added support for EdDSA algorithms in JWT plugin
  [#12726](https://github.com/Kong/kong/issues/12726)
- Added support for ES512, PS256, PS384, PS512 algorithms in JWT plugin
  [#12638](https://github.com/Kong/kong/issues/12638)
- **OpenTelemetry, Zipkin**: The propagation module has been reworked. The new options allow better control over the configuration of tracing headers propagation.
  [#12670](https://github.com/Kong/kong/issues/12670)

##### Default

- Added support for debugging with EmmyLuaDebugger. This feature is a tech preview and not officially supported by Kong Inc. for now.
  [#12899](https://github.com/Kong/kong/issues/12899)

#### Fixes

##### CLI Command

- Fixed an issue where the `pg_timeout` was overridden to `60s` even if `--db-timeout` was not explicitly passed in CLI arguments.
  [#12981](https://github.com/Kong/kong/issues/12981)

##### Configuration

- Fixed the default value in kong.conf.default documentation from 1000 to 10000 for the `upstream_keepalive_max_requests` option.
  [#12643](https://github.com/Kong/kong/issues/12643)
- Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API.
[#12718](https://github.com/Kong/kong/issues/12718)
- Disabled usage of the Lua DNS resolver from proxy-wasm by default. [#12825](https://github.com/Kong/kong/issues/12825)
- Set security level of gRPC's TLS to 0 when `ssl_cipher_suite` is set to `old`. [#12613](https://github.com/Kong/kong/issues/12613)

##### Core

- Fixed an issue where `POST /config?flatten_errors=1` could not return a proper response if the input included duplicate upstream targets. [#12797](https://github.com/Kong/kong/issues/12797)
- **DNS Client**: Ignore non-positive values on resolv.conf for options timeout, and use a default value of 2 seconds instead. [#12640](https://github.com/Kong/kong/issues/12640)
- Updated the file permission of `kong.logrotate` to 644. [#12629](https://github.com/Kong/kong/issues/12629)
- Fixed a problem on hybrid mode DPs, where a certificate entity configured with a vault reference may not get refreshed on time. [#12868](https://github.com/Kong/kong/issues/12868)
- Fixed the missing router section for the output of the request-debugging. [#12234](https://github.com/Kong/kong/issues/12234)
- Fixed an issue in the internal caching logic where mutexes could never get unlocked. [#12743](https://github.com/Kong/kong/issues/12743)
- Fixed an issue where the router didn't work correctly when the route's configuration changed. [#12654](https://github.com/Kong/kong/issues/12654)
- Fixed an issue where SNI-based routing didn't work using `tls_passthrough` and the `traditional_compatible` router flavor. [#12681](https://github.com/Kong/kong/issues/12681)
- Fixed a bug that `X-Kong-Upstream-Status` didn't appear in the response headers even if it was set in the `headers` parameter in the `kong.conf` file when the response was hit and returned by the Proxy Cache plugin.
[#12744](https://github.com/Kong/kong/issues/12744)
- Fixed vault initialization by postponing vault reference resolving on init_worker [#12554](https://github.com/Kong/kong/issues/12554)
- Fixed a bug that allowed vault secrets to refresh even when they had no TTL set. [#12877](https://github.com/Kong/kong/issues/12877)
- **Vault**: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix [#12572](https://github.com/Kong/kong/issues/12572)
- **Core**: Fixed unexpected table nil panic in the balancer's stop_healthchecks function [#12865](https://github.com/Kong/kong/issues/12865)
- Use `-1` as the worker ID of privileged agent to avoid access issues. [#12385](https://github.com/Kong/kong/issues/12385)
- **Plugin Server**: Fixed an issue where Kong failed to properly restart MessagePack-based pluginservers (used in Python and Javascript plugins, for example). [#12582](https://github.com/Kong/kong/issues/12582)
- Reverted the hard-coded limitation of the `ngx.read_body()` API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes. [#12658](https://github.com/Kong/kong/issues/12658)
- Each Kong cache instance now utilizes its own cluster event channel. This approach isolates cache invalidation events and reduces the generation of unnecessary worker events. [#12321](https://github.com/Kong/kong/issues/12321)
- Updated telemetry collection for AI Plugins to allow multiple plugins data to be set for the same request. [#12583](https://github.com/Kong/kong/issues/12583)

##### PDK

- **PDK:** Fixed `kong.request.get_forwarded_port` to always return a number, which was caused by an incorrectly stored string value in `ngx.ctx.host_port`. [#12806](https://github.com/Kong/kong/issues/12806)
- The value of `latencies.kong` in the log serializer payload no longer includes the response receive time, so it now has the same value as the `X-Kong-Proxy-Latency` response header.
Response receive time is recorded in the new `latencies.receive` metric, so if desired, the old value can be calculated as `latencies.kong + latencies.receive`. **Note:** this also affects payloads from all logging plugins that use the log serializer: `file-log`, `tcp-log`, `udp-log`, `http-log`, `syslog`, and `loggly`, e.g. [descriptions of JSON objects for the HTTP Log Plugin's log format](https://docs.konghq.com/hub/kong-inc/http-log/log-format/#json-object-descriptions). [#12795](https://github.com/Kong/kong/issues/12795)
- **Tracing**: enhanced robustness of trace ID parsing [#12848](https://github.com/Kong/kong/issues/12848)

##### Plugin

- **AI-proxy-plugin**: Fixed the bug that the `route_type` `/llm/v1/chat` didn't include the analytics in the responses. [#12781](https://github.com/Kong/kong/issues/12781)
- **ACME**: Fixed an issue where the certificate was not successfully renewed during ACME renewal. [#12773](https://github.com/Kong/kong/issues/12773)
- **AWS-Lambda**: Fixed an issue where the latency attributed to AWS Lambda API requests was counted as part of the latency in Kong. [#12835](https://github.com/Kong/kong/issues/12835)
- **Jwt**: Fixed an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms. [#12724](https://github.com/Kong/kong/issues/12724)
- Added WWW-Authenticate headers to all 401 responses in the Key Auth plugin. [#11794](https://github.com/Kong/kong/issues/11794)
- **Opentelemetry**: Fixed an OTEL sampling mode Lua panic bug, which happened when the `http_response_header_for_traceid` option was enabled. [#12544](https://github.com/Kong/kong/issues/12544)
- Improve error handling in AI plugins. [#12991](https://github.com/Kong/kong/issues/12991)
- **ACME**: Fixed migration of redis configuration. [#12989](https://github.com/Kong/kong/issues/12989)
- **Response-RateLimiting**: Fixed migration of redis configuration.
[#12989](https://github.com/Kong/kong/issues/12989)
- **Rate-Limiting**: Fixed migration of redis configuration. [#12989](https://github.com/Kong/kong/issues/12989)

##### Admin API

- **Admin API**: fixed an issue where calling the endpoint `POST /schemas/vaults/validate` was conflicting with the endpoint `/schemas/vaults/:name` which only has GET implemented, hence resulting in a 405. [#12607](https://github.com/Kong/kong/issues/12607)

##### Default

- Fixed a bug where, if the ulimit setting (open files) was low, Kong would fail to start as the `lua-resty-timer-ng` exhausted the available `worker_connections`. Decreased the concurrency range of the `lua-resty-timer-ng` library from `[512, 2048]` to `[256, 1024]` to fix this bug. [#12606](https://github.com/Kong/kong/issues/12606)
- Fix an issue where external plugins using the protobuf-based protocol would fail to call the `kong.Service.SetUpstream` method with an error `bad argument #2 to 'encode' (table expected, got boolean)`. [#12727](https://github.com/Kong/kong/issues/12727)

### Kong-Manager

#### Features

##### Default

- Kong Manager now supports creating and editing Expressions routes with an interactive in-browser editor with syntax highlighting and autocompletion features for Kong's Expressions language. [#217](https://github.com/Kong/kong-manager/issues/217)
- Kong Manager now groups the parameters to provide a better user experience while configuring plugins. Meanwhile, several issues with the plugin form page were fixed.
[#195](https://github.com/Kong/kong-manager/issues/195) [#199](https://github.com/Kong/kong-manager/issues/199) [#201](https://github.com/Kong/kong-manager/issues/201) [#202](https://github.com/Kong/kong-manager/issues/202) [#207](https://github.com/Kong/kong-manager/issues/207) [#208](https://github.com/Kong/kong-manager/issues/208) [#209](https://github.com/Kong/kong-manager/issues/209) [#213](https://github.com/Kong/kong-manager/issues/213) [#216](https://github.com/Kong/kong-manager/issues/216)

#### Fixes

##### Default

- Improved the user experience in Kong Manager by fixing various UI-related issues. [#185](https://github.com/Kong/kong-manager/issues/185) [#188](https://github.com/Kong/kong-manager/issues/188) [#190](https://github.com/Kong/kong-manager/issues/190) [#195](https://github.com/Kong/kong-manager/issues/195) [#199](https://github.com/Kong/kong-manager/issues/199) [#201](https://github.com/Kong/kong-manager/issues/201) [#202](https://github.com/Kong/kong-manager/issues/202) [#207](https://github.com/Kong/kong-manager/issues/207) [#208](https://github.com/Kong/kong-manager/issues/208) [#209](https://github.com/Kong/kong-manager/issues/209) [#213](https://github.com/Kong/kong-manager/issues/213) [#216](https://github.com/Kong/kong-manager/issues/216)

## 3.6.1

### Kong

#### Performance

##### Plugin

- **Opentelemetry**: increase queue max batch size to 200 [#12542](https://github.com/Kong/kong/issues/12542)

#### Dependencies

##### Core

- Bumped lua-resty-openssl to 1.2.1 [#12669](https://github.com/Kong/kong/issues/12669)

#### Features

##### Configuration

- now TLSv1.1 and lower is by default disabled in OpenSSL 3.x [#12556](https://github.com/Kong/kong/issues/12556)

#### Fixes

##### Configuration

- Fixed default value in kong.conf.default documentation from 1000 to 10000 for upstream_keepalive_max_requests option.
[#12648](https://github.com/Kong/kong/issues/12648)
- Set security level of gRPC's TLS to 0 when ssl_cipher_suite is set to old [#12616](https://github.com/Kong/kong/issues/12616)

##### Core

- Fix the missing router section for the output of the request-debugging [#12649](https://github.com/Kong/kong/issues/12649)
- revert the hard-coded limitation of the ngx.read_body() API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes. [#12666](https://github.com/Kong/kong/issues/12666)

##### Default

- Fix a bug where, if the ulimit setting (open files) is low, Kong will fail to start as the lua-resty-timer-ng exhausts the available worker_connections. Decrease the concurrency range of the lua-resty-timer-ng library from [512, 2048] to [256, 1024] to fix this bug. [#12608](https://github.com/Kong/kong/issues/12608)

### Kong-Manager

## 3.6.0

### Kong

#### Performance

##### Performance

- Bumped the concurrency range of the lua-resty-timer-ng library from [32, 256] to [512, 2048]. [#12275](https://github.com/Kong/kong/issues/12275)
- Cooperatively yield when building statistics of routes to reduce the impact to proxy path latency. [#12013](https://github.com/Kong/kong/issues/12013)

##### Configuration

- Bump `dns_stale_ttl` default to 1 hour so stale DNS record can be used for longer time in case of resolver downtime. [#12087](https://github.com/Kong/kong/issues/12087)
- Bumped default values of `nginx_http_keepalive_requests` and `upstream_keepalive_max_requests` to `10000`. These changes are optimized to work better in systems with high throughput. In a low-throughput setting, these new settings may have visible effects in loadbalancing - it can take more requests to start using all the upstreams than before.
[#12223](https://github.com/Kong/kong/issues/12223)

##### Core

- Reuse match context between requests to avoid frequent memory allocation/deallocation [#12258](https://github.com/Kong/kong/issues/12258)

##### PDK

- Performance optimization to avoid unnecessary creations and garbage-collections of spans [#12080](https://github.com/Kong/kong/issues/12080)

#### Breaking Changes

##### Core

- **BREAKING:** To avoid ambiguity with other Wasm-related nginx.conf directives, the prefix for Wasm `shm_kv` nginx.conf directives was changed from `nginx_wasm_shm_` to `nginx_wasm_shm_kv_` [#11919](https://github.com/Kong/kong/issues/11919)
- In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled. [#7714](https://github.com/Kong/kong/issues/7714)

##### Plugin

- **azure-functions**: azure-functions plugin now eliminates upstream/request URI and only uses the `routeprefix` configuration field to construct request path when requesting Azure API [#11850](https://github.com/Kong/kong/issues/11850)

#### Deprecations

##### Plugin

- **ACME**: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins. [#12300](https://github.com/Kong/kong/issues/12300)
- **Rate Limiting**: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins. [#12301](https://github.com/Kong/kong/issues/12301)
- **Response-RateLimiting**: Standardize redis configuration across plugins. The redis configuration right now follows common schema that is shared across other plugins.
[#12301](https://github.com/Kong/kong/issues/12301)

#### Dependencies

##### Core

- Bumped atc-router from 1.2.0 to 1.6.0 [#12231](https://github.com/Kong/kong/issues/12231)
- Bumped kong-lapis from 1.14.0.3 to 1.16.0.1 [#12064](https://github.com/Kong/kong/issues/12064)
- Bumped LPEG from 1.0.2 to 1.1.0 [#11955](https://github.com/Kong/kong/issues/11955) [UTF-8](https://konghq.atlassian.net/browse/UTF-8)
- Bumped lua-messagepack from 0.5.2 to 0.5.3 [#11956](https://github.com/Kong/kong/issues/11956)
- Bumped lua-messagepack from 0.5.3 to 0.5.4 [#12076](https://github.com/Kong/kong/issues/12076)
- Bumped lua-resty-aws from 1.3.5 to 1.3.6 [#12439](https://github.com/Kong/kong/issues/12439)
- Bumped lua-resty-healthcheck from 3.0.0 to 3.0.1 [#12237](https://github.com/Kong/kong/issues/12237)
- Bumped lua-resty-lmdb from 1.3.0 to 1.4.1 [#12026](https://github.com/Kong/kong/issues/12026)
- Bumped lua-resty-timer-ng from 0.2.5 to 0.2.6 [#12275](https://github.com/Kong/kong/issues/12275)
- Bumped OpenResty from 1.21.4.2 to 1.25.3.1 [#12327](https://github.com/Kong/kong/issues/12327)
- Bumped OpenSSL from 3.1.4 to 3.2.1 [#12264](https://github.com/Kong/kong/issues/12264)
- Bump resty-openssl from 0.8.25 to 1.2.0 [#12265](https://github.com/Kong/kong/issues/12265)
- Bumped ngx_brotli to master branch, and disabled it on rhel7 rhel9-arm64 and amazonlinux-2023-arm64 due to toolchain issues [#12444](https://github.com/Kong/kong/issues/12444)
- Bumped lua-resty-healthcheck from 1.6.3 to 3.0.0 [#11834](https://github.com/Kong/kong/issues/11834)

##### Default

- Bump `ngx_wasm_module` to `a7087a37f0d423707366a694630f1e09f4c21728` [#12011](https://github.com/Kong/kong/issues/12011)
- Bump `Wasmtime` version to `14.0.3` [#12011](https://github.com/Kong/kong/issues/12011)

