Skip to content

Commit

Permalink
chore: v3.4.0 CHANGELOG and config update (#6860)
Browse files Browse the repository at this point in the history
* chore: v3.4.0 CHANGELOG

Signed-off-by: Mattia Lavacca <[email protected]>

* chore: KIC 3.4 used in manifests

Signed-off-by: Mattia Lavacca <[email protected]>

* Update CHANGELOG.md

Co-authored-by: Grzegorz Burzyński <[email protected]>

---------

Signed-off-by: Mattia Lavacca <[email protected]>
Co-authored-by: Grzegorz Burzyński <[email protected]>
  • Loading branch information
mlavacca and czeslavo authored Dec 18, 2024
1 parent a6293dd commit 92a6761
Show file tree
Hide file tree
Showing 9 changed files with 112 additions and 89 deletions.
185 changes: 104 additions & 81 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ Adding a new version? You'll need three changes:
* Add the diff link, like "[2.7.0]: https://github.com/kong/kubernetes-ingress-controller/compare/v1.2.2...v1.2.3".
This is all the way at the bottom. It's the thing we always forget.
--->
- [3.4.0](#340)
- [3.3.1](#331)
- [3.3.0](#330)
- [3.2.4](#324)
Expand Down Expand Up @@ -99,16 +100,104 @@ Adding a new version? You'll need three changes:
- [0.0.5](#005)
- [0.0.4 and prior](#004-and-prior)

## Unreleased
## [3.4.0]

### Deprecated
> Release date: 2024-12-18
- CRD type bindings under `/pkg` and clientsets under `/pkg/clientset` are deprecated
and will be removed in the next major release. Until then, they won't be updated.
They were migrated to a new dedicated [repository][kconf]. If you depend on them,
please update your dependencies to use the new repository.
### Highlights

[kconf]: https://github.com/kong/kubernetes-configuration
- 🎂 New LTS version.
- 🔒 Added Upstream TLS verification, both via `Service` annotations and Gateway
API `BackendTLSPolicy`. By using this feature, it is now possible to set up encrypted
communication between Kong and the backends.
- 🎓 `KongCustomEntity` API has been promoted from beta to GA.
- 🔎 Added `/debug/config/diff-report` diagnostic endpoint. It returns the latest
diff information for the controller's last configuration sync along with config
hash and sync timestamp metadata. It's only supported with Gateways running in DB mode.
- 📊 Added the `--secret-label-selector` and `--configmap-label-selector` to
limit the number of `Secret`s and `ConfigMap`s ingested by the controller. By
setting this flag, the `Secret`s and `ConfigMap`s that are ingested will be limited
to those having the flag's value as a label set to "true". This can reduce the
memory usage in scenarios with a large number of big `Secret`s and `ConfigMap`s.

