Releases: Kong/kong
0.7.0
Breaking changes
Due to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to 1.9.7.3
which is not backwards compatible, and thus requires changes to be made to the nginx
property of Kong's configuration file. See the 0.7 upgrade path for instructions.
However by upgrading the underlying OpenResty version, source installations do not have to patch the NGINX core and use the old ssl-cert-by-lua
branch of ngx_lua anymore. This will make source installations much easier.
Added
- Support for OpenResty
1.9.7.*
. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). #906 - Plugins
- New Runscope plugin: Monitor your APIs from Kong with Runscope. Courtesy of @mansilladev. #924
- Datadog: New
response.size
metric. #923 - Rate-Limiting and Response Rate-Limiting
- New
config.async
option to asynchronously increment counters to reduce latency at the cost of slighly reducing the accuracy. #912 - New
config.continue_on_error
option to keep proxying requests in case the datastore is unreachable. rate-limiting operations will be disabled until the datastore is responsive again. #953
- New
- CLI
- Perform a simple permission check on the NGINX working directory when starting, to prevent errors during execution. #939
- Send 50x errors with the appropriate format. #927 #970
Fixed
- Plugins
- OAuth2
- IP restriction: Fix an issue that could arise when restarting Kong. Now Kong does not need to be restarted for the ip-restriction configuration to take effect. #782 #960
- SSL: Replace shelled out openssl calls with native
ngx.ssl
conversion utilities, which preserve the certificate chain. #968 - ACL: Properly invalidating entities when assigning a new ACL group. #996
- Avoid user warning on start when the user is not root. #964
- Store Serf logs in NGINX working directory to prevent eventual permission issues. #975
- Allow plugins configured on a Consumer without being configured on an API to run. #978 #980
- Fixed an edge-case where Kong nodes would not be registered in the
nodes
table. #1008
0.6.1
This release contains tiny bug fixes that were especially annoying for complex Cassandra setups and power users of the Admin API!
Added
- A
timeout
property for the Cassandra configuration. In ms, this timeout is effective as a connection and a reading timeout. #937
Fixed
- Correctly set the Cassandra SSL certificate in the Nginx configuration while starting Kong. #921
- Rename the
user
Cassandra property tousername
(Kong looks forusername
, henceuser
would fail). #922 - Allow Cassandra authentication with arbitrary plain text auth providers (such as Instaclustr uses), fixing authentication with them. #937
- Admin API
- Fix the
/plugins/:id
route forPATCH
method. #941
- Fix the
- Plugins
0.6.0
Breaking changes
We would recommended to consult the suggested 0.6 upgrade path for this release.
- Serf is now a Kong dependency. It allows Kong nodes to communicate between each other opening the way to many features and improvements.
- The configuration file changed. Some properties were renamed, others were moved, and some are new. We would recommended checking out the new default configuration file.
- Drop the Lua 5.1 dependency which was only used by the CLI. The CLI now runs with LuaJIT, which is consistent with other Kong components (Luarocks and OpenResty) already relying on LuaJIT. Make sure the LuaJIT interpreter is included in your
$PATH
. #799 kong.pid
becamenginx.pid
Added
One of the biggest new features of this release is the cluster-awareness added to Kong in #729, which deserves its own section:
- Each Kong node is now aware of belonging to a cluster through Serf. Nodes automatically join the specified cluster according to the configuration file's settings.
- The datastore cache is not invalidated by expiration time anymore, but following an invalidation strategy between the nodes of a same cluster, leading to improved performance.
- Admin API
- Expose a
/cache
endpoint for retrieving elements stored in the in-memory cache of a node. - Expose a
/cluster
endpoint used to add/remove/list members of the cluster, and also used internally for data propagation.
- Expose a
- CLI
- New
kong cluster
command for cluster management. - New
kong status
command for cluster healthcheck.