#### Features

##### Configuration

- display a warning message when Kong Manager is enabled but the Admin API is not enabled [#12071](https://github.com/Kong/kong/issues/12071)
- add DHE-RSA-CHACHA20-POLY1305 cipher
to the intermediate configuration [#12133](https://github.com/Kong/kong/issues/12133)
- The default value of `dns_no_sync` option has been changed to `off` [#11869](https://github.com/Kong/kong/issues/11869)
- Allow to inject Nginx directives into Kong's proxy location block [#11623](https://github.com/Kong/kong/issues/11623)
- Validate LMDB cache by Kong's version (major + minor), wiping the content if tag mismatch to avoid compatibility issues during minor version upgrade. [#12026](https://github.com/Kong/kong/issues/12026)

##### Core

- Adds telemetry collection for AI Proxy, AI Request Transformer, and AI Response Transformer, pertaining to model and provider usage. [#12495](https://github.com/Kong/kong/issues/12495)
- add ngx_brotli module to kong prebuild nginx [#12367](https://github.com/Kong/kong/issues/12367)
- Allow primary key passed as a full entity to DAO functions. [#11695](https://github.com/Kong/kong/issues/11695)
- Build deb packages for Debian 12. The debian variant of kong docker image is built using Debian 12 now. [#12218](https://github.com/Kong/kong/issues/12218)
- The expressions route now supports the `!` (not) operator, which allows creating routes like `!(http.path =^ "/a")` and `!(http.path == "/a" || http.path == "/b")` [#12419](https://github.com/Kong/kong/issues/12419)
- Add `source` property to log serializer, indicating the response is generated by `kong` or `upstream`. [#12052](https://github.com/Kong/kong/issues/12052)
- Ensure Kong-owned directories are cleaned up after an uninstall using the system's package manager. [#12162](https://github.com/Kong/kong/issues/12162)
- Support `http.path.segments.len` and `http.path.segments.*` fields in the expressions router which allows matching incoming (normalized) request path by individual segment or ranges of segments, plus checking the total number of segments.
[#12283](https://github.com/Kong/kong/issues/12283)
- `net.src.*` and `net.dst.*` match fields are now accessible in HTTP routes defined using expressions. [#11950](https://github.com/Kong/kong/issues/11950)
- Extend support for getting and setting Gateway values via proxy-wasm properties in the `kong.*` namespace. [#11856](https://github.com/Kong/kong/issues/11856)

##### PDK

- Increase the precision of JSON number encoding from 14 to 16 decimals [#12019](https://github.com/Kong/kong/issues/12019)

##### Plugin

- Introduced the new **AI Prompt Decorator** plugin that enables prepending and appending llm/v1/chat messages onto consumer LLM requests, for prompt tuning. [#12336](https://github.com/Kong/kong/issues/12336)
- Introduced the new **AI Prompt Guard** which can allow and/or block LLM requests based on pattern matching. [#12427](https://github.com/Kong/kong/issues/12427)
- Introduced the new **AI Prompt Template** which can offer consumers an array of LLM prompt templates, with variable substitutions. [#12340](https://github.com/Kong/kong/issues/12340)
- Introduced the new **AI Proxy** plugin that enables simplified integration with various AI provider Large Language Models. [#12323](https://github.com/Kong/kong/issues/12323)
- Introduced the new **AI Request Transformer** plugin that enables passing mid-flight consumer requests to an LLM for transformation or sanitization. [#12426](https://github.com/Kong/kong/issues/12426)
- Introduced the new **AI Response Transformer** plugin that enables passing mid-flight upstream responses to an LLM for transformation or sanitization. [#12426](https://github.com/Kong/kong/issues/12426)
- Tracing Sampling Rate can now be set via the `config.sampling_rate` property of the OpenTelemetry plugin instead of it just being a global setting for the gateway.
[#12054](https://github.com/Kong/kong/issues/12054)

##### Admin API

- add gateway edition to the root endpoint of the admin api [#12097](https://github.com/Kong/kong/issues/12097)
- Enable `status_listen` on `127.0.0.1:8007` by default [#12304](https://github.com/Kong/kong/issues/12304)

##### Clustering

- **Clustering**: Expose data plane certificate expiry date on the control plane API. [#11921](https://github.com/Kong/kong/issues/11921)

#### Fixes

##### Configuration

- fix error data loss caused by weakly typed of function in declarative_config_flattened function [#12167](https://github.com/Kong/kong/issues/12167)
- respect custom `proxy_access_log` [#12073](https://github.com/Kong/kong/issues/12073)

##### Core

- prevent ca to be deleted when it's still referenced by other entities and invalidate the related ca store caches when a ca cert is updated. [#11789](https://github.com/Kong/kong/issues/11789)
- Now cookie names are validated against RFC 6265, which allows more characters than the previous validation. [#11881](https://github.com/Kong/kong/issues/11881)
- Remove nulls only if the schema has transformations definitions. Improve performance as most schemas do not define transformations. [#12284](https://github.com/Kong/kong/issues/12284)
- Fix a bug that the error_handler can not provide the meaningful response body when the internal error code 494 is triggered. [#12114](https://github.com/Kong/kong/issues/12114)
- Header value matching (`http.headers.*`) in the `expressions` router flavor is now case sensitive. This change does not affect `traditional_compatible` mode, where header value matching is always performed ignoring the case. [#11905](https://github.com/Kong/kong/issues/11905)
- print error message correctly when plugin fails [#11800](https://github.com/Kong/kong/issues/11800)
- fix ldoc intermittent failure caused by LuaJIT error.
[#11983](https://github.com/Kong/kong/issues/11983)
- use NGX_WASM_MODULE_BRANCH environment variable to set ngx_wasm_module repository branch when building Kong. [#12241](https://github.com/Kong/kong/issues/12241)
- Eliminate asynchronous timer in syncQuery() to prevent hang risk [#11900](https://github.com/Kong/kong/issues/11900)
- **tracing:** Fixed an issue where a DNS query failure would cause a tracing failure. [#11935](https://github.com/Kong/kong/issues/11935)
- Expressions route in `http` and `stream` subsystem now have stricter validation. Previously they share the same validation schema which means admin can configure expressions route using fields like `http.path` even for stream routes. This is no longer allowed. [#11914](https://github.com/Kong/kong/issues/11914)
- **Tracing**: dns spans are now correctly generated for upstream dns queries (in addition to cosocket ones) [#11996](https://github.com/Kong/kong/issues/11996)
- Validate private and public key for `keys` entity to ensure they match each other. [#11923](https://github.com/Kong/kong/issues/11923)
- **proxy-wasm**: Fixed "previous plan already attached" error thrown when a filter triggers re-entrancy of the access handler. [#12452](https://github.com/Kong/kong/issues/12452)

##### PDK

- response.set_header support header argument with table array of string [#12164](https://github.com/Kong/kong/issues/12164)
- Fix an issue that when using kong.response.exit, the Transfer-Encoding header set by user is not removed [#11936](https://github.com/Kong/kong/issues/11936)
- **Plugin Server**: fix an issue where every request causes a new plugin instance to be created [#12020](https://github.com/Kong/kong/issues/12020)

##### Plugin

- Add missing WWW-Authenticate headers to 401 response in basic auth plugin.
[#11795](https://github.com/Kong/kong/issues/11795)
- Enhance error responses for authentication failures in the Admin API [#12456](https://github.com/Kong/kong/issues/12456)
- Expose metrics for serviceless routes [#11781](https://github.com/Kong/kong/issues/11781)
- **Rate Limiting**: fix to provide better accuracy in counters when sync_rate is used with the redis policy. [#11859](https://github.com/Kong/kong/issues/11859)
- **Rate Limiting**: fix an issue where all counters are synced to the same DB at the same rate. [#12003](https://github.com/Kong/kong/issues/12003)
- **Datadog**: Fix a bug that datadog plugin is not triggered for serviceless routes. In this fix, datadog plugin is always triggered, and the value of tag `name`(service_name) is set as an empty value. [#12068](https://github.com/Kong/kong/issues/12068)

##### Clustering

- Fix a bug causing data-plane status updates to fail when an empty PING frame is received from a data-plane [#11917](https://github.com/Kong/kong/issues/11917)

### Kong-Manager

#### Features

##### Default

- Added a JSON/YAML format preview for all entity forms. [#157](https://github.com/Kong/kong-manager/issues/157)
- Adopted redesigned basic components for better UI/UX. [#131](https://github.com/Kong/kong-manager/issues/131) [#166](https://github.com/Kong/kong-manager/issues/166)
- Kong Manager and Konnect now share the same UI for plugin selection page and plugin form page. [#143](https://github.com/Kong/kong-manager/issues/143) [#147](https://github.com/Kong/kong-manager/issues/147)

#### Fixes

##### Default

- Standardized notification text format.
[#140](https://github.com/Kong/kong-manager/issues/140)

## 3.5.0

### Kong

#### Performance

##### Configuration

- Bumped the default value of `upstream_keepalive_pool_size` to `512` and `upstream_keepalive_max_requests` to `1000` [#11515](https://github.com/Kong/kong/issues/11515)

##### Core

- refactor workspace id and name retrieval [#11442](https://github.com/Kong/kong/issues/11442)

#### Breaking Changes

##### Plugin

- **Session**: a new configuration field `read_body_for_logout` was added with a default value of `false`, that changes behavior of `logout_post_arg` in a way that it is not anymore considered if the `read_body_for_logout` is not explicitly set to `true`. This is to avoid session plugin from reading request bodies by default on e.g. `POST` request for logout detection. [#10333](https://github.com/Kong/kong/issues/10333)

#### Dependencies

##### Core

- Bumped resty.openssl from 0.8.23 to 0.8.25 [#11518](https://github.com/Kong/kong/issues/11518)
- Fix incorrect LuaJIT register allocation for IR_*LOAD on ARM64 [#11638](https://github.com/Kong/kong/issues/11638)
- Fix LDP/STP fusing for unaligned accesses on ARM64 [#11639](https://github.com/Kong/kong/issues/11639)
- Bump lua-kong-nginx-module from 0.6.0 to 0.8.0 [#11663](https://github.com/Kong/kong/issues/11663)
- Fix incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic [#11537](https://github.com/Kong/kong/issues/11537)

##### Default

- Bumped lua-resty-healthcheck from 1.6.2 to 1.6.3 [#11360](https://github.com/Kong/kong/issues/11360)
- Bumped OpenResty from 1.21.4.1 to 1.21.4.2 [#11360](https://github.com/Kong/kong/issues/11360)
- Bumped LuaSec from 1.3.1 to 1.3.2 [#11553](https://github.com/Kong/kong/issues/11553)
- Bumped lua-resty-aws from 1.3.1 to 1.3.5 [#11613](https://github.com/Kong/kong/issues/11613)
- bump OpenSSL from 3.1.1 to 3.1.4 [#11844](https://github.com/Kong/kong/issues/11844)
- Bumped kong-lapis from 1.14.0.2 to 1.14.0.3
[#11849](https://github.com/Kong/kong/issues/11849)
- Bumped ngx_wasm_module to latest rolling release version. [#11678](https://github.com/Kong/kong/issues/11678)
- Bump Wasmtime version to 12.0.2 [#11738](https://github.com/Kong/kong/issues/11738)
- Bumped lua-resty-aws from 1.3.0 to 1.3.1 [#11419](https://github.com/Kong/kong/pull/11419)
- Bumped lua-resty-session from 4.0.4 to 4.0.5 [#11416](https://github.com/Kong/kong/pull/11416)

#### Features

##### Core

- Add a new endpoint `/schemas/vaults/:name` to retrieve the schema of a vault. [#11727](https://github.com/Kong/kong/issues/11727)
- rename `privileged_agent` to `dedicated_config_processing`. Enable `dedicated_config_processing` by default [#11784](https://github.com/Kong/kong/issues/11784)
- Support observing the time consumed by some components in the given request. [#11627](https://github.com/Kong/kong/issues/11627)
- Plugins can now implement `Plugin:configure(configs)` function that is called whenever there is a change in plugin entities. An array of current plugin configurations is passed to the function, or `nil` in case there is no active configurations for the plugin. [#11703](https://github.com/Kong/kong/issues/11703)
- Add a request-aware table able to detect accesses from different requests. [#11017](https://github.com/Kong/kong/issues/11017)
- A unique Request ID is now populated in the error log, access log, error templates, log serializer, and in a new X-Kong-Request-Id header (configurable for upstream/downstream using the `headers` and `headers_upstream` configuration options). [#11663](https://github.com/Kong/kong/issues/11663)
- Add support for optional Wasm filter configuration schemas [#11568](https://github.com/Kong/kong/issues/11568)
- Support JSON in Wasm filter configuration [#11697](https://github.com/Kong/kong/issues/11697)
- Support HTTP query parameters in expression routes.
[#11348](https://github.com/Kong/kong/pull/11348)

##### Plugin

- **response-ratelimiting**: add support for secret rotation with redis connection [#10570](https://github.com/Kong/kong/issues/10570)
- **CORS**: Support the `Access-Control-Request-Private-Network` header in cross-origin preflight requests [#11523](https://github.com/Kong/kong/issues/11523)
- add scan_count to redis storage schema [#11532](https://github.com/Kong/kong/issues/11532)
- **AWS-Lambda**: the AWS-Lambda plugin has been refactored by using `lua-resty-aws` as an underlying AWS library. The refactor simplifies the AWS-Lambda plugin code base and adds support for multiple IAM authenticating scenarios. [#11350](https://github.com/Kong/kong/pull/11350)
- **OpenTelemetry** and **Zipkin**: Support GCP X-Cloud-Trace-Context header. The field `header_type` now accepts the value `gcp` to propagate the Google Cloud trace header [#11254](https://github.com/Kong/kong/pull/11254)

##### Clustering

- **Clustering**: Allow configuring DP metadata labels for on-premise CP Gateway [#11625](https://github.com/Kong/kong/issues/11625)

#### Fixes

##### Configuration

- The default value of `dns_no_sync` option has been changed to `on` [#11871](https://github.com/Kong/kong/issues/11871)

