# Changelog ## 2.38.0 ### Changes * Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP. [#1018](https://github.com/Kong/charts/pull/1018) ## 2.37.1 * Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor. [#1008](https://github.com/Kong/charts/pull/1008) ## 2.37.0 ### Changes * Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1. [#1011](https://github.com/Kong/charts/pull/1011) * Bumped default `kong` image tag to 3.6. [#1011](https://github.com/Kong/charts/pull/1011) ## 2.36.0 ### Fixed * Add `KongLicense` RBAC rules. [#1006](https://github.com/Kong/charts/pull/1006) ## 2.35.1 ### Fixed * The plugin helper no longer sets the plugin list when not in use. [#1002](https://github.com/Kong/charts/pull/1002) ## 2.35.0 ### Added * Added controller's RBAC rules for `KongVault` CRD (installed only when KIC version >= 3.1.0). [#992](https://github.com/Kong/charts/pull/992) ### Fixed * Added a missing `envFrom` render in the main Kong proxy container. [#994](https://github.com/Kong/charts/pull/994) ## 2.34.0 ### Added * The `envFrom` and `ingressController.envFrom` values.yaml keys now populate the container field of the same name. This loads environment variables from ConfigMap or Secret resource keys in bulk: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables [#987](https://github.com/Kong/charts/pull/987) * Kong listens now use both IPv4 and IPv6 addresses. [#986](https://github.com/Kong/charts/pull/986) ## 2.33.3 ### Fixed * Add RBAC rules for get, list and watch operations on namespaces so that Gateway API controllers in KIC can access using a cached controller-runtime client. [#974](https://github.com/Kong/charts/pull/974) ## 2.33.2 ### Fixed * Fix a template bug related to the `affinity` field for migrations Pods. [#972](https://github.com/Kong/charts/pull/972) ## 2.33.1 ### Fixed * Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade` RBAC rules. Refer to [KIC#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302) for rename reasoning. [#968](https://github.com/Kong/charts/pull/968) ## 2.33.0 ### Improvements * Only allow `None` ClusterIPs on ClusterIP-type Services. [#961](https://github.com/Kong/charts/pull/961) [#962](https://github.com/Kong/charts/pull/962) * Bumped Kong version to 3.5. [#957](https://github.com/Kong/charts/pull/957) * Support for `affinity` configuration has been added to migration job templates. * Display a warning message when Kong Manager is enabled and the Admin API is disabled. * Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's admission webhook only when KIC version is 3.0 or higher. [#954](https://github.com/Kong/charts/pull/954) * Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when KongServiceFacade feature gate turned on and KIC version >= 3.1.0). [#963](https://github.com/Kong/charts/pull/963) ## 2.32.0 ### Improvements * Add new `deployment.hostname` value to make identifying instances in controlplane/dataplane configurations easier. [#943](https://github.com/Kong/charts/pull/943) ## 2.31.0 ### Improvements * Added controller's RBAC rules for `KongUpstreamPolicy` CRD. [#917](https://github.com/Kong/charts/pull/917) * Added services resource to admission webhook config for KIC >= 3.0.0. [#919](https://github.com/Kong/charts/pull/919) * Update default ingress controller version to v3.0 [#929](https://github.com/Kong/charts/pull/929) [#930](https://github.com/Kong/charts/pull/930) ### Fixed * The target port for cmetrics should only be applied if the ingress controller is enabled. [#926](https://github.com/Kong/charts/pull/926) * Fix RBAC for Gateway API v1. [#928](https://github.com/Kong/charts/pull/928) * Enable Admission webhook for Gateway API v1 resources. [#928](https://github.com/Kong/charts/pull/928) ## 2.30.0 ### Improvements * Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`. [#896](https://github.com/Kong/charts/pull/896) * The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+. [#907](https://github.com/Kong/charts/pull/907) * Container security context defaults now comply with the restricted pod security standard. This includes an enforced run as user ID set to 1000. UID 1000 is used for official Kong images other than Alpine images (which use UID 100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do not use UID 1000 can still run with this user, as static image files are world-accessible and runtime-created files are created in temporary directories created for the run as user. [#911](https://github.com/Kong/charts/pull/911) * Allow using templates (via `tpl`) when specifying `proxy.nameOverride`. [#914](https://github.com/Kong/charts/pull/914) ## 2.29.0 ### Improvements * Make it possible to set the admission webhook's `timeoutSeconds`. [#894](https://github.com/Kong/charts/pull/894) ## 2.28.1 ### Fixed * The admission webhook now includes Gateway API resources and Ingress resources for controller