am I 施 ⽂翰(シ ブンカン) Wenhan Shi • ⽇⽴製作所 - Linux kernel module development/Support • Red Hat K.K. - GlusterFS/OpenShift Support • Canonical Japan K.K. - Ubuntu/OpenStack/Kubernetes Support • Rancher Lab/SUSE - Rancher Support • Kong Inc. - Solutions Engineer @shi_wenhan [email protected]
We Start! Kong 2.8 is Kong’s first every LTS versions! STRONGLY recommend any customers running < 2.8 get onto 2.8 ASAP 2.8 LTS will have full support until March 2025 You can learn more here
Kong Gateway 3.0 Plugins Secret Management (GA) - Modify the default plugin execution order - Without the need to change plugin code - No need to package another version of the same plugin with different priority value Plugin Ordering Open Telemetry-Tracing - Support open telemetry - Instrumentation of trace and span - Hashi Vault and AWS Secret Manager integration - Referenceable secrets for more secure deployments - Used in custom and bundled plugins
Kong Gateway 3.1 Security & Complaince - On-demand granularity control of logs for Day 2 operations. Dynamic Log Level Changes More OOTB Plugins - AppDynamics and Datadog - SAML 2.0 Authentication - JWT Encryption & Decryption - Open API Spec validation - XML threat-protection - - FIPS 140-2 compliant packages - Expanded support for HashiCorp Vault backends for K8s service account tokens
Kong Gateway Flagship Features LMDB New Route Optimization Plugin Ordering Secrets Management Websocket Support FIPS 140-2 Kong Manager 3.0 LDAP Group Authentication OpenTelemetry New Router UBI + Slim Images
Kong Gateway Flagship Features LMDB New Route Optimization Plugin Ordering Websocket Support FIPS 140-2 LDAP Group Authentication UBI + Slim Images Secrets Management Kong Manager 3.0 OpenTelemetry New Router
Kong Gateway 3.0 ships with a new router ▪ The router is what helps Kong decide which upstream to forward inbound requests to ▪ The new router can be used in traditional-compatible mode, or using a new expression based language What is it? 12
▪ Comparable performance for commonly used scenarios ▪ Incremental rebuilds ◦ By leveraging efficient data structures instead of function closures for matching optimization ▪ More expressive format ◦ Reduced cardinality ◦ Reduced expensive regexs ▪ Unified implementation for all users ◦ Kong DP, Koko, Kong Manager, … Design Goals
▪ Reduced router rebuild time when changing Kong’s configuration ◦ Reduced P99 latency from 1.5s to 0.1s with 10,000 routes ▪ Powerful routing language that can handle complex routing requirements ▪ Increased runtime performance when routing requests Business Benefit
▪ OpenTelemetry (OTel) is a collection of tools, APIs and SDKs to instrument, collect and export telemetry data for your software ▪ Use it to understand what your software is doing, how it’s performing and where time is being spent during execution What is it?
▪ Allows DevOps and SRE teams to understand where time is being spent when running Kong Gateway to help tune performance ▪ Provides a Plugin Development Kit (PDK) to enable customers to instrument their own custom plugins Business Benefit
▪ Kong Manger is a UI that we provide to help customers configure and monitor their Kong deployment ▪ Kong Manager 3.0 ships a new design and improved user experience (including more tooltips) What is it?
▪ Store sensitive information in external vaults, such as AWS Secrets Manager, Google Cloud Secrets Manager or Hashicorp Vault, ▪ Secrets can be used for any kong.conf value, and specific plugins (with more being added each release) ▪ Automatic secret rotation is supported for some values (such as Postgres password) What is it?
