Kong Gateway 2.1 Released!
We are happy to announce the first release in the 2.1 series of our flagship open source API gateway!
Since Kong 2.0 was released in January, we have released a number of patch releases, but we have also been busy writing new features as well! This release comes packed with new functionality, ranging from updates for improved P99 latency to new features for gRPC, improvements to your favorite plugins and much more. Here are the highlights:
Also, Kong Enterprise customers will be happy to hear we’ve worked hard to bring the timing of Enterprise releases into alignment with our Community versions. Kong Enterprise 2.1, which includes all features from Kong Gateway 2.1, is also available as a Beta today! You can learn more about Kong Enterprise and its additional capabilities here.
Without further ado, here are the highlights for Kong Gateway 2.1:
Asynchronous Load Balancer Updates
One of Kong’s main goals is to provide not only high performance but predictable, stable performance as well. A common source of performance instability is latency spikes when an application needs to reconfigure itself. In previous releases, we have improved our observed P99 latency numbers by making all updates to Kong’s internal memory structures for Routes and Services happen asynchronously.
Starting in Kong Gateway 2.1, reconfiguration of the load balancers happens asynchronously. This means that configuration changes made to the Upstream and Target entities should not cause perceptible latency spikes anymore.
Just like Router and Service updates, you can configure between strict (synchronous) and eventually consistent (asynchronous) modes — in fact, these configurations have been unified for both Router and Load Balancer.
New gRPC Plugins
Kong Gateway 2.1 expands our support for gRPC by introducing two new plugins that are specific for gRPC traffic:
- grpc-web – This plugin allows access to a gRPC service via the gRPC-Web protocol. Primarily, this means JS browser apps using the gRPC-Web library.
- grpc-gateway – This plugin allows you to expose a gRPC service via a HTTP REST interface. It translates requests and responses in a JSON format, allowing access to upstream gRPC services through a plain HTTP request.
Plugin Improvements All Around
Many plugins feature new functionality in Kong Gateway 2.1:
- Zipkin – increased configurability and support for tracing standards, with the addition of support for B3 and W3C headers
- Rate-Limiting – rate-limit by custom headers and Postgres auto-cleanup
- OAuth2 – persistent refresh tokens, PKCE and hashing of client secrets
- AWS-Lambda – support for custom Lambda endpoints, which is especially useful for testing environments
- Prometheus – support for tracking health check information from Upstreams, as well as significant performance improvements
- Serverless – ability to inject user-defined Lua functions in any request processing phase, giving you extreme flexibility to write all sorts of “micro-plugins” as snippets of code and have them injected in your proxy path without having to deploy a custom plugin
- LDAP – virtual credentials can now be used as a rate-limiting criteria
- The various authentication plugins now emit a consistent X-Credential-Identifier header, so the client service can inspect the identifier regardless of authentication method used
Postgres Read-Only Replica Support
If you are using Kong with Postgres, you now have the option to configure a read-only Postgres replica as well. When configured, Kong will perform read operations through the read-only replica instead of the main read-write connection. This allows you to spread the database load of your Kong cluster across read-only replicas for better performance.
Other Improvements and Fixes in Kong Gateway 2.1
Dynamic upstream keepalive pools – This change circumvents NGINX limitations and prevents virtual host confusion when Kong proxies traffic to virtual services (hosted on the same IP/port) over TLS. Keepalive pools now take into account the SNI and client certificate as well, instead of IP and port only. Additionally, this change allows for specifying an indefinite amount of max requests and idle timeout threshold for upstream keepalive connections, a capability that was previously removed by NGINX 1.15.3.
Per-service customization of TLS verification parameters – This provides greater flexibility for the configuration of secure services, making it especially convenient for services using mutual TLS (mTLS).
Hybrid mode and declarative config improvements – Since version 2.0, Kong supports Hybrid mode, where you can have separate Kong nodes dedicated as either Control Plane nodes (with database access and exposing the Admin API for configuration and no proxying) or Data Plane nodes (proxy-only nodes that run without a database, receiving its configuration instead from the Control Plane nodes). Kong Gateway 2.1 includes updates that improve the Hybrid mode experience:
- Support for PKI in Hybrid mode mTLS
- Certificate expiry and CA constraint checks for Hybrid mode certificates
- Update in the declarative configuration format to allow importing credentials with or without hashed passwords — this is a welcome addition to all DB-less mode users as well!
Several API additions to the Plugin Development Kit – Our API for plugin developers, the Plugin Development Kit (PDK), continues to be enhanced, with the addition of new modules and methods, including more functions for TLS control, improved L4 support and more. Check out the latest PDK docs for details!
Bug fixes – Besides all of the fixes that were already included in the 2.0.x series, Kong Gateway 2.1 includes some fixes that required the introduction of additional features and thus, by semantic versioning, were included in 2.1.0:
- Proper indexing of large CA certificates data via the introduction of a digest field
- Authorization values are now redacted out of the list of logged headers
- The ACL plugin now returns HTTP status 401 Unauthorized instead of 403 Forbidden
Community Contribution Spotlight
Several of these new features in Kong Gateway 2.1 are code contributions from our amazing open source community over at GitHub (26k stars and counting!). We’d like to acknowledge these contributions with shout-outs to:
- @Abhishekvrshny for configurable consistency levels for Cassandra read and write operations
- @ealogar for configurable negative TTL for cache objects
- @amberheilman for several OAuth2 improvements, including PKCE support, optional hashing of client secrets and ability to persist refresh tokens
- @carnei-ro for Prometheus health metrics and rate-limiting by custom headers
You all rock! Our community makes the project stronger and better for everyone.
As always, feel free to ask any questions on Kong Nation, our community forum. Your feedback allows us to better understand the mission-critical use cases and keep improving Kong.
Kong Gateway 2.1 the open source API gateway is now available