- Removed unnecessary DNS client initialization. #13479 KAG-5059
- Improved latency performance when gzipping/gunzipping large data (such as CP/DP config data). #13338 KAG-4878
- Debian 10 and RHEL 7 reached their End of Life (EOL) dates on June 30, 2024. As of version 3.8.0.0 onward, Kong is not building installation packages or Docker images for these operating systems. Kong is no longer providing official support for any Kong version running on these systems. #13468 KAG-4847 FTI-6054 KAG-4549 KAG-5122
- Bumped lua-resty-acme to 0.15.0 to support username/password auth with Redis. #12909 KAG-4330
- Bumped lua-resty-aws to 1.5.3 to fix a bug related to the STS regional endpoint. #12846 KAG-3424 FTI-5732
- Bumped lua-resty-healthcheck from 3.0.1 to 3.1.0 to reduce active healthcheck timer usage. #13038 FTI-5847
- Bumped lua-resty-lmdb to 1.4.3 (lmdb 0.9.33). #12786
- Bumped lua-resty-openssl to 1.5.1. #12665
- Bumped OpenResty to 1.25.3.2. #12327 KAG-3515 KAG-3570 KAG-3571 JIT-2
- Bumped PCRE2 to 10.44 to fix some bugs and tidy up the release. #12366 KAG-3571 KAG-3521 KAG-2025
- Introduced a yieldable JSON library, `lua-resty-simdjson`, which significantly improves latency. #13421 KAG-3647
- Bumped lua-protobuf to 0.5.2. #12834
- Bumped `ngx_wasm_module` to `96b4e27e10c63b07ed40ea88a91c22f23981db35`. #12011
- Bumped `Wasmtime` version to `23.0.2`. #12011
- Made the RPM package relocatable with the default prefix set to `/`. #13468 KAG-4847 FTI-6054 KAG-4549 KAG-5122
- prometheus: Added `ai_requests_total`, `ai_cost_total` and `ai_tokens_total` metrics in the Prometheus plugin to start counting AI usage. #13148
- Added the new configuration parameter `concurrency_limit` (integer, defaults to 1), which lets you specify the number of delivery timers in the queue. Note that setting `concurrency_limit` to `-1` means no limit at all, and each HTTP log entry would create an individual timer for sending. #13332 FTI-6022
- Kong Gateway now appends gateway info to the upstream `Via` header in the format `1.1 kong/3.8.0`, and optionally to the response `Via` header if it is present in the `headers` config of `kong.conf`, in the format `2 kong/3.8.0`. This follows standards defined in RFC7230 and RFC9110. #12733 FTI-5807
- Starting from this version, a new DNS client library has been implemented and added into Kong. This library is disabled by default, and can be enabled by setting the `new_dns_client` parameter to `on`. The new DNS client library provides the following:
  - Global caching for DNS records across workers, significantly reducing the query load on DNS servers.
  - Observable statistics for the new DNS client, and a new Status API `/status/dns` to retrieve them.
- Added `0` to support unlimited body size. When parameter `max_allowed_file_size` is `0`, `get_raw_body` will return the entire body, but the size of this body will still be limited by Nginx's `client_max_body_size`. #13431 KAG-4698
- Extended `kong.request.get_body` and `kong.request.get_raw_body` to read from buffered files. #13158
- Added a new PDK module `kong.telemetry` and the function `kong.telemetry.log` to generate log entries to be reported via the OpenTelemetry plugin. #13329 KAG-4848
- acl: Added a new config `always_use_authenticated_groups` to support using authenticated groups even when an authenticated consumer already exists. #13184 FTI-5945
- AI plugins: Latency data is now pushed to logs and metrics. #13428
- AI-proxy-plugin: Added the `allow_override` option to allow overriding the upstream model auth parameter or header from the caller's request. #13158
- AI-proxy-plugin: Added the `allow_override` option to allow overriding the upstream model auth parameter or header from the caller's request. #13493
- AI-proxy-plugin: Replaced the lib and used cycle_aware_deep_copy for the `request_table` object. #13582
- Kong AI Gateway (AI Proxy and associated plugin family) now supports all AWS Bedrock "Converse API" models. #12948
- Kong AI Gateway (AI Proxy and associated plugin family) now supports the Google Gemini "chat" (generateContent) interface. #12948
- ai-proxy: The Mistral provider can now use mistral.ai-managed services by omitting the `upstream_url`. #13481
- ai-proxy: Added the new response header `X-Kong-LLM-Model`, which displays the name of the language model used in the AI Proxy plugin. #13472
- AI-Prompt-Guard: Added the `match_all_roles` option to allow matching all roles in addition to `user`. #13183