### Added

- Added Prometheus metrics `ingress_controller_configuration_push_size`
and `ingress_controller_fallback_configuration_push_size` to record size of
the config sent to a Kong DataPlane by the controller in DB-less mode.
[#6664](https://github.com/Kong/kubernetes-ingress-controller/pull/6664)
- Added support for `ControlPlaneRef` in `KongConsumer`, `KongConsumerGroup`,
and `KongVault` reconcilers. From now, objects that have `ControlPlaneRef`
of type other than `kic` will be ignored by the reconcilers. KIC will still
reconcile objects with `ControlPlaneRef` of type `kic` or without an explicit
`ControlPlaneRef`.
[#6690](https://github.com/Kong/kubernetes-ingress-controller/pull/6690)
- Combine Kong gateway services from rules of `HTTPRoute` sharing the same
backends (same combination of group, kind, namespace, name, port and weight)
from different `HTTPRoute` in the same namespace.
The feature is enabled when feature gate `CombinedServicesFromDifferentHTTPRoutes`
is enabled. The feature gate is disabled by default.
The name of translated Kong gateway service is changed to
`httproute.<namespace>.svc.<backend_ns>.<backend_name>.<backend_port>.[backend_weight]_[next_backends]...`
when the feature is enabled, like:
`httproute.default.svc.default.svc1.80.90_default.svc2.80.10`.
If the calculated service name is longer than 511 characters
(maximum allowed by Kong or Konnect), the name will be trimmed to the format
with only the first backend reserved in the name:
`httproute.<namespace>.svc.<backend_ns>.<backend_name>.<backend_port>.[backend_weight]_combined.<hash>`
where `<hash>` is the hash result of the calculated name, like
`httproute.default.svc.default.a-long-long-long-service-name.80_combined.00001111222233334444aaaabbbbcccc`.
[#6711](https://github.com/Kong/kubernetes-ingress-controller/pull/6711)
[#6766](https://github.com/Kong/kubernetes-ingress-controller/pull/6766)
- The new tag `k8s-named-route-rule` is added to a Kong Route, in the case when
mapped `HTTPRoute`, `GRPCRoute`, `TCPRoute`, `TLSRoute` or `UDPRoute` has one
or many route rules named (filled `spec.rules[*].name` field), those names will
be propagated to one or many instances of aforementioned tag.
[#6759](https://github.com/Kong/kubernetes-ingress-controller/pull/6759)
[#6780](https://github.com/Kong/kubernetes-ingress-controller/pull/6780)
- Added `/debug/config/diff-report` diagnostic endpoint. This endpoint is
available in DB mode when the `--dump-config` and `--dump-sensitive-config`
are enabled. It returns the latest diff information for the controller's last
configuration sync along with config hash and sync timestamp metadata. The
controller maintains the last 5 diffs in cache. You can retrieve older diffs
by appending a `?hash=<hash>` query string argument. Available config hashes
and their timestamps are listed under the `available` section of the
response.
[#6131](https://github.com/Kong/kubernetes-ingress-controller/pull/6131)
- Added schema validation for `KongCustomEntity`. Kubernetes event will be created
for each validation error for `KongCustomEntity` objects.
[#6802](https://github.com/Kong/kubernetes-ingress-controller/pull/6802)
- Added support for upstream TLS verification with new Kubernetes `Service`
annotations:
- `konghq.com/tls-verify`: set to `true` to enable TLS verification for
upstream connections of a `Service`.
- `konghq.com/tls-verify-depth`: set to an integer to specify the maximum
depth of the certificate chain that will be verified.
- `konghq.com/ca-certificates-secrets`: set to a comma-delimited list of CA
certificate Secrets' names to use for verification.
- `konghq.com/ca-certificates-configmaps`: set to a comma-delimited list of CA
certificate ConfigMaps' names to use for verification.
[#6707](https://github.com/Kong/kubernetes-ingress-controller/pull/6707)
- Added Support for upstream TLS verification with the Gateway API `BackendTLSPolicy`
API. The user can reference any Kubernetes `Service` in the `BackendTLSPolicy`
spec, and in case the service is used as a backend by `HTTPRoute`s that reference
a Kong Gateway as parent, such Backend TLS configuration is applied to the service
section of the Kong configuration. The `BackendTLSPolicies` CA Certificates can
be set in `Secret`s or `ConfigMap`s.
[#6712](https://github.com/Kong/kubernetes-ingress-controller/pull/6712)
[#6753](https://github.com/Kong/kubernetes-ingress-controller/pull/6753)
[#6837](https://github.com/Kong/kubernetes-ingress-controller/pull/6837)
[#6853](https://github.com/Kong/kubernetes-ingress-controller/pull/6853)
- Added the flag `--secret-label-selector` to set the label selector for `Secrets`
to ingest. By setting this flag, the secrets that are ingested will be limited
to those having the flag's value as a label set to "true". This can reduce the
memory usage in scenarios with a large number of giant secrets.
[#6795](https://github.com/Kong/kubernetes-ingress-controller/pull/6795)
- Added the flag `--configmap-label-selector` to set the label selector for `ConfigMap`s
to ingest. By setting this flag, the `ConfigMap`s that are ingested will be limited
to those having the flag's value as a label set to "true". This limits the amount
of resources that are kept in memory. The default value is `konghq.com/configmap`.
[#6753](https://github.com/Kong/kubernetes-ingress-controller/pull/6753)

