You are browsing documentation for an older version. See the latest documentation here.
Kong Enterprise LTS 2.8 to 3.4 upgrade guide
Kong Gateway supports direct upgrades between long-term support (LTS) versions of Kong Gateway Enterprise.
This guide walks you through upgrading from Kong Gateway Enterprise 2.8 LTS to Kong Gateway Enterprise 3.4 LTS, specifically covering 2.8.0.0-2.8.4.1 up to 3.4.0.0. Carefully review each entry and make changes to your configuration accordingly.
There are three upgrade strategies available for the LTS to LTS upgrade. This guide nominates the best applicable strategy for each deployment mode that Kong Gateway supports. Additionally, it lists some fundamental factors that play important roles in the upgrade process, and explains how to back up and recover data.
This guide uses the following terms in the context of Kong Gateway:
- Upgrade: The overall process of switching from an older to a newer version of Kong Gateway.
- Migration: The migration of your data store data into a new environment. For example, the process of moving 2.8 data from an old PostgreSQL instance to a new one for 3.4 is referred to as database migration.
To make sure your upgrade is successful, carefully review all the steps in this guide. It’s very important to understand all the preparation steps and choose the recommended upgrade path based on your deployment type.
Caution: The migration pattern described in this document can only happen between two LTS versions, Kong Gateway Enterprise 2.8 LTS and Kong Gateway Enterprise 3.4 LTS. If you apply this document to other release intervals, database modifications may be run in the wrong sequence and leave the database schema in a broken state. To migrate between other versions, see the general upgrade guide.
Prerequisites
- Starting from 3.4, Cassandra is not supported. If you’re using Cassandra as your data store, migrate off of Cassandra first and upgrade second.
- Review version compatibility between your platform version and the version of that you are upgrading to:
- Review KIC upgrade compatibility.
- If you’re using decK, upgrade it to the latest version.
Read this document thoroughly to successfully complete the upgrade process, as it includes all the necessary operational knowledge for the upgrade.
Upgrade journey overview
Preparation phase
There are a number of steps you must complete before upgrading to Kong Gateway 3.4 LTS:
- Work through any listed prerequisites.
- Back up your database or your declarative configuration files.
- Choose the right strategy for upgrading based on your deployment topology.
- Review the Kong Gateway changes from 2.8 to 3.4 for any breaking changes that affect your deployments.
- Conduct a thorough examination of the modifications made to the
kong.conf
file between the LTS releases. - Using your chosen strategy, test migration in a pre-production environment.
Performing the upgrade
The actual execution of the migration is dependent on the type of deployment you have with Kong Gateway. In this part of the upgrade journey, you will use the strategy you determined during the preparation phase.
- Execute your chosen upgrade strategy on dev.
- Move from dev to prod.
- Smoke test.
- Wrap up the upgrade or roll back and try again.
Now, let’s move on to preparation, starting with your backup options.
Preparation: Choose a backup strategy
The kong migrations
commands used during upgrade and database migration are not reversible.
Always back up your database or declarative configuration files before an upgrade.
There are two main types of backup for Kong Gateway entities:
- Database backup: PostgreSQL has native exporting and importing tools that are reliable and performant, and that ensure consistency when backing up or restoring data. If you’re running Kong Gateway in traditional or hybrid mode, you should always take a database-native backup.
- Declarative backup: Kong ships two declarative backup tools: decK and the Kong CLI, which support managing Kong Gateway entities in the declarative format. For traditional and hybrid mode deployments, use these tools to create secondary backups. For DB-less mode deployments, use the Kong CLI and manually manage declarative configuration files.
We highly recommend backing up your data using both methods if possible, as this offers you recovery flexibility.
The database-native tools are robust and can restore data instantly compared to the declarative tools. In case of data corruption, try to do a database-level restore first. Otherwise, bootstrap a new database and use declarative tools to restore configuration from backup files.
Review the Backup and Restore guide to prepare backups of your configuration. If you run into any issues and need to roll back, you can also reference that guide to restore your old data store.
