Kong Gateway Operator Changelog
Changelog for supported Kong Gateway Operator versions.
1.4.0
Release Date 2024/10/31
Added
- Proper User-Agent header is now set on outgoing HTTP requests. #387
- Introduce KongPluginInstallation CRD to allow installing custom Kong plugins distributed as container images. #400, #424, #474, #560, #615, #476
- Extended DataPlane API with a possibility to specify PodDisruptionBudget to be created for the DataPlane deployments via spec.resources.podDisruptionBudget. #464
- Add KonnectAPIAuthConfiguration reconciler. #456
- Add support for Konnect tokens in Secrets in KonnectAPIAuthConfiguration reconciler. #459
- Add KonnectControlPlane reconciler. #462
- Add KongService reconciler for Konnect control planes. #470
- Add KongUpstream reconciler for Konnect control planes. #593
- Add KongConsumer reconciler for Konnect control planes. #493
- Add KongRoute reconciler for Konnect control planes. #506
- Add KongConsumerGroup reconciler for Konnect control planes. #510
- Add KongCACertificate reconciler for Konnect CA certificates. #626
- Add KongCertificate reconciler for Konnect Certificates. #643
- Added command line flags to configure the certificate generator job’s images. #516
- Add KongPluginBinding reconciler for Konnect Plugins. #513, #535
- Add KongTarget reconciler for Konnect Targets. #627
- Add KongVault reconciler for Konnect Vaults. #597
- Add KongKey reconciler for Konnect Keys. #646
- Add KongKeySet reconciler for Konnect KeySets. #657
- Add KongDataPlaneClientCertificate reconciler for Konnect DataPlaneClientCertificates. #694
- The KonnectExtension CRD has been introduced. Such a CRD can be attached to a DataPlane via the extensions field to have a konnect-flavored DataPlane. #453, #578, #736
- Entities created in Konnect are now labeled (or tagged for those that do not support labels) with origin Kubernetes object’s metadata: k8s-name, k8s-namespace, k8s-uid, k8s-generation, k8s-kind, k8s-group, k8s-version. #565
- Add KongService, KongRoute, KongConsumer, and KongConsumerGroup watchers in the KongPluginBinding reconciler. #571
- Annotating the following resource with the konghq.com/plugins annotation results in the creation of a managed KongPluginBinding resource:
- KongConsumer associated with ConsumerGroups is now reconciled in Konnect by removing/adding the consumer from/to the consumer groups. #592
- Add support for KongConsumer credentials:
- Add support for KongRoutes bound directly to KonnectGatewayControlPlanes (serviceless routes). #669
- Allow setting KonnectGatewayControlPlanes group membership #697
- Apply Konnect-related customizations to DataPlanes that properly reference KonnectExtension resources. #714
- The KonnectExtension functionality is enabled only when the --enable-controller-konnect flag or the GATEWAY_OPERATOR_ENABLE_CONTROLLER_KONNECT env var is set. #738
Fixed
- Fixed ControlPlane cluster wide resources not migrating to new ownership labels (introduced in 1.3.0) when upgrading the operator from 1.2 (or older) to 1.3.0. #369
- Requeue instead of reporting an error when a finalizer removal yields a conflict. #454
- Requeue instead of reporting an error when a GatewayClass status update yields a conflict. #612
- Guard object counters with checks whether CRDs for them exist #710
- Do not reconcile Gateways nor assign any finalizers when the referred GatewayClass is not supported. #711
- Fixed setting ExternalTrafficPolicy on DataPlane’s ingress Service during update and patch operations. #750
Changes
- Default version of ControlPlane is bumped to 3.3.1 #580
- Default version of DataPlane is bumped to 3.8.0 #572
- Gateway API has been bumped to v1.2.0 #674
1.3.0
Release Date 2024/06/24
Fixes
- Fix the ControlPlane extensions controller to gracefully handle the absence of a Kong Gateway Enterprise license on startup.
- Do not require existence of certmanager.io/v1.certificates CRD when KonnectCertificateOptions is empty in DataPlane.
- Fix version reporting in logs and via -version CLI arg
- Fix enforcing up to date ControlPlane’s ValidatingWebhookConfiguration
Changes
- Gateways do not have their Ready status condition set anymore. This aligns with Gateway API and its conformance test suite.