### Changed

Expand Down Expand Up @@ -206,81 +295,14 @@ Adding a new version? You'll need three changes:
requestRedirect filter is used.
[#6855](https://github.com/Kong/kubernetes-ingress-controller/pull/6855)

### Added
### Deprecated

- Added Prometheus metrics `ingress_controller_configuration_push_size`
and `ingress_controller_fallback_configuration_push_size` to record size of
the config sent to a Kong DataPlane by the controller in DB-less mode.
[#6664](https://github.com/Kong/kubernetes-ingress-controller/pull/6664)
- Added support for `ControlPlaneRef` in `KongConsumer`, `KongConsumerGroup`,
and `KongVault` reconcilers. From now, objects that have `ControlPlaneRef`
of type other than `kic` will be ignored by the reconcilers. KIC will still
reconcile objects with `ControlPlaneRef` of type `kic` or without an explicit
`ControlPlaneRef`.
[#6690](https://github.com/Kong/kubernetes-ingress-controller/pull/6690)
- Added support for upstream TLS verification with new Kubernetes `Service`
annotations:
- `konghq.com/tls-verify`: set to `true` to enable TLS verification for
upstream connections of a `Service`.
- `konghq.com/tls-verify-depth`: set to an integer to specify the maximum
depth of the certificate chain that will be verified.
- `konghq.com/ca-certificates-secrets`: set to a comma-delimited list of CA
certificate Secrets' names to use for verification.
- `konghq.com/ca-certificates-configmaps`: set to a comma-delimited list of CA
certificate ConfigMaps' names to use for verification.
[#6707](https://github.com/Kong/kubernetes-ingress-controller/pull/6707)
- Combine Kong gateway services from rules of `HTTPRoute` sharing the same
backends (same combination of group, kind, namespace, name, port and weight)
from different `HTTPRoute` in the same namespace.
The feature is enabled when feature gate `CombinedServicesFromDifferentHTTPRoutes`
is enabled. The feature gate is disabled by default.
The name of translated Kong gateway service is changed to
`httproute.<namespace>.svc.<backend_ns>.<backend_name>.<backend_port>.[backend_weight]_[next_backends]...`
when the feature is enabled, like:
`httproute.default.svc.default.svc1.80.90_default.svc2.80.10`.
If the calculated service name is longer than 511 characters
(maximum allowed by Kong or Konnect), the name will be trimmed to the format
with only the first backend reserved in the name:
`httproute.<namespace>.svc.<backend_ns>.<backend_name>.<backend_port>.[backend_weight]_combined.<hash>`
where `<hash>` is the hash result of the calculated name, like
`httproute.default.svc.default.a-long-long-long-service-name.80_combined.00001111222233334444aaaabbbbcccc`.
[#6711](https://github.com/Kong/kubernetes-ingress-controller/pull/6711)
[#6766](https://github.com/Kong/kubernetes-ingress-controller/pull/6766)
- The new tag `k8s-named-route-rule` is added to a Kong Route, in the case when mapped `HTTPRoute`, `GRPCRoute`,
`TCPRoute`, `TLSRoute` or `UDPRoute` has one or many route rules named (filled `spec.rules[*].name` field),
those names will be propagated to one or many instances of aforementioned tag.
[#6759](https://github.com/Kong/kubernetes-ingress-controller/pull/6759)
[#6780](https://github.com/Kong/kubernetes-ingress-controller/pull/6780)
- Added the flag `--secret-label-selector` to set the label selector for `Secrets` to ingest.
By setting this flag, the secrets that are ingested will be limited to those having this label set to "true".
This can reduce the memory usage in scenarios with a large number of giant secrets.
[#6795](https://github.com/Kong/kubernetes-ingress-controller/pull/6795)
- Added `/debug/config/diff-report` diagnostic endpoint. This endpoint is
available in DB mode when the `--dump-config` and `--dump-sensitive-config`
are enabled. It returns the latest diff information for the controller's last
configuration sync along with config hash and sync timestamp metadata. The
controller maintains the last 5 diffs in cache. You can retrieve older diffs
by appending a `?hash=<hash>` query string argument. Available config hashes
and their timestamps are listed under the `available` section of the
response.
[#6131](https://github.com/Kong/kubernetes-ingress-controller/pull/6131)
- Added schema validation for `KongCustomEntity`. Kubernetes event will be created for
each validation error for `KongCustomEntity` objects.
[#6802](https://github.com/Kong/kubernetes-ingress-controller/pull/6802)
- Added `BackendTLSPolicy` support. The user can now reference any Kubernetes `Service`
in the `BackendTLSPolicy` spec, and in case the service is used as a backend by
`HTTPRoute`s that reference a Kong Gateway as parent, such Backend TLS configuration
is applied to the service section of the Kong configuration. The `BackendTLSPolicies`
CA Certificates can be set in `Secret`s or `ConfigMap`s.
[#6712](https://github.com/Kong/kubernetes-ingress-controller/pull/6712)
[#6753](https://github.com/Kong/kubernetes-ingress-controller/pull/6753)
[#6837](https://github.com/Kong/kubernetes-ingress-controller/pull/6837)
[#6853](https://github.com/Kong/kubernetes-ingress-controller/pull/6853)
- Added the flag `--configmap-label-selector` to set the label selector for `ConfigMap`s
to ingest. By setting this flag, the `ConfigMap`s that are ingested will be limited
to those having this label set to "true". This limits the amount of resources that are kept in memory.
The default value is `konghq.com/configmap`.
[#6753](https://github.com/Kong/kubernetes-ingress-controller/pull/6753)
- CRD type bindings under `/pkg` and clientsets under `/pkg/clientset` are deprecated
and will be removed in the next major release. Until then, they won't be updated.
They were migrated to a new dedicated [repository][kconf]. If you depend on them,
please update your dependencies to use the new repository.