Preparation: Choose an upgrade strategy based on deployment mode
Upgrade strategies introduced in this section are generic and may or may not fit in with your deployment environment.
Choose your deployment mode:
Here’s a flowchart that breaks down how the decision process works:
flowchart TD A{Deployment type?} --> B(Traditional mode) A{Deployment type?} --> C(Hybrid mode) A{Deployment type?} --> D(DB-less mode) A{Deployment type?} --> E(Konnect DP) B ---> F{Enough hardware to run another cluster?} C --> G(Upgrade CP first) & H(Upgrade DP second) D ----> K([Rolling upgrade]) E ----> K G --> F F ---Yes--->I([Dual-cluster upgrade]) F ---No--->J([In-place upgrade]) H ---> K click K "/gateway/latest/upgrade/rolling-upgrade/" click I "/gateway/latest/upgrade/dual-cluster/" click J "/gateway/latest/upgrade/in-place/"
Figure 1: Choose an upgrade strategy based on your deployment type. For traditional mode, choose a dual-cluster upgrade if you have enough resources, or an in-place upgrade if you don’t have enough resources. For DB-less mode and Konnect DPs, use a rolling upgrade. For hybrid mode, use one of the traditional mode strategies for CPs, and the rolling upgrade for DPs.
See the following sections for breakdowns of each strategy.
Traditional mode
A traditional mode deployment is when all Kong Gateway components are running in one environment, and there is no control plane/data plane separation.
You have two options when upgrading Kong Gateway in traditional mode:
- Dual-cluster upgrade: A new Kong Gateway cluster of version Y is deployed alongside the current version X, so that two clusters serve requests concurrently during the upgrade process.
- In-place upgrade: An in-place upgrade reuses the existing database and has to shut down cluster X first, then configure the new cluster Y to point to the database.
We recommend using a dual-cluster upgrade if you have the resources to run another cluster concurrently. Use the in-place method only if resources are limited, as it will cause business downtime.
Dual-cluster upgrade
Upgrading Kong Gateway from one LTS version to another LTS version with zero downtime can be achieved through a dual-cluster upgrade strategy. This approach involves setting up a new cluster running the upgraded version of Kong Gateway alongside the existing cluster running the current version.
At a high level, the process typically involves the following steps:
-
Provisioning a same-size deployment: You need to ensure that the new cluster, which will run the upgraded version of Kong Gateway, has the same capacity and resources as the existing cluster. This ensures that both clusters can handle the same amount of traffic and workload.
-
Setting up dual-cluster deployment: Once the new cluster is provisioned, you can start deploying your APIs and configurations to both clusters simultaneously. The dual cluster deployment allows both the old and new clusters to coexist and process requests in parallel.
-
Data synchronization: During the dual cluster deployment, data synchronization is crucial to ensure that both clusters have the same data. This can involve migrating data from the old cluster to the new one or setting up a shared data storage solution to keep both clusters in sync. Import the database from the old cluster to the new cluster by using a snapshot or
pg_restore
. -
Traffic rerouting: As the new cluster is running alongside the old one, you can start gradually routing incoming traffic to the new cluster. This process can be done gradually or through a controlled switchover mechanism to minimize any impact on users. This can be achieved by any load balancer, like DNS, Nginx, F5, or even a Kong Gateway node with Canary plugin enabled.
-
Testing and validation: Before performing a complete switchover to the new cluster, it is essential to thoroughly test and validate the functionality of the upgraded version. This includes testing APIs, plugins, authentication mechanisms, and other functionalities to ensure they are working as expected.
-
Complete switchover: Once you are confident that the upgraded cluster is fully functional and stable, you can redirect all incoming traffic to the new cluster. This step completes the upgrade process and decommissions the old cluster.
By following this dual cluster deployment strategy, you can achieve a smooth and zero-downtime upgrade from one LTS version of Kong Gateway to another. This approach helps ensure high availability and uninterrupted service for your users throughout the upgrade process.