##### Core

- Fix an issue that the TTL of the key-auth plugin didn't work in DB-less and Hybrid mode. [#11464](https://github.com/Kong/kong/issues/11464)
- Fix a problem that abnormal socket connection will be reused when querying Postgres database.
[#11480](https://github.com/Kong/kong/issues/11480)
- Fix upstream ssl failure when plugins use response handler [#11502](https://github.com/Kong/kong/issues/11502)
- Fix an issue that protocol `tls_passthrough` can not work with expressions flavor [#11538](https://github.com/Kong/kong/issues/11538)
- Fix a bug that will cause a failure of sending tracing data to datadog when value of x-datadog-parent-id header in requests is a short dec string [#11599](https://github.com/Kong/kong/issues/11599)
- Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487) [#11743](https://github.com/Kong/kong/issues/11743)
- fix the building failure when applying patches [#11696](https://github.com/Kong/kong/issues/11696)
- Vault references can be used in Dbless mode in declarative config [#11845](https://github.com/Kong/kong/issues/11845)
- Properly warmup Vault caches on init [#11827](https://github.com/Kong/kong/issues/11827)
- Vault resurrect time is respected in case a vault secret is deleted from a vault [#11852](https://github.com/Kong/kong/issues/11852)
- Fixed critical level logs when starting external plugin servers. Those logs cannot be suppressed due to the limitation of OpenResty. We choose to remove the socket availability detection feature. [#11372](https://github.com/Kong/kong/pull/11372)
- Fix an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different Route or Service entities. [#11306](https://github.com/Kong/kong/pull/11306)
- Fix an issue where cluster_cert or cluster_ca_cert is inserted into lua_ssl_trusted_certificate before being base64 decoded. [#11385](https://github.com/Kong/kong/pull/11385)
- Fix cache warmup mechanism not working in `acls` plugin groups config entity scenario.
[#11414](https://github.com/Kong/kong/pull/11414)
- Fix an issue that queue stops processing when a hard error is encountered in the handler function. [#11423](https://github.com/Kong/kong/pull/11423)
- Fix an issue that query parameters are not forwarded in proxied request. Thanks [@chirag-manwani](https://github.com/chirag-manwani) for contributing this change. [#11328](https://github.com/Kong/kong/pull/11328)
- Fix an issue that response status code is not real upstream status when using kong.response function. [#11437](https://github.com/Kong/kong/pull/11437)
- Removed a hardcoded proxy-wasm isolation level setting that was preventing the `nginx_http_proxy_wasm_isolation` configuration value from taking effect. [#11407](https://github.com/Kong/kong/pull/11407)

##### PDK

- Fix several issues in Vault and refactor the Vault code base:
  - Make DAOs to fallback to empty string when resolving Vault references fail
  - Use node level mutex when rotation references
  - Refresh references on config changes
  - Update plugin referenced values only once per request
  - Pass only the valid config options to vault implementations
  - Resolve multi-value secrets only once when rotating them
  - Do not start vault secrets rotation timer on control planes
  - Re-enable negative caching
  - Reimplement the kong.vault.try function
  - Remove references from rotation in case their configuration has changed [#11652](https://github.com/Kong/kong/issues/11652)
- Fix response body gets repeated when `kong.response.get_raw_body()` is called multiple times in a request lifecycle. [#11424](https://github.com/Kong/kong/issues/11424)
- Tracing: fix an issue that resulted in some parent spans to end before their children due to different precision of their timestamps [#11484](https://github.com/Kong/kong/issues/11484)
- Fix a bug related to data interference between requests in the kong.log.serialize function.
  [#11566](https://github.com/Kong/kong/issues/11566)

##### Plugin

- **Opentelemetry**: fix an issue that resulted in invalid parent IDs in the propagated tracing headers
  [#11468](https://github.com/Kong/kong/issues/11468)
- **AWS-Lambda**: let plugin-level proxy take effect on EKS IRSA credential provider
  [#11551](https://github.com/Kong/kong/issues/11551)
- Cache the AWS lambda service by those lambda service related fields
  [#11821](https://github.com/Kong/kong/issues/11821)
- **Opentelemetry**: fix an issue that resulted in traces with invalid parent IDs when `balancer` instrumentation was enabled
  [#11830](https://github.com/Kong/kong/issues/11830)
- **tcp-log**: fix an issue of unnecessary handshakes when reusing TLS connection
  [#11848](https://github.com/Kong/kong/issues/11848)
- **OAuth2**: For OAuth2 plugin, `scope` has been taken into account as a new criterion of the request validation. When refreshing token with `refresh_token`, the scopes associated with the `refresh_token` provided in the request must be the same as, or a subset of, the scopes configured in the OAuth2 plugin instance hit by the request.
  [#11342](https://github.com/Kong/kong/pull/11342)
- When the worker is in shutdown mode and more data is immediately available without waiting for `max_coalescing_delay`, queues are now cleared in batches. Thanks [@JensErat](https://github.com/JensErat) for contributing this change.
  [#11376](https://github.com/Kong/kong/pull/11376)
- A race condition in the plugin queue could potentially crash the worker when `max_entries` was set to `max_batch_size`.
  [#11378](https://github.com/Kong/kong/pull/11378)
- **AWS-Lambda**: fix an issue that the AWS-Lambda plugin cannot extract a json encoded proxy integration response.
  [#11413](https://github.com/Kong/kong/pull/11413)

##### Default

- Restore lapis & luarocks-admin bins
  [#11578](https://github.com/Kong/kong/issues/11578)

### Kong-Manager

#### Features

##### Default

- Add `JSON` and `YAML` formats in entity config cards.
  [#111](https://github.com/Kong/kong-manager/issues/111)
- Plugin form fields now display descriptions from backend schema.
  [#66](https://github.com/Kong/kong-manager/issues/66)
- Add the `protocols` field in plugin form.
  [#93](https://github.com/Kong/kong-manager/issues/93)
- The upstream target list shows the `Mark Healthy` and `Mark Unhealthy` action items when certain conditions are met.
  [#86](https://github.com/Kong/kong-manager/issues/86)

#### Fixes

##### Default

- Fix incorrect port number in Port Details.
  [#103](https://github.com/Kong/kong-manager/issues/103)
- Fix a bug where the `proxy-cache` plugin cannot be installed.
  [#104](https://github.com/Kong/kong-manager/issues/104)

## 3.4.2

### Kong

#### Fixes

##### Core

- Apply Nginx patch for detecting HTTP/2 stream reset attacks early (CVE-2023-44487)
  [#11743](https://github.com/Kong/kong/issues/11743) [CVE-2023](https://konghq.atlassian.net/browse/CVE-2023) [nginx-1](https://konghq.atlassian.net/browse/nginx-1) [SIR-435](https://konghq.atlassian.net/browse/SIR-435)

## 3.4.1

### Kong

#### Additions

##### Core

- Support HTTP query parameters in expression routes.
  [#11348](https://github.com/Kong/kong/pull/11348)

#### Dependencies

##### Core

- Fix incorrect LuaJIT LDP/STP fusion on ARM64 which may sometimes cause incorrect logic
  [#11537](https://github.com/Kong/kong-ee/issues/11537)

#### Fixes

##### Core

- Removed a hardcoded proxy-wasm isolation level setting that was preventing the `nginx_http_proxy_wasm_isolation` configuration value from taking effect.
  [#11407](https://github.com/Kong/kong/pull/11407)
- Fix an issue that the TTL of the key-auth plugin didn't work in DB-less and Hybrid mode.
  [#11464](https://github.com/Kong/kong-ee/issues/11464)
- Fix a problem that abnormal socket connection will be reused when querying Postgres database.
  [#11480](https://github.com/Kong/kong-ee/issues/11480)
- Fix upstream ssl failure when plugins use response handler
  [#11502](https://github.com/Kong/kong-ee/issues/11502)
- Fix an issue that protocol `tls_passthrough` can not work with expressions flavor
  [#11538](https://github.com/Kong/kong-ee/issues/11538)

##### PDK

- Fix several issues in Vault and refactor the Vault code base:
  - Make DAOs to fallback to empty string when resolving Vault references fail
  - Use node level mutex when rotation references
  - Refresh references on config changes
  - Update plugin referenced values only once per request
  - Pass only the valid config options to vault implementations
  - Resolve multi-value secrets only once when rotating them
  - Do not start vault secrets rotation timer on control planes
  - Re-enable negative caching
  - Reimplement the kong.vault.try function
  - Remove references from rotation in case their configuration has changed

  [#11402](https://github.com/Kong/kong-ee/issues/11402)
- Tracing: fix an issue that resulted in some parent spans to end before their children due to different precision of their timestamps
  [#11484](https://github.com/Kong/kong-ee/issues/11484)

##### Plugin

- **Opentelemetry**: fix an issue that resulted in invalid parent IDs in the propagated tracing headers
  [#11468](https://github.com/Kong/kong-ee/issues/11468)

### Kong Manager

#### Fixes

- Fixed entity docs link.
  [#92](https://github.com/Kong/kong-manager/pull/92)

## 3.4.0

### Breaking Changes

- :warning: Alpine packages and Docker images based on Alpine are no longer supported
  [#10926](https://github.com/Kong/kong/pull/10926)
- :warning: Cassandra as a datastore for Kong is no longer supported
  [#10931](https://github.com/Kong/kong/pull/10931)
- Ubuntu 18.04 artifacts are no longer supported as it's EOL
- AmazonLinux 2022 artifacts are renamed to AmazonLinux 2023 according to AWS's decision

### Deprecations

- **CentOS packages are now removed from the release and are no longer supported in future versions.**

### Additions

#### Core

- Enable `expressions` and `traditional_compatible` router flavor in stream subsystem.
  [#11071](https://github.com/Kong/kong/pull/11071)
- Make upstream `host_header` and router `preserve_host` config work in stream tls proxy.
  [#11244](https://github.com/Kong/kong/pull/11244)
- Add beta support for WebAssembly/proxy-wasm
  [#11218](https://github.com/Kong/kong/pull/11218)
- '/schemas' endpoint returns additional information about cross-field validation as part of the schema. This should help tools that use the Admin API to perform better client-side validation.
  [#11108](https://github.com/Kong/kong/pull/11108)

#### Kong Manager

- First release of the Kong Manager Open Source Edition.
  [#11131](https://github.com/Kong/kong/pull/11131)

#### Plugins

- **OpenTelemetry**: Support AWS X-Ray propagation header.
  The field `header_type` now accepts the `aws` value to handle this specific propagation header.
  [11075](https://github.com/Kong/kong/pull/11075)
- **Opentelemetry**: Support the `endpoint` parameter as referenceable.
  [#11220](https://github.com/Kong/kong/pull/11220)
- **Ip-Restriction**: Add TCP support to the plugin. Thanks [@scrudge](https://github.com/scrudge) for contributing this change.
  [#10245](https://github.com/Kong/kong/pull/10245)

#### Performance

- In dbless mode, the declarative schema is now fully initialized at startup instead of on-demand in the request path. This is most evident in decreased response latency when updating configuration via the `/config` API endpoint.
  [#10932](https://github.com/Kong/kong/pull/10932)
- The Prometheus plugin has been optimized to reduce proxy latency impacts during scraping.
  [#10949](https://github.com/Kong/kong/pull/10949) [#11040](https://github.com/Kong/kong/pull/11040) [#11065](https://github.com/Kong/kong/pull/11065)

### Fixes

#### Core

- Declarative config now performs proper uniqueness checks against its inputs: previously, it would silently drop entries with conflicting primary/endpoint keys, or accept conflicting unique fields silently.
  [#11199](https://github.com/Kong/kong/pull/11199)
- Fixed a bug that causes `POST /config?flatten_errors=1` to throw an exception and return a 500 error under certain circumstances.
  [#10896](https://github.com/Kong/kong/pull/10896)
- Fix a bug when worker consuming dynamic log level setting event and using a wrong reference for notice logging
  [#10897](https://github.com/Kong/kong/pull/10897)
- Added a `User=` specification to the systemd unit definition so that Kong can be controlled by systemd again.
  [#11066](https://github.com/Kong/kong/pull/11066)
- Fix a bug that caused sampling rate to be applied to individual spans producing split traces.
  [#11135](https://github.com/Kong/kong/pull/11135)
- Fix a bug that caused spans to not be instrumented with http.status_code when the request was not proxied to an upstream. Thanks [@backjo](https://github.com/backjo) for contributing this change.
  [#11152](https://github.com/Kong/kong/pull/11152), [#11406](https://github.com/Kong/kong/pull/11406)
- Fix a bug that caused the router to fail in `traditional_compatible` mode when a route with multiple paths and no service was created.
  [#11158](https://github.com/Kong/kong/pull/11158)
- Fix an issue where the router of flavor `expressions` can not work correctly when `route.protocols` is set to `grpc` or `grpcs`.
  [#11082](https://github.com/Kong/kong/pull/11082)
- Fix an issue where the router of flavor `expressions` can not configure https redirection.
  [#11166](https://github.com/Kong/kong/pull/11166)
- Added new span attribute `net.peer.name` if balancer_data.hostname is available. Thanks [@backjo](https://github.com/backjo) for contributing this change.
  [#10723](https://github.com/Kong/kong/pull/10729)
- Make `kong vault get` CLI command work in dbless mode by injecting the necessary directives into the kong cli nginx.conf.
  [#11127](https://github.com/Kong/kong/pull/11127) [#11291](https://github.com/Kong/kong/pull/11291)
- Fix an issue where a crashing Go plugin server process would cause subsequent requests proxied through Kong to execute Go plugins with inconsistent configurations. The issue only affects scenarios where the same Go plugin is applied to different Route or Service entities.
  [#11306](https://github.com/Kong/kong/pull/11306)
- Fix an issue where cluster_cert or cluster_ca_cert is inserted into lua_ssl_trusted_certificate before being base64 decoded.
  [#11385](https://github.com/Kong/kong/pull/11385)
- Update the DNS client to follow configured timeouts in a more predictable manner. Also fix a corner case in its behavior that could cause it to resolve incorrectly during transient network and DNS server failures.
  [#11386](https://github.com/Kong/kong/pull/11386)

#### Admin API

- Fix an issue where `/schemas/plugins/validate` endpoint fails to validate valid plugin configuration when the key of `custom_fields_by_lua` contains dot character(s).
  [#11091](https://github.com/Kong/kong/pull/11091)
- Fix an issue with the `/tags/:tag` Admin API returning a JSON object (`{}`) instead of an array (`[]`) for empty data sets.
  [#11213](https://github.com/Kong/kong/pull/11213)

#### Plugins

- **Response Transformer**: fix an issue that plugin does not transform the response body while upstream returns a Content-Type with +json suffix at subtype.
  [#10656](https://github.com/Kong/kong/pull/10656)
- **grpc-gateway**: Fixed an issue that empty (all default value) messages can not be unframed correctly.
  [#10836](https://github.com/Kong/kong/pull/10836)
- **ACME**: Fixed sanity test can't work with "kong" storage in Hybrid mode
  [#10852](https://github.com/Kong/kong/pull/10852)
- **rate-limiting**: Fixed an issue that impact the accuracy with the `redis` policy. Thanks [@giovanibrioni](https://github.com/giovanibrioni) for contributing this change.
  [#10559](https://github.com/Kong/kong/pull/10559)
- **Zipkin**: Fixed an issue that traces not being generated correctly when instrumentations are enabled.
  [#10983](https://github.com/Kong/kong/pull/10983)
- **Acme**: Fixed string concatenation on cert renewal errors
  [#11364](https://github.com/Kong/kong/pull/11364)
- Validation for queue related parameters has been improved. `max_batch_size`, `max_entries` and `max_bytes` are now `integer`s instead of `number`s. `initial_retry_delay` and `max_retry_delay` must now be `number`s greater than 0.001 (seconds).
  [#10840](https://github.com/Kong/kong/pull/10840)

### Changed

#### Core

- Tracing: new attribute `http.route` added to http request spans.
  [#10981](https://github.com/Kong/kong/pull/10981)
- The default value of `lmdb_map_size` config has been bumped to `2048m` from `128m` to accommodate most commonly deployed config sizes in DB-less and Hybrid mode.
  [#11047](https://github.com/Kong/kong/pull/11047)
- The default value of `cluster_max_payload` config has been bumped to `16m` from `4m` to accommodate most commonly deployed config sizes in Hybrid mode.
  [#11090](https://github.com/Kong/kong/pull/11090)
- Remove kong branding from kong HTML error template.
  [#11150](https://github.com/Kong/kong/pull/11150)
- Drop luasocket in cli
  [#11177](https://github.com/Kong/kong/pull/11177)

#### Status API

- Remove the database information from the status API when operating in dbless mode or data plane.
  [#10995](https://github.com/Kong/kong/pull/10995)

### Dependencies

- Bumped lua-resty-openssl from 0.8.20 to 0.8.23
  [#10837](https://github.com/Kong/kong/pull/10837) [#11099](https://github.com/Kong/kong/pull/11099)
- Bumped kong-lapis from 1.8.3.1 to 1.14.0.2
  [#10841](https://github.com/Kong/kong/pull/10841)
- Bumped lua-resty-events from 0.1.4 to 0.2.0
  [#10883](https://github.com/Kong/kong/pull/10883) [#11083](https://github.com/Kong/kong/pull/11083) [#11214](https://github.com/Kong/kong/pull/11214)
- Bumped lua-resty-session from 4.0.3 to 4.0.4
  [#11011](https://github.com/Kong/kong/pull/11011)
- Bumped OpenSSL from 1.1.1t to 3.1.1
  [#10180](https://github.com/Kong/kong/pull/10180) [#11140](https://github.com/Kong/kong/pull/11140)
- Bumped pgmoon from 1.16.0 to 1.16.2 (Kong's fork)
  [#11181](https://github.com/Kong/kong/pull/11181) [#11229](https://github.com/Kong/kong/pull/11229)
- Bumped atc-router from 1.0.5 to 1.2.0
  [#10100](https://github.com/Kong/kong/pull/10100) [#11071](https://github.com/Kong/kong/pull/11071)
- Bumped lua-resty-lmdb from 1.1.0 to 1.3.0
  [#11227](https://github.com/Kong/kong/pull/11227)
- Bumped lua-ffi-zlib from 0.5 to 0.6
  [#11373](https://github.com/Kong/kong/pull/11373)

### Known Issues

- Some referenceable configuration fields, such as the `http_endpoint` field of the `http-log` plugin and the `endpoint` field of the `opentelemetry` plugin, do not accept reference values due to incorrect field validation.

