7 * Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields
8 for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP.
9 [#1018](https://github.com/Kong/charts/pull/1018)
13 * Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor.
14 [#1008](https://github.com/Kong/charts/pull/1008)
20 * Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1.
21 [#1011](https://github.com/Kong/charts/pull/1011)
22 * Bumped default `kong` image tag to 3.6.
23 [#1011](https://github.com/Kong/charts/pull/1011)
29 * Add `KongLicense` RBAC rules.
30 [#1006](https://github.com/Kong/charts/pull/1006)
36 * The plugin helper no longer sets the plugin list when not in use.
37 [#1002](https://github.com/Kong/charts/pull/1002)
43 * Added controller's RBAC rules for `KongVault` CRD (installed only when KIC
45 [#992](https://github.com/Kong/charts/pull/992)
49 * Added a missing `envFrom` render in the main Kong proxy container.
50 [#994](https://github.com/Kong/charts/pull/994)
56 * The `envFrom` and `ingressController.envFrom` values.yaml keys now populate
57 the container field of the same name. This loads environment variables from
58 ConfigMap or Secret resource keys in bulk:
59 https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
60 [#987](https://github.com/Kong/charts/pull/987)
61 * Kong listens now use both IPv4 and IPv6 addresses.
62 [#986](https://github.com/Kong/charts/pull/986)
68 * Add RBAC rules for get, list and watch operations on namespaces so that Gateway API
69 controllers in KIC can access using a cached controller-runtime client.
70 [#974](https://github.com/Kong/charts/pull/974)
76 * Fix a template bug related to the `affinity` field for migrations Pods.
77 [#972](https://github.com/Kong/charts/pull/972)
83 * Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade`
84 RBAC rules. Refer to [KIC#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302)
86 [#968](https://github.com/Kong/charts/pull/968)
92 * Only allow `None` ClusterIPs on ClusterIP-type Services.
93 [#961](https://github.com/Kong/charts/pull/961)
94 [#962](https://github.com/Kong/charts/pull/962)
95 * Bumped Kong version to 3.5.
96 [#957](https://github.com/Kong/charts/pull/957)
97 * Support for `affinity` configuration has been added to migration job templates.
98 * Display a warning message when Kong Manager is enabled and the Admin API is disabled.
99 * Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's
100 admission webhook only when KIC version is 3.0 or higher.
101 [#954](https://github.com/Kong/charts/pull/954)
102 * Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when
103 KongServiceFacade feature gate turned on and KIC version >= 3.1.0).
104 [#963](https://github.com/Kong/charts/pull/963)
110 * Add new `deployment.hostname` value to make identifying instances in
111 controlplane/dataplane configurations easier.
112 [#943](https://github.com/Kong/charts/pull/943)
118 * Added controller's RBAC rules for `KongUpstreamPolicy` CRD.
119 [#917](https://github.com/Kong/charts/pull/917)
120 * Added services resource to admission webhook config for KIC >= 3.0.0.
121 [#919](https://github.com/Kong/charts/pull/919)
122 * Update default ingress controller version to v3.0
123 [#929](https://github.com/Kong/charts/pull/929)
124 [#930](https://github.com/Kong/charts/pull/930)
128 * The target port for cmetrics should only be applied if the ingress controller is enabled.
129 [#926](https://github.com/Kong/charts/pull/926)
130 * Fix RBAC for Gateway API v1.
131 [#928](https://github.com/Kong/charts/pull/928)
132 * Enable Admission webhook for Gateway API v1 resources.
133 [#928](https://github.com/Kong/charts/pull/928)
139 * Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`.
140 [#896](https://github.com/Kong/charts/pull/896)
141 * The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+.
142 [#907](https://github.com/Kong/charts/pull/907)
143 * Container security context defaults now comply with the restricted pod
144 security standard. This includes an enforced run as user ID set to 1000. UID
145 1000 is used for official Kong images other than Alpine images (which use UID
146 100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do
147 not use UID 1000 can still run with this user, as static image files are
148 world-accessible and runtime-created files are created in temporary
149 directories created for the run as user.
150 [#911](https://github.com/Kong/charts/pull/911)
151 * Allow using templates (via `tpl`) when specifying `proxy.nameOverride`.
152 [#914](https://github.com/Kong/charts/pull/914)
157 * Make it possible to set the admission webhook's `timeoutSeconds`.
158 [#894](https://github.com/Kong/charts/pull/894)
164 * The admission webhook now includes Gateway API resources and Ingress
165 resources for controller versions 2.12+. This version introduces new
166 validations for Kong's regex path implementation.
167 [#892](https://github.com/Kong/charts/pull/892)
173 * Bump default `kong` image tag to 3.4.
174 [#883](https://github.com/Kong/charts/pull/883)
175 * Bump default ingress controller image tag to 2.12.
176 * Added validation rule for `latency` upstream load balancing algorithm to
177 CRDs. [Upgrade your CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds)
178 when installing this release.
184 * Listens now all support `.address` configuration. This was an existing
185 setting that was not applied properly for some listens.
186 [#881](https://github.com/Kong/charts/pull/881)
192 * Kuma ServiceAccount Token hints and volumes are also available in migrations
194 [#877](https://github.com/Kong/charts/pull/877)
200 * updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri).
206 * Enabled Service and Ingress in Kong Manager for non enterprise users.
212 * Add missing CRD KongConsumerGroup and extend status subresource for CRDs
218 * Fix parsing enterprise tags (like e.g. `3.4.0.0`)
219 [#857](https://github.com/Kong/charts/pull/857)
225 2.26 changes the default proxy readiness endpoint for newer Kong versions. This
226 causes an issue in a narrow edge case. If all of the following are true:
228 * You use Kong 3.3 or newer.
229 * You use controller 2.10 or older.
230 * You run the controller and proxy in separate Deployments.
232 you are affected and should review [the 2.26 upgrade instructions](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260).
236 * Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if
237 available. If not available, use the old `/status` default.
238 [#844](https://github.com/Kong/charts/pull/844)
239 * Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/)
240 to the the init and pre-upgrade migrations Jobs.
241 * Add controller's RBAC rules for `KongConsumerGroups` CRD.
242 [#850](https://github.com/Kong/charts/pull/850)
243 * Updated controller version to 2.11.
247 - Generate the `adminApiService.name` value from `.Release.Name` rather than
249 [#839](https://github.com/Kong/charts/pull/839)
255 * Running `tpl` against user-supplied labels and annotations used in Deployment
256 [#814](https://github.com/Kong/charts/pull/814)
261 version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream
264 * Fail to render templates when PodSecurityPolicy was requested but cluster doesn't
266 [#823](https://github.com/Kong/charts/pull/823)
267 * Add support for multiple hosts and tls configurations for Kong proxy `Ingress`.
268 [#813](https://github.com/Kong/charts/pull/813)
269 * Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images.
270 [#834](https://github.com/Kong/charts/pull/834)
274 * Fix Ingress and HPA API versions during capabilities checking
275 [#827](https://github.com/Kong/charts/pull/827)
281 * Add custom label configuration option for Kong proxy `Ingress`.
282 [#812](https://github.com/Kong/charts/pull/812)
283 * Bump default `kong/kubernetes-ingress-controller` image tag to 2.10.
284 Bump default `kong` image tag to 3.3.
285 [#815](https://github.com/Kong/charts/pull/815)
291 * Removed redundant RBAC permissions for non-existing subresources `secrets/status`
292 and `endpoints/status`.
293 [#798](https://github.com/Kong/charts/pull/798)
294 * For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints`
295 are not configured anymore (because it uses `EndpointSlices`).