In-place upgrade
While an in-place upgrade allows you to perform the upgrade on the same infrastructure, it does require some downtime during the actual upgrade process. Plan a suitable maintenance or downtime window during which you can perform the upgrade. During this period, the Kong Gateway will be temporarily unavailable.
For scenarios where zero downtime is critical, consider the dual-cluster upgrade method, keeping in mind the additional resources and complexities.
DB-less mode
In DB-less mode, each independent Kong Gateway node loads a copy of declarative Kong Gateway configuration data into memory without persistent database storage, so failure of some nodes doesn’t spread to other nodes.
Deployments in this mode should use the rolling upgrade strategy.
You could parse the validity of the declarative YAML contents with version Y, using the deck gateway validate
or the kong config parse
command.
You must back up your current kong.yaml
file before starting the upgrade.
Hybrid mode
Hybrid mode comprises of one or more control plane (CP) nodes, and one or more data plane (DP) nodes. CP nodes use a database to store Kong configuration data, whereas DP nodes don’t, since they get all of the needed information from the CP. The recommended upgrade process is a combination of different upgrade strategies for each type of node, CP or DP.
The major challenge with a hybrid mode upgrade is the communication between the CP and DP. As hybrid mode requires the minor version of the CP to be no less than that of the DP, you must upgrade CP nodes before DP nodes. The upgrade must be carried out in two phases:
- First, upgrade the CP according to the recommendations in the section Traditional Mode, while DP nodes are still serving API requests.
- Next, upgrade DP nodes using the recommendations from the section DB-less Mode. Point the new DP nodes to the new CP to avoid version conflicts.
The role decoupling feature between CP and DP enables DP nodes to serve API requests while upgrading CP. With this method, there is no business downtime.
Custom plugins (either your own plugins or third-party plugins that are not shipped with Kong Gateway) need to be installed on both the control plane and the data planes in hybrid mode. Install the plugins on the control plane first, and then the data planes.
See the following sections for a breakdown of the options for hybrid mode deployments.
Control planes
CP nodes must be upgraded before DP nodes. CP nodes serve an admin-only role and require database support. So, you can select from the same upgrade strategies nominated for traditional mode (dual-cluster or in-place), as described in figure 2 and figure 3 respectively.
Upgrading the CP nodes using the dual-cluster strategy:
flowchart TD DBA[(Current database)] DBB[(New database)] CPX(Current control plane X) Admin(No admin write operations) CPY(New control plane Y) DPX(fa:fa-layer-group Current data plane X nodes) API(API requests) DBA -.- CPX -."DP connects to either \nCP X...".- DPX Admin -.X.- CPX & CPY DBB --pg_restore--- CPY -."...OR to CP Y".- DPX API--> DPX style API stroke:none style DBA stroke-dasharray:3 style CPX stroke-dasharray:3 style Admin fill:none,stroke:none,color:#d44324 linkStyle 2,3 stroke:#d44324,color:#d44324
Figure 2: The diagram shows a CP upgrade using the dual-cluster strategy. The new CP Y is deployed alongside the current CP X, while current DP nodes X are still serving API requests.
Upgrading the CP nodes using the in-place strategy:
flowchart DBA[(Database)] CPX(Current control plane X \n #40;inactive#41;) Admin(No admin \n write operations) CPY(New control plane Y) DPX(fa:fa-layer-group Current data plane X nodes) API(API requests) DBA -..- CPX -."DP connects to either \nCP X...".- DPX Admin -.X.- CPX & CPY DBA --"kong migrations up \n kong migrations finish"--- CPY -."...OR to CP Y".- DPX API--> DPX style API stroke:none style CPX stroke-dasharray:3 style Admin fill:none,stroke:none,color:#d44324 linkStyle 2,3 stroke:#d44324,color:#d44324
Figure 3: The diagram shows a CP upgrade using the in-place strategy, where the current CP X is directly replaced by a new CP Y. The database is reused by the new CP Y, and the current CP X is shut down once all nodes are migrated.