## 3.3.0

### Breaking Changes

#### Core

- The `traditional_compatible` router mode has been made more compatible with the behavior of `traditional` mode by splitting routes with multiple paths into multiple atc routes with separate priorities.
  Since the introduction of the new router in Kong Gateway 3.0, `traditional_compatible` mode assigned only one priority to each route, even if different prefix path lengths and regular expressions were mixed in a route. This was not how multiple paths were handled in the `traditional` router and the behavior has now been changed so that a separate priority value is assigned to each path in a route.
  [#10615](https://github.com/Kong/kong/pull/10615)

#### Plugins

- **http-log, statsd, opentelemetry, datadog**: The queueing system has been reworked, causing some plugin parameters to not function as expected anymore. If you use queues on these plugins, new parameters must be configured. The module `kong.tools.batch_queue` has been renamed to `kong.tools.queue` in the process and the API was changed. If your custom plugin uses queues, it must be updated to use the new API. See [this blog post](https://konghq.com/blog/product-releases/reworked-plugin-queues-in-kong-gateway-3-3) for a tour of the new queues and how they are parametrized.
  [#10172](https://github.com/Kong/kong/pull/10172)
- **http-log**: If the log server responds with a 3xx HTTP status code, the plugin will consider it to be an error and retry according to the retry configuration. Previously, 3xx status codes would be interpreted as success, causing the log entries to be dropped.
  [#10172](https://github.com/Kong/kong/pull/10172)
- **Serverless Functions**: `kong.cache` now points to a cache instance that is dedicated to the Serverless Functions plugins: it does not provide access to the global kong cache. Access to certain fields in kong.configuration has also been restricted.
  [#10417](https://github.com/Kong/kong/pull/10417)
- **Zipkin**: The zipkin plugin now uses queues for internal buffering. The standard queue parameter set is available to control queuing behavior.
  [#10753](https://github.com/Kong/kong/pull/10753)
- Tracing: tracing_sampling_rate defaults to 0.01 (trace one of every 100 requests) instead of the previous 1 (trace all requests). Tracing all requests is inappropriate for most production systems
  [#10774](https://github.com/Kong/kong/pull/10774)
- **Proxy Cache**: Add option to remove the proxy cache headers from the response
  [#10445](https://github.com/Kong/kong/pull/10445)

### Additions

#### Core

- Make runloop and init error response content types compliant with Accept header value
  [#10366](https://github.com/Kong/kong/pull/10366)
- Add a new field `updated_at` for core entities ca_certificates, certificates, consumers, targets, upstreams, plugins, workspaces, clustering_data_planes and snis.
  [#10400](https://github.com/Kong/kong/pull/10400)
- Allow configuring custom error templates
  [#10374](https://github.com/Kong/kong/pull/10374)
- The maximum number of request headers, response headers, uri args, and post args that are parsed by default can now be configured with new configuration parameters: `lua_max_req_headers`, `lua_max_resp_headers`, `lua_max_uri_args` and `lua_max_post_args`
  [#10443](https://github.com/Kong/kong/pull/10443)
- Allow configuring Labels for data planes to provide metadata information. Labels are only compatible with hybrid mode deployments with Kong Konnect (SaaS)
  [#10471](https://github.com/Kong/kong/pull/10471)
- Add Postgres triggers on the core entities and entities in bundled plugins to delete the expired rows in an efficient and timely manner.
  [#10389](https://github.com/Kong/kong/pull/10389)
- Support for configurable Node IDs
  [#10385](https://github.com/Kong/kong/pull/10385)
- Request and response buffering options are now enabled for incoming HTTP 2.0 requests too. Thanks [@PidgeyBE](https://github.com/PidgeyBE) for contributing this change.
  [#10595](https://github.com/Kong/kong/pull/10595) [#10204](https://github.com/Kong/kong/pull/10204)
- Add `KONG_UPSTREAM_DNS_TIME` to `kong.ctx` so that we can record the time it takes for DNS resolution when Kong proxies to upstream.
  [#10355](https://github.com/Kong/kong/pull/10355)
- Tracing: rename spans to simplify filtering on tracing backends.
  [#10577](https://github.com/Kong/kong/pull/10577)
- Support timeout for dynamic log level
  [#10288](https://github.com/Kong/kong/pull/10288)
- Added new span attribute `http.client_ip` to capture the client IP when behind a proxy. Thanks [@backjo](https://github.com/backjo) for this contribution!
  [#10723](https://github.com/Kong/kong/pull/10723)

#### Admin API

- The `/upstreams//health?balancer_health=1` endpoint always shows the balancer health, through a new attribute balancer_health, which always returns HEALTHY or UNHEALTHY (reporting the true state of the balancer), even if the overall upstream health status is HEALTHCHECKS_OFF. This is useful for debugging.
  [#5885](https://github.com/Kong/kong/pull/5885)

#### Status API

- The `status_listen` server has been enhanced with the addition of the `/status/ready` API for monitoring Kong's health. This endpoint provides a `200` response upon receiving a `GET` request, but only if a valid, non-empty configuration is loaded and Kong is prepared to process user requests. Load balancers frequently utilize this functionality to ascertain Kong's availability to distribute incoming requests.
  [#10610](https://github.com/Kong/kong/pull/10610) [#10787](https://github.com/Kong/kong/pull/10787)

#### Plugins

- **ACME**: acme plugin now supports configuring an `account_key` in `keys` and `key_sets`
  [#9746](https://github.com/Kong/kong/pull/9746)
- **Proxy-Cache**: add `ignore_uri_case` to configuring cache-key uri to be handled as lowercase
  [#10453](https://github.com/Kong/kong/pull/10453)
- **HTTP-Log**: add `application/json; charset=utf-8` option for the `Content-Type` header in the http-log plugin, for log collectors that require that character set declaration.
  [#10533](https://github.com/Kong/kong/pull/10533)
- **DataDog**: supports value of `host` to be referenceable.
  [#10484](https://github.com/Kong/kong/pull/10484)
- **Zipkin&Opentelemetry**: convert traceid in http response headers to hex format
  [#10534](https://github.com/Kong/kong/pull/10534)
- **ACME**: acme plugin now supports configuring `namespace` for redis storage which is default to empty string for backward compatibility.
  [#10562](https://github.com/Kong/kong/pull/10562)
- **AWS Lambda**: add a new field `disable_https` to support scheme config on lambda service api endpoint
  [#9799](https://github.com/Kong/kong/pull/9799)
- **OpenTelemetry**: spans are now correctly correlated in downstream Datadog traces.
  [10531](https://github.com/Kong/kong/pull/10531)
- **OpenTelemetry**: add `header_type` field in OpenTelemetry plugin. Previously, the `header_type` was hardcoded to `preserve`, now it can be set to one of the following values: `preserve`, `ignore`, `b3`, `b3-single`, `w3c`, `jaeger`, `ot`.
  [#10620](https://github.com/Kong/kong/pull/10620)

#### PDK

- PDK now supports getting plugins' ID with `kong.plugin.get_id`.
  [#9903](https://github.com/Kong/kong/pull/9903)

### Fixes

#### Core

- Fixed an issue where upstream keepalive pool has CRC32 collision.
  [#9856](https://github.com/Kong/kong/pull/9856)
- Fix an issue where control plane does not downgrade config for `aws_lambda` and `zipkin` for older version of data planes.
  [#10346](https://github.com/Kong/kong/pull/10346)
- Fix an issue where control plane does not rename fields correctly for `session` for older version of data planes.
  [#10352](https://github.com/Kong/kong/pull/10352)
- Fix an issue where validation to regex routes may be skipped when the old-fashioned config is used for DB-less Kong.
  [#10348](https://github.com/Kong/kong/pull/10348)
- Fix an issue where tracing may cause unexpected behavior.
  [#10364](https://github.com/Kong/kong/pull/10364)
- Fix an issue where balancer passive healthcheck would use wrong status code when kong changes status code from upstream in `header_filter` phase.
  [#10325](https://github.com/Kong/kong/pull/10325) [#10592](https://github.com/Kong/kong/pull/10592)
- Fix an issue where schema validations failing in a nested record did not propagate the error correctly.
  [#10449](https://github.com/Kong/kong/pull/10449)
- Fixed an issue where dangling Unix sockets would prevent Kong from restarting in Docker containers if it was not cleanly stopped.
  [#10468](https://github.com/Kong/kong/pull/10468)
- Fix an issue where sorting function for traditional router sources/destinations lead to "invalid order function for sorting" error.
  [#10514](https://github.com/Kong/kong/pull/10514)
- Fix the UDP socket leak caused by frequent DNS queries.
  [#10691](https://github.com/Kong/kong/pull/10691)
- Fix a typo of mlcache option `shm_set_tries`.
  [#10712](https://github.com/Kong/kong/pull/10712)
- Fix an issue where slow start up of Go plugin server causes dead lock.
  [#10561](https://github.com/Kong/kong/pull/10561)
- Tracing: fix an issue that caused the `sampled` flag of incoming propagation headers to be handled incorrectly and only affect some spans.
  [#10655](https://github.com/Kong/kong/pull/10655)
- Tracing: fix an issue that was preventing `http_client` spans to be created for OpenResty HTTP client requests.
  [#10680](https://github.com/Kong/kong/pull/10680)
- Tracing: fix an approximation issue that resulted in reduced precision of the balancer span start and end times.
  [#10681](https://github.com/Kong/kong/pull/10681)
- Tracing: tracing_sampling_rate defaults to 0.01 (trace one of every 100 requests) instead of the previous 1 (trace all requests). Tracing all requests is inappropriate for most production systems
  [#10774](https://github.com/Kong/kong/pull/10774)
- Fix issue when stopping a Kong could error out if using Vault references
  [#10775](https://github.com/Kong/kong/pull/10775)
- Fix issue where Vault configuration stayed sticky and cached even when configurations were changed.
  [#10776](https://github.com/Kong/kong/pull/10776)
- Backported the openresty `ngx.print` chunk encoding buffer double free bug fix that leads to the corruption of chunk-encoded response data.
  [#10816](https://github.com/Kong/kong/pull/10816) [#10824](https://github.com/Kong/kong/pull/10824)

#### Admin API

- Fix an issue where empty value of URI argument `custom_id` crashes `/consumer`.
  [#10475](https://github.com/Kong/kong/pull/10475)

#### Plugins

- **Request-Transformer**: fix an issue where requests would intermittently be proxied with incorrect query parameters.
  [10539](https://github.com/Kong/kong/pull/10539)
- **Request Transformer**: honor value of untrusted_lua configuration parameter
  [#10327](https://github.com/Kong/kong/pull/10327)
- **OAuth2**: fix an issue that OAuth2 token was being cached to nil while access to the wrong service first.
  [#10522](https://github.com/Kong/kong/pull/10522)
- **OpenTelemetry**: fix an issue that reconfigure of OpenTelemetry does not take effect.
  [#10172](https://github.com/Kong/kong/pull/10172)
- **OpenTelemetry**: fix an issue that caused spans to be propagated incorrectly resulting in a wrong hierarchy being rendered on tracing backends.
  [#10663](https://github.com/Kong/kong/pull/10663)
- **gRPC gateway**: `null` in the JSON payload caused an uncaught exception to be thrown during pb.encode.
  [#10687](https://github.com/Kong/kong/pull/10687)
- **Oauth2**: prevent an authorization code created by one plugin instance to be exchanged for an access token by a different plugin instance.
  [#10011](https://github.com/Kong/kong/pull/10011)
- **gRPC gateway**: fixed an issue that empty arrays in JSON are incorrectly encoded as `"{}"`; they are now encoded as `"[]"` to comply with standard.
  [#10790](https://github.com/Kong/kong/pull/10790)

#### PDK

- Fixed an issue for tracing PDK where sample rate does not work.
  [#10485](https://github.com/Kong/kong/pull/10485)

### Changed

#### Core

- Postgres TTL cleanup timer will now only run on traditional and control plane nodes that have enabled the Admin API.
  [#10405](https://github.com/Kong/kong/pull/10405)
- Postgres TTL cleanup timer now runs a batch delete loop on each ttl enabled table with a number of 50.000 rows per batch.
  [#10407](https://github.com/Kong/kong/pull/10407)
- Postgres TTL cleanup timer now runs every 5 minutes instead of every 60 seconds.
  [#10389](https://github.com/Kong/kong/pull/10389)
- Postgres TTL cleanup timer now deletes expired rows based on database server-side timestamp to avoid potential problems caused by the difference of clock time between Kong and database server.
  [#10389](https://github.com/Kong/kong/pull/10389)

#### PDK

- `request.get_uri_captures` now returns the unnamed part tagged as an array (for jsonification).
  [#10390](https://github.com/Kong/kong/pull/10390)

#### Plugins

- **Request-Termination**: If the echo option was used, it would not return the uri-captures.
  [#10390](https://github.com/Kong/kong/pull/10390)
- **OpenTelemetry**: add `http_response_header_for_traceid` field in OpenTelemetry plugin. The plugin will set the corresponding header in the response if the field is specified with a string value.
  [#10379](https://github.com/Kong/kong/pull/10379)

