Kong 1.3.0rc2 available for testing!

Hello, Kong Nation!

We’re happy to share with you the second release candidate for our next release, Kong 1.3.0rc2!

This is the next step leading us to Kong 1.3: the first release to officially support gRPC proxying!

Additionally, Kong 1.3 includes several highly-requested features such as support for upstream mutual TLS , header-based routing (not only Host ), and database export , and configurable upstream keepalive timeouts, and is built using the latest and greatest OpenResty

Kong 1.3.0rc2 also includes the latest security patches for the recently-announced NGINX vulnerabilities affecting the HTTP/2 module.


:package: Download Kong 1.3.0rc2 today — as always we are looking forward to your feedback!

  • :warning: All packages have been renamed from noarch to amd64, in anticipation to the ARM64 packages that should be released with Kong 1.3.0 final.

For more details about the updated installation, please visit the official docs: https://konghq.com/install.

What’s new in Kong 1.3.0rc2 :fireworks:


  • :lock: Security
  • :electric_plug: Plugins
    • Consumer references in various plugin entities are now properly marked as required, avoiding credentials that map to no Consumer #4879
    • hmac-auth: Correct the encoding of HTTP/1.0 requests. #4839
    • oauth2: empty client_id wasn’t checked, causing a server error. #4884
    • response-transformer: preserve empty arrays correctly. #4901
    • prometheus: updated to version 0.4.1
  • :gear: Admin API:
    • Ensure PUT works correctly when applied to plugin configurations. #4882
  • :construction_worker_man: PDK:
    • Prevent calls from failing in custom content blocks. This fixes a misbehavior affecting the Prometheus plugin. #4904
    • Ensure kong.response.add_header works in the rewrite phase. #4888

And a recap of all the new stuff in the 1.3.0 series :fireworks:

  • :fireworks: Native gRPC proxying. Kong gained new ability to proxy gRPC traffic through it and to the upstream gRPC services. #4801
  • :fireworks: Mutual TLS handshake with upstream services. Kong can now present a client certificate while TLS handshake with upstream services. #4800
  • :fireworks: Route by any request header . The router now has the ability to match Routes by any request header (not only Host ). #4758
  • :fireworks: Newly open-sourced plugin : the session plugin (previously only available in Enterprise) is now bundled in Kong. It can be used to manage browser sessions for APIs proxied and authenticated by Kong. #4685
  • :fireworks: Least-connection load-balancing . Kong can choose upstream server to connect to based on the amount of connections currently with them. #4528
  • :fireworks: A new section in the kong.conf file describes injected Nginx
    (added to Kong 0.14.0) and specifies a few default ones. This should help user getting rid of most of the customized Nginx templates eventually. #4382
  • :fireworks: New configuration properties allow for controlling the behavior of
    upstream keepalive connections. Which should reduce the number of 502 errors some customers may see. #4382
  • :fireworks: Database export via the new kong config db_export CLI command. Exported file can be used for running Kong in DB-less mode (added to Kong 1.1.0) or be imported back into the database later. #4809
  • The new “CA Certificates” core entity.
  • Support for more listening flags.
  • Improvements on the easiness use of Admin API.
  • New PDK capabilities.
  • :rocket: Tons of bugfixes and performance improvements!

:spiral_notepad: Here’s a link to the 1.3.0rc2 Changelog.

:whale: The updated Docker image is live on Docker Hub.

:arrow_up: The recommended upgrade path is the usual one, and is detailed in the 1.3 Upgrade Path

We encourage everyone to run this release candidate in their test environments and give us your feedback! This forum is a great way to ask questions or post feedback, and the GitHub issues is the place for bug reports.

Thank you all for the feedback in this release candidate series, and keep it coming! :green_heart:

1 Like

Hoping to test this sometime before Wednesday, especially curious if the Kong as a LB doing active health checks factoring in the FQDN along with the ip:port pair is working great now. Been really looking forward to cutting out some middleman LB tools and letting Kong handle that all! :smile: One slight concern I have around Kong as LB is this:

Which Kong solved in one iteration for pure regular upstream proxying by adding the option to do the rebuilds to the background as a pattern with eventual consistency. Might be doable in this case as well.

Thanks for all Kong Core teams hard work! #KongStrong

Yes, it should be possible to add eventual consistency to the balancer module as well, though that might be extra tricky because of healthchecker interactions. I haven’t thought deeply about it, but it’s a cool idea.

Still, that particular line mentioned in #4883 which resets the upstream list cache in the PATCH and DELETE callback has been there for for a long time (since 0.x days), so I don’t think that’s a new regression. It would be interesting though to see if adding a dummy get_all_upstreams invocation to the callback just to refresh the cache would do any difference, since is triggered by the Admin API and already runs async to the proxy-path requests.

1 Like