296 [#798](https://github.com/Kong/charts/pull/798)
297 * Added support for setting `certificates.cluster.commonName`. This allows a custom
298 certificate `CommonName` to be provided when deploying Kong Gateway in hybrid
299 mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804)
305 * Added support for `startupProbe` on Kong pods. This can be configured via
306 `.Values.startupProbe`. To maintain backward compatibility, it is disabled by default.
307 [#792](https://github.com/Kong/charts/pull/792)
308 * Customize Admission Webhook namespaceSelectors and compose them from values.
309 [#794](https://github.com/Kong/charts/pull/794)
310 * Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole.
311 [#796](https://github.com/Kong/charts/pull/796)
317 * Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode
318 is disabled by default.
319 To enable it, set `.Values.ingressController.konnect.license.enabled=true`.
320 [#793](https://github.com/Kong/charts/pull/793)
326 * Fix correct timestamp format and remove `isCA` in certificates
327 [#791](https://github.com/Kong/charts/pull/791)
333 * Added support for automatic license provisioning for Gateways managed by
334 Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`).
335 [#787](https://github.com/Kong/charts/pull/787)
341 * Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled`
343 [#779](https://github.com/Kong/charts/pull/779)
349 * Security context enforces read-only root filesystem by default. This is not
350 expected to affect most configurations, but [will affect custom plugins that
351 write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170).
352 [#770](https://github.com/Kong/charts/pull/770)
358 * Added support for the Admin API service TLS client verification.
359 [#780](https://github.com/Kong/charts/pull/780
365 * The `-redhat` suffix on official KIC images is no longer considered part of
366 the semver string for version checks.
367 [#779](https://github.com/Kong/charts/pull/779)
373 * Added support for controller's gateway discovery.
374 With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller
375 will enable gateway discovery using an Admin API service.
376 For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme].
377 This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher.
378 [#747](https://github.com/Kong/charts/pull/747)
379 * Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values.
380 This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and
381 requires `ingressController.gatewayDiscovery.enabled` set to `true`.
382 [#746](https://github.com/Kong/charts/pull/746)
383 * Added support for annotations on the admission webhook ValidatingWebhookConfiguration.
384 [#760](https://github.com/Kong/charts/pull/760)
385 * Added support for `subject` and `privateKey` properties on certificates.
386 [#762](https://github.com/Kong/charts/pull/762)
387 * Added support for loadBalancerClass in LoadBalancer type services.
388 [#767](https://github.com/Kong/charts/pull/767)
389 * Added support for `GRPCRoute`s.
390 [#772](https://github.com/Kong/charts/pull/772)
391 * Default Kong version is bumped to 3.2.
392 [#773](https://github.com/Kong/charts/pull/773)
393 * Added support for admissionhook to include labels.
394 [#768](https://github.com/Kong/charts/pull/768)
398 * Add kube-linter to the CI pipeline to ensure produced manifests comply
399 with community best practices.
400 [#751](https://github.com/Kong/charts/pull/751)
402 [kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section
408 * Fix autoscaling version detection.
409 [#752](https://github.com/Kong/charts/pull/752)
410 * Don't include a clear-stale-pid initContainer when kong gateway is not
411 enabled in the deployment.
412 [#749](https://github.com/Kong/charts/pull/749)
418 * HorizontalPodAutoscaler's API version is detected properly.
419 [#744](https://github.com/Kong/charts/pull/744)
425 * Fix template issue preventing custom dblessconfig volume from being mounted.
426 [#741](https://github.com/Kong/charts/pull/741)
432 * The admission webhook is disabled when the ingress controller is disabled, as
433 the admission webhook requires a service provided by the ingress controller.
439 * serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20.
440 [#735](https://github.com/Kong/charts/pull/735)
446 * Let users specify their own labels and annotations for generated PodSecurityPolicy.
447 [#721](https://github.com/Kong/charts/pull/721)
448 * Enable the admission webhook by default. This can reject configuration, but
449 is not expected to be a meaningfully breaking change. Existing configuration
450 is not affected, and any new changes that the webhook would reject would also
452 [#727](https://github.com/Kong/charts/pull/727)
453 * Replaced static secret with projected volume in deployment.
454 [#722](https://github.com/Kong/charts/pull/722)
455 * Reject invalid log config values.
456 [#733](https://github.com/Kong/charts/pull/733)
457 * Update custom resource definitions to latest v2.8.1 from
458 kong/kubernetes-ingress-controller
459 [#730](https://github.com/Kong/charts/pull/730)
460 * Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in
461 migrations Jobs. This was already the case for the Deployment.
462 [#729](https://github.com/Kong/charts/pull/729)
468 * Changed `ingressController.readinessProbe` to use `/readyz` to prevent pods from becoming ready and serving 404s prior to the `ingress-controller` first syncing config to the `proxy` [#716](https://github.com/Kong/charts/pull/716).
469 * Fixed incorrect `if` block order in volume mount templates.
475 * Do not attempt to mount DB-less config if none provided by chart.
481 * Remove unnecessary failure condition from [#695](https://github.com/Kong/charts/pull/695).
487 * Add the `dblessConfig.secret` key to the values file, allowing the user to
488 supply a Secret for their dbless config file.
489 [#695](https://github.com/Kong/charts/pull/695)
490 * Add support for version `v1beta1` of the Gateway API when generating RBAC rules.
491 * Add support for version `v1beta1` of the Gateway API when generating RBAC rules.
492 ([#706](https://github.com/Kong/charts/pull/706))
493 * Prevent supplying duplicate plugin inclusion to `KONG_PLUGINS` env variable.
494 ([#711](https://github.com/Kong/charts/pull/711))
498 * Removed appProtocol to fix AKS load balancer
499 ([#705](https://github.com/Kong/charts/pull/705))
500 * Fix lookup for CA certificate secret for admission webhook.
501 ([#704](https://github.com/Kong/charts/pull/704))
505 Note: KIC 2.8 does include several updates to CRDs, but only for documentation and validation.
506 You can [upgrade CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds),
507 but doing so is not required.
511 * Default Kong and KIC versions bumped to 3.1 and 2.8.
512 * UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream).
513 This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so.
514 [#682](https://github.com/Kong/charts/pull/682)
515 * Supported `autoscaling/v2` API
516 ([#679](https://github.com/Kong/charts/pull/679))
517 * Add support for specifying the minium number of seconds for which newly created pods should be ready without
518 any of its container crashing, for it to be considered available. (`deployment.minReadySeconds`)
519 ([#688](https://github.com/Kong/charts/pull/688))
520 * Increased the default memory requests and limits for the Kong pod to 2G
521 ([#690](https://github.com/Kong/charts/pull/690))
522 * Add a rule for `KongIngress` to the ValidatingWebhookConfiguration.
523 ([#702](https://github.com/Kong/charts/pull/702))
527 * Removed `PodSecurityPolicy` if the API is not supported in k8s cluster
528 to be compatible to k8s 1.25+.
529 [#680](https://github.com/Kong/charts/pull/680)
536 * Updated default controller version to [KIC 2.7](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#270).
542 * Added cert-manager issuer support for proxy default and cluster mtls certificates
543 ([#592](https://github.com/Kong/charts/pull/592))
544 * Updated CRDs with the new ordering field for KongPlugins, the new
545 IngressClassParameters resource, and assorted field description updates.
546 These [require a manual update](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds).
547 * Updated default tags to Kong 3.0 and KIC 2.6.