### Dependencies

- Bumped lua-resty-session from 4.0.2 to 4.0.3
  [#10338](https://github.com/Kong/kong/pull/10338)
- Bumped lua-protobuf from 0.3.3 to 0.5.0
  [#10137](https://github.com/Kong/kong/pull/10413) [#10790](https://github.com/Kong/kong/pull/10790)
- Bumped lua-resty-timer-ng from 0.2.3 to 0.2.5
  [#10419](https://github.com/Kong/kong/pull/10419) [#10664](https://github.com/Kong/kong/pull/10664)
- Bumped lua-resty-openssl from 0.8.17 to 0.8.20
  [#10463](https://github.com/Kong/kong/pull/10463) [#10476](https://github.com/Kong/kong/pull/10476)
- Bumped lua-resty-http from 0.17.0.beta.1 to 0.17.1
  [#10547](https://github.com/Kong/kong/pull/10547)
- Bumped LuaSec from 1.2.0 to 1.3.1
  [#10528](https://github.com/Kong/kong/pull/10528)
- Bumped lua-resty-acme from 0.10.1 to 0.11.0
  [#10562](https://github.com/Kong/kong/pull/10562)
- Bumped lua-resty-events from 0.1.3 to 0.1.4
  [#10634](https://github.com/Kong/kong/pull/10634)
- Bumped lua-kong-nginx-module from 0.5.1 to 0.6.0
  [#10288](https://github.com/Kong/kong/pull/10288)
- Bumped lua-resty-lmdb from 1.0.0 to 1.1.0
  [#10766](https://github.com/Kong/kong/pull/10766)

## 3.2.0

### Breaking Changes

#### Plugins

- **JWT**: JWT plugin now denies a request that has different tokens in the jwt token search locations.
  [#9946](https://github.com/Kong/kong/pull/9946)
- **Session**: for sessions to work as expected it is required that all nodes run Kong >= 3.2.x. For that reason it is advisable that during upgrades mixed versions of proxy nodes run for as little as possible. During that time, the invalid sessions could cause failures and partial downtime. All existing sessions are invalidated when upgrading to this version.
  The parameter `idling_timeout` now has a default value of `900`: unless configured differently, sessions expire after 900 seconds (15 minutes) of idling. The parameter `absolute_timeout` has a default value of `86400`: unless configured differently, sessions expire after 86400 seconds (24 hours).
  [#10199](https://github.com/Kong/kong/pull/10199)
- **Proxy Cache**: Add wildcard and parameter match support for content_type
  [#10209](https://github.com/Kong/kong/pull/10209)

### Additions

#### Core

- Expose postgres connection pool configuration.
  [#9603](https://github.com/Kong/kong/pull/9603)
- When `router_flavor` is `traditional_compatible`, verify routes created using the Expression router instead of the traditional router to ensure created routes are actually compatible.
  [#9987](https://github.com/Kong/kong/pull/9987)
- Nginx charset directive can now be configured with Nginx directive injections
  [#10111](https://github.com/Kong/kong/pull/10111)
- Services upstream TLS config is extended to stream subsystem.
  [#9947](https://github.com/Kong/kong/pull/9947)
- New configuration option `ssl_session_cache_size` to set the Nginx directive `ssl_session_cache`. This config defaults to `10m`. Thanks [Michael Kotten](https://github.com/michbeck100) for contributing this change.
  [#10021](https://github.com/Kong/kong/pull/10021)

#### Balancer

- Add a new load-balancing `algorithm` option `latency` to the `Upstream` entity. This algorithm will choose a target based on the response latency of each target from prior requests.
  [#9787](https://github.com/Kong/kong/pull/9787)

#### Plugins

- **Plugin**: add an optional field `instance_name` that identifies a particular plugin entity.
  [#10077](https://github.com/Kong/kong/pull/10077)
- **Zipkin**: Add support to set the durations of Kong phases as span tags through configuration property `config.phase_duration_flavor`.
  [#9891](https://github.com/Kong/kong/pull/9891)
- **HTTP logging**: Support value of `headers` to be referenceable.
  [#9948](https://github.com/Kong/kong/pull/9948)
- **AWS Lambda**: Add `aws_imds_protocol_version` configuration parameter that allows the selection of the IMDS protocol version. Defaults to `v1`, can be set to `v2` to enable IMDSv2.
  [#9962](https://github.com/Kong/kong/pull/9962)
- **OpenTelemetry**: Support scoping with services, routes and consumers.
  [#10096](https://github.com/Kong/kong/pull/10096)
- **Statsd**: Add `tag_style` configuration parameter that allows to send metrics with [tags](https://github.com/prometheus/statsd_exporter#tagging-extensions). Defaults to `nil` which means do not add any tags to the metrics.
  [#10118](https://github.com/Kong/kong/pull/10118)
- **Session**: now uses lua-resty-session v4.0.0
  [#10199](https://github.com/Kong/kong/pull/10199)

#### Admin API

- In dbless mode, `/config` API endpoint can now flatten entity-related schema validation errors to a single array via the optional `flatten_errors` query parameter. Non-entity errors remain unchanged in this mode.
  [#10161](https://github.com/Kong/kong/pull/10161) [#10256](https://github.com/Kong/kong/pull/10256)

#### PDK

- Support for `upstream_status` field in log serializer.
  [#10296](https://github.com/Kong/kong/pull/10296)

### Fixes

#### Core

- Add back Postgres `FLOOR` function when calculating `ttl`, so the returned `ttl` is always a whole integer.
  [#9960](https://github.com/Kong/kong/pull/9960)
- Fix an issue where after a valid declarative configuration is loaded, the configuration hash is incorrectly set to the value: `00000000000000000000000000000000`.
  [#9911](https://github.com/Kong/kong/pull/9911)
- Update the batch queues module so that queues no longer grow without bounds if their consumers fail to process the entries. Instead, old batches are now dropped and an error is logged.
  [#10247](https://github.com/Kong/kong/pull/10247)
- Fix an issue where 'X-Kong-Upstream-Status' cannot be emitted when response is buffered.
  [#10056](https://github.com/Kong/kong/pull/10056)

#### Plugins

- **Zipkin**: Fix an issue where the global plugin's sample ratio overrides route-specific.
  [#9877](https://github.com/Kong/kong/pull/9877)
- **JWT**: Deny requests that have different tokens in the jwt token search locations. Thanks Jackson 'Che-Chun' Kuo from Latacora for reporting this issue.
  [#9946](https://github.com/Kong/kong/pull/9946)
- **Statsd**: Fix a bug in the StatsD plugin batch queue processing where metrics are published multiple times.
  [#10052](https://github.com/Kong/kong/pull/10052)
- **Datadog**: Fix a bug in the Datadog plugin batch queue processing where metrics are published multiple times.
  [#10044](https://github.com/Kong/kong/pull/10044)
- **OpenTelemetry**: Fix non-compliances to specification:
  - For `http.uri` in spans. The field should be full HTTP URI.
    [#10069](https://github.com/Kong/kong/pull/10069)
  - For `http.status_code`. It should be present on spans for requests that have a status code.
    [#10160](https://github.com/Kong/kong/pull/10160)
  - For `http.flavor`. It should be a string value, not a double.
    [#10160](https://github.com/Kong/kong/pull/10160)
- **OpenTelemetry**: Fix a bug that when getting the trace of other formats, the trace ID reported and propagated could be of incorrect length.
  [#10332](https://github.com/Kong/kong/pull/10332)
- **OAuth2**: `refresh_token_ttl` is now limited between `0` and `100000000` by schema validator. Previously, numbers that were too large caused requests to fail.
  [#10068](https://github.com/Kong/kong/pull/10068)

### Changed

#### Core

- Improve error message for invalid JWK entities.
  [#9904](https://github.com/Kong/kong/pull/9904)
- Renamed two configuration properties:
  * `opentelemetry_tracing` => `tracing_instrumentations`
  * `opentelemetry_tracing_sampling_rate` => `tracing_sampling_rate`

  The old `opentelemetry_*` properties are considered deprecated and will be fully removed in a future version of Kong.
  [#10122](https://github.com/Kong/kong/pull/10122)
  [#10220](https://github.com/Kong/kong/pull/10220)

#### Hybrid Mode

- Revert the removal of WebSocket protocol support for configuration sync, and disable the wRPC protocol.
  [#9921](https://github.com/Kong/kong/pull/9921)

### Dependencies

- Bumped luarocks from 3.9.1 to 3.9.2
  [#9942](https://github.com/Kong/kong/pull/9942)
- Bumped atc-router from 1.0.1 to 1.0.5
  [#9925](https://github.com/Kong/kong/pull/9925)
  [#10143](https://github.com/Kong/kong/pull/10143)
  [#10208](https://github.com/Kong/kong/pull/10208)
- Bumped lua-resty-openssl from 0.8.15 to 0.8.17
  [#9583](https://github.com/Kong/kong/pull/9583)
  [#10144](https://github.com/Kong/kong/pull/10144)
- Bumped lua-kong-nginx-module from 0.5.0 to 0.5.1
  [#10181](https://github.com/Kong/kong/pull/10181)
- Bumped lua-resty-session from 3.10 to 4.0.2
  [#10199](https://github.com/Kong/kong/pull/10199)
  [#10230](https://github.com/Kong/kong/pull/10230)
  [#10308](https://github.com/Kong/kong/pull/10308)
- Bumped OpenSSL from 1.1.1s to 1.1.1t
  [#10266](https://github.com/Kong/kong/pull/10266)
- Bumped lua-resty-timer-ng from 0.2.0 to 0.2.3
  [#10265](https://github.com/Kong/kong/pull/10265)

## 3.1.0

### Breaking Changes

#### Core

- Change the response body for a TRACE method from `The upstream server responded with 405` to `Method not allowed`, so that the response shows more clearly that Kong does not support the TRACE method.
  [#9448](https://github.com/Kong/kong/pull/9448)
- Add `allow_debug_header` Kong conf to allow use of the `Kong-Debug` header for debugging. This option defaults to `off`.
  [#10054](https://github.com/Kong/kong/pull/10054)
  [#10125](https://github.com/Kong/kong/pull/10125)

### Additions

#### Core

- Allow `kong.conf` ssl properties to be stored in vaults or environment variables. Allow such properties to be configured directly as content or base64 encoded content.
  [#9253](https://github.com/Kong/kong/pull/9253)
- Add support for full entity transformations in schemas
  [#9431](https://github.com/Kong/kong/pull/9431)
- Allow schema `map` type field being marked as referenceable.
  [#9611](https://github.com/Kong/kong/pull/9611)
- Add support for dynamically changing the log level
  [#9744](https://github.com/Kong/kong/pull/9744)
- Add `keys` entity to store and manage asymmetric keys.
  [#9737](https://github.com/Kong/kong/pull/9737)
- Add `key-sets` entity to group and manage `keys`
  [#9737](https://github.com/Kong/kong/pull/9737)

#### Plugins

- **Rate-limiting**: The HTTP status code and response body for rate-limited requests can now be customized. Thanks, [@utix](https://github.com/utix)!
  [#8930](https://github.com/Kong/kong/pull/8930)
- **Zipkin**: add `response_header_for_traceid` field in Zipkin plugin. The plugin will set the corresponding header in the response if the field is specified with a string value.
  [#9173](https://github.com/Kong/kong/pull/9173)
- **AWS Lambda**: add `requestContext` field into `awsgateway_compatible` input data
  [#9380](https://github.com/Kong/kong/pull/9380)
- **ACME**: add support for Redis SSL, through configuration properties `config.storage_config.redis.ssl`, `config.storage_config.redis.ssl_verify`, and `config.storage_config.redis.ssl_server_name`.
  [#9626](https://github.com/Kong/kong/pull/9626)
- **Session**: Add new config `cookie_persistent` that allows the browser to persist cookies even if the browser is closed. This defaults to `false`, which means cookies are not persisted across browser restarts. Thanks [@tschaume](https://github.com/tschaume) for this contribution!
  [#8187](https://github.com/Kong/kong/pull/8187)
- **Response-rate-limiting**: add support for Redis SSL, through configuration properties `redis_ssl` (can be set to `true` or `false`), `ssl_verify`, and `ssl_server_name`.
  [#8595](https://github.com/Kong/kong/pull/8595)
  Thanks [@dominikkukacka](https://github.com/dominikkukacka)!
- **OpenTelemetry**: add referenceable attribute to the `headers` field that could be stored in vaults.
  [#9611](https://github.com/Kong/kong/pull/9611)
- **HTTP-Log**: Support `http_endpoint` field to be referenceable
  [#9714](https://github.com/Kong/kong/pull/9714)
- **rate-limiting**: Add a new configuration `sync_rate` to the `redis` policy, which synchronizes metrics to redis periodically instead of on every request.
  [#9538](https://github.com/Kong/kong/pull/9538)

#### Hybrid Mode

- Data plane node IDs will now persist across restarts.
  [#9067](https://github.com/Kong/kong/pull/9067)
- Add HTTP CONNECT forward proxy support for Hybrid Mode connections. New configuration options `cluster_use_proxy`, `proxy_server` and `proxy_server_ssl_verify` are added.
  [#9758](https://github.com/Kong/kong/pull/9758)
  [#9773](https://github.com/Kong/kong/pull/9773)

#### Performance

- Increase the default value of `lua_regex_cache_max_entries`. A warning will be thrown when there are too many regex routes and `router_flavor` is `traditional`.
  [#9624](https://github.com/Kong/kong/pull/9624)
- Add batch queue into the Datadog and StatsD plugin to reduce timer usage.
  [#9521](https://github.com/Kong/kong/pull/9521)

#### PDK

- Extend `kong.client.tls.request_client_certificate` to support setting the Distinguished Name (DN) list hints of the accepted CA certificates.
  [#9768](https://github.com/Kong/kong/pull/9768)

### Fixes

#### Core

- Fix issue where external plugins crashing with unhandled exceptions would cause high CPU utilization after the automatic restart.
  [#9384](https://github.com/Kong/kong/pull/9384)
- Fix issue where Zipkin plugin cannot parse OT baggage headers due to invalid OT baggage pattern.
  [#9280](https://github.com/Kong/kong/pull/9280)
- Add `use_srv_name` options to upstream for balancer.
  [#9430](https://github.com/Kong/kong/pull/9430)
- Fix issue in `header_filter` instrumentation where the span was not correctly created.
  [#9434](https://github.com/Kong/kong/pull/9434)
- Fix issue in router building where when field contains an empty table, the generated expression is invalid.
  [#9451](https://github.com/Kong/kong/pull/9451)
- Fix issue in router rebuilding where when paths field is invalid, the router's mutex is not released properly.
  [#9480](https://github.com/Kong/kong/pull/9480)
- Fixed an issue where `kong docker-start` would fail if `KONG_PREFIX` was set to a relative path.
  [#9337](https://github.com/Kong/kong/pull/9337)
- Fixed an issue with error-handling and process cleanup in `kong start`.
  [#9337](https://github.com/Kong/kong/pull/9337)

#### Hybrid Mode

- Fixed a race condition that can cause configuration push events to be dropped when the first data-plane connection is established with a control-plane worker.
  [#9616](https://github.com/Kong/kong/pull/9616)

#### CLI

- Fix slow CLI performance due to pending timer jobs
  [#9536](https://github.com/Kong/kong/pull/9536)