▪ Ensure these Sensitive Keys used in Kong Deployments are: ◦ Secrets are not inadvertently visible throughout Kong’s platform (e.g decK configurations, logs, Manager UIs) which may lead to unauthorized access. ◦ Secrets can be securely stored, tightly controlled and are auditable by IT organizations ▪ Move from “Secret Sprawl” to Centralization ◦ Customers can leverage their own centrally managed secret management infrastructure to ensure sensitive information necessary for Gateway operations is up-to-date and adheres to IT security policies Business Benefit
1) Use pre-built “Connectors” to AWS Secret Manager, Hashicorp Vault and Google Cloud Secret Manager 2) Reference secrets using a simple and intuitive variable used throughout Kong configurations: {vault://driver/secret/path} 3) Automatically resolve secrets on Kong Data Planes whose secret values only exist in memory and are obfuscated throughout the deployment. Key Features
& Compliance • FIPS compliance for plugins • Global sessions for OIDC Reliable and Simplified API Management • Data plane scale-out • Kong Manager updates Kong Enterprise 3.2 Key Highlights Boost Performance • Latency Based Steering
In hybrid mode, in the event of control plane failure, new data plane nodes can now seamlessly boot up and access the most recent configuration from GCP or AWS storage bucket. ▪ New or restarted data plane(s) only retrieves configuration that is compatible with the version of Kong Enterprise currently in operation running. This helps to prevent any version compatibility issues. Business continuity with Data plane scale out ▪ Ensure your APIs and services are always available to your users and can handle increased load over time. ▪ Prevent API and service disruptions and ensure consistent performance to deliver a great user experience Key Features Benefits
Kong Gateway runtime and all associated first- party (supported by Kong) plugins, now only use a FIPS 140-2 validated module for its encryption functions. ▪ This is an exclusive Kong Gateway (EE) feature. Kong Gateway Runtime and First Party Plugins are FIPS 140-2 Compliant ▪ Kong Gateway and all associated first party plugins are ideal for highly regulated industries and organizations with strict compliance and security considerations. Key Features Benefits FIPS 140-2 Compliant
Latency based steering allows Kong load balancers to choose the “fastest” backend based on total response time when proxying to upstream services. ▪ This algorithm is based on the exponentially weighted moving average (EWMA), which ensures the balancer selects the upstream service that has the lowest average latency. Boost Performance with Latency-based Steering ▪ This algorithm is a good choice for services that receive high volume of requests per second and will help increase API performance at scale. Key Features Benefits
Key Entities can now be created in Kong Manager. ▪ Kong Manager provides you the option to download or copy the license usage report directly from the UI. ▪ Kong Manager simplifies building and validating expression-based routes. ◦ The “expression” field has full linting and autocomplete support for the expression syntax. ◦ You can test requests against expression-based routes with the router playground. More Intuitive Kong Manager Experience ▪ Improved user experience and productivity for API and microservices management. Key Features Benefits
& Compliance • Software Bill of Materials (SBOM) • AWS IAM DB Auth Simplified API Management • Admin api spec for Kong admin api! • Readiness Endpoint • Dataplane Metadata Kong Enterprise 3.3 Key Highlights Reliable Operations • Configurable Queuing Behavior • OpenTel Improvements
Delivering a long-awaited request - OpenAPI spec for Kong’s admin API ▪ Includes both OSS + Enterprise specs ▪ Available at https://developer.konghq.com/ ▪ Internal preview at: https://kong605fea6a.us.portal.konghq.com/ ▪ Konnect specific timeline ~1 month or so OpenAPI Spec for Kong Admin API (Beta) Key Features Benefits • OpenAPI is the standard for documenting your APIs • The specs give customers a clear, holistic view of Kong’s api surface - it is a ‘contract’ • This reduces developer hours examining documentation
Prospects and customers can now receive an SBOM for every release from 3.3 onwards ▪ SBOMs are generated in cyclonedx and spdx format ▪ They can be found on our support page (url TBD) Close Deals Faster With a Software Bill of Materials (SBOM) ▪ SBOMs help customers/prospects understand all third party dependencies/libraries that Kong uses ▪ This information is important to security and compliance teams who do diligence on Kong ▪ Having an SBOM automatically available on every release will allow Kong to respond quickly to these requests Key Features Benefits
A new endpoint on DPs which will return a 200 if the DP has loaded configuration successfully ▪ On the CP this endpoint will error out if the DB is unreachable, else 200 Endpoint for Configuration Readiness ▪ Give customers visibility into when their DPs are ‘ready’ to start proxying traffic ▪ Enable K8s users to configure readiness probes to ensure that the pods do not receive any traffic until they have received a valid configuration Key Features Benefits
Robust configuration options for plugins that use queues ▪ Set ‘max entries’ and queuing behavior including retry logic Increased Reliability With Configurable Queueing Behavior ▪ Increased platform reliability through full control and customization over queuing behavior ▪ Address the issue upstream server unavailability due to queues growing uncontrollably Key Features Benefits
Instead of using a Username/Password to authenticate with Postgres, customer can now use DB IAM Auth ▪ ‘Officially’ support RDS + Aurora as backends and added test coverage for these platforms Connect to RDS + Aurora with DB IAM in AWS ▪ No need to store Username/Password in Kong config ▪ Comply with security best practices Key Features Benefits
Ensure accuracy of span hierarchy for intra-Kong calls ▪ Intuitive naming and grouping of Kong specific spans which describes the types of spans (i.e. ‘kong.router’, ‘kong.dns’, etc) ▪ Improved propagation support - Kong & OpenTelemetry now work with incoming propagation headers and map external requests to Kong specific spans in a robust manner ▪ Ensure accuracy of latency/ timing data by exposing Kong specific spans OTel Improvements Key Features Benefits ▪ Ease of use for distributed tracing and report low-level spans
Notes: - 3.3 is the last release we will support Alpine - Ubuntu is the new ‘flavor’ in our quickstarts - This build has ARM support - The build should also be available in Konnect for testing - Cassandra will be removed in 3.4 - Reached out to the customers we know are still using it - 3.3 likely to be LTS Kong (and will likely include Cassandra)