553 * Added ClusterRole for cluster-scoped resources when using watchNamespaces.
554 [#611](https://github.com/Kong/charts/issues/611)
555 * Added `extraObjects` to create additional k8s resources as part of the helm release.
556 [#652](https://github.com/Kong/charts/issues/652)
562 * Fixed Deployment missing if in case of empty tolerations
563 [#630](https://github.com/Kong/charts/issues/630)
564 * Use stdout and stderr by default for all logs. Several were writing to prefix
566 [#634](https://github.com/Kong/charts/issues/634)
567 * Remove `terminationGracePeriodSeconds` from KIC's container spec since this
568 field is only applicable for pods, not containers.
569 [#640](https://github.com/Kong/charts/issues/640)
573 * Bump controller version to 2.5.
574 [#642](https://github.com/Kong/charts/issues/642)
575 * Added `fullnameOverride` to override the normal resource name string.
576 [#635](https://github.com/Kong/charts/issues/635)
577 * Added size limits for emptyDir mounts.
578 [#632](https://github.com/Kong/charts/issues/632)
584 * Kuma now also mounts ServiceAccount tokens on releases without a controller
591 * Updated manual ServiceAccount Secret mount format for compatibility with
598 * Added option to disable test job pods.
599 [#598](https://github.com/Kong/charts/issues/598)
600 * Changed default admission failure policy from `Fail` to `Ignore`.
601 [#612](https://github.com/Kong/charts/issues/612)
602 * ServiceAccount tokens are now only mounted in the controller container to
603 limit attack surface.
604 [#619](https://github.com/Kong/charts/issues/619)
610 * Fixed another unwanted newline chomp that broke GatewayClass
615 * Added terminationDelaySeconds for Ingress Controller.
616 ([597](https://github.com/Kong/charts/pull/597))
617 * Made KNative permissions conditional on CRD availability.
621 * Removed KNative permission from the Gateway permissions set.
627 * Fixed an unwanted newline chomp in fix PR #595.
628 ([594](https://github.com/Kong/charts/pull/594))
634 * Fixed the stream default type, which should have been an empty array, not an
635 empty map. This had no effect on chart behavior, but resulted in warning
636 messages when user values.yamls contained non-empty stream configuration.
637 ([594](https://github.com/Kong/charts/pull/594))
638 * Gateway API permissions are no longer created if Gateway API CRDs are not
639 installed on the cluster. This would block installs by non-super admin users.
640 ([595](https://github.com/Kong/charts/pull/595))
646 2.8 requires manual removal of existing IngressClass resources and updates the
647 Postgres sub-chart version. Further details are available [in the upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#280).
649 The chart honors `ingressController.installCRDs: false` again. Remove it from
650 your values.yaml if it is currently present. Unless your install user [lacks
652 CRDs](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-c
653 luster-scoped-permissions), which would have prevented you from installing
654 earlier chart versions, you should omit this setting and let the templates
655 detect whether you use the legacy CRD installation method automatically.
659 * Added Ingress for cluster sync.
660 ([583](https://github.com/Kong/charts/pull/583))
661 * Added controller support for custom environment variables.
662 ([568](https://github.com/Kong/charts/pull/568))
663 * Ingress `pathType` field is now configurable.
664 ([564](https://github.com/Kong/charts/pull/564))
665 * Added IngressClass resources to RBAC roles.
666 ([563](https://github.com/Kong/charts/pull/563))
667 * Ingresses now support wildcard hostnames.
668 ([559](https://github.com/Kong/charts/pull/559))
669 * Enables the option to add sidecar containers to the migration containers.
670 ([540](https://github.com/Kong/charts/pull/540))
671 * Update the IngressClass controller string to match the value used upstream.
672 ([557](https://github.com/Kong/charts/pull/557))
673 * Added support for user-defined controller volume mounts.
674 ([560](https://github.com/Kong/charts/pull/560))
675 * Added support for autoscaling `behavior`.
676 ([561](https://github.com/Kong/charts/pull/561))
677 * Improved support and documentation for installations that [lack
678 cluster-scoped permissions](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-cluster-scoped-permissions).
679 ([565](https://github.com/Kong/charts/pull/565))
680 * Updated podDisruptionBudget from `policy/v1beta1` to `policy/v1`.
681 ([574](https://github.com/Kong/charts/pull/574))
682 * Updated controller version to 2.3.
686 * Removed CREATE from ValidatingWebhookConfiguration objectSelector for Secrets to align with changes in Kong/kubernetes-ingress-controller.
687 ([#542](https://github.com/Kong/charts/pull/542))
688 * Fixed traffic routing from Istio's envoy proxy to Kong proxy when using Istio's AuthorizationPolicy.
689 ([#550](https://github.com/Kong/charts/pull/550))
690 * Fixed creation of non-default IngressClasses
691 ([#552](https://github.com/Kong/charts/pull/552))
692 * Fixed: wait_for_db no longer tries to instantiate the keyring in Kong Enterprise
693 ([#556](https://github.com/Kong/charts/pull/556))
697 2.7.0 includes CRD updates, which [must be applied manually](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#270).
701 * There are upstream changes to the Postgres sub-chart that change many
702 values.yaml keys. The default `postgresqlUsername` and `postgresqlDatabase`
703 keys used in this chart's values.yaml are now `auth.username` and
704 `auth.database`. If you set other Postgres sub-chart values, consult the
705 [upstream README](https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
706 and [upgrade guide](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/#to-1100)
707 to see what you need to change.
711 * Added Gateway API resources to RBAC rules.
712 ([#536](https://github.com/Kong/charts/pull/536))
713 * Replaced `sleep 15` in `preStop` command with `--wait=15` argument to `kong quit`.
714 ([#531](https://github.com/Kong/charts/pull/531))
715 * Added support for non `KONG_` prefixed custom environment variables
716 ([#530](https://github.com/Kong/charts/pull/530))
717 * Updated to latest CRDs from upstream.
723 * Generated IngressClass resources persist across updates properly.
724 ([#518](https://github.com/Kong/charts/pull/518))
730 * Updated default tags to Kong 2.7, Kong Enterprise 2.7.0.0, and Kong Ingress
735 * Corrected a misnamed field in podDisruptionBudget.
736 ([#519](https://github.com/Kong/charts/pull/519))
742 * Increased example resources for the Kong container.
743 ([#511](https://github.com/Kong/charts/pull/511))
747 * Corrected an invalid label match condition for the admission webhook.
748 ([#513](https://github.com/Kong/charts/pull/513))
754 * Added `app` and `version` labels to pods.
755 ([#504](https://github.com/Kong/charts/pull/504))
756 * Reworked leftover socket file cleanup to avoid similar problems of the same
758 ([#508](https://github.com/Kong/charts/pull/508))
762 * SecurityContext and resources applied to PID cleanup initContainer also.
763 ([#503](https://github.com/Kong/charts/pull/503))
764 * Disabled the admission webhook on Helm Secrets, fixing an issue where it
765 prevented Helm from updating release metadata.
766 ([#500](https://github.com/Kong/charts/pull/500))
767 * initContainers that use the Kong image use the same imagePullPolicy as the
769 ([#501](https://github.com/Kong/charts/pull/501))
770 * Applied mesh sidecar annotations to the Pod, not the Deployment.
771 ([#507](https://github.com/Kong/charts/pull/507))
777 * Disabled IngressClass creation on Kubernetes versions that do not support it.
778 * Added missing resources (Secrets, KongClusterPlugins) to the admission
779 controller configuration.