- New
Other additions include:
- New Cassandra driver which makes Kong aware of the Cassandra cluster. Kong is now unaffected if one of your Cassandra nodes goes down as long as a replica is available on another node. Load balancing policies also improve the performance along with many other smaller improvements. #803
- Admin API
- A new
total
field in API responses, that counts the total number of entities in the datastore. #635
- A new
- Configuration
- Possibility to configure the keyspace replication strategy for Cassandra. It will be taken into account by the migrations when the configured keyspace does not already exist. #350
- Dnsmasq is now optional. You can specify a custom DNS resolver address that Kong will use when resolving hostnames. This can be configured in
kong.yml
. #625
- Plugins
Changed
- As mentioned in the breaking changes section, a new configuration file format and validation. All properties are now documented and commented out with their default values. This allows for a lighter configuration file and more clarity as to what properties relate to. It also catches configuration mistakes. #633
- Replace the UUID generator library with a new implementation wrapping lib-uuid, fixing eventual conflicts happening in cases such as described in #659. See #695
- Admin API
Fixed
- Behaviors described in #603 related to the failure of Cassandra nodes thanks to the new driver. #803
- Latency headers are now properly included in responses sent to the client. #708
strip_request_path
does not add a trailing slash to the API'supstream_url
anymore before proxying. #675- Do not URL decode querystring before proxying the request to the upstream service. #749
- Handle cases when the request would be terminated prior to the Kong execution (that is, before ngx_lua reaches the
access_by_lua
context) in cases such as the use of a custom nginx module. #594 - Admin API
- The PUT method now correctly updates boolean fields (such as
strip_request_path
). #765 - The PUT method now correctly resets a plugin configuration. #720
- PATCH correctly set previously unset fields. #861
- In the responses, the
next
link is not being displayed anymore if there are no more entities to be returned. #635 - Prevent the update of
created_at
fields. #820 - Better
request_path
validation for APIs. "/" is not considered a valid path anymore. #881
- The PUT method now correctly updates boolean fields (such as
- Plugins:
- Galileo: ensure the
mimeType
value is always a string in ALFs. #584 - JWT: allow to update JWT credentials using the PATCH method. It previously used to reply with
405 Method not allowed
because the PATCH method was not implemented. #667 - Rate limiting: fix a warning when many periods are configured. #681
- Basic Authentication: do not re-hash the password field when updating a credential. #726
- File log: better permissions for on file creation for file-log plugin. #877
- OAuth2
- Galileo: ensure the
_internal_
- Event bus for local and cluster-wide events propagation. Plans for this event bus is to be widely used among Kong in the future.
- The Kong Public Lua API (Lua helpers integrated in Kong such as DAO and Admin API helpers) is now documented with ldoc format and published on the online documentation.
- Work has been done to restore the reliability of the CI platforms.
- Migrations can now execute DML queries (instead of DDL queries only). Handy for migrations implying plugin configuration changes, plugins renamings etc... #770
0.5.4
0.5.3
0.5.2
A few fixes requested by the community!
Fixed
- Kong properly search the
nginx
in your $PATH variable. - Plugins:
0.5.1
Fixing a few glitches we let out with 0.5.0!
Added
- Basic Authentication and HMAC Authentication plugins now also send the
X-Credential-Username
to the upstream server. - Admin API now accept JSON when receiving a CORS request. #580
- Add a
WWW-Authenticate
header for HTTP 401 responses for basic-auth and key-auth. #588
Changed
- Protect Kong from POODLE SSL attacks by omitting SSLv3 (CVE-2014-3566). #563
- Remove support for key-auth key in body. #566
Fixed
- Plugins
- Fix an occasional error when updating a plugin without a config. #571
0.5.0
With new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention.
Breaking changes
Several breaking changes are introduced. You will have to slightly change your configuration file and a migration script will take care of updating your database cluster. Please follow the instructions in UPDATE.md for an update without downtime.
- Many plugins were renamed due to new naming conventions for consistency. #480
- In the configuration file, the Cassandra
hosts
property was renamed tocontact_points
. #513 - Properties belonging to APIs entities have been renamed for clarity. #513
public_dns
->request_host
path
->request_path
strip_path
->strip_request_path
target_url
->upstream_url
plugins_configurations
have been renamed toplugins
, and theirvalue
property has been renamed toconfig
to avoid confusions. #513- The database schema has been updated to handle the separation of plugins outside of the core repository.