#### Admin API

- Increase the maximum request argument number from `100` to `1000`, and return a `400` error if request parameters reach the limit, to avoid them being truncated.
  [#9510](https://github.com/Kong/kong/pull/9510)
- Paging size parameter is now propagated to next page if specified in current request.
  [#9503](https://github.com/Kong/kong/pull/9503)
- Non-normalized prefix route path is now rejected. It will also suggest how to write the path in normalized form.
  [#9760](https://github.com/Kong/kong/pull/9760)

#### PDK

- Added support for `kong.request.get_uri_captures` (`kong.request.getUriCaptures`)
  [#9512](https://github.com/Kong/kong/pull/9512)
- Fixed parameter type of `kong.service.request.set_raw_body` (`kong.service.request.setRawBody`), return type of `kong.service.response.get_raw_body` (`kong.service.request.getRawBody`), and body parameter type of `kong.response.exit` to bytes. Note that old versions of the Go PDK are incompatible after this change.
  [#9526](https://github.com/Kong/kong/pull/9526)
- Vault will not call `semaphore:wait` in `init` or `init_worker` phase.
  [#9851](https://github.com/Kong/kong/pull/9851)

#### Plugins

- Add missing `protocols` field to various plugin schemas.
  [#9525](https://github.com/Kong/kong/pull/9525)
- **AWS Lambda**: Fix an issue that is causing inability to read environment variables in ECS environment.
  [#9460](https://github.com/Kong/kong/pull/9460)
- **Request-Transformer**: fix a bug where header renaming overrides an existing header and causes unpredictable results.
  [#9442](https://github.com/Kong/kong/pull/9442)
- **OpenTelemetry**:
  - Fix an issue that the default propagation header is not configured to `w3c` correctly.
    [#9457](https://github.com/Kong/kong/pull/9457)
  - Replace the worker-level table cache with `BatchQueue` to avoid data race.
    [#9504](https://github.com/Kong/kong/pull/9504)
  - Fix an issue that the `parent_id` is not set on the span when propagating w3c traceparent.
    [#9628](https://github.com/Kong/kong/pull/9628)
- **Response-Transformer**: Fix the bug that Response-Transformer plugin breaks when receiving an unexpected body.
  [#9463](https://github.com/Kong/kong/pull/9463)
- **HTTP-Log**: Fix an issue where queue id serialization does not include `queue_size` and `flush_timeout`.
  [#9789](https://github.com/Kong/kong/pull/9789)

### Changed

#### Hybrid Mode

- The legacy hybrid configuration protocol has been removed in favor of the wRPC protocol introduced in 3.0.
  [#9740](https://github.com/Kong/kong/pull/9740)

### Dependencies

- Bumped openssl from 1.1.1q to 1.1.1s
  [#9674](https://github.com/Kong/kong/pull/9674)
- Bumped atc-router from 1.0.0 to 1.0.1
  [#9558](https://github.com/Kong/kong/pull/9558)
- Bumped lua-resty-openssl from 0.8.10 to 0.8.15
  [#9583](https://github.com/Kong/kong/pull/9583)
  [#9600](https://github.com/Kong/kong/pull/9600)
  [#9675](https://github.com/Kong/kong/pull/9675)
- Bumped lyaml from 6.2.7 to 6.2.8
  [#9607](https://github.com/Kong/kong/pull/9607)
- Bumped lua-resty-acme from 0.8.1 to 0.9.0
  [#9626](https://github.com/Kong/kong/pull/9626)
- Bumped resty.healthcheck from 1.6.1 to 1.6.2
  [#9778](https://github.com/Kong/kong/pull/9778)
- Bumped pgmoon from 1.15.0 to 1.16.0
  [#9815](https://github.com/Kong/kong/pull/9815)

## [3.0.1]

### Fixes

#### Core

- Fix issue where Zipkin plugin cannot parse OT baggage headers due to invalid OT baggage pattern.
  [#9280](https://github.com/Kong/kong/pull/9280)
- Fix issue in `header_filter` instrumentation where the span was not correctly created.
  [#9434](https://github.com/Kong/kong/pull/9434)
- Fix issue in router building where when field contains an empty table, the generated expression is invalid.
  [#9451](https://github.com/Kong/kong/pull/9451)
- Fix issue in router rebuilding where when paths field is invalid, the router's mutex is not released properly.
  [#9480](https://github.com/Kong/kong/pull/9480)
- Fixed an issue where `kong docker-start` would fail if `KONG_PREFIX` was set to a relative path.
  [#9337](https://github.com/Kong/kong/pull/9337)
- Fixed an issue with error-handling and process cleanup in `kong start`.
  [#9337](https://github.com/Kong/kong/pull/9337)

## [3.0.0]

> Released 2022/09/12

This major release adds a new router written in Rust and a tracing API that is compatible with the OpenTelemetry API spec. Furthermore, various internal changes have been made to improve Kong's performance and memory consumption.
As it is a major release, users are advised to review the list of breaking changes to determine whether configuration changes are needed when upgrading.

### Breaking Changes

#### Deployment

- Blue-green deployment from Kong earlier than `2.1.0` is not supported; upgrade to `2.1.0` or later before upgrading to `3.0.0` to have blue-green deployment. Thank you [@marc-charpentier](https://github.com/charpentier) for reporting the issue and proposing a pull request.
  [#8896](https://github.com/Kong/kong/pull/8896)
- Deprecate/stop producing Amazon Linux (1) containers and packages (EOLed December 31, 2020)
  [Kong/docs.konghq.com #3966](https://github.com/Kong/docs.konghq.com/pull/3966)
- Deprecate/stop producing Debian 8 "Jessie" containers and packages (EOLed June 2020)
  [Kong/kong-build-tools #448](https://github.com/Kong/kong-build-tools/pull/448)
  [Kong/kong-distributions #766](https://github.com/Kong/kong-distributions/pull/766)

#### Core

- Kong schema library's `process_auto_fields` function will no longer make a deep copy of data that is passed to it when the given context is `"select"`. This was done to avoid excessive deep copying of tables where we believe the data most of the time comes from a driver like `pgmoon` or `lmdb`. If a custom plugin relied on `process_auto_fields` not overriding the given table, it must make its own copy before passing it to the function now.
  [#8796](https://github.com/Kong/kong/pull/8796)
- The deprecated `shorthands` field in Kong Plugin or DAO schemas was removed in favor of the typed `shorthand_fields`. If your custom schemas still use `shorthands`, you need to update them to use `shorthand_fields`.
  [#8815](https://github.com/Kong/kong/pull/8815)
- The support for `legacy = true/false` attribute was removed from Kong schemas and Kong field schemas.
  [#8958](https://github.com/Kong/kong/pull/8958)
- The deprecated alias of `Kong.serve_admin_api` was removed.
  If your custom Nginx templates still use it, please change it to `Kong.admin_content`.
  [#8815](https://github.com/Kong/kong/pull/8815)
- The Kong singletons module `"kong.singletons"` was removed in favor of the PDK `kong.*`.
  [#8874](https://github.com/Kong/kong/pull/8874)
- The dataplane config cache was removed. The config persistence is now done automatically with LMDB.
  [#8704](https://github.com/Kong/kong/pull/8704)
- `ngx.ctx.balancer_address` does not exist anymore, please use `ngx.ctx.balancer_data` instead.
  [#9043](https://github.com/Kong/kong/pull/9043)
- We have changed the normalization rules for `route.path`: Kong stores the unnormalized path, but regex path always pattern matches with the normalized URI. We used to replace percent-encoding in regex path pattern to ensure different forms of URI matches. That is no longer supported. Except for reserved characters defined in [rfc3986](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), we should write all other characters without percent-encoding.
  [#9024](https://github.com/Kong/kong/pull/9024)
- Kong will no longer use a heuristic to guess whether a `route.path` is a regex pattern. From 3.0 onwards, all regex paths must start with the `"~"` prefix, and all paths that don't start with `"~"` will be considered plain text. The migration process should automatically convert the regex paths when upgrading from 2.x to 3.0
  [#9027](https://github.com/Kong/kong/pull/9027)
- Bumping version number (`_format_version`) of declarative configuration to "3.0" for changes on `route.path`. Declarative configurations with older versions are upgraded to "3.0" on the fly.
  [#9078](https://github.com/Kong/kong/pull/9078)
- Removed deprecated `config.functions` from serverless-functions plugin's schema, please use `config.access` phase instead.
  [#8559](https://github.com/Kong/kong/pull/8559)
- Tags may now contain space characters.
  [#9143](https://github.com/Kong/kong/pull/9143)
- The [Secrets Management](https://docs.konghq.com/gateway/latest/plan-and-deploy/security/secrets-management/) feature, which has been in beta since release 2.8.0, is now included as a regular feature.
  [#8871](https://github.com/Kong/kong/pull/8871)
  [#9217](https://github.com/Kong/kong/pull/9217)

#### Admin API

- `POST` requests on Targets endpoint are no longer able to update existing entities; they are only able to create new ones.
  [#8596](https://github.com/Kong/kong/pull/8596),
  [#8798](https://github.com/Kong/kong/pull/8798).
  If you have scripts that use `POST` requests to modify Targets, you should change them to `PUT` requests to the appropriate endpoints before updating to Kong 3.0.
- Insert and update operations on duplicated Targets return 409.
  [#8179](https://github.com/Kong/kong/pull/8179),
  [#8768](https://github.com/Kong/kong/pull/8768)
- The list of reported plugins available on the server now returns a table of metadata per plugin instead of a boolean `true`.
  [#8810](https://github.com/Kong/kong/pull/8810)

#### PDK

- The `kong.request.get_path()` PDK function now performs path normalization on the string that is returned to the caller. The raw, non-normalized version of the request path can be fetched via `kong.request.get_raw_path()`.
  [#8823](https://github.com/Kong/kong/pull/8823)
- `pdk.response.set_header()`, `pdk.response.set_headers()`, `pdk.response.exit()` now ignore and emit warnings for manually set `Transfer-Encoding` headers.
  [#8698](https://github.com/Kong/kong/pull/8698)
- The PDK is no longer versioned
  [#8585](https://github.com/Kong/kong/pull/8585)
- The JavaScript PDK now returns `Uint8Array` for `kong.request.getRawBody`, `kong.response.getRawBody` and `kong.service.response.getRawBody`. The Python PDK returns `bytes` for `kong.request.get_raw_body`, `kong.response.get_raw_body`, `kong.service.response.get_raw_body`. All these functions used to return strings in the past.
  [#8623](https://github.com/Kong/kong/pull/8623)

#### Plugins

- DAOs in plugins must be listed in an array, so that their loading order is explicit. Loading them in a hash-like table is no longer supported.
  [#8988](https://github.com/Kong/kong/pull/8988)
- Plugins MUST now have a valid `PRIORITY` (integer) and `VERSION` ("x.y.z" format) field in their `handler.lua` file, otherwise the plugin will fail to load.
  [#8836](https://github.com/Kong/kong/pull/8836)
- The old `kong.plugins.log-serializers.basic` library was removed in favor of the PDK function `kong.log.serialize`, please upgrade your plugins to use PDK.
  [#8815](https://github.com/Kong/kong/pull/8815)
- The support for deprecated legacy plugin schemas was removed. If your custom plugins still use the old (`0.x era`) schemas, you are now forced to upgrade them.
  [#8815](https://github.com/Kong/kong/pull/8815)
- Some plugins received new priority values. This is important for those who run custom plugins as it may affect the sequence in which your plugins are executed. Note that this does not change the order of execution for plugins in a standard kong installation. List of plugins and their old and new priority value:
  - `acme` changed from 1007 to 1705
  - `basic-auth` changed from 1001 to 1100
  - `hmac-auth` changed from 1000 to 1030
  - `jwt` changed from 1005 to 1450
  - `key-auth` changed from 1003 to 1250
  - `ldap-auth` changed from 1002 to 1200
  - `oauth2` changed from 1004 to 1400
  - `rate-limiting` changed from 901 to 910
- **HTTP-log**: `headers` field now only takes a single string per header name, where it previously took an array of values
  [#6992](https://github.com/Kong/kong/pull/6992)
- **AWS Lambda**: `aws_region` field must be set through either plugin config or environment variables, allow both `host` and `aws_region` fields, and always apply SigV4 signature.
  [#8082](https://github.com/Kong/kong/pull/8082)
- **Serverless Functions**: Removed deprecated `config.functions`, please use `config.access` instead.
  [#8559](https://github.com/Kong/kong/pull/8559)
- **Serverless Functions**: The pre-functions plugin changed priority from `+inf` to `1000000`.
  [#8836](https://github.com/Kong/kong/pull/8836)
- **JWT**: The authenticated JWT is no longer put into the nginx context (`ngx.ctx.authenticated_jwt_token`). Custom plugins which depend on that value being set under that name must be updated to use Kong's shared context instead (`kong.ctx.shared.authenticated_jwt_token`) before upgrading to 3.0
- **Prometheus**: The prometheus metrics have been reworked extensively for 3.0.
  - Latency has been split into 4 different metrics: `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` (http) / `tcp_session_duration_ms` (stream). Buckets details below.
  - Separate out Kong Latency Bucket values and Upstream Latency Bucket values.
  - `consumer_status` removed.
  - `request_count` and `consumer_status` have been merged into just `http_requests_total`. If the `per_consumer` config is set false, the consumer label will be empty. If the `per_consumer` config is true, it will be filled.
  - `http_requests_total` has a new label `source`, set to either `exit`, `error` or `service`.
  - New Metric: `node_info`. Single gauge set to 1 that outputs the node's id and kong version.
  - All Memory metrics have a new label `node_id`
  - `nginx_http_current_connections` merged with `nginx_stream_current_connection` into `nginx_current_connections`

  [#8712](https://github.com/Kong/kong/pull/8712)
- **Prometheus**: The plugin doesn't export status codes, latencies, bandwidth and upstream healthcheck metrics by default. They can still be turned on manually by setting `status_code_metrics`, `latency_metrics`, `bandwidth_metrics` and `upstream_health_metrics` respectively. Enabling those metrics will impact the performance if you have a large volume of Kong entities, we recommend using the [statsd](https://github.com/Kong/kong/tree/master/kong/plugins/statsd) plugin with the push model if that is the case.
  The `prometheus` plugin's new Grafana [dashboard](https://grafana.com/grafana/dashboards/7424-kong-official/) has also been updated.
  [#9028](https://github.com/Kong/kong/pull/9028)
- **ACME**: `allow_any_domain` field added. It defaults to false and, if set to true, the gateway will ignore the `domains` field.
  [#9047](https://github.com/Kong/kong/pull/9047)
- **Statsd**:
  - The metric name that is related to the service has been renamed by adding a `service.` prefix. e.g. `kong.service..request.count`
    [#9046](https://github.com/Kong/kong/pull/9046)
  - The metrics `kong..request.status.` and `kong..user..request.status.` have been renamed to `kong.service..status.` and `kong.service..user..status.`
    [#9046](https://github.com/Kong/kong/pull/9046)
  - The metric `*.status..total` from metrics `status_count` and `status_count_per_user` has been removed
    [#9046](https://github.com/Kong/kong/pull/9046)
- **Proxy-cache**: The plugin does not store the response data in `ngx.ctx.proxy_cache_hit` anymore. Logging plugins that need the response data must read it from `kong.ctx.shared.proxy_cache_hit` from Kong 3.0 on.
  [#8607](https://github.com/Kong/kong/pull/8607)
- **Rate-limiting**: The default policy is now `local` for all deployment modes.
  [#9344](https://github.com/Kong/kong/pull/9344)
- **Response-rate-limiting**: The default policy is now `local` for all deployment modes.
  [#9344](https://github.com/Kong/kong/pull/9344)