780 ([#492](https://github.com/Kong/charts/pull/492))
784 **Note:** chart versions 2.3.0 through 2.5.0 contained an incorrect
785 KongIngress CRD. The `proxy.path` field was missing. Helm will not fix this
786 automatically on upgrade. You can fix it by running:
789 kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml
794 * Added an initContainer to clear leftover PID file in the event of a Kong
795 container crash, allowing the container to restart.
796 ([#480](https://github.com/Kong/charts/pull/480))
797 * Added deployment.hostNetwork to enable host network access.
798 ([#486](https://github.com/Kong/charts/pull/486))
802 * NOTES.txt documentation link now uses up-to-date location.
803 * Ingress availability check tightened to require the Ingress API specifically
804 in `networking.k8s.io/v1`.
805 ([#484](https://github.com/Kong/charts/pull/484))
806 * Flipped backwards logic for creating an IngressClass when no IngressClass was
808 ([#485](https://github.com/Kong/charts/pull/485))
809 * Removed unnecessary hardcoded controller container argument.
810 ([#481](https://github.com/Kong/charts/pull/481))
811 * Restored missing `proxy.path` field to KongIngress CRD.
817 * Default Kong proxy version updated to 2.6.
821 * Properly disable KongClusterPlugin when watchNamespaces is set.
822 ([#475](https://github.com/Kong/charts/pull/475))
828 * KIC now defaults to version 2.0. If you use a database, you must first
829 perform a temporary intermediate upgrade to disable KIC before upgrading it
830 to 2.0 and re-enabling it. See the [upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#disable-ingress-controller-prior-to-2x-upgrade-when-using-postgresql)
831 for detailed instructions.
832 * ServiceAccount are now always created by default unless explicitly disabled.
833 ServiceAccount customization has [moved under the `deployment` section of
834 configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changed-serviceaccount-configuration-location)
835 to reflect this. This accomodates configurations that need a ServiceAccount
836 but that do not use the ingress controller.
837 ([#455](https://github.com/Kong/charts/pull/455))
841 * Migration jobs support a configurable backoffLimit.
842 ([#442](https://github.com/Kong/charts/pull/442))
843 * Generated Ingresses now use `networking.k8s.io/v1` when available.
844 ([#446](https://github.com/Kong/charts/pull/446))
848 * 5-digit UDP ports now work properly.
849 ([#443](https://github.com/Kong/charts/pull/443))
850 * Fixed port name used for NLB annotation example.
851 ([#458](https://github.com/Kong/charts/pull/458))
852 * Fixed a compatibility issue with Helm's `--set-file` feature and
853 user-provided DB-less configuration ConfigMaps.
854 ([#465](https://github.com/Kong/charts/pull/465))
860 * Upgraded CRDs to V1 from the previous deprecated v1beta1.
861 [#391](https://github.com/kong/charts/issues/391)
862 ACTION REQUIRED: This is a breaking change as it makes
863 this chart incompatible with Kubernetes clusters older
864 than v1.16.x. Upgrade your cluster to a version greater
865 than or equal to v1.16 before installing.
866 Note that technically it will remain possible to deploy
867 on older clusters by managing the CRDs manually ahead of
868 time (e.g. intentionally deploying the legacy CRDs) but
869 these configurations will be considered unsupported.
870 [upgrade](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/)
871 ACTION REQUIRED: For existing deployments Helm avoids managing
872 CRDs so when upgrading from a previous release you will need
873 to apply the new V1 versions of the CRDs (in `crds/`) manually.
874 [hip-0011](https://github.com/helm/community/blob/main/hips/hip-0011.md)
875 ([#415](https://github.com/Kong/charts/pull/415))
876 * Added support for controller metrics to the Prometheus resources. This
877 requires KIC 2.x. The chart automatically detects if your controller image is
878 compatible, but only if your tag is semver-compliant. If you are using an
879 image without a semver-compliant tag (such as `next`) you _must_ set the
880 `ingressController.image.effectiveSemver` value to a semver string
881 appropriate for your image (for example, if your image is 2.0.0-based, you
882 would set it to `2.0.0`.
883 ([#430](https://github.com/Kong/charts/pull/430))
887 * Updated default Kong versions to 2.5 (OSS) and 2.5.0.0 (Enterprise).
888 * Added user-configured initContainer support to Jobs.
889 ([#408](https://github.com/Kong/charts/pull/408))
890 * Upgraded RBAC resources to v1 from v1beta1 for compatibility with Kubernetes
891 1.22 and newer. This breaks compatibility with Kubernetes 1.7 and older, but
892 these Kubernetes versions were never supported, so this change is not
893 breaking. Added additional permissions to support KIC 2.x.
894 ([#420](https://github.com/Kong/charts/pull/420))
895 ([#419](https://github.com/Kong/charts/pull/419))
896 * Added `ingressController.watchNamespaces[]` to values.yaml. When set, the
897 controller will only watch the listed namespaces (instead of all namespaces,
898 the default), and will create Roles for each namespace (instead of a
899 ClusterRole). This feature requires KIC 2.x.
900 ([#420](https://github.com/Kong/charts/pull/420))
901 * Added support for [dnsPolicy and
902 dnsConfig](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/).
903 ([#425](https://github.com/Kong/charts/pull/425))
904 * Use migration commands directly in upgrade/install Jobs instead of invoking
905 them via a shell. This adds support for some additional features in Kong
906 images that only apply when the container command starts with `kong`.
907 ([#429](https://github.com/Kong/charts/pull/429))
910 * Fixed an incorrect template for DaemonSet releases.
911 ([#426](https://github.com/Kong/charts/pull/426))
917 * Removed default `maxUnavailable` setting for pod disruption budget
918 configuration. This is necessary to allow usage of the `minUnavailable`
919 setting, but means that there is no longer any default availability
920 constraint. If you set `podDisruptionBudget.enabled=true` in your values and
921 did not previously set any `podDisruptionBudget.maxUnavailable` value, you
922 must add `podDisruptionBudget.maxUnavailable="50%"` to your values.
926 * Added host alias injection to override DNS and/or add DNS entries not
927 available from the DNS resolver.
928 ([#366](https://github.com/Kong/charts/pull/366))
929 * Added support for custom labels.
930 ([#370](https://github.com/Kong/charts/pull/370))
931 * Only add paths to Ingresses if configured, for OpenShift 4.x compatibility.
932 ([#375](https://github.com/Kong/charts/pull/375))
933 * Kong containers no longer the image ENTRYPOINT. This allows the stock image
934 bootstrap scripts to run normally.
935 ([#377](https://github.com/Kong/charts/pull/377))
936 * Added security context settings for containers.
937 ([#387](https://github.com/Kong/charts/pull/387))
938 * Bumped Kong and controller image defaults to the latest versions.
939 ([#378](https://github.com/Kong/charts/pull/378))
940 * Added support for user-provided admission webhook certificates.
941 ([#385](https://github.com/Kong/charts/pull/385))
942 * Disable service account tokens when it is unnecessary.
943 ([#389](https://github.com/Kong/charts/pull/389))
947 * Admission webhook port is now listed under the controller container, where
948 the admission webhook runs.
949 ([#384](https://github.com/Kong/charts/pull/384))
953 * Removed a duplicate key from example values.
954 ([#360](https://github.com/Kong/charts/pull/360))
955 * Clarified Enterprise free mode usage.
956 ([#362](https://github.com/Kong/charts/pull/362))
957 * Expand EKS Service annotation examples for proxy.
958 ([#376](https://github.com/Kong/charts/pull/375))
964 * Added support for user-defined volumes, volume mounts, and init containers.
