Slide 1

THE CLOUD CONNECTIVITY COMPANY © Kong Inc.
Kong Gateway Latest Updates
Wenhan Shi, Solutions Engineer, [email protected]

Slide 2

Who am I
施文翰 (シ ブンカン) / Wenhan Shi
• Hitachi, Ltd. - Linux kernel module development/support
• Red Hat K.K. - GlusterFS/OpenShift support
• Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes support
• Rancher Labs/SUSE - Rancher support
• Kong Inc. - Solutions Engineer
@shi_wenhan [email protected]

Slide 3

Before We Start!
Kong 2.8 is Kong's first ever LTS version!
STRONGLY recommend any customers running < 2.8 get onto 2.8 ASAP.
2.8 LTS will have full support until March 2025.
You can learn more here.

Slide 4

Agenda
● Kong Gateway 3.0/3.1
● Kong Gateway 3.2
● Kong Gateway 3.3
● Insomnia 2023.2.2

Slide 5

Kong Gateway 3.0/3.1
2022/09/12, 2022/12/06

Slide 6

Kong Gateway 3.0 Core
Performance
- Resource optimizations
- More scalable inter-worker communication
Event and Timer
- Configuration local persistence
- Improved performance
[Diagram: fake Nginx request → timer coroutine → timer library worker → http-log flush requests]
New Route Optimization
- New Router object
- More powerful Routes
- Lay the foundation for incremental configuration change

Slide 7

Kong Gateway 3.0 Plugins
Secret Management (GA)
- HashiCorp Vault and AWS Secrets Manager integration
- Referenceable secrets for more secure deployments
- Used in custom and bundled plugins
Plugin Ordering
- Modify the default plugin execution order
- Without the need to change plugin code
- No need to package another version of the same plugin with a different priority value
OpenTelemetry Tracing
- Support OpenTelemetry
- Instrumentation of trace and span

Slide 8

Kong Gateway 3.1
Dynamic Log Level Changes
- On-demand granularity control of logs for Day 2 operations
More OOTB Plugins
- AppDynamics and Datadog
- SAML 2.0 Authentication
- JWT Encryption & Decryption
- OpenAPI Spec validation
- XML threat protection
Security & Compliance
- FIPS 140-2 compliant packages
- Expanded support for HashiCorp Vault backends for K8s service account tokens

Slide 9

Kong Gateway Flagship Features
- LMDB
- New Route Optimization
- Plugin Ordering
- Secrets Management
- WebSocket Support
- FIPS 140-2
- Kong Manager 3.0
- LDAP Group Authentication
- OpenTelemetry
- New Router
- UBI + Slim Images


Slide 11

New Router

Slide 12

What is it?
■ Kong Gateway 3.0 ships with a new router
■ The router is what helps Kong decide which upstream to forward inbound requests to
■ The new router can be used in traditional-compatible mode, or using a new expression-based language

Slide 13

Design Goals
■ Comparable performance for commonly used scenarios
■ Incremental rebuilds
○ By leveraging efficient data structures instead of function closures for matching optimization
■ More expressive format
○ Reduced cardinality
○ Reduced expensive regexes
■ Unified implementation for all users
○ Kong DP, Koko, Kong Manager, …

Slide 14

A DSL-based approach

2.x (route object fields):
    "protocols": ["http", "https"],
    "methods": ["GET", "POST"],
    "hosts": ["example.com", "foo.test"],
    "paths": ["/foo", "/bar"],
    "headers": {"x-another-header": ["bla"], "x-my-header": ["foo", "bar"]},

3.x (expression):
    (net.protocol == "http" || net.protocol == "https") &&
    (http.method == "GET" || http.method == "POST") &&
    (http.host == "example.com" || http.host == "foo.test") &&
    (http.path ^= "/foo" || http.path ^= "/bar") &&
    http.headers.x_another_header == "bla" &&
    (http.headers.x_my_header == "foo" || http.headers.x_my_header == "bar")

Slide 15

Business Benefit
■ Reduced router rebuild time when changing Kong's configuration
○ Reduced P99 latency from 1.5s to 0.1s with 10,000 routes
■ Powerful routing language that can handle complex routing requirements
■ Increased runtime performance when routing requests

Slide 16

OpenTelemetry

Slide 17

What is it?
■ OpenTelemetry (OTel) is a collection of tools, APIs and SDKs to instrument, collect and export telemetry data for your software
■ Use it to understand what your software is doing, how it's performing and where time is being spent during execution

Slide 18

Business Benefit
■ Allows DevOps and SRE teams to understand where time is being spent when running Kong Gateway to help tune performance
■ Provides a Plugin Development Kit (PDK) to enable customers to instrument their own custom plugins

Slide 19

Kong Manager

Slide 20

What is it?
■ Kong Manager is a UI that we provide to help customers configure and monitor their Kong deployment
■ Kong Manager 3.0 ships a new design and improved user experience (including more tooltips)


Slide 22

Secrets Management

Slide 23

What is it?
■ Store sensitive information in external vaults, such as AWS Secrets Manager, Google Cloud Secret Manager or HashiCorp Vault
■ Secrets can be used for any kong.conf value, and in specific plugins (with more being added each release)
■ Automatic secret rotation is supported for some values (such as the Postgres password)

Slide 24

Business Benefit
■ Ensure that the sensitive keys used in Kong deployments:
○ Are not inadvertently visible throughout Kong's platform (e.g. decK configurations, logs, Manager UIs), which may lead to unauthorized access
○ Can be securely stored, tightly controlled and audited by IT organizations
■ Move from "Secret Sprawl" to Centralization
○ Customers can leverage their own centrally managed secret management infrastructure to ensure sensitive information necessary for Gateway operations is up-to-date and adheres to IT security policies

Slide 25

Key Features
1) Use pre-built "Connectors" to AWS Secrets Manager, HashiCorp Vault and Google Cloud Secret Manager
2) Reference secrets using a simple and intuitive variable used throughout Kong configurations: {vault://driver/secret/path}
3) Automatically resolve secrets on Kong Data Planes; the secret values only exist in memory and are obfuscated throughout the deployment

Slide 26

Architecture
[Architecture diagram]

Slide 27

Timer Library: Make Callback Functions Scalable
[Chart comparing the original timer with the timer library]

Slide 28

Events Library: Improved inter-worker communication
Benchmark command shown on the slide:
    wrk -c 10000 -t 36 -d 3m --latency http://localhost:8080
[Chart]

Slide 29

LMDB: New Storage Engine for Hybrid and DB-less

Slide 30

Kong Gateway 3.2
2023/02/28

Slide 31

Kong Enterprise 3.2 Key Highlights
Security & Compliance
● FIPS compliance for plugins
● Global sessions for OIDC
Reliable and Simplified API Management
● Data plane scale-out
● Kong Manager updates
Boost Performance
● Latency Based Steering

Slide 32

Business continuity with Data plane scale out
Key Features
■ In hybrid mode, in the event of control plane failure, new data plane nodes can now seamlessly boot up and access the most recent configuration from a GCP or AWS storage bucket.
■ New or restarted data plane(s) only retrieve configuration that is compatible with the version of Kong Enterprise currently running. This helps to prevent any version compatibility issues.
Benefits
■ Ensure your APIs and services are always available to your users and can handle increased load over time.
■ Prevent API and service disruptions and ensure consistent performance to deliver a great user experience.

Slide 33

FIPS 140-2 Compliant
Kong Gateway Runtime and First Party Plugins are FIPS 140-2 Compliant
Key Features
■ Kong Gateway runtime and all associated first-party (supported by Kong) plugins now only use a FIPS 140-2 validated module for their encryption functions.
■ This is an exclusive Kong Gateway (EE) feature.
Benefits
■ Kong Gateway and all associated first-party plugins are ideal for highly regulated industries and organizations with strict compliance and security considerations.

Slide 34

Boost Performance with Latency-based Steering
Key Features
■ Latency-based steering allows Kong load balancers to choose the "fastest" backend based on total response time when proxying to upstream services.
■ This algorithm is based on the exponentially weighted moving average (EWMA), which ensures the balancer selects the upstream service that has the lowest average latency.
Benefits
■ This algorithm is a good choice for services that receive a high volume of requests per second and will help increase API performance at scale.
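As an added example (not Kong's balancer code), the Python below keeps an EWMA of total response time per upstream target and steers to the lowest one, showing how a single slow response is dampened rather than immediately disqualifying an otherwise fast target; the smoothing factor ALPHA and the "untried targets first" rule are simplifications assumed here.

```python
# Added example, not Kong's own balancer code: latency-based steering with an
# exponentially weighted moving average (EWMA) of total response time per
# upstream target. Assumptions: ALPHA and the "untried targets first" rule are
# simplifications chosen here to illustrate the algorithm the slide names.
ALPHA = 0.3  # weight of the newest sample; smaller values smooth more


class EwmaBalancer:
    def __init__(self, targets):
        # Untried targets carry no estimate yet, so they get sampled before being judged.
        self.ewma = {t: None for t in targets}

    def record(self, target, latency_ms):
        """Fold one observed response time into the target's EWMA and return it."""
        prev = self.ewma[target]
        self.ewma[target] = (
            latency_ms if prev is None else ALPHA * latency_ms + (1 - ALPHA) * prev
        )
        return self.ewma[target]

    def pick(self):
        """Steer to the target with the lowest average latency."""
        untried = [t for t, v in self.ewma.items() if v is None]
        if untried:
            return untried[0]
        return min(self.ewma, key=self.ewma.get)


def replay(samples):
    """Replay (target, latency_ms) observations; return the final pick and EWMAs."""
    balancer = EwmaBalancer(sorted({t for t, _ in samples}))
    for target, ms in samples:
        balancer.record(target, ms)
    return balancer.pick(), dict(balancer.ewma)


# Constructed sample: "b" is usually faster than "a" but has one slow response;
# the EWMA dampens that outlier instead of abandoning "b" for good.
SAMPLES = [("a", 120), ("b", 40), ("a", 110), ("b", 300), ("a", 130), ("b", 45), ("b", 42)]

if __name__ == "__main__":
    chosen, averages = replay(SAMPLES)
    print(chosen, averages)
```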

Slide 35

More Intuitive Kong Manager Experience
Key Features
■ Key Entities can now be created in Kong Manager.
■ Kong Manager provides you the option to download or copy the license usage report directly from the UI.
■ Kong Manager simplifies building and validating expression-based routes.
○ The "expression" field has full linting and autocomplete support for the expression syntax.
○ You can test requests against expression-based routes with the router playground.
Benefits
■ Improved user experience and productivity for API and microservices management.

Slide 36

Kong Gateway 3.3
2023/05/19

Slide 37

Kong Enterprise 3.3 Key Highlights
Security & Compliance
● Software Bill of Materials (SBOM)
● AWS IAM DB Auth
Simplified API Management
● Admin API spec for the Kong Admin API!
● Readiness Endpoint
● Dataplane Metadata
Reliable Operations
● Configurable Queuing Behavior
● OTel Improvements

Slide 38

OpenAPI Spec for Kong Admin API (Beta)
Key Features
■ Delivering a long-awaited request - OpenAPI spec for Kong's Admin API
■ Includes both OSS + Enterprise specs
■ Available at https://developer.konghq.com/
■ Internal preview at: https://kong605fea6a.us.portal.konghq.com/
■ Konnect-specific timeline ~1 month or so
Benefits
● OpenAPI is the standard for documenting your APIs
● The specs give customers a clear, holistic view of Kong's API surface - it is a 'contract'
● This reduces developer hours spent examining documentation

Slide 39

Close Deals Faster With a Software Bill of Materials (SBOM)
Key Features
■ Prospects and customers can now receive an SBOM for every release from 3.3 onwards
■ SBOMs are generated in CycloneDX and SPDX format
■ They can be found on our support page (url TBD)
Benefits
■ SBOMs help customers/prospects understand all third-party dependencies/libraries that Kong uses
■ This information is important to security and compliance teams who do diligence on Kong
■ Having an SBOM automatically available on every release will allow Kong to respond quickly to these requests

Slide 40

Software Bill of Materials
[Screenshot]

Slide 41

Endpoint for Configuration Readiness
Key Features
■ A new endpoint on DPs which will return a 200 if the DP has loaded configuration successfully
■ On the CP this endpoint will error out if the DB is unreachable, else 200
Benefits
■ Give customers visibility into when their DPs are 'ready' to start proxying traffic
■ Enable K8s users to configure readiness probes to ensure that the pods do not receive any traffic until they have received a valid configuration

Slide 42

Increased Reliability With Configurable Queueing Behavior
Key Features
■ Robust configuration options for plugins that use queues
■ Set 'max entries' and queuing behavior including retry logic
Benefits
■ Increased platform reliability through full control and customization over queuing behavior
■ Address the issue of upstream server unavailability due to queues growing uncontrollably

Slide 43

Configurable Queueing Behavior
[Screenshot]

Slide 44

Connect to RDS + Aurora with DB IAM in AWS
Key Features
■ Instead of using a username/password to authenticate with Postgres, customers can now use DB IAM Auth
■ 'Officially' support RDS + Aurora as backends and added test coverage for these platforms
Benefits
■ No need to store a username/password in Kong config
■ Comply with security best practices

Slide 45

OTel Improvements
Key Features
■ Ensure accuracy of span hierarchy for intra-Kong calls
■ Intuitive naming and grouping of Kong-specific spans which describe the types of spans (i.e. 'kong.router', 'kong.dns', etc.)
■ Improved propagation support - Kong & OpenTelemetry now work with incoming propagation headers and map external requests to Kong-specific spans in a robust manner
■ Ensure accuracy of latency/timing data by exposing Kong-specific spans
Benefits
■ Ease of use for distributed tracing and reporting of low-level spans

Slide 46

Other Notes:
- 3.3 is the last release we will support Alpine
- Ubuntu is the new 'flavor' in our quickstarts
- This build has ARM support
- The build should also be available in Konnect for testing
- Cassandra will be removed in 3.4
  - Reached out to the customers we know are still using it
- 3.3 likely to be LTS Kong (and will likely include Cassandra)

Slide 47

Insomnia 2023.2.2

Slide 48

Live View is back!

Slide 49

Thank you