[kconf]: https://github.com/kong/kubernetes-configuration

## [3.3.1]

Expand Down Expand Up @@ -3932,6 +3954,7 @@ Please read the changelog and test in your environment.
- The initial versions were rapildy iterated to deliver
a working ingress controller.

[3.4.0]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.3.1...v3.4.0
[3.3.1]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.3.0...v3.3.1
[3.3.0]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.2.4...v3.3.0
[3.2.4]: https://github.com/kong/kubernetes-ingress-controller/compare/v3.2.3...v3.2.4
Expand Down
2 changes: 1 addition & 1 deletion config/image/oss/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,4 @@ images:
newTag: '3.8' # renovate: datasource=docker versioning=docker depName=kong@regenerate packageName=kong
- name: kic-placeholder
newName: kong/kubernetes-ingress-controller
newTag: '3.3' # renovate: datasource=docker versioning=docker depName=kong/kubernetes-ingress-controller@regenerate packageName=kong/kubernetes-ingress-controller
newTag: '3.4' # renovate: datasource=docker versioning=docker depName=kong/kubernetes-ingress-controller@regenerate packageName=kong/kubernetes-ingress-controller
2 changes: 1 addition & 1 deletion test/e2e/manifests/all-in-one-dbless-k4k8s-enterprise.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion test/e2e/manifests/all-in-one-dbless-konnect.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion test/e2e/manifests/all-in-one-dbless.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion test/e2e/manifests/all-in-one-postgres-enterprise.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion test/e2e/manifests/all-in-one-postgres.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 comment on commit 92a6761

@github-actions
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'Go Benchmark'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 2.

Benchmark suite Current: 92a6761 Previous: a6293dd Ratio
BenchmarkGetPluginRelations 18456 ns/op 7600 B/op 66 allocs/op 7815 ns/op 7600 B/op 66 allocs/op 2.36
BenchmarkGetPluginRelations - ns/op 18456 ns/op 7815 ns/op 2.36

This comment was automatically generated by workflow using github-action-benchmark.

CC: @Kong/k8s-maintainers

Please sign in to comment.