versions 2.12+. This version introduces new validations for Kong's regex path implementation. [#892](https://github.com/Kong/charts/pull/892) ## 2.28.0 ### Improvements * Bump default `kong` image tag to 3.4. [#883](https://github.com/Kong/charts/pull/883) * Bump default ingress controller image tag to 2.12. * Added validation rule for `latency` upstream load balancing algorithm to CRDs. [Upgrade your CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds) when installing this release. ## 2.27.0 ### Improvements * Listens now all support `.address` configuration. This was an existing setting that was not applied properly for some listens. [#881](https://github.com/Kong/charts/pull/881) ## 2.26.5 ### Fixed * Kuma ServiceAccount Token hints and volumes are also available in migrations Pods. [#877](https://github.com/Kong/charts/pull/877) ## 2.26.4 ### Fixed * updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). ## 2.26.3 ### Fixed * Enabled Service and Ingress in Kong Manager for non enterprise users. ## 2.26.2 ### Fixed * Add missing CRD KongConsumerGroup and extend status subresource for CRDs ## 2.26.1 ### Fixed * Fix parsing enterprise tags (like e.g. `3.4.0.0`) [#857](https://github.com/Kong/charts/pull/857) ## 2.26.0 ### Breaking changes 2.26 changes the default proxy readiness endpoint for newer Kong versions. This causes an issue in a narrow edge case. If all of the following are true: * You use Kong 3.3 or newer. * You use controller 2.10 or older. * You run the controller and proxy in separate Deployments. you are affected and should review [the 2.26 upgrade instructions](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260). ### Improvements * Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if available. If not available, use the old `/status` default. [#844](https://github.com/Kong/charts/pull/844) * Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/) to the the init and pre-upgrade migrations Jobs. * Add controller's RBAC rules for `KongConsumerGroups` CRD. [#850](https://github.com/Kong/charts/pull/850) * Updated controller version to 2.11. ## 2.25.0 - Generate the `adminApiService.name` value from `.Release.Name` rather than hardcoding to `kong` [#839](https://github.com/Kong/charts/pull/839) ## 2.24.0 ### Improvements * Running `tpl` against user-supplied labels and annotations used in Deployment [#814](https://github.com/Kong/charts/pull/814) Example: ```yaml podLabels: version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream ``` * Fail to render templates when PodSecurityPolicy was requested but cluster doesn't serve its API. [#823](https://github.com/Kong/charts/pull/823) * Add support for multiple hosts and tls configurations for Kong proxy `Ingress`. [#813](https://github.com/Kong/charts/pull/813) * Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images. [#834](https://github.com/Kong/charts/pull/834) ### Fixed * Fix Ingress and HPA API versions during capabilities checking [#827](https://github.com/Kong/charts/pull/827) ## 2.23.0 ### Improvements * Add custom label configuration option for Kong proxy `Ingress`. [#812](https://github.com/Kong/charts/pull/812) * Bump default `kong/kubernetes-ingress-controller` image tag to 2.10. Bump default `kong` image tag to 3.3. [#815](https://github.com/Kong/charts/pull/815) ## 2.22.0 ### Improvements * Removed redundant RBAC permissions for non-existing subresources `secrets/status` and `endpoints/status`. [#798](https://github.com/Kong/charts/pull/798) * For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints` are not configured anymore (because it uses `EndpointSlices`). [#798](https://github.com/Kong/charts/pull/798) * Added support for setting `certificates.cluster.commonName`. This allows a custom certificate `CommonName` to be provided when deploying Kong Gateway in hybrid mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804) ## 2.21.0 ### Improvements * Added support for `startupProbe` on Kong pods. This can be configured via `.Values.startupProbe`. To maintain backward compatibility, it is disabled by default. [#792](https://github.com/Kong/charts/pull/792) * Customize Admission Webhook namespaceSelectors and compose them from values. [#794](https://github.com/Kong/charts/pull/794) * Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole. [#796](https://github.com/Kong/charts/pull/796) ## 2.20.2 ### Fixed * Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode is disabled by default. To enable it, set `.Values.ingressController.konnect.license.enabled=true`. [#793](https://github.com/Kong/charts/pull/793) ## 2.20.1 ### Fixed * Fix correct timestamp format and remove `isCA` in certificates [#791](https://github.com/Kong/charts/pull/791) ## 2.20.0 ### Improvements * Added support for automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`). [#787](https://github.com/Kong/charts/pull/787) ## 