- Gateways’ listeners now have their attachedRoutes count filled in status.
- Detect when ControlPlane has its admission webhook disabled via CONTROLLER_ADMISSION_WEBHOOK_LISTEN environment variable and ensure that relevant webhook resources are not created/deleted.
- The OwnerReferences on cluster-wide resources to indicate their owner are now replaced by a proper set of labels to identify kind, namespace, and name of the owning object.
- Default version of ControlPlane is bumped to 3.2.0
Breaking Changes
- Changes project layout to match kubebuilder v4. Some import paths (due to dir renames) have changed: apis -> api and controllers -> controller.
Added
- Add ExternalTrafficPolicy to DataPlane’s ServiceOptions
1.2.3
Release Date 2024/04/24
Fixes
- Fixed an issue where the managed Gateways controller wasn’t able to reduce the created DataPlane objects when too many were created.
- Gateway controller will no longer set DataPlane deployment’s replicas to the default value when DataPlaneOptions in GatewayConfiguration define a scaling strategy. This effectively allows users to use DataPlane horizontal autoscaling with GatewayConfiguration because the generated DataPlane deployment won’t be rejected.
- Made creating a DataPlane index conditional based on enabling the ControlPlane controller. This allows KGO to run without the ControlPlane CRD with its controller disabled.
1.2.2
Release Date 2024/04/23
NOTE: Retracted
v1.2.2 was retracted due to a misplaced git tag. Due to Golang’s proxy caching modules indefinitely we needed to retract this version. v1.2.3 contains all the changes that v1.2.2 intended to contain.
1.2.1
Release Date 2024/03/20
Fixes
- Fixed an issue where operator wasn’t able to update ControlPlane ClusterRole or ClusterRoleBinding when they got out of date.
- Add missing watch RBAC policy rule for cert-manager’s Certificate resources
Changes
- KGO now uses GATEWAY_OPERATOR_ prefix for all flags, including the zap related logging flags.
1.2.0
Release Date 2024/03/15
Highlights
- 🎓 The Managed Gateways feature is now GA.
- 🎓 ControlPlane and GatewayConfig APIs have been promoted to v1beta1.
- ✨ DataPlanes managed by Gateways can be now scaled horizontally through the GatewayConfiguration API.
- ✨ Gateway listeners are dynamically mapped to the DataPlane proxy service ports.
- 🧠 The new feature AIGateway has been released in alpha stage.
- ✨ Kong Gateway Operator exposes metrics with latency that can be used for autoscaling of your workloads.
- ✨ Automated handling of certificates for Konnect’s PKI mode with cert-manager.
Added
- Added support for specifying command line flags through environment variables having the GATEWAY_OPERATOR_ prefix.
- Add horizontal autoscaling for DataPlanes using its scaling.horizontal spec field.
- ControlPlanes now use Gateway Discovery by default, with Service DNS Strategy. Additionally, the DataPlane readiness probe has been changed to /status/ready when the DataPlane is managed by a Gateway.
- Gateways’ and Listeners’ Accepted and Conflicted conditions are now set and enforced based on the Gateway API specifications.
- ControlPlane ClusterRoles and ClusterRoleBindings are enforced and kept up to date by the ControlPlane controller.
- The Gateway listeners are now dynamically mapped to DataPlane ingress service ports. This means that the change of a Gateway spec leads to a DataPlane reconfiguration, along with an ingress service update.
- --enable-controller-gateway and --enable-controller-controlplane command line flags are set to true by default to enable controllers for Gateways and ControlPlanes.
- When the Gateway controller provisions a ControlPlane, it sets the CONTROLLER_GATEWAY_TO_RECONCILE env variable to let the ControlPlane reconcile that specific Gateway only.
- ControlPlane is now deployed with a validating webhook server turned on. This involves creating ValidatingWebhookConfiguration, a Service that exposes the webhook and a Secret that holds a TLS certificate. The Secret is mounted in the ControlPlane’s Pod for the webhook server to use it.
- Added konnectCertificate field to the DataPlane resource.