From the two figures, you can see that DP nodes X remain connected to the current CP node X, or alternatively switch to the new CP node Y. Kong Gateway guarantees that new minor versions of CPs are compatible with old minor versions of the DP, so you can temporarily point DP nodes X to the new CP node Y. This lets you pause the upgrade process if needed, or conduct it over a longer period of time.
This setup is meant to be temporary, to be used only during the upgrade process. We do not recommend running a combination of new versions of CP nodes and old versions of DP nodes in a long-term production deployment.
After the CP upgrade, cluster X can be decommissioned. You can delay this task to the very end of the DP upgrade.
Data planes
Once the CP nodes are upgraded, you can move on to upgrade the DP nodes. The only supported upgrade strategy for DP upgrades is the rolling upgrade. The following diagrams, figure 4 and 5, are the counterparts of figure 2 and 3 respectively.
Using the dual-cluster strategy with a rolling upgrade workflow:
flowchart TD DBX[(Current \n database)] DBY[(New \n database)] CPX(Current control plane X) CPY(New control plane Y) DPX(Current data planes X) DPY(New data planes Y) API(API requests) LB(Load balancer) Admin(No admin \n write operations) Admin2(No admin \n write operations) subgraph A Admin -.X.- CPX DBX -.- CPX DBY --- CPY CPX -."Current DP connects to \neither CP X...".- DPX Admin2 -.X.- CPY CPY -."...OR to CP Y".- DPX DPX -.90%..- LB CPY --- DPY --10%---- LB end subgraph B API --> LB & LB & LB end linkStyle 0,4 stroke:#d44324,color:#d44324 linkStyle 8,9 stroke:#b6d7a8 style CPX stroke-dasharray:3,fill:#eff0f1ff,stroke:#c1c6cdff style DPX stroke-dasharray:3 style DBX stroke-dasharray:3,fill:#eff0f1ff,stroke:#c1c6cdff style API stroke:none style A stroke:none,color:#fff style B stroke:none,color:#fff style Admin fill:none,stroke:none,color:#d44324 style Admin2 fill:none,stroke:none,color:#d44324
Figure 4: The diagram shows a DP upgrade using the dual-cluster and rolling strategies. The new CP Y is deployed alongside with the current CP X, while current DP nodes X are still serving API requests. In the image, the background color of the current database and CP X is grey instead of white, signaling that the old CP is already upgraded and might have been decommissioned.
Using the in-place strategy strategy with a rolling upgrade workflow:
flowchart DBA[(Database)] CPX(Current control plane X \n #40;inactive#41;) CPY(New control plane Y) DPX(Current data planes X) DPY(New data planes Y) API(API requests) LB(Load balancer) Admin(No admin \n write operations) Admin2(No admin \n write operations) subgraph A Admin -.X.- CPX DBA -.X.- CPX DBA --- CPY CPX -."Current DP connects to \neither CP X...".- DPX Admin2 -.X.- CPY CPY -."OR to CP Y".- DPX -.90%..- LB CPY --- DPY --10%---- LB end subgraph B API --> LB & LB & LB end linkStyle 0,1,4 stroke:#d44324,color:#d44324 linkStyle 8,9 stroke:#b6d7a8 style CPX stroke-dasharray:3,fill:#eff0f1ff,stroke:#c1c6cdff style DPX stroke-dasharray:3 style A stroke:none,color:#fff style B stroke:none,color:#fff style Admin fill:none,stroke:none,color:#d44324 style Admin2 fill:none,stroke:none,color:#d44324
Figure 5: The diagram shows a DP upgrade using the in-place and rolling strategies. The diagram shows that the database is reused by the new CP Y, while current DP nodes X are still serving API requests.
Preparation: Review gateway changes
The following tables categorize all relevant changelog entries from Kong Gateway Enterprise 2.8.0.0-2.8.4.1 up to 3.4.0.0. Carefully review each entry and make changes to your configuration accordingly.
New feature
The following table lists new features introduced in a 3.x release. These features may affect existing configurations.