2.19.1 ### Fixed * Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled` is set. [#779](https://github.com/Kong/charts/pull/779) ## 2.19.0 ### Improvements * Security context enforces read-only root filesystem by default. This is not expected to affect most configurations, but [will affect custom plugins that write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170). [#770](https://github.com/Kong/charts/pull/770) ## 2.18.0 ### Improvements * Added support for the Admin API service TLS client verification. [#780](https://github.com/Kong/charts/pull/780 ## 2.17.1 ### Fixed * The `-redhat` suffix on official KIC images is no longer considered part of the semver string for version checks. [#779](https://github.com/Kong/charts/pull/779) ## 2.17.0 ### Improvements * Added support for controller's gateway discovery. With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller will enable gateway discovery using an Admin API service. For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme]. This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher. [#747](https://github.com/Kong/charts/pull/747) * Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values. This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and requires `ingressController.gatewayDiscovery.enabled` set to `true`. [#746](https://github.com/Kong/charts/pull/746) * Added support for annotations on the admission webhook ValidatingWebhookConfiguration. [#760](https://github.com/Kong/charts/pull/760) * Added support for `subject` and `privateKey` properties on certificates. [#762](https://github.com/Kong/charts/pull/762) * Added support for loadBalancerClass in LoadBalancer type services. [#767](https://github.com/Kong/charts/pull/767) * Added support for `GRPCRoute`s. [#772](https://github.com/Kong/charts/pull/772) * Default Kong version is bumped to 3.2. [#773](https://github.com/Kong/charts/pull/773) * Added support for admissionhook to include labels. [#768](https://github.com/Kong/charts/pull/768) ### Under the hood * Add kube-linter to the CI pipeline to ensure produced manifests comply with community best practices. [#751](https://github.com/Kong/charts/pull/751) [kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section ## 2.16.5 ### Fixed * Fix autoscaling version detection. [#752](https://github.com/Kong/charts/pull/752) * Don't include a clear-stale-pid initContainer when kong gateway is not enabled in the deployment. [#749](https://github.com/Kong/charts/pull/749) ## 2.16.4 ### Fixed * HorizontalPodAutoscaler's API version is detected properly. [#744](https://github.com/Kong/charts/pull/744) ## 2.16.3 ### Fixed * Fix template issue preventing custom dblessconfig volume from being mounted. [#741](https://github.com/Kong/charts/pull/741) ## 2.16.2 ### Fixed * The admission webhook is disabled when the ingress controller is disabled, as the admission webhook requires a service provided by the ingress controller. ## 2.16.1 ### Fixed * serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20. [#735](https://github.com/Kong/charts/pull/735) ## 2.16.0 ### Improvements * Let users specify their own labels and annotations for generated PodSecurityPolicy. [#721](https://github.com/Kong/charts/pull/721) * Enable the admission webhook by default. This can reject configuration, but is not expected to be a meaningfully breaking change. Existing configuration is not affected, and any new changes that the webhook would reject would also be rejected by Kong. [#727](https://github.com/Kong/charts/pull/727) * Replaced static secret with projected volume in deployment. [#722](https://github.com/Kong/charts/pull/722) * Reject invalid log config values. [#733](https://github.com/Kong/charts/pull/733) * Update custom resource definitions to latest v2.8.1 from kong/kubernetes-ingress-controller [#730](https://github.com/Kong/charts/pull/730) * Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in migrations Jobs. This was already the case for the Deployment. [#729](https://github.com/Kong/charts/pull/729) ## 2.15.3 ### Fixed * Changed `ingressController.readinessProbe` to use `/readyz` to prevent pods from becoming ready and serving 404s prior to the `ingress-controller` first syncing config to the `proxy` [#716](https://github.com/Kong/charts/pull/716). * Fixed incorrect `if` block order in volume mount templates. ## 2.15.2 ### Fixed * Do not attempt to mount DB-less config if none provided by chart. ## 2.15.1 ### Fixed * Remove unnecessary failure condition from [#695](https://github.com/Kong/charts/pull/695). ## 2.15.0 ### Improvements * Add the `dblessConfig.secret` key to the values file, allowing the user to supply a Secret for their dbless config file. [#695](https://github.com/Kong/charts/pull/695) * Add support for version `v1beta1` of the Gateway API when generating RBAC rules. * Add