965 ([#317](https://github.com/Kong/charts/pull/317))
966 * Tolerations are now applied to migration Job Pods also.
967 ([#341](https://github.com/Kong/charts/pull/341))
968 * Added support for using a DaemonSet instead of Deployment.
969 ([#347](https://github.com/Kong/charts/pull/347))
970 * Updated default image versions and completed migration off Bintray
972 ([#349](https://github.com/Kong/charts/pull/349))
973 * PDB ignores migration Job Pods.
974 ([#352](https://github.com/Kong/charts/pull/352))
978 * Clarified service monitor usage information.
979 ([#345](https://github.com/Kong/charts/pull/345))
985 * Helm 2 is no longer supported. You **must** [migrate your Kong chart releases
986 to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to
988 * Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters)
989 are no longer supported.
990 * The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration)
991 is no longer supported.
992 * Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration)
993 is no longer supported.
994 * Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress)
995 is no longer supported.
997 `helm upgrade` with the previous version (1.15.0) will print a warning message
998 if you still use any of the removed values.yaml configuration. If you do not
999 see any warnings after the upgrade completes, you are already using the modern
1000 equivalents of these settings and can proceed with upgrading to 2.0.0-rc1.
1004 * Admission webhook certificates persist after their initial creation. This
1005 prevents an unnecessary restart of Kong Pods on upgrades that do not actually
1006 modify the deployment.
1007 ([#256](https://github.com/Kong/charts/pull/256))
1008 * `ingressController.installCRDs` now defaults to `false`, simplifying
1009 installation on Helm 3. Installs now default to using Helm 3's CRD management
1010 system, and do not require changes to values or install flags to install
1012 ([#305](https://github.com/Kong/charts/pull/305))
1013 * Added support for Pod `topologySpreadConstraints`.
1014 ([#308](https://github.com/Kong/charts/pull/308))
1015 * Kong Ingress Controller image now pulled from Docker Hub (due to Bintray being
1016 discontinued). Changed the default Docker image repository for the ingress
1021 * Generated admission webhook certificates now include SANs for compatibility
1022 with Go 1.15 controller builds.
1023 ([#312](https://github.com/Kong/charts/pull/312)).
1027 * Clarified use of `terminationGracePeriodSeconds`.
1028 ([#302](https://github.com/Kong/charts/pull/302))
1032 1.15.0 is an interim release before the planned release of 2.0.0. There were
1033 several feature changes we wanted to release prior to the removal of deprecated
1034 functionality for 2.0. The original planned deprecations covered in the [1.14.0
1035 changelog](#1140) are still planned for 2.0.0.
1039 * The default Kong version is now 2.3 and the default Kong Enterprise version
1041 * Added configurable `terminationGracePeriodSeconds` for the pre-stop lifecycle
1043 ([#271](https://github.com/Kong/charts/pull/271)).
1044 * Initial migration database wait init containers no longer have a default
1045 image configuration in values.yaml. When no image is specified, the chart
1046 will use the Kong image. The standard Kong images include bash, and can run
1047 the database wait script without downloading a separate image. Configuring a
1048 wait image is now only necessary if you use a custom Kong image that lacks
1050 ([#285](https://github.com/Kong/charts/pull/285)).
1051 * Init containers for database availability and migration completeness can now
1052 be disabled. They cause compatibility issues with many service meshes.
1053 ([#285](https://github.com/Kong/charts/pull/285)).
1054 * Removed the default migration Job annotation that disabled Kuma's mesh proxy.
1055 The latest version of Kuma no longer prevents Jobs from completing.
1056 ([#285](https://github.com/Kong/charts/pull/285)).
1057 * Services now support user-configurable labels, and the Prometheus
1058 ServiceMonitor label is included on the proxy Service by default. Users that
1059 disable the proxy Service and add this label to another Service to collect
1061 ([#290](https://github.com/Kong/charts/pull/290)).
1062 * Migration Jobs now allow resource quota configuration. Init containers
1063 inherit their resource quotas from their associated Kong container.
1064 ([#294](https://github.com/Kong/charts/pull/294)).
1068 * The database readiness wait script ConfigMap and associated mounts are no
1069 longer created if that feature is not in use.
1070 ([#285](https://github.com/Kong/charts/pull/285)).
1071 * Removed a duplicated field from CRDs.
1072 ([#281](https://github.com/Kong/charts/pull/281)).
1078 * Removed `http2` from default status listen TLS parameters. It only supports a
1079 limited subset of the extra listen parameters, and does not allow `http2`.
1085 * Status listens now include parameters in the default values.yaml. The absence
1086 of these defaults caused a template rendering error when the TLS listen was
1091 * Updated status listen comments to reflect TLS listen availability on Kong
1098 * Fix issues with legacy proxy Ingress object template.
1104 * Corrected invalid default value for `enterprise.smtp.smtp_auth`.
1110 * Moved several Kong container settings into the appropriate template block.
1111 Previously these were rendered whether or not the Kong container was enabled,
1112 which unintentionally applied them to the controller container.
1116 ### Breaking changes
1118 1.14 is the last planned 1.x version of the Kong chart. 2.x will remove support
1119 for Helm 2.x and all deprecated configuration. The chart prints a warning when
1120 upgrading or installing if it detects any configuration still using an old
1123 * All Ingress and Service resources now use the same template. This ensures
1124 that all chart Ingresses and Services support the same configuration. The
1125 proxy previously used a unique Ingress configuration, which is now
1126 deprecated. If you use the proxy Ingress, [see the instructions in
1127 UPGRADE.md](https://github.com/Kong/charts/blob/kong-1.14.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress)
1128 to update your configuration. No changes are required for other Service and
1129 Ingress configurations.
1130 ([#251](https://github.com/Kong/charts/pull/251)).
1131 * The chart now uses the standard Kong status endpoint instead of custom
1132 configuration, allowing users to specify their own custom configuration. The
1133 status endpoint is no available in versions older than Kong 1.4.0 or Kong
1134 Enterprise 1.5.0; if you use an older version, you will need to [add and load
1135 the old custom configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#default-custom-server-block-replaced-with-status-listen).
1137 If you use a newer version and include Kong container readinessProbe and/or
1138 livenessProbe configuration in your values.yaml, you must change the port
1139 from `metrics` to `status`.
1140 ([#255](https://github.com/Kong/charts/pull/255)).
1144 * Correct an issue with migrations Job toggles.
1145 ([#231](https://github.com/Kong/charts/pull/231))
1151 * Updated default Kong Enterprise version to 2.2.1.0-alpine.
1152 * Updated default Kong Ingress Controller version to 1.1.
1153 * Add `namespace` to values.yaml to override release namespace if desired.
1154 ([#231](https://github.com/Kong/charts/pull/231))
1158 * Migration Jobs now use the same nodeSelector configuration as the main Kong
1160 ([#238](https://github.com/Kong/charts/pull/238))
1161 * Disabled custom Kong template mount if Kong is not enabled.
1162 ([#240](https://github.com/Kong/charts/pull/240))
1163 * Changed YAML string to a YAML boolean.
1164 ([#240](https://github.com/Kong/charts/pull/240))
1168 * Clarify requirements for using horizontal pod autoscalers.
1169 ([#236](https://github.com/Kong/charts/pull/236))
1175 * Increased default worker count to 2 to avoid issues with latency during
1176 blocking tasks, such as DB-less config updates. This change increases memory
1177 usage, but the increase should not be a concern for any but the smallest
1178 deployments (deployments with memory limits below 512MB).