- AWS-Lambda: Added support for a configurable STS endpoint with the new configuration field `aws_sts_endpoint_url`. #13388 KAG-4599
- AWS-Lambda: Added the configuration field `empty_arrays_mode` to control whether Kong should send `[]` empty arrays (returned by Lambda function) as `[]` empty arrays or `{}` empty objects in JSON responses. #13084 FTI-5937 KAG-4622 KAG-4615
- response-transformer: Added support for `json_body` rename. #13131 KAG-4664
- OpenTelemetry: Added support for OpenTelemetry formatted logs. #13291 KAG-4712
- standard-webhooks: Added standard webhooks plugin. #12757
- Request-Transformer: Fixed an issue where renamed query parameters, url-encoded body parameters, and JSON body parameters were not handled properly when the target name was the same as the source name in the request. #13358 KAG-4915
- Fixed an issue where some debug level error logs were not being displayed by the CLI. #13143 FTI-5995
- Fixed an issue where luarocks-admin was not available in /usr/local/bin. #13372 KAG-911
- Fixed an issue where 'read' was not always passed to Postgres read-only database operations. #13530 KAG-5196
- Fixed an issue with deprecated shorthand fields so that they don't take precedence over replacement fields when both are specified. #13486 KAG-5134
- Fixed an issue where `lua-nginx-module` context was cleared when `ngx.send_header()` triggered `filter_finalize`. openresty/lua-nginx-module#2323. #13316 FTI-6005
- Changed the way deprecated shorthand fields are used with new fields. If the new field contains null, the deprecated field is allowed to overwrite it when both are present in the request. #13592 KAG-5287
- Fixed an issue where an unnecessary uninitialized variable error log was reported when 400 bad requests were received. #13201 FTI-6025
- Fixed an issue where the URI captures were unavailable when the first capture group was absent. #13024 KAG-4474
- Fixed an issue where the priority field could be set in a traditional mode route when `router_flavor` was configured as `expressions`. #13142 KAG-4411
- Fixed an issue where setting `tls_verify` to `false` didn't override the global level `proxy_ssl_verify`. #13470 FTI-6095
- Fixed an issue where the SNI cache wasn't invalidated when an SNI was updated. #13165 FTI-6009
- The `kong.logrotate` configuration file will no longer be overwritten during upgrade. When upgrading, set the environment variable `DEBIAN_FRONTEND=noninteractive` on Debian/Ubuntu to avoid any interactive prompts and enable fully automatic upgrades. #13348 FTI-6079
- Fixed an issue where the Vault secret cache got refreshed during `resurrect_ttl` time and could not be fetched by other workers. #13561 FTI-6137
- Error logs produced during Vault secret rotation are now logged at the `notice` level instead of `warn`. #13540 FTI-5775
- Fixed an issue where the `host_header` attribute of the upstream entity wouldn't be set correctly as a Host header in requests to the upstream during connection retries. #13135 FTI-5987
- Moved internal Unix sockets to a subdirectory (`sockets`) of the Kong prefix. #13409 KAG-4947
- Changed the behaviour of shorthand fields that are used to describe deprecated fields. If both fields are sent in the request and their values mismatch, the request will be rejected. #13594 KAG-5262
- Reverted the DNS client to the original behavior of ignoring ADDITIONAL SECTION in DNS responses. #13278 FTI-6039
- Shortened names of internal Unix sockets to avoid exceeding the socket name limit. #13571 KAG-5136
- PDK: Fixed an issue where the log serializer logged `upstream_status` as nil in the requests that contained subrequests. #12953 FTI-5844
- Vault: References ending with a slash, when parsed, will no longer return a key. #13538 KAG-5181
- Fixed an issue where `pdk.log.serialize()` threw an error when the JSON entity set by `serialize_value` contained `json.null`. #13376 FTI-6096
- AI-proxy: Fixed an issue where certain Azure models would return partial tokens/words when in response-streaming mode. #13000 KAG-4596
- AI Transformer plugins: Fixed an issue where Cloud Identity authentication was not used in `ai-request-transformer` and `ai-response-transformer` plugins. #13487
- AI-proxy: Fixed an issue where Cohere and Anthropic providers didn't read the `model` parameter properly from the caller's request body. #13000 KAG-4596
- AI-proxy: Fixed an issue where using OpenAI Function inference requests would log a request error, and then hang until timeout. #13000 KAG-4596