### Deprecations

- The `go_pluginserver_exe` and `go_plugins_dir` directives are no longer supported.
  [#8552](https://github.com/Kong/kong/pull/8552).
  If you are using [Go plugin server](https://github.com/Kong/go-pluginserver), please migrate your plugins to use the [Go PDK](https://github.com/Kong/go-pdk) before upgrading.
- The migration helper library (mostly used for Cassandra migrations) is no longer supplied with Kong
  [#8781](https://github.com/Kong/kong/pull/8781)
- The path_handling algorithm `v1` is deprecated and only supported when `router_flavor` config option is set to `traditional`.
  [#9290](https://github.com/Kong/kong/pull/9290)

#### Configuration

- The Kong constant `CREDENTIAL_USERNAME` with value of `X-Credential-Username` was removed. Kong plugins in general have moved (since [#5516](https://github.com/Kong/kong/pull/5516)) to use constant `CREDENTIAL_IDENTIFIER` with value of `X-Credential-Identifier` when setting the upstream headers for a credential.
  [#8815](https://github.com/Kong/kong/pull/8815)
- Change the default of `lua_ssl_trusted_certificate` to `system` [#8602](https://github.com/Kong/kong/pull/8602) to automatically load trusted CA list from system CA store.
- Remove a warning of `AAAA` being experimental with `dns_order`.
- It is no longer possible to use a .lua format to import a declarative config from the `kong` command-line tool, only json and yaml are supported. If your update procedure with kong involves executing `kong config db_import config.lua`, please create a `config.json` or `config.yml` and use that before upgrading.
  [#8898](https://github.com/Kong/kong/pull/8898)
- We bumped the version number (`_format_version`) of declarative configuration to "3.0" because of changes on `route.path`. Declarative configuration with older version should be upgraded to "3.0" on the fly.
  [#9078](https://github.com/Kong/kong/pull/9078)

#### Migrations

- Postgres migrations can now have an `up_f` part like Cassandra migrations, designating a function to call. The `up_f` part is invoked after the `up` part has been executed against the database for both Postgres and Cassandra.
- A new CLI command, `kong migrations status`, generates the status on a JSON file.
### Dependencies

- Bumped OpenResty from 1.19.9.1 to [1.21.4.1](https://openresty.org/en/changelog-1021004.html)
  [#8850](https://github.com/Kong/kong/pull/8850)
- Bumped pgmoon from 1.13.0 to 1.15.0
  [#8908](https://github.com/Kong/kong/pull/8908)
  [#8429](https://github.com/Kong/kong/pull/8429)
- Bumped OpenSSL from 1.1.1n to 1.1.1q
  [#9074](https://github.com/Kong/kong/pull/9074)
  [#8544](https://github.com/Kong/kong/pull/8544)
  [#8752](https://github.com/Kong/kong/pull/8752)
  [#8994](https://github.com/Kong/kong/pull/8994)
- Bumped resty.openssl from 0.8.8 to 0.8.10
  [#8592](https://github.com/Kong/kong/pull/8592)
  [#8753](https://github.com/Kong/kong/pull/8753)
  [#9023](https://github.com/Kong/kong/pull/9023)
- Bumped inspect from 3.1.2 to 3.1.3
  [#8589](https://github.com/Kong/kong/pull/8589)
- Bumped resty.acme from 0.7.2 to 0.8.1
  [#8680](https://github.com/Kong/kong/pull/8680)
  [#9165](https://github.com/Kong/kong/pull/9165)
- Bumped luarocks from 3.8.0 to 3.9.1
  [#8700](https://github.com/Kong/kong/pull/8700)
  [#9204](https://github.com/Kong/kong/pull/9204)
- Bumped luasec from 1.0.2 to 1.2.0
  [#8754](https://github.com/Kong/kong/pull/8754)
  [#8754](https://github.com/Kong/kong/pull/9205)
- Bumped resty.healthcheck from 1.5.0 to 1.6.1
  [#8755](https://github.com/Kong/kong/pull/8755)
  [#9018](https://github.com/Kong/kong/pull/9018)
  [#9150](https://github.com/Kong/kong/pull/9150)
- Bumped resty.cassandra from 1.5.1 to 1.5.2
  [#8845](https://github.com/Kong/kong/pull/8845)
- Bumped penlight from 1.12.0 to 1.13.1
  [#9206](https://github.com/Kong/kong/pull/9206)
- Bumped lua-resty-mlcache from 2.5.0 to 2.6.0
  [#9287](https://github.com/Kong/kong/pull/9287)

### Additions

#### Performance

- Do not register unnecessary event handlers on Hybrid mode Control Plane nodes
  [#8452](https://github.com/Kong/kong/pull/8452).
- Use the new timer library to improve performance, except for the plugin server.
  [#8912](https://github.com/Kong/kong/pull/8912)
- Increased use of caching for DNS queries by activating `additional_section` by default
  [#8895](https://github.com/Kong/kong/pull/8895)
- `pdk.request.get_header` changed to a faster implementation, not to fetch all headers every time it's called
  [#8716](https://github.com/Kong/kong/pull/8716)
- Conditional rebuilding of router, plugins iterator and balancer on DP
  [#8519](https://github.com/Kong/kong/pull/8519),
  [#8671](https://github.com/Kong/kong/pull/8671)
- Made config loading code more cooperative by yielding
  [#8888](https://github.com/Kong/kong/pull/8888)
- Use LuaJIT encoder instead of JSON to serialize values faster in LMDB
  [#8942](https://github.com/Kong/kong/pull/8942)
- Move inflating and JSON decoding non-concurrent, which avoids blocking and makes DP reloads faster
  [#8959](https://github.com/Kong/kong/pull/8959)
- Stop duplication of some events
  [#9082](https://github.com/Kong/kong/pull/9082)
- Improve performance of config hash calculation by using string buffer and tablepool
  [#9073](https://github.com/Kong/kong/pull/9073)
- Reduce cache usage in dbless by not using the kong cache for Routes and Services in LMDB
  [#8972](https://github.com/Kong/kong/pull/8972)

#### Core

- Implemented delayed response in stream mode
  [#6878](https://github.com/Kong/kong/pull/6878)
- Added `cache_key` on target entity for uniqueness detection.
  [#8179](https://github.com/Kong/kong/pull/8179)
- Introduced the tracing API, which is compatible with the OpenTelemetry API spec, and added built-in instrumentations. The tracing API is intended to be used with an external exporter plugin. Built-in instrumentation types and sampling rate are configurable through `opentelemetry_tracing` and `opentelemetry_tracing_sampling_rate` options.
  [#8724](https://github.com/Kong/kong/pull/8724)
- Added `path`, `uri_capture`, and `query_arg` options to upstream `hash_on` for load balancing.
  [#8701](https://github.com/Kong/kong/pull/8701)
- Introduced unix domain socket based `lua-resty-events` to replace shared memory based `lua-resty-worker-events`.
  [#8890](https://github.com/Kong/kong/pull/8890)
- Introduced a new router implementation `atc-router`, which is written in Rust.
  [#8938](https://github.com/Kong/kong/pull/8938)
- Introduce a new field for entities `table_name` that allows specifying a table name. Previously, the name was deduced from the entity `name` attribute.
  [#9182](https://github.com/Kong/kong/pull/9182)
- Added `headers` on active healthcheck for upstreams.
  [#8255](https://github.com/Kong/kong/pull/8255)
- Target entities using hostnames were resolved when they were not needed. Now when a target is removed or updated, the DNS record associated with it is removed from the list of hostnames to be resolved.
  [#8497](https://github.com/Kong/kong/pull/8497)
  [#9265](https://github.com/Kong/kong/pull/9265)
- Improved error handling and debugging info in the DNS code
  [#8902](https://github.com/Kong/kong/pull/8902)
- Kong will now attempt to recover from an unclean shutdown by detecting and removing dangling unix sockets in the prefix directory
  [#9254](https://github.com/Kong/kong/pull/9254)

#### Admin API

- Added a new API `/timers` to get the timer statistics.
  [#8912](https://github.com/Kong/kong/pull/8912)
  and worker info
  [#8999](https://github.com/Kong/kong/pull/8999)
- `/` endpoint now includes plugin priority
  [#8821](https://github.com/Kong/kong/pull/8821)

#### Hybrid Mode

- Add wRPC protocol support. Now configuration synchronization is over wRPC. wRPC is an RPC protocol that encodes with ProtoBuf and transports with WebSocket.
  [#8357](https://github.com/Kong/kong/pull/8357)
- To keep compatibility with earlier versions, add support for CP to fall back to the previous protocol to support old DP.
  [#8834](https://github.com/Kong/kong/pull/8834)
- Add support to negotiate services supported with wRPC protocol.
  We will support more services than config sync over wRPC in the future. [#8926](https://github.com/Kong/kong/pull/8926)
- Declarative config exports happen inside a transaction in Postgres [#8586](https://github.com/Kong/kong/pull/8586)

#### Plugins

- Sync all plugin versions to the Kong version [#8772](https://github.com/Kong/kong/pull/8772)
- Introduced the new **OpenTelemetry** plugin that exports tracing instrumentations to any OTLP/HTTP compatible backend. `opentelemetry_tracing` configuration should be enabled to collect the core tracing spans of Kong. [#8826](https://github.com/Kong/kong/pull/8826)
- **Zipkin**: add support for including HTTP path in span name through configuration property `http_span_name`. [#8150](https://github.com/Kong/kong/pull/8150)
- **Zipkin**: add support for socket connect and send/read timeouts through configuration properties `connect_timeout`, `send_timeout`, and `read_timeout`. This can help mitigate `ngx.timer` saturation when upstream collectors are unavailable or slow. [#8735](https://github.com/Kong/kong/pull/8735)
- **AWS-Lambda**: add support for cross account invocation through configuration properties `aws_assume_role_arn` and `aws_role_session_name`. [#8900](https://github.com/Kong/kong/pull/8900)
- **AWS-Lambda**: accept string type `statusCode` as valid return when working in proxy integration mode. [#8765](https://github.com/Kong/kong/pull/8765)
- **AWS-Lambda**: separate aws credential cache by IAM role ARN [#8907](https://github.com/Kong/kong/pull/8907)
- **Statsd**: :fireworks: **Newly open-sourced plugin capabilities**: All capabilities of [Statsd Advanced](https://docs.konghq.com/hub/kong-inc/statsd-advanced/) are now bundled in [Statsd](https://docs.konghq.com/hub/kong-inc/statsd).
  [#9046](https://github.com/Kong/kong/pull/9046)

#### Configuration

- A new configuration item (`openresty_path`) has been added to allow developers/operators to specify the OpenResty installation to use when running Kong (instead of using the system-installed OpenResty) [#8412](https://github.com/Kong/kong/pull/8412)
- Add `ipv6only` to listen options (e.g. `KONG_PROXY_LISTEN`) [#9225](https://github.com/Kong/kong/pull/9225)
- Add `so_keepalive` to listen options (e.g. `KONG_PROXY_LISTEN`) [#9225](https://github.com/Kong/kong/pull/9225)
- Add LMDB dbless config persistence and removed the JSON based config cache for faster startup time [#8670](https://github.com/Kong/kong/pull/8670)
- `nginx_events_worker_connections=auto` has a lower bound of 1024 [#9276](https://github.com/Kong/kong/pull/9276)
- `nginx_main_worker_rlimit_nofile=auto` has a lower bound of 1024 [#9276](https://github.com/Kong/kong/pull/9276)

#### PDK

- Added new PDK function: `kong.request.get_start_time()` [#8688](https://github.com/Kong/kong/pull/8688)
- `kong.db.*.cache_key()` falls back to `.id` if nothing from `cache_key` is found [#8553](https://github.com/Kong/kong/pull/8553)

### Fixes

#### Core

- The schema validator now correctly converts `null` from declarative configurations to `nil`. [#8483](https://github.com/Kong/kong/pull/8483)
- Only reschedule router and plugin iterator timers after finishing previous execution, avoiding unnecessary concurrent executions. [#8567](https://github.com/Kong/kong/pull/8567)
- External plugins now handle returned JSON with null member correctly. [#8611](https://github.com/Kong/kong/pull/8611)
- Fixed an issue where the address of the environ variable could change but the code assumed it was fixed after init [#8581](https://github.com/Kong/kong/pull/8581)
- Fix issue where the Go plugin server instance would not be updated after a restart (e.g., upon a plugin server crash).
  [#8547](https://github.com/Kong/kong/pull/8547)
- Fixed an issue on trying to reschedule the DNS resolving timer when Kong was being reloaded. [#8702](https://github.com/Kong/kong/pull/8702)
- The private stream API has been rewritten to allow for larger message payloads [#8641](https://github.com/Kong/kong/pull/8641)
- Fixed an issue where the client certificate sent to upstream was not updated when calling the PATCH Admin API [#8934](https://github.com/Kong/kong/pull/8934)
- Fixed an issue where the CP and wRPC modules would cause Kong to crash when calling `export_deflated_reconfigure_payload` without a pcall [#8668](https://github.com/Kong/kong/pull/8668)
- Moved all `.proto` files to `/usr/local/kong/include` and ordered by priority. [#8914](https://github.com/Kong/kong/pull/8914)
- Fixed an issue that caused an unexpected 404 error when creating/updating configs with invalid options [#8831](https://github.com/Kong/kong/pull/8831)
- Fixed an issue that caused crashes when calling some PDK APIs [#8604](https://github.com/Kong/kong/pull/8604)
- Fixed an issue that caused crashes when Go PDK calls return arrays [#8891](https://github.com/Kong/kong/pull/8891)
- Plugin servers now shut down gracefully when Kong exits [#8923](https://github.com/Kong/kong/pull/8923)
- CLI now prompts with `[y/n]` instead of `[Y/n]`, as it does not take `y` as default [#9114](https://github.com/Kong/kong/pull/9114)
- Improved the error message when Kong cannot connect to Cassandra on init [#8847](https://github.com/Kong/kong/pull/8847)
- Fixed an issue where Vault Subschema wasn't loaded in `off` strategy [#9174](https://github.com/Kong/kong/pull/9174)
- The Schema now runs select transformations before `process_auto_fields` [#9049](https://github.com/Kong/kong/pull/9049)
- Fixed an issue where Kong would use too many timers to keep track of upstreams when `worker_consistency`=`eventual` [#8694](https://github.com/Kong/kong/pull/8694), [#8858](https://github.com/Kong/kong/pull/8858)
- Fixed an
  issue where it wasn't possible to set target status using only a hostname for targets set only by their hostname [#8797](https://github.com/Kong/kong/pull/8797)
- Fixed pagination issue when getting to the second page while iterating over a foreign key field using the DAO [#9255](https://github.com/Kong/kong/pull/9255)
- Fixed an issue where cache entries of some entities were not being properly invalidated after a cascade delete [#9261](https://github.com/Kong/kong/pull/9261)
- Running `kong start` when Kong is already running will no longer clobber the existing `.kong_env` file [#9254](https://github.com/Kong/kong/pull/9254)