1179 * Updated default Kong version to 2.2.
1180 ([#221](https://github.com/Kong/charts/pull/221))
1181 * Updated default Kong Enterprise version to 2.1.4.1.
1182 * Added a means to mount extra ConfigMap and Secret resources.
1183 ([#208](https://github.com/Kong/charts/pull/208))
1184 * Added configurable annotations for migration Jobs.
1185 ([#219](https://github.com/Kong/charts/pull/219))
1186 * Added template for deprecation warnings to automate formatting and avoid
1191 * Upgrades no longer force auto-scaling Deployments back to the replica count.
1192 ([#222](https://github.com/Kong/charts/pull/222))
1196 ### Breaking changes
1198 * Kong Ingress Controller 1.0 removes support for several deprecated flags and
1199 the KongCredential custom resource. Please see the [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#breaking-changes)
1200 for details. Note that Helm 3 will not remove the KongCredential CRD by
1201 default: you should delete it manually after converting KongCredentials to
1202 [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer).
1203 If you manage CRDs using Helm (check to see if your KongCredential CRD has a
1204 `app.kubernetes.io/managed-by: Helm` label), perform the credential Secret
1205 conversion **before** upgrading to chart 1.11.0 to avoid losing credential
1207 * The chart no longer uses the `extensions` API for PodSecurityPolicy, and now
1208 uses the modern `policy` API. This breaks compatibility with Kubernetes
1209 versions 1.11 and older.
1210 ([#195](https://github.com/Kong/charts/pull/195))
1214 * Updated default controller version to 1.0.
1215 * The chart now adds namespace information to manifests explicitly. This
1216 simplifies workflows that use `helm template`.
1217 ([#193](https://github.com/Kong/charts/pull/193))
1220 * Changes to annotation block generation prevent incorrect YAML indentation
1221 when specifying annotations via command line arguments to Helm commands.
1222 ([#200](https://github.com/Kong/charts/pull/200))
1226 ### Breaking changes
1228 * Kong Ingress Controller 0.10.0 comes with breaking changes to global
1229 `KongPlugin`s and to resources without an ingress class defined. Refer to the
1230 [`UPGRADE.md notes for chart 1.10.0`](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#1100)
1235 * Updated default controller version to 0.10.0.
1239 * Removed the `status` field from the `TCPIngress` CRD.
1240 ([#188](https://github.com/Kong/charts/pull/188))
1246 * Clarified documentation for [breaking changes in 1.9.0](#190) to indicate
1247 that any values.yaml that sets `waitImage.repository` requires changes,
1248 including those that set the old default.
1249 * Updated Enterprise examples to use latest Enterprise image version.
1253 ### Breaking changes
1255 1.9.0 now uses a bash-based pre-migration database availability check. If you
1256 set `waitImage.repository` in values.yaml, either to the previous default
1257 (`busybox`) or to a custom image, you must change it to an image that includes
1258 a `bash` executable.
1260 Once you have `waitImage.repository` set to an image with bash, [perform an
1261 initial chart version upgrade with migrations disabled](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-wait-for-postgres-image)
1262 before re-enabling migrations, updating your Kong image version, and performing
1263 a second release upgrade.
1267 * Added support for sidecar injection.
1268 ([#174](https://github.com/Kong/charts/pull/174))
1269 * Changed to a bash-based pre-migration database availability check.
1270 ([#179](https://github.com/Kong/charts/pull/179))
1271 * Changed to a bash-based pre-migration database availability check.
1272 ([#179](https://github.com/Kong/charts/pull/179))
1273 * Updated default Kong Enterprise version to 2.1.3.0.
1277 * Added missing cluster telemetry service and fixed missing cluster service
1279 ([#185](https://github.com/Kong/charts/pull/185))
1283 * Added an example Enterprise controller-managed DB-less values.yaml.
1284 ([#175](https://github.com/Kong/charts/pull/175))
1288 **Kong Enterprise users:** please review documentation for the [Kong Enterprise
1290 release](https://docs.konghq.com/enterprise/2.1.x/release-notes/#coming-soon)
1291 and [hybrid mode on Kong
1292 Enterprise](https://docs.konghq.com/enterprise/2.1.x/deployment/hybrid-mode/#kubernetes-support)
1293 as well. Version 1.8 of the Kong Helm chart adds support for hybrid mode, which
1294 is currently only available in the 2.1.x beta. Production systems should
1295 continue to use the Kong Enterprise 1.5.x stable releases, which do not support
1300 * Update default Kong version to 2.1.
1301 * Update Kong Enterprise images to 1.5.0.4 (kong-enterprise-edition) and
1302 2.0.4.2 (kong-enterprise-k8s).
1303 * Updated default controller version to 0.9.1.
1304 ([#150](https://github.com/Kong/charts/pull/150))
1305 * Added support for ServiceMonitor targetLabels (for use with the Prometheus
1307 ([#162](https://github.com/Kong/charts/pull/162))
1308 * Automatically handle the [new port_maps
1309 setting](https://github.com/Kong/kong/pull/5861) for the proxy service.
1310 ([#169](https://github.com/Kong/charts/pull/169))
1311 * Add support for [hybrid mode
1312 deployments](https://docs.konghq.com/latest/hybrid-mode/).
1313 ([#160](https://github.com/Kong/charts/pull/160))
1318 * Fixed an issue with improperly-rendered listen strings.
1319 ([#155](https://github.com/Kong/charts/pull/155))
1323 * Improved inline documentation of `env` in values.yaml.
1324 ([#163](https://github.com/Kong/charts/pull/163))
1331 [CRD-only](https://github.com/Kong/charts/blob/1.7.0/charts/kong/README.md#crds-only)
1332 and [controller-only releases](https://github.com/Kong/charts/blob/next/charts/kong/README.md#standalone-controller-nodes).
1333 ([#136](https://github.com/Kong/charts/pull/136))
1337 * Added a set of [example
1338 values.yamls](https://github.com/Kong/charts/tree/main/charts/kong/example-values)
1339 for various configurations of Kong and Kong Enterprise.
1340 ([#134](https://github.com/Kong/charts/pull/134))
1344 This release contains no changes other than the version. This is to address an
1345 issue with our release automation.
1351 * Updated default controller version to 0.9.0.
1352 ([#132](https://github.com/Kong/charts/pull/132))
1353 * Updated default Enterprise versions to 2.0.4.1 and 1.5.0.2.
1354 ([#130](https://github.com/Kong/charts/pull/130))
1355 * Added ability to override chart lifecycle.
1356 ([#116](https://github.com/Kong/charts/pull/116))
1357 * Added ability to apply user-defined labels to pods.
1358 ([#121](https://github.com/Kong/charts/pull/121))
1359 * Filtered serviceMonitor to disable metrics collection from non-proxy
1361 ([#112](https://github.com/Kong/charts/pull/112))
1362 * Set admin API to listen on localhost only if possible.
1363 ([#125](https://github.com/Kong/charts/pull/125))
1364 * Add `auth_type` and `ssl` settings to `smtp` block.
1365 ([#127](https://github.com/Kong/charts/pull/127))
1366 * Remove UID from default securityContext.
1367 ([#138](https://github.com/Kong/charts/pull/138))
1371 * Corrected invalid default serviceMonitor.interval value.
1372 ([#110](https://github.com/Kong/charts/pull/110))
1373 * Removed duplicate `installCRDs` documentation.
1374 ([#115](https://github.com/Kong/charts/pull/115))
1375 * Simplified example license Secret creation command.