Change | Category | Action required |
---|---|---|
Request Validator plugin The Request Validator plugin now allows requests carrying a
|
Plugins |
No |
The data plane configuration cache was removed. Configuration persistence is now done automatically with LMDB. The data plane config cache mechanism and its related configuration options
( |
DB config |
Remove parameters from Kong configuration. |
Bumped the version number of declarative configuration to 3.0 for changes on Declarative configurations using older versions are upgraded to 3.0 during migrations. |
DB config |
If any configurations are stored in a repository (following a GitOps model),
these need to be upgraded using |
Tags may now contain space characters. |
DB config |
No |
The default value of |
kong.conf |
If you don’t have this field explicitly configured, make sure that the new default value’s behavior of automatically pulling in all certs on the server suits your deployment. Otherwise, adjust the setting. |
Rate Limiting, Rate Limiting Advanced, and Response Rate Limiting plugins The default policy for these plugins is now |
Plugins |
No |
Plugin batch queuing: HTTP Log, StatsD, OpenTelemetry, and Datadog plugins The queuing system has been reworked, causing some plugin parameters to not function as expected anymore. |
Plugins |
If you use queues in these plugins, new parameters must be configured. See each plugin’s documentation for details. The module |
In OpenSSL 3.2, the default SSL/TLS security level has been changed from 1 to 2. This means the security level is set to 112 bits of security. As a result, the following are prohibited:
|
OpenSSL |
Ensure that your configuration complies with the new security level requirements. |
Removed or deprecated
The feature or behaviors in the following table have been permanently removed. By updating settings based on the table below, you can avoid any potential issues that may arise from using deprecated aliases and ensure that your Kong instance functions correctly with the most recent changes and improvements.
It’s essential to keep configurations up-to-date to maintain the system’s stability, security, and optimal performance.
Change | Category | Action required |
---|---|---|
Deprecated and stopped producing Debian 8 (Jessie) containers and packages. |
Deployment |
Debian 10 and 11 are available. Upgrade to one of these versions before upgrading to Kong 3.4. |
Deprecated and stopped producing Amazon Linux 1 containers and packages. |
Deployment |
We recommend migrating to Amazon Linux 2 or another supported operating system to continue receiving updates, security patches, and support from AWS. |
Deprecated and stopped producing Alpine Linux images and packages. The underlying operating system (OS) for our convenience Docker tags
(for example, |
Deployment |
Review your Dockerfiles for OS-specific configuration and adjust as necessary. If you are using one of the convenience images, adjust your configuration for Ubuntu.
Otherwise, switch to an image using a specific OS tag
(for example, |
Deprecated and stopped producing Ubuntu 18.04 (“Bionic”) packages, as Standard Support for Ubuntu 18.04 has ended as of June 2023. |
Deployment |
Ubuntu 20.04 and 22.04 are available. Upgrade to one of these versions before upgrading to Kong 3.4. |
The deprecated shorthands field in Kong plugin or DAO schemas was removed
in favor of the typed |
Plugins |
If your custom schemas still use |
Support for the |
You can no longer use the Any references to |
|
The deprecated alias of |
Nginx templates |
If your custom Nginx templates still use the alias, change it to |
The Kong singletons module |
PDK |
Remove the For example: |
|
Tracing |
If you were previously using |
The normalization rules for Previously, Kong Gateway replaced percent-encoding in the regex path pattern to ensure different forms of URI matches. That is no longer supported. Except for the reserved characters defined in RFC 3986, write all other characters without percent-encoding. |
Router |
After the upgrade, if you configure routes using the old method, you will receive an alert and need to reconfigure the affected routes using the new route configuration method. |
Kong Gateway no longer uses a heuristic to guess whether a route path is a regex pattern.