#### Admin API

- Support HTTP/2 when requesting `/status` [#8690](https://github.com/Kong/kong/pull/8690)

#### Plugins

- Plugins with colliding priorities now have deterministic sorting based on their name [#8957](https://github.com/Kong/kong/pull/8957)
- External Plugins: better handling of the logging when a plugin instance loses the instances_id in an event handler [#8652](https://github.com/Kong/kong/pull/8652)
- **ACME**: `auth_method` default value is set to `token` [#8565](https://github.com/Kong/kong/pull/8565)
- **ACME**: Added cache for `domains_matcher` [#9048](https://github.com/Kong/kong/pull/9048)
- **syslog**: `conf.facility` default value is now set to `user` [#8564](https://github.com/Kong/kong/pull/8564)
- **AWS-Lambda**: Removed `proxy_scheme` field from schema [#8566](https://github.com/Kong/kong/pull/8566)
- **AWS-Lambda**: Change path from request_uri to upstream_uri, fixing the URI not following the rule defined in the request-transformer configuration [#9058](https://github.com/Kong/kong/pull/9058) [#9129](https://github.com/Kong/kong/pull/9129)
- **hmac-auth**: Removed deprecated signature format using `ngx.var.uri` [#8558](https://github.com/Kong/kong/pull/8558)
- Remove deprecated `blacklist`/`whitelist` config fields from bot-detection, ip-restriction and ACL plugins.
  [#8560](https://github.com/Kong/kong/pull/8560)
- **Zipkin**: Correct the balancer spans' duration to include the connection time from Nginx to the upstream. [#8848](https://github.com/Kong/kong/pull/8848)
- **Zipkin**: Correct the calculation of the header filter start time [#9230](https://github.com/Kong/kong/pull/9230)
- **Zipkin**: Compatibility with the latest Jaeger header spec, which makes `parent_id` optional [#8352](https://github.com/Kong/kong/pull/8352)
- **LDAP-Auth**: Refactored ASN.1 parser using OpenSSL API through FFI. [#8663](https://github.com/Kong/kong/pull/8663)
- **Rate-Limiting** and **Response-ratelimiting**: Fix a disordered behaviour caused by `pairs` function which may cause Postgres DEADLOCK problem [#8968](https://github.com/Kong/kong/pull/8968)
- **Response-rate-Limiting**: Fix a disordered behaviour caused by `pairs` function which may cause Postgres DEADLOCK problem [#8968](https://github.com/Kong/kong/pull/8968)
- **gRPC gateway**: Fix the handling of boolean fields from URI arguments [#9180](https://github.com/Kong/kong/pull/9180)
- **Serverless Functions**: Fix problem that could result in a crash [#9269](https://github.com/Kong/kong/pull/9269)
- **Azure-functions**: Support working without dummy service [#9177](https://github.com/Kong/kong/pull/9177)

#### Clustering

- The cluster listener now uses the value of `admin_error_log` for its log file instead of `proxy_error_log` [#8583](https://github.com/Kong/kong/pull/8583)
- Fixed a typo in some business logic that checks the Kong role before setting a value in cache at startup [#9060](https://github.com/Kong/kong/pull/9060)
- Fixed an issue where the DP would get a zero-size config while a service with a plugin-enabled route is disabled [#8816](https://github.com/Kong/kong/pull/8816)
- Localize `config_version` to avoid a race condition from the new yielding config loading code [#8188](https://github.com/Kong/kong/pull/8818)

#### PDK

- `kong.response.get_source()` now returns an error instead of an exit when
  plugin throws runtime exception on access phase [#8599](https://github.com/Kong/kong/pull/8599)
- `kong.tools.uri.normalize()` now does escaping of reserved and unreserved characters more correctly [#8140](https://github.com/Kong/kong/pull/8140)

## Previous releases

Please see [CHANGELOG-OLD.md](CHANGELOG-OLD.md) file for < 3.0 releases.

[Back to TOC](#table-of-contents)

[3.3.0]: https://github.com/Kong/kong/compare/3.2.0...3.3.0
[3.2.0]: https://github.com/Kong/kong/compare/3.1.0...3.2.0
[3.1.0]: https://github.com/Kong/kong/compare/3.0.1...3.1.0
[3.0.1]: https://github.com/Kong/kong/compare/3.0.0...3.0.1
[3.0.0]: https://github.com/Kong/kong/compare/2.8.1...3.0.0

================================================
FILE: CODE_OF_CONDUCT.md
================================================

# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to make participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at support@konghq.com.
All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/

================================================
FILE: COMMUNITY_PLEDGE.md
================================================

# Our pledge to the open source community

Kong Gateway is not only an awesome open source project, but also part of the product offering of Kong Inc. We have a large team of product people, software developers, testers and release engineers working on Kong Gateway. We make many of the enhancements to Kong Gateway in the Community Edition, so our open source community directly benefits from the commercial work that we do.

Recognizing that we operate as a commercial entity, we face the challenge of balancing our commercial interests with the desire to accommodate and support open source users and contributors effectively.

## Response time to GitHub issues and pull requests

In the Kong Gateway team, we're committed to maintaining a rapid and timely response to community contributions, promising to acknowledge and engage within a dedicated timeframe of 10 working days.
It is important to note, however, that while we strive to be as responsive as possible, we may not always be able to offer immediate solutions to every reported problem or incorporate every submitted pull request into the product.

## Maintaining an active working set

We will close pull requests or issue reports when we have decided that we will not be able to merge or resolve them in the foreseeable future. We do that in the interest of keeping our working set manageable, as accumulating pull requests and issues which don't make progress does not help improve Kong Gateway in the long run.

We automatically close issues and pull requests for which we do not get responses to our questions or update requests within 3 weeks.

================================================
FILE: CONTRIBUTING.md
================================================

# Contributing to Kong :monkey_face:

Hello, and welcome! Whether you are looking for help, trying to report a bug, thinking about getting involved in the project, or about to submit a patch, this document is for you! It intends to be both an entry point for newcomers to the community (with various technical backgrounds), and a guide/reference for contributors and maintainers.

Please have a look at our [Community Pledge](./COMMUNITY_PLEDGE.md) to understand how we work with our open-source contributors!

Consult the Table of Contents below, and jump to the desired section.

# Table of Contents

* [Contributing to Kong :monkey_face:](#contributing-to-kong-monkey_face)
* [Where to seek for help?](#where-to-seek-for-help)
* [Enterprise Edition](#enterprise-edition)
* [Community Edition](#community-edition)
* [Where to report bugs?](#where-to-report-bugs)
* [Where to submit feature requests?](#where-to-submit-feature-requests)
* [Contributing](#contributing)
* [Improving the documentation](#improving-the-documentation)
* [Proposing a new plugin](#proposing-a-new-plugin)
* [Submitting a patch](#submitting-a-patch)
* [Git branches](#git-branches)
* [Commit atomicity](#commit-atomicity)
* [Commit message format](#commit-message-format)
* [Type](#type)
* [Scope](#scope)
* [Subject](#subject)
* [Body](#body)
* [Footer](#footer)
* [Examples](#examples)
* [Static linting](#static-linting)
* [Writing tests](#writing-tests)
* [Writing changelog](#writing-changelog)
* [Writing performant code](#writing-performant-code)
* [Adding Changelog](#adding-changelog)
* [Contributor Badge](#contributor-badge)
* [Code style](#code-style)
* [Table of Contents - Code style](#table-of-contents---code-style)
* [Modules](#modules)
* [Variables](#variables)
* [Tables](#tables)
* [Strings](#strings)
* [Functions](#functions)
* [Conditional expressions](#conditional-expressions)

## Where to seek for help?

### Enterprise Edition

If you are a Kong Enterprise customer, you may contact the Enterprise Support channels by opening an Enterprise support ticket on [https://support.konghq.com](https://support.konghq.com/).

If you are experiencing a P1 issue, please call the [24/7 Enterprise Support phone line](https://support.konghq.com/hc/en-us/articles/115004921808-Telephone-Support) for immediate assistance, as published in the Customer Success Reference Guide.

If you are interested in becoming a Kong Enterprise customer, please visit https://konghq.com/kong-enterprise-edition/ or contact us at [sales@konghq.com](mailto:sales@konghq.com).

[Back to TOC](#table-of-contents)

### Community Edition

For questions about the use of the Community Edition, please use [GitHub Discussions](https://github.com/Kong/kong/discussions). You can also join our [Community Slack](http://kongcommunity.slack.com/) for real-time conversations around Kong Gateway.

**Please avoid opening GitHub issues for general questions or help**, as those should be reserved for actual bug reports. The Kong community is welcoming and more than willing to assist you on those channels!

Our public forum, [Kong Nation](https://discuss.konghq.com), is great for asking questions, giving advice, and staying up-to-date with the latest announcements.

[Back to TOC](#table-of-contents)

## Where to report bugs?

Feel free to [submit an issue](https://github.com/Kong/kong/issues/new/choose) on the GitHub repository, we would be grateful to hear about it! Please make sure that you respect the GitHub issue template, and include:

1. A summary of the issue
2. A list of steps to help reproduce the issue
3. The version of Kong that you encountered the issue with
4. Your Kong configuration, or the parts that are relevant to your issue

If you wish, you are more than welcome to propose a patch to fix the issue! See the [Submit a patch](#submitting-a-patch) section for more information on how to best do so.

[Back to TOC](#table-of-contents)

## Where to submit feature requests?

You can [submit an issue](https://github.com/Kong/kong/issues/new/choose) for feature requests. Please make sure to add as much detail as you can when doing so.

You are also welcome to propose patches adding new features. See the section on [Submitting a patch](#submitting-a-patch) for details.

[Back to TOC](#table-of-contents)

## Contributing

In addition to code enhancements and bug fixes, you can contribute by

- Reporting a bug (see the [report bugs](#where-to-report-bugs) section)
- Helping other members of the community on the support channels
- Fixing a typo in the code
- Fixing a typo in the documentation at https://docs.konghq.com (see the [documentation contribution](#improving-the-documentation) section)
- Providing your feedback on the proposed features and designs
- Reviewing Pull Requests

If you wish to contribute code (features or bug fixes), see the [Submitting a patch](#submitting-a-patch) section.

[Back to TOC](#table-of-contents)

### Improving the documentation

The documentation hosted at https://docs.konghq.com is open source and built with [Jekyll](https://jekyllrb.com/). You are very welcome to propose changes to it (correct typos, add examples or clarifications...) and contribute to the [Kong Hub](https://docs.konghq.com/hub/)!

The repository is also hosted on GitHub at: https://github.com/Kong/docs.konghq.com/

[Back to TOC](#table-of-contents)

### Proposing a new plugin

We **do not** generally accept new plugins into this repository. The plugins that are currently part of it form the foundational set of plugins which is available to all installations of Kong Gateway. Specialized functionality should be implemented in plugins residing in a separate repository.

If you are interested in writing a new plugin for your own needs, you should begin by reading the [Plugin Development Guide](https://docs.konghq.com/latest/plugin-development).

If you already wrote a plugin, and are thinking about making it available to the community, we strongly encourage you to host it on a publicly available repository (like GitHub), and distribute it via [LuaRocks](https://luarocks.org/search?q=kong).
A good resource on how to do so is the [Distribution Section](https://docs.konghq.com/latest/plugin-development/distribution/#distributing-your-plugin) of the Plugin Development Guide.

To give visibility to your plugin, we advise that you:

1. Add your plugin to the [Kong Hub](https://docs.konghq.com/hub/)
2. Create a post in the [Announcements category of Kong Nation](https://discuss.konghq.com/c/announcements)

[Back to TOC](#table-of-contents)

### Submitting a patch

Feel free to contribute fixes or minor features by opening a Pull Request. Small contributions are more likely to be merged quicker than changes which require a lot of time to review. If you are planning to develop a larger feature, please talk to us first in the [GitHub Discussions](https://github.com/Kong/kong/discussions) section!

When contributing, please follow the guidelines provided in this document. They will cover topics such as the different Git branches we use, the commit message format to use, or the appropriate code style.

Once you have read them, and you feel that you are ready to submit your Pull Request, be sure to verify a few things:

- Your commit history is clean: changes are atomic and the git message format was respected
- Rebase your work on top of the base branch (seek help online on how to use `git rebase`; this is important to ensure your commit history is clean and linear)
- The static linting is succeeding: run `make lint`, or `luacheck .` (see the development documentation for additional details)
- The tests are passing: run `make test`, `make test-all`, or whichever is appropriate for your change
- Do not update `CHANGELOG.md` inside your Pull Request. This file is automatically regenerated and maintained during the release process.

If the above guidelines are respected, your Pull Request has every chance of being considered and will be reviewed by a maintainer.

If you are asked to update your patch by a reviewer, please do so!
Remember: **You are responsible for pushing your patch forward**. If you contributed it, you are probably the one in need of it. You must be ready to apply changes to it if necessary.

If your Pull Request was accepted and fixes a bug, adds functionality, or makes it significantly easier to use or understand Kong, congratulations! You are now an official contributor to Kong. Get in touch with us to receive your very own [Contributor Badge](#contributor-badge)!

Your change will be included in the subsequent release and its changelog, and we will not forget to include your name if you are an external contributor. :wink:

[Back to TOC](#table-of-contents)

#### Git branches

If you have write access to the GitHub repository, please follow the following naming scheme when pushing your branch(es):

- `feat/foo-bar` for new features
- `fix/foo-bar` for bug fixes
- `tests/foo-bar` when the change concerns only the test suite
- `refactor/foo-bar` when refactoring code without any behavior change
- `style/foo-bar` when addressing some style issue
- `docs/foo-bar` for updates to the README.md, this file, or similar documents
- `chore/foo-bar` when the change does not concern the functional source
- `perf/foo-bar` for performance improvements

[Back to TOC](#table-of-contents)

#### Commit atomicity

When submitting patches, it is important that you organize your commits in logical units of work. You are free to propose a patch with one or many commits, as long as their atomicity is respected. This means that no unrelated changes should be included in a commit.

For example: you are writing a patch to fix a bug, but in your endeavour, you spot another bug. **Do not fix both bugs in the same commit!** Finish your work on the initial bug, propose your patch, and come back to the second bug later on. This is also valid for unrelated style fixes, refactors, etc...

You should use your best judgment when facing such decisions.
A good approach for this is to put yourself in the shoes of the person who will review your patch: will they understand your changes and reasoning just by reading your commit history? Will they find unrelated changes in a particular commit? They shouldn't!

Writing meaningful commit messages that follow our commit message format will also help you respect this mantra (see the below section).

[Back to TOC](#table-of-contents)

#### Commit message format

To maintain a healthy Git history, we ask of you that you write your commit messages as follows:

- The tense of your message must be **present**
- Your message must be prefixed by a type, and a scope
- The header of your message should not be longer than 50 characters
- A blank line should be included between the header and the body
- The body of your message should not contain lines longer than 72 characters

We strive to adapt the [conventional-commits](https://www.conventionalcommits.org/en/v1.0.0/) format.

Here is a template of what your commit message should look like:

```
():