What’s New in Kong Ingress Controller 3.4 LTS?

Happy holidays everyone! We've been working hard on the Kong Ingress Controller (KIC) and the latest 3.4 release is jam-packed with new features, bugfixes, and improvements. 

With this update, we're introducing easier TLS encryption, enhanced performance during complex deployments, and general availability of Kong Custom Entities support. Additionally, we've made some internal changes to where our CRD references are published that may affect some customers.

We’re also excited to announce that this release of KIC will have long-term support (LTS).

Let's dive in!

Simplifying encryption to upstream services

In this release, we’re adding support for ensuring “upstream TLS” — that is, ensuring by policy that traffic will be encrypted in transit between when traffic enters the cluster at the Ingress and the upstream service within the cluster. The policy can either be configured using the Kubernetes Gateway API or by adding specific annotations to Kubernetes Service objects.

If you use the Gateway API, you can configure upstream TLS using BackendTLSPolicy. If you reference a Kubernetes Service in your BackendTLSPolicy spec, and that service is mapped to an HTTPRoute that binds it to a Kong Gateway as a parent, the Gateway will be configured to verify with the upstream Service using a TLS connection as defined in the policy. 

As an alternative configuration option, we’ve added support for using annotations on Kubernetes Service objects to set upstream TLS policies. For example, once you add the konghq.com/tls-verify annotation to a service the Gateway will verify that connections from that Service are TLS encrypted. Additional annotations are available to configure specific TLS settings. For more details, check out the docs.

Improving scalability in complex environments

Our customers are using KIC in larger and more complex deployments than ever. In this release, we've made a few changes to configure and optimize the behavior of KIC in these scenarios.

• A tech preview feature: KIC can now combine Kong Services when different HTTPRoutes are created using the Gateway API that refers to the same target. Learn more here.
• We've added the flag --secret-label-selector to set the label selector for Secrets to ingest. By setting this flag, the secrets that are ingested will be limited to those having this label set to "true". This can reduce memory usage in scenarios with a large number of large secrets. Learn more here.
• We've added the flag --configmap-label-selector to set the label selector for ConfigMaps to ingest. By setting this flag, the ConfigMaps that are ingested will be limited to those having this label set to "true". This limits the amount of resources that are kept in memory. The default value is konghq.com/configmap. Learn more here.

We've added Prometheus metrics ingress_controller_configuration_push_size and ingress_controller_fallback_configuration_push_size to record the size of the config sent to a Kong DataPlane by the controller in DB-less mode. Learn more here.

Introducing general availability of Kong Custom Entities support 

We’ve also done some important housekeeping for this release.

Kong Custom Entities support, which graduated in KIC 3.3 to beta status, is now generally available. Kong Custom Entities allow you to configure certain Kong Plugins using CRDs, which simplifies declarative configuration of the controller. Please refer to our documentation to learn more.

Also, in order to share custom resource definitions efficiently between the KIC and the Kong Gateway Operator, we've migrated our active CRDs to a new dedicated repository. If you depend on them, please update your dependencies to use the new repository. CRD type bindings under /pkg and clientsets under /pkg/clientset are deprecated and will be removed in the next major release. Until then, they won't be updated.

Read our engineering deep dive to learn more about this change.

Long-term support for KIC 3.4

Lastly, in part because of this work, a lot of testing, and detailed feedback from early users, we're excited to announce that KIC 3.4 is a long-term support (LTS) release — the first release in the 3.X series to come with LTS. LTS means that we'll continue to update KIC 3.4 with critical fixes for the next three years, giving teams confidence that they'll continue to be supported without significant API or functional changes. Read more about long-term support for KIC.

This is just a taste of the more than 30 features, fixes, and updates in the 3.4 release of KIC. For a full list please read the CHANGELOG.

Try Kong Ingress Controller 3.4

As always, the quickest way to get started with KIC is with Kong Konnect thanks to our KIC in Kong Konnect functionality. 

Please also share any feedback that you might have on our GitHub discussion forum for KIC here.