- Added v1alpha1.AIGateway as an experimental API. This can be enabled by manually deploying the AIGateway CRD and enabling the feature on the controller manager with the --enable-controller-aigateway flag.
- Added validation on checking if ports in KONG_PORT_MAPS and KONG_PROXY_LISTEN environment variables of deployment options in DataPlane match the ports in the ingress service options of the DataPlane.
- Support for KongLicense CRD to manage Kong Gateway Enterprise licenses.
- New ControlPlane extensions controller to manage control plane extensions with initial support for DataPlaneMetricsExtension.
- DataPlane Prometheus metrics scraping support for DataPlaneMetricsExtension.
- DataPlane resources can provision cert-manager Certificate resources from a (Cluster) Issuer for use with Konnect’s PKI mode.
- ControlPlane extensions controller now checks for a valid Kong enterprise license.
Changes
- The GatewayConfiguration API has been promoted from v1alpha1 to v1beta1.
- The ControlPlane API has been promoted from v1alpha1 to v1beta1.
- The CRD’s short names of ControlPlane, DataPlane and GatewayConfiguration have been changed to kocp, kodp and kogc.
- ControlPlane (Kong Ingress Controller) default and minimum version has been bumped to 3.1.2.
- DataPlane (Kong Gateway) default version has been bumped to v3.6.0.
Fixes
- Fixed a problem where the operator would not set the defaults to PodTemplateSpec patch and because of that it would detect a change and try to reconcile the owned resource where in fact the change was not there. One of the symptoms of this bug could have been a StartupProbe set in PodSpec preventing the DataPlane from getting correct status information.
- If the Gateway controller is enabled, DataPlane and ControlPlane controllers get enabled as well.
- Fix applying the PodTemplateSpec patch so that it’s not applied when the calculated patch (resulting from the generated manifest and current in-cluster state) is empty. One of the symptoms of this bug was that when users tried to apply a ReadinessProbe which specified a port name instead of a number (which is what’s generated by the operator) it would never reconcile and the status conditions would never get up to date ObservedGeneration.
- Fix manager RBAC permissions which prevented the operator from being able to create ControlPlane’s ClusterRoles, list pods or list EndpointSlices.
- DataPlanes with BlueGreen rollout strategy enabled will now have its Ready status condition updated to reflect “live” Deployment and Services status.
- The ControlPlane election-id has been changed so that every ControlPlane has its own election-id, based on the ControlPlane name. This prevents pods belonging to different ControlPlanes from competing for the same lease.
- Fill in the defaults for env and volumes when comparing the in-cluster spec with the generated spec.
- Do not flap DataPlane’s Ready status condition when e.g. ingress Service can’t get an address assigned and spec.network.services.ingress.annotations is non-empty.
- Update or recreate a ClusterRoleBinding for control planes if the existing one does not contain the ServiceAccount used by ControlPlane, or ClusterRole is changed.
- Retry reconciling Gateways when provisioning owned DataPlane fails.
1.1.0
Release Date 2023/11/20
Added
- Add support for ControlPlane v3.0 by updating the generated ClusterRole.
Changes
- Bump ControlPlane default version to v3.0.
- Bump Gateway API to v1.0.
Fixes
- Operator Role generation is fixed. As a result it now contains fewer rules, hence the operator needs fewer permissions to run.
1.0.3
Release Date 2023/11/06
Fixes
- Fix an issue where operator is upgraded from an older version and it orphans old DataPlane resources.
Added
- Setting spec.deployment.podTemplateSpec.spec.volumes and spec.deployment.podTemplateSpec.spec.containers[*].volumeMounts on ControlPlanes is now allowed.
1.0.2
Release Date 2023/10/18
Changed
- Bump dependencies
1.0.1
Release Date 2023/10/02
Fixes
- Fix flapping of Gateway managed ControlPlane spec field when applied without controlPlaneOptions set.
Changes
- Bump ControlPlane default version to v2.12.
- Bump WebhookCertificateConfigBaseImage to v1.3.0.
1.0.0
Release Date 2023/09/27
Features
- Deploy and configure Kong Gateway services
- Customise deployments using PodTemplateSpec to deploy sidecars, set node affinity and more.
- Upgrade Data Planes using a rolling restart or blue/green deployments