support for version `v1beta1` of the Gateway API when generating RBAC rules. ([#706](https://github.com/Kong/charts/pull/706)) * Prevent supplying duplicate plugin inclusion to `KONG_PLUGINS` env variable. ([#711](https://github.com/Kong/charts/pull/711)) ### Fixed * Removed appProtocol to fix AKS load balancer ([#705](https://github.com/Kong/charts/pull/705)) * Fix lookup for CA certificate secret for admission webhook. ([#704](https://github.com/Kong/charts/pull/704)) ## 2.14.0 Note: KIC 2.8 does include several updates to CRDs, but only for documentation and validation. You can [upgrade CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds), but doing so is not required. ### Improvements * Default Kong and KIC versions bumped to 3.1 and 2.8. * UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream). This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so. [#682](https://github.com/Kong/charts/pull/682) * Supported `autoscaling/v2` API ([#679](https://github.com/Kong/charts/pull/679)) * Add support for specifying the minium number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. (`deployment.minReadySeconds`) ([#688](https://github.com/Kong/charts/pull/688)) * Increased the default memory requests and limits for the Kong pod to 2G ([#690](https://github.com/Kong/charts/pull/690)) * Add a rule for `KongIngress` to the ValidatingWebhookConfiguration. ([#702](https://github.com/Kong/charts/pull/702)) ### Fixed * Removed `PodSecurityPolicy` if the API is not supported in k8s cluster to be compatible to k8s 1.25+. [#680](https://github.com/Kong/charts/pull/680) ## 2.13.1 ### Improvements * Updated default controller version to [KIC 2.7](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#270). ## 2.13.0 ### Improvements * Added cert-manager issuer support for proxy default and cluster mtls certificates ([#592](https://github.com/Kong/charts/pull/592)) * Updated CRDs with the new ordering field for KongPlugins, the new IngressClassParameters resource, and assorted field description updates. These [require a manual update](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds). * Updated default tags to Kong 3.0 and KIC 2.6. ## 2.12.0 ### Improvements * Added ClusterRole for cluster-scoped resources when using watchNamespaces. [#611](https://github.com/Kong/charts/issues/611) * Added `extraObjects` to create additional k8s resources as part of the helm release. [#652](https://github.com/Kong/charts/issues/652) ## 2.11.0 ### Fixed * Fixed Deployment missing if in case of empty tolerations [#630](https://github.com/Kong/charts/issues/630) * Use stdout and stderr by default for all logs. Several were writing to prefix directory files. [#634](https://github.com/Kong/charts/issues/634) * Remove `terminationGracePeriodSeconds` from KIC's container spec since this field is only applicable for pods, not containers. [#640](https://github.com/Kong/charts/issues/640) ### Improvements * Bump controller version to 2.5. [#642](https://github.com/Kong/charts/issues/642) * Added `fullnameOverride` to override the normal resource name string. [#635](https://github.com/Kong/charts/issues/635) * Added size limits for emptyDir mounts. [#632](https://github.com/Kong/charts/issues/632) ## 2.10.2 ### Fixed * Kuma now also mounts ServiceAccount tokens on releases without a controller container. ## 2.10.1 ### Fixed * Updated manual ServiceAccount Secret mount format for compatibility with Kuma. ## 2.10.0 ### Added * Added option to disable test job pods. [#598](https://github.com/Kong/charts/issues/598) * Changed default admission failure policy from `Fail` to `Ignore`. [#612](https://github.com/Kong/charts/issues/612) * ServiceAccount tokens are now only mounted in the controller container to limit attack surface. [#619](https://github.com/Kong/charts/issues/619) ## 2.9.1 ### Fixed * Fixed another unwanted newline chomp that broke GatewayClass permissions. ## 2.9.0 * Added terminationDelaySeconds for Ingress Controller. ([597](https://github.com/Kong/charts/pull/597)) * Made KNative permissions conditional on CRD availability. ### Fixed * Removed KNative permission from the Gateway permissions set. ## 2.8.2 ### Fixed * Fixed an unwanted newline chomp in fix PR #595. ([594](https://github.com/Kong/charts/pull/594)) ## 2.8.1 ### Fixed * Fixed the stream default type, which should have been an empty array, not an empty map. This had no effect on chart behavior, but resulted in warning messages when user values.yamls contained non-empty stream configuration. ([594](https://github.com/Kong/charts/pull/594)) * Gateway API permissions are no longer created if Gateway API CRDs are not installed on the cluster. This would block installs by non-super admin users. ([595](https://github.com/Kong/charts/pull/595)) ## 2.8.0 ### Breaking changes 2.8 requires manual removal of existing IngressClass resources