From 3.0 onward, all regex paths must start with the |
Router |
No manual migration required. Going forward, when writing a regex, it must start with the |
Support for the |
No |
|
The Admin API endpoints |
Admin API |
After the upgrade, use one of the following endpoints from the Vitals API instead:
|
POST requests on |
Admin API |
If you have scripts that use POST requests to modify |
The |
PDK |
No |
|
PDK |
No |
The |
Go PDK |
If you are using Go plugin server, migrate your plugins to use the Go PDK before upgrading. |
The Kong constant Kong plugins also don’t support this constant. |
Plugins |
Use the constant |
It is no longer possible to use |
Declarative config |
If your update procedure with Kong Gateway involves executing |
DAOs in plugins must be listed in an array, so that their loading order is explicit. Loading them in a hash-like table is no longer supported. |
Plugins |
Review your custom plugins. If you have plugins that use hash-like tables for listing DAOs, convert them into arrays. |
Plugins now must have a valid PRIORITY (integer) and VERSION ( |
Plugins |
Review your custom plugins. Add a PRIORITY and VERSION in their respective formats to all of your custom plugins. |
The |
PDK |
Upgrade your plugins to use the new PDK function. |
The support for deprecated legacy plugin schemas was removed. |
Plugins |
If your custom plugins still use the old (0.x era) schemas, you must upgrade them. |
Updated the priority for some plugins. This is important for those who run custom plugins as it may affect the sequence in which your plugins are executed. This does not change the order of execution for plugins in a standard Kong Gateway installation. Old and new plugin priority values:
|
Plugins |
Review custom plugin priorities. If any of the changes in priorities break expected behaviour, adjust as necessary. |
JWT plugin The authenticated JWT is no longer put into the Nginx context ( |
Plugins |
Custom plugins which depend on that value being set under that name must be updated to use Kong’s
shared context instead ( |
JWT plugin (jwt) The JWT plugin now denies any request that has different tokens in the JWT token search locations. |
Plugins |
No |
** StatsD plugin** Any metric name that is related to a service now has a
|
Plugins |
No |
Proxy Cache, Proxy Cache Advanced, and GraphQL Proxy Cache Advanced plugins These plugins don’t store response data in |
Plugins |
Logging plugins that need the response data must now read it from |
Added the |
DB config |
If you were previously relying on the Kong-Debug header to provide debugging information,
set If you’re using Response Transformer plugin as a workaround to remove headers, you no longer need the plugin. Disable and remove it. |
The This library is used by the following plugins: Session, OpenID Connect, and SAML. Many session parameters used by these plugins have been renamed or removed. This also affects any session configuration that uses the Session or OpenID Connect plugin in the background, including sessions for Kong Manager and Dev Portal. |
Plugins |
All existing sessions are invalidated when upgrading to this version. For sessions to work as expected in this version, all nodes must run Kong Gateway 3.4.x. For that reason, we recommend that during upgrades, proxy nodes with mixed versions run for as little time as possible. During that time, the invalid sessions could cause failures and partial downtime. You can expect the following behavior:
After you have upgraded all of your CP and DP nodes to 3.4 and ensured that your environment is stable, you can update parameters to their new renamed versions. Although your configuration will continue to work as previously configured, we recommend adjusting your configuration to avoid future unexpected behavior. See the breaking changes doc for all session configuration changes and guidance on how to convert your existing session configuration. |
Cassandra DB support has been removed. It is no longer supported as a data store for Kong Gateway. |
DB config |
Compatible
The following table lists behavior changes that may cause your database configuration
or kong.conf
to fail.
This includes deprecated (but not removed) features.