- AI-proxy: Fixed an issue where AI Proxy would still allow callers to specify their own model, ignoring the plugin-configured model name. #13000 KAG-4596
- AI-proxy: Fixed an issue where AI Proxy would not give the plugin's configured model tuning options precedence over those in the user's LLM request. #13000 KAG-4596
- AI-proxy: Fixed an issue where setting OpenAI SDK model parameter "null" caused analytics to not be written to the logging plugin(s). #13000 KAG-4596
- ACME: Fixed an issue where the DP would report that deprecated config fields were used when configuration was pushed from the CP. #13069 KAG-4515
- ACME: Fixed an issue where username and password were not accepted as valid authentication methods. #13496 FTI-6143
- AI-Proxy: Fixed an issue where the response was gzipped even if the client didn't accept the format. #13155
- Prometheus: Fixed an issue where CP/DP compatibility check was missing for the new configuration field `ai_metrics`. #13417 KAG-4934
- Fixed an issue where certain AI plugins couldn't be applied per consumer or per service. #13209
- AI-Prompt-Guard: Fixed an issue which occurred when `allow_all_conversation_history` was set to false, and caused the first user request to be selected instead of the last one. #13183
- AI-Proxy: Resolved an issue where the object constructor would set data on the class instead of the instance. #13028
- AWS-Lambda: Fixed an issue where the plugin didn't work with multiValueHeaders defined in proxy integration and legacy `empty_arrays_mode`. #13381 FTI-6100
- AWS-Lambda: Fixed an issue where the `version` field wasn't set in the request payload when `awsgateway_compatible` was enabled. #13018 FTI-5949
- correlation-id: Fixed an issue where the plugin would not work if we explicitly set the `generator` to `null`. #13439 FTI-6134
- CORS: Fixed an issue where the `Access-Control-Allow-Origin` header was not sent when `conf.origins` had multiple entries but included `*`. #13334 FTI-6062
- grpc-gateway: When there is a JSON decoding error, respond with status 400 and error information in the body instead of status 500. #12971
- HTTP-Log: Fixed an issue where the plugin didn't include port information in the HTTP host header when sending requests to the log server. #13116
- AI Plugins: Fixed an issue where multi-modal inputs weren't properly validated and calculated. #13445
- OpenTelemetry: Fixed an issue where migration failed when upgrading from below version 3.3 to 3.7. #13391 FTI-6109
- OpenTelemetry and Zipkin: Removed redundant deprecation warnings. #13220 KAG-4744
- Basic-Auth: Fixed an issue where the realm field wasn't recognized for older Kong Gateway versions (before 3.6). #13042 KAG-4516
- Key-Auth: Fixed an issue where the realm field wasn't recognized for older Kong Gateway versions (before 3.7). #13042 KAG-4516
- Request Size Limiting: Fixed an issue where the body size didn't get checked when the request body was buffered to a temporary file. #13303 FTI-6034
- Response-RateLimiting: Fixed an issue where the DP would report that deprecated config fields were used when configuration was pushed from the CP. #13069 KAG-4515
- Rate-Limiting: Fixed an issue where the DP would report that deprecated config fields were used when configuration was pushed from the CP. #13069 KAG-4515
- OpenTelemetry: Improved accuracy of sampling decisions. #13275 KAG-4785
- hmac-auth: Added WWW-Authenticate headers to 401 responses. #11791 KAG-321
- Prometheus: Improved error logging when having inconsistent labels count. #13020
- jwt: Added WWW-Authenticate headers to 401 responses. #11792 KAG-321
- ldap-auth: Added WWW-Authenticate headers to all 401 responses. #11820 KAG-321
- OAuth2: Added WWW-Authenticate headers to all 401 responses and realm option. #11833 KAG-321
- proxy-cache: Fixed an issue where the Age header was not being updated correctly when serving cached responses. #13387
- Fixed an issue where validation of the certificate schema failed if the `snis` field was present in the request body. #13357
- Fixed an issue where hybrid mode wasn't working if the forward proxy password contained the special character `#`. Note that the `proxy_server` configuration parameter still needs to be url-encoded. #13457 FTI-6145
- AI-proxy: Added a configuration validation to prevent `log_statistics` from being enabled upon providers not supporting statistics. Accordingly, the default of `log_statistics` is changed from `true` to `false`, and a database migration is added as well for disabling `log_statistics` if it has already been enabled upon unsupported providers. #12860