- The Key authentication and Basic authentication plugins routes have changed:
Old route New route
/consumers/:consumer/keyauth -> /consumers/:consumer/key-auth
/consumers/:consumer/keyauth/:id -> /consumers/:consumer/key-auth/:id
/consumers/:consumer/basicauth -> /consumers/:consumer/basic-auth
/consumers/:consumer/basicauth/:id -> /consumers/:consumer/basic-auth/:id
The old routes are still maintained but will be removed in upcoming versions. Consider them deprecated.
- Admin API
- The route to retrieve enabled plugins is now under
/plugins/enabled
. - The route to retrieve a plugin's configuration schema is now under
/plugins/schema/{plugin name}
.
- The route to retrieve enabled plugins is now under
Added
- Plugins
- New Response Rate Limiting plugin: Give a usage quota to your users based on a parameter in your response. #247
- New ACL (Access Control) plugin: Configure authorizations for your Consumers. #225
- New JWT (JSON Web Token) plugin: Verify and authenticate JWTs. #519
- New HMAC signature plugin: Verify and authenticate HMAC signed HTTP requests. #549
- Plugins migrations. Each plugin can now have its own migration scripts if it needs to store data in your cluster. This is a step forward to improve Kong's pluggable architecture. #443
- Basic Authentication: the password field is now sha1 encrypted. #33
- Basic Authentication: now supports credentials in the
Proxy-Authorization
header. #460
Changed
- Basic Authentication and Key Authentication now require authentication parameters even when the
Expect: 100-continue
header is being sent. #408 - Key Auth plugin does not support passing the key in the request payload anymore. #566
- APIs' names cannot contain characters from the RFC 3986 reserved list. #589
Fixed
- Resolver
- Making a request with a querystring will now correctly match an API's path. #496
- Admin API
- Data associated to a given API/Consumer will correctly be deleted if related Consumer/API is deleted. #107 #438 #504
- The
/api/{api_name_or_id}/plugins/{plugin_name_or_id}
changed to/api/{api_name_or_id}/plugins/{plugin_id}
to avoid requesting the wrong plugin if two are configured for one API. #482 - APIs created without a
name
but with arequest_path
will now have a name which defaults to the setrequest_path
. #547
- Plugins
- Mashape Analytics: More robust buffer and better error logging. #471
- Mashape Analytics: Several ALF (API Log Format) serialization fixes. #515
- Oauth2: A response is now returned on
http://kong:8001/consumers/{consumer}/oauth2/{oauth2_id}
. #469 - Oauth2: Saving
authenticated_userid
on Password Grant. #476 - Oauth2: Proper handling of the
/oauth2/authorize
and/oauth2/token
endpoints in the OAuth 2.0 Plugin when an API with apath
is being consumed using thepublic_dns
instead. #503 - OAuth2: Properly returning
X-Authenticated-UserId
in theclient_credentials
andpassword
flows. #535 - Response-Transformer: Properly handling JSON responses that have a charset specified in their
Content-Type
header.
0.4.2
This update slightly changes the configuration file format, checkout UPDATE.md for instructions.
Added
- Cassandra authentication and SSL encryption. #405
preserve_host
flag on APIs to preserve the Host header when a request is proxied. #444- Added the Resource Owner Password Credentials Grant to the OAuth 2.0 Plugin. #448
- Auto-generation of default SSL certificate. #453
Changed
- Remove
cassandra.port
property in configuration. Ports are specified by havingcassandra.hosts
addresses using thehost:port
notation (RFC 3986). #457 - Default SSL certificate is now auto-generated and stored in the
nginx_working_dir
.
Fixed
- Better handling of multi-nodes Cassandra clusters. #450
- mashape-analytics plugin: handling of numerical values in querystrings. #449
- Path resolver
strip_path
option wrongfully matching thepath
property multiple times in the request URI. #442 - File Log Plugin bug that prevented the file creation in some environments. #461
- Clean output of the Kong CLI. #235
0.4.1
Fixed
- Issues with the Mashape Analytics plugin. #425
- Handle hyphens when executing path routing with
strip_path
option enabled. #431 - Adding the Client Credentials OAuth 2.0 flow. #430
- A bug that prevented "dnsmasq" from being started on some systems, including Debian. f7da790
- File Log plugin: optimizations by avoiding the buffered I/O layer. 20bb478