Change | Category | Action required |
---|---|---|
Regex look-around and backreferences support in the atc-router have been removed. These are rarely used features and removing support for them improves the speed of our regex matching. If your current regexes use look-around or backreferences you will receive an error when attempting to start Kong, showing exactly what regex is incompatible. |
Router |
To ensure consistency of behavior after the upgrade, set Review the regex paths and ensure these removed features are not in use. Update the regex router accordingly. |
ACL, Bot Detection, and IP Restriction plugins Removed the deprecated |
Plugins |
Remove the deprecated |
ACME plugin The default value of the |
Plugins |
Caution: Following the upgrade, the |
AWS Lambda plugin
|
Plugins |
Review your configuration or consult with the Kong Support team. |
HTTP Log (http-log) plugin The |
Plugins |
Review your configuration or consult with the Kong Support team. |
Prometheus plugin Complete overhaul of the plugin:
|
Plugins |
To make sure you don’t miss any data, adjust your plugin configuration to use the new settings. If you have any custom dashboards or have written any custom PromQL, review them and ensure the name changes haven’t broken anything. |
StatsD Advanced plugin The StatsD Advanced plugin has been deprecated and will be removed in 4.0. All capabilities are now available in the StatsD plugin. |
Plugins |
We recommend migrating over to the StatsD plugin, however StatsD Advanced continues to function in 3.4. |
Serverless Functions ( Removed the deprecated |
Plugins |
Use the |
The default PostgreSQL SSL version has been bumped to TLS 1.2. In
This mirrors the setting |
DB config |
Change the value in your To use the default setting in |
The |
Admin API |
Instead of setting overrides, you can apply a plugin instance to a consumer group entity. See the Rate Limiting Advanced documentation for an example. |
The |
Admin API |
Rename the configuration property |
Debatable
Upgrades using the following features might require help from Kong.
Kong’s support team provides advanced features and professional services tailored to meet specific business needs, including data migration, custom plugin integration, and seamless coordination with existing settings PDK.
Change | Category | Action required |
---|---|---|
As of 3.0, Kong Gateway’s schema library’s If a custom plugin relied on |
Plugins |
If a custom plugin needs to fetch data by deep copying, perform it on the Define
|
The list of reported plugins available on the server now returns a table of
metadata per plugin instead of the boolean For example:
|
Plugins |
Adapt to use the new metadata instead of boolean values. |
Notifications of changed behavior
The following table lists changes that you should be aware of, but require no action.
Change | Category |
---|---|
The PDK is no longer versioned. |
PDK |
The migration helper library (mostly used for Cassandra migrations) is no longer supplied with Kong Gateway. |
DB config |
PostgreSQL migrations can now have an |
DB config |
Kong Plugins are no longer individually versioned. Starting in 3.0.0, every Kong plugin’s version has been updated to match Kong Gateway’s version. |
Plugins |
HTTP Log plugin If the log server responds with a 3xx HTTP status code, the plugin now considers it to be an error and retries according to the retry configuration. Previously, 3xx status codes would be interpreted as a success, causing the log entries to be dropped. |
Plugins |
Serverless Functions (post-function or pre-function)
|
Plugins |
Zipkin plugin This plugin now uses queues for internal buffering. The standard queue parameter set is available to control queuing behavior. |
Plugins |
kong.conf changes
2.8 | 3.4 |
---|---|
data_plane_config_cache_mode = unencrypted |
Removed in 3.4 |
data_plane_config_cache_path |
Removed in 3.4 |
admin_api_uri |
Deprecated. Use admin_gui_api_url instead |
database |
Accepted values are postgres and off . All Cassandra options have been removed |
pg_keepalive_timeout = 60000 |
Specify the maximal idle timeout (in ms) for the Postgres connections in the pool. If this value is set to 0 then the timeout interval is unlimited. If not specified this value will be the same as lua_socket_keepalive_timeout . |
worker_consistency = strict |
worker_consistency = eventual |
prometheus_plugin_* |
Disabled Prometheus plugin high-cardinality metrics. |
lua_ssl_trusted_certificate No default value |
Default value: lua_ssl_trusted_certificate = system
|
pg_ssl_version = tlsv1 |
pg_ssl_version = tlsv1_2 |
– |
allow_debug_header = off (new parameter) |
Perform upgrade
Now that you have chosen an upgrade strategy, reviewed all the relevant changes between the 2.8 and 3.4 LTS releases you can move on to performing the upgrade with your chosen strategy:
Traditional mode or control planes in hybrid mode:
DB-less mode or data planes in hybrid mode:
Troubleshooting
If you run into issues during the upgrade and need to roll back, restore Kong Gateway based on the backup method.