1376 ([#131](https://github.com/Kong/charts/pull/131))
1382 * Added support for annotating the ServiceAccount.
1383 ([#97](https://github.com/Kong/charts/pull/97))
1384 * Updated controller templates to use environment variables for default
1386 ([#99](https://github.com/Kong/charts/pull/99))
1387 * Added support for stream listens.
1388 ([#103](https://github.com/Kong/charts/pull/103))
1389 * Moved migration configuration under a `migrations` block with support for
1390 enabling upgrade jobs independently and adding annotations.
1391 ([#102](https://github.com/Kong/charts/pull/102))
1392 * Added support for the [status listen](https://github.com/Kong/kong/pull/4977).
1393 ([#107](https://github.com/Kong/charts/pull/107))
1394 * :warning: Exposed PodSecurityPolicy spec in values.yaml and added default
1395 configuration to enforce a read-only root filesystem. **Kong Enterprise
1396 versions prior to 1.5.0 require the root filesystem be read-write. If you use
1397 an older version and enforce PodSecurityPolicy, you must set
1398 `.Values.podSecurityPolicy.spec.readOnlyRootFilesystem: false`.**
1399 ([#104](https://github.com/Kong/charts/pull/104))
1403 * Fixed old init-migrations jobs blocking upgrades.
1404 ([#102](https://github.com/Kong/charts/pull/102))
1408 * Fixed discrepancy between image version in values.yaml and README.md.
1409 ([#96](https://github.com/Kong/charts/pull/96))
1410 * Added example Enterprise image tags to values.yaml.
1411 ([#100](https://github.com/Kong/charts/pull/100))
1412 * Added deprecation warnings in CHANGELOG.md.
1413 ([#91](https://github.com/Kong/charts/pull/91))
1414 * Improved RBAC documentation to clarify process and use new controller
1416 ([#95](https://github.com/Kong/charts/pull/95))
1417 * Added documentation for managing multi-release clusters with varied node
1418 roles (e.g. admin-only, Portal-only, etc.).
1419 ([#102](https://github.com/Kong/charts/pull/102))
1425 * Fixed an issue with the 1.4.1 upgrade steps.
1431 * :warning: Service and listen configuration now use a unified configuration
1432 format. **The previous configuration format for the admin API service is
1433 deprecated and will be removed in a future release.** Listen configuration
1434 now supports specifying parameters. Kubernetes service creation can now be
1435 enabled or disabled for all Kong services. Users should review the
1436 [1.4.0 upgrade guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#changes-to-kong-service-configuration)
1437 for details on how to update their values.yaml.
1438 ([#72](https://github.com/Kong/charts/pull/72))
1439 * Updated the default controller version to 0.8. This adds new
1440 KongClusterPlugin and TCPIngress CRDs and RBAC permissions for them. Users
1441 should also note that `strip_path` now defaults to disabled, which will
1442 likely break existing configuration. See [the controller
1443 changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#080---20200325)
1444 and [upgrade-guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#strip_path-now-defaults-to-false-for-controller-managed-routes)
1446 ([#77](https://github.com/Kong/charts/pull/77))
1447 * Added support for user-supplied ingress controller CLI arguments.
1448 ([#79](https://github.com/Kong/charts/pull/79))
1449 * Added support for annotating the chart's deployment.
1450 ([#81](https://github.com/Kong/charts/pull/81))
1451 * Switched to the Bitnami Postgres chart, as the chart in Helm's repository has
1453 there](https://github.com/helm/charts/tree/master/stable/postgresql#this-helm-chart-is-deprecated).
1454 ([#82](https://github.com/Kong/charts/pull/82))
1458 * Corrected the app version in Chart.yaml.
1459 ([#86](https://github.com/Kong/charts/pull/86))
1463 * Fixed incorrect default value for `installCRDs`.
1464 ([#78](https://github.com/Kong/charts/pull/78))
1465 * Added detailed upgrade guide covering breaking changes and deprecations.
1466 ([#74](https://github.com/Kong/charts/pull/74))
1467 * Improved installation steps for Helm 2 and Helm 3.
1468 ([#83](https://github.com/Kong/charts/pull/83))
1469 ([#84](https://github.com/Kong/charts/pull/84))
1470 * Remove outdated `ingressController.replicaCount` setting.
1471 ([#87](https://github.com/Kong/charts/pull/87))
1477 * Added missing newline to NOTES.txt template.
1478 ([#66](https://github.com/Kong/charts/pull/66))
1482 * Instruct users to create secrets for both the kong-enterprise-k8s and
1483 kong-enterprise-edition Docker registries.
1484 ([#65](https://github.com/Kong/charts/pull/65))
1485 * Updated maintainer information.
1491 * Custom plugin mounts now support subdirectories. These are necessary for
1492 plugins that include their own migrations. Note that Kong versions prior to
1493 2.0.1 [have a bug](https://github.com/Kong/kong/pull/5509) that prevents them
1494 from running these migrations. ([#24](https://github.com/Kong/charts/pull/24))
1495 * LoadBalancer services will now respect their NodePort.
1496 ([#48](https://github.com/Kong/charts/pull/41))
1497 * The proxy TLS listen now enables HTTP/2 (and, by extension, gRPC).
1498 ([#47](https://github.com/Kong/charts/pull/47))
1499 * Added support for `priorityClassName` to the Kong deployment.
1500 ([#56](https://github.com/Kong/charts/pull/56))
1501 * Bumped default Kong version to 2.0 and controller version to 0.7.1.
1502 ([#60](https://github.com/Kong/charts/pull/60))
1503 * :warning: Removed dedicated Portal auth settings, which are unnecessary in
1504 modern versions. **The `enterprise.portal.portal_auth` and
1505 `enterprise.portal.session_conf_secret` settings in values.yaml are
1506 deprecated and will be removed in a future release.** See the [upgrade
1507 guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters)
1508 for instructions on migrating them to environment variables.
1509 ([#55](https://github.com/Kong/charts/pull/55))
1513 * Fixed typo in HorizontalPodAutoscaler template.
1514 ([#45](https://github.com/Kong/charts/pull/45))
1518 * Added contributing guidelines. ([#41](https://github.com/Kong/charts/pull/41))
1519 * Added README section for Helm 2 versus Helm 3 considerations.
1520 ([#34](https://github.com/Kong/charts/pull/41))
1521 * Added documentation for `proxy.annotations` to README.md.
1522 ([#57](https://github.com/Kong/charts/pull/57))
1523 * Added FAQ entry for init-migrations job conflicts on upgrades.
1524 ([#59](https://github.com/Kong/charts/pull/59)
1525 * Move changelog out of README.md into CHANGELOG.md.
1526 ([#60](https://github.com/Kong/charts/pull/60)
1527 * Improved formatting for 1.2.0 changelog.
1532 * Added support for HorizontalPodAutoscaler.
1533 ([#12](https://github.com/Kong/charts/pull/12))
1534 * Environment variables are now consistently sorted alphabetically.
1535 ([#29](https://github.com/Kong/charts/pull/29))
1538 * Removed temporary ServiceAccount template, which caused upgrades to break the
1539 existing ServiceAccount's credentials. Moved template and instructions for
1540 use to FAQs, as the temporary user is only needed in rare scenarios.
1541 ([#31](https://github.com/Kong/charts/pull/31))
1542 * Fix an issue where the wait-for-postgres job did not know which port to use
1543 in some scenarios. ([#28](https://github.com/Kong/charts/pull/28))
1546 * Added warning regarding volume mounts.