and updates the Postgres sub-chart version. Further details are available [in the upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#280). The chart honors `ingressController.installCRDs: false` again. Remove it from your values.yaml if it is currently present. Unless your install user [lacks permissions to read CRDs](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-c luster-scoped-permissions), which would have prevented you from installing earlier chart versions, you should omit this setting and let the templates detect whether you use the legacy CRD installation method automatically. ### Improvements * Added Ingress for cluster sync. ([583](https://github.com/Kong/charts/pull/583)) * Added controller support for custom environment variables. ([568](https://github.com/Kong/charts/pull/568)) * Ingress `pathType` field is now configurable. ([564](https://github.com/Kong/charts/pull/564)) * Added IngressClass resources to RBAC roles. ([563](https://github.com/Kong/charts/pull/563)) * Ingresses now support wildcard hostnames. ([559](https://github.com/Kong/charts/pull/559)) * Enables the option to add sidecar containers to the migration containers. ([540](https://github.com/Kong/charts/pull/540)) * Update the IngressClass controller string to match the value used upstream. ([557](https://github.com/Kong/charts/pull/557)) * Added support for user-defined controller volume mounts. ([560](https://github.com/Kong/charts/pull/560)) * Added support for autoscaling `behavior`. ([561](https://github.com/Kong/charts/pull/561)) * Improved support and documentation for installations that [lack cluster-scoped permissions](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-cluster-scoped-permissions). ([565](https://github.com/Kong/charts/pull/565)) * Updated podDisruptionBudget from `policy/v1beta1` to `policy/v1`. ([574](https://github.com/Kong/charts/pull/574)) * Updated controller version to 2.3. ### Fixed * Removed CREATE from ValidatingWebhookConfiguration objectSelector for Secrets to align with changes in Kong/kubernetes-ingress-controller. ([#542](https://github.com/Kong/charts/pull/542)) * Fixed traffic routing from Istio's envoy proxy to Kong proxy when using Istio's AuthorizationPolicy. ([#550](https://github.com/Kong/charts/pull/550)) * Fixed creation of non-default IngressClasses ([#552](https://github.com/Kong/charts/pull/552)) * Fixed: wait_for_db no longer tries to instantiate the keyring in Kong Enterprise ([#556](https://github.com/Kong/charts/pull/556)) ## 2.7.0 2.7.0 includes CRD updates, which [must be applied manually](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#270). ### Breaking Changes * There are upstream changes to the Postgres sub-chart that change many values.yaml keys. The default `postgresqlUsername` and `postgresqlDatabase` keys used in this chart's values.yaml are now `auth.username` and `auth.database`. If you set other Postgres sub-chart values, consult the [upstream README](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) and [upgrade guide](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/#to-1100) to see what you need to change. ### Improvements * Added Gateway API resources to RBAC rules. ([#536](https://github.com/Kong/charts/pull/536)) * Replaced `sleep 15` in `preStop` command with `--wait=15` argument to `kong quit`. ([#531](https://github.com/Kong/charts/pull/531)) * Added support for non `KONG_` prefixed custom environment variables ([#530](https://github.com/Kong/charts/pull/530)) * Updated to latest CRDs from upstream. ## 2.6.5 ### Fixed * Generated IngressClass resources persist across updates properly. ([#518](https://github.com/Kong/charts/pull/518)) ## 2.6.4 ### Improvements * Updated default tags to Kong 2.7, Kong Enterprise 2.7.0.0, and Kong Ingress Controller 2.1. ### Fixed * Corrected a misnamed field in podDisruptionBudget. ([#519](https://github.com/Kong/charts/pull/519)) ## 2.6.3 ### Improvements * Increased example resources for the Kong container. ([#511](https://github.com/Kong/charts/pull/511)) ### Fixed * Corrected an invalid label match condition for the admission webhook. ([#513](https://github.com/Kong/charts/pull/513)) ## 2.6.2 ### Improvements * Added `app` and `version` labels to pods. ([#504](https://github.com/Kong/charts/pull/504)) * Reworked leftover socket file cleanup to avoid similar problems of the same class. ([#508](https://github.com/Kong/charts/pull/508)) ### Fixed * SecurityContext and resources applied to PID cleanup initContainer also. ([#503](https://github.com/Kong/charts/pull/503)) * Disabled the admission webhook on Helm Secrets, fixing an issue where it prevented Helm from updating release metadata. ([#500](https://github.com/Kong/charts/pull/500)) * initContainers that use the Kong image use the same imagePullPolicy as the main Kong container. ([#501](https://github.com