1547 ([#25](https://github.com/Kong/charts/pull/25))
1553 * Add missing `smtp_admin_emails` and `smtp_mock = off` to SMTP enabled block in
1558 * Remove version bump requirement in preparation for new release model.
1562 > https://github.com/Kong/charts/pull/4
1566 * Significantly refactor the `env`/EnvVar templating system to determine the
1567 complete set of environment variables (both user-defined variables and
1568 variables generated from other sections of values.yaml) and resolve conflicts
1569 before rendering. User-provided values are now guaranteed to take precedence
1570 over generated values. Previously, precedence relied on a Kubernetes
1571 implementation quirk that was not consistent across all Kubernetes providers.
1572 * Combine templates for license, session configuration, etc. that generate
1573 `secretKeyRef` values into a single generic template.
1577 - Fix invalid namespace for pre-migrations and Role.
1578 - Fix whitespaces formatting in README.
1582 - Helm 3 support: CRDs are declared in crds directory. Backward compatible support for helm 2.
1586 Fixed invalid namespace variable name causing ServiceAccount and Role to be generated in other namespace than desired.
1590 There are not code changes between `1.0.0` and `0.36.5`.
1591 From this version onwards, charts are hosted at https://charts.konghq.com.
1593 The `0.x` versions of the chart are available in Helm's
1594 [Charts](https://github.com/helm/charts) repository are are now considered
1599 > PR https://github.com/helm/charts/pull/20099
1603 - Allow `grpc` protocol for KongPlugins
1607 > PR https://github.com/helm/charts/pull/20051
1611 - Issue: [`Ingress Controller errors when chart is redeployed with Admission
1612 Webhook enabled`](https://github.com/helm/charts/issues/20050)
1616 > PR https://github.com/helm/charts/pull/19992
1620 - Fix spacing in ServiceMonitor when label is specified in config
1624 > PR https://github.com/helm/charts/pull/19955
1628 - Set `sideEffects` and `admissionReviewVersions` for Admission Webhook
1629 - timeouts for liveness and readiness probes has been changed from `1s` to `5s`
1633 > PR https://github.com/helm/charts/pull/19946
1637 - Added missing watch permission to custom resources
1641 > PR https://github.com/helm/charts/pull/19916
1643 ### Upgrade Instructions
1645 - When upgrading from <0.35.0, in-place chart upgrades will fail.
1646 It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch.
1647 Note that this will cause downtime for the kong proxy.
1651 - Fixed Deployment's label selector that prevented in-place chart upgrades.
1655 > PR https://github.com/helm/charts/pull/19914
1659 - Update CRDs to Ingress Controller 0.7
1660 - Optimize readiness and liveness probes for more responsive health checks
1661 - Fixed incorrect space in NOTES.txt
1665 > PR [#19856](https://github.com/helm/charts/pull/19856)
1669 - Labels on all resources have been updated to adhere to the Helm Chart
1671 https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository
1675 > PR [#19854](https://github.com/helm/charts/pull/19854)
1677 This release contains no user-visible changes
1681 - Various tests have been consolidated to speed up CI.
1685 > PR [#19887](https://github.com/helm/charts/pull/19887)
1689 - Correct indentation for Job securityContexts.
1693 > PR [#19885](https://github.com/helm/charts/pull/19885)
1697 - Update default version of Ingress Controller to 0.7.0
1701 > PR [#19852](https://github.com/helm/charts/pull/19852)
1705 - Correct an issue with white space handling within `final_env` helper.
1709 > PR [#19840](https://github.com/helm/charts/pull/19840)
1713 - Postgres sub-chart has been bumped up to 8.1.2
1717 - Removed podDisruption budge for Ingress Controller. Ingress Controller and
1718 Kong run in the same pod so this was no longer applicable
1719 - Migration job now receives the same environment variable and configuration
1720 as that of the Kong pod.
1721 - If Kong is configured to run with Postgres, the Kong pods now always wait
1722 for Postgres to start. Previously this was done only when the sub-chart
1723 Postgres was deployed.
1724 - A hard-coded container name is used for kong: `proxy`. Previously this
1725 was auto-generated by Helm. This deterministic naming allows for simpler
1726 scripts and documentation.
1730 Following changes have no end user visible effects:
1732 - All Custom Resource Definitions have been consolidated into a single
1734 - All RBAC resources have been consolidated into a single template file
1735 - `wait-for-postgres` container has been refactored and de-duplicated
1741 - This is a doc only release. No code changes have been done.
1742 - Post installation steps have been simplified and now point to a getting
1744 - Misc updates to README:
1745 - Document missing variables
1746 - Remove outdated variables
1747 - Revamp and rewrite major portions of the README
1748 - Added a table of content to make the content navigable
1754 - Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow
1755 for read-only root filesystem securityContexts and PodSecurityPolicys.
1756 - Use read-only mounts for custom plugin volumes.
1757 - Update stock PodSecurityPolicy to allow emptyDir access.
1758 - Override the standard `/usr/local/kong` prefix to the mounted emptyDir
1759 at `/kong_prefix` in `.Values.env`.
1760 - Add securityContext injection points to template. By default,
1761 it sets Kong pods to run with UID 1000.
1765 - Correct behavior for the Vitals toggle.
1766 Vitals defaults to on in all current Kong Enterprise releases, and
1767 the existing template only created the Vitals environment variable
1768 if `.Values.enterprise.enabled == true`. Inverted template to create
1769 it (and set it to "off") if that setting is instead disabled.
1770 - Correct an issue where custom plugin configurations would block Kong
1775 ### Breaking changes
1777 - Admin Service is disabled by default (`admin.enabled`)
1778 - Default for `proxy.type` has been changed to `LoadBalancer`
1782 - Update default version of Kong to 1.4
1783 - Update default version of Ingress Controller to 0.6.2
1784 - Add support to disable kong-admin service via `admin.enabled` flag.
1790 - Do not remove white space between documents when rendering
1791 `migrations-pre-upgrade.yaml`
1797 - Add support for specifying Proxy service ClusterIP
1801 ### Breaking changes
1803 - `admin_gui_auth_conf_secret` is now required for Kong Manager
1804 authentication methods other than `basic-auth`.
1805 Users defining values for `admin_gui_auth_conf` should migrate them to
1806 an externally-defined secret with a key of `admin_gui_auth_conf` and
1807 reference the secret name in `admin_gui_auth_conf_secret`.
1813 - Add support for specifying Ingress Controller environment variables.
1819 - Added support for the Validating Admission Webhook with the Ingress Controller.
1825 - Do not create a ServiceAccount if it is not necessary.
1826 - If a configuration change requires creating a ServiceAccount,
1827 create a temporary ServiceAccount to allow pre-upgrade tasks to
1828 complete before the regular ServiceAccount is created.
1832 ### Documentation updates
1833 - Retroactive changelog update for 0.24 breaking changes.
1837 ### Breaking changes
1839 - DB-less mode is enabled by default.
1840 - Kong is installed as an Ingress Controller for the cluster by default.
1846 - Add support for PodSecurityPolicy
1847 - Require creation of a ServiceAccount
1851 ### Breaking changes
1853 - The configuration format for ingresses in values.yaml has changed.
1854 Previously, all ingresses accepted an array of hostnames, and would create
1855 ingress rules for each. Ingress configuration for services other than the proxy
1856 now accepts a single hostname, which allows simpler TLS configuration and
1857 automatic population of `admin_api_uri` and similar settings. Configuration for
1858 the proxy ingress is unchanged, but its documentation now accurately reflects
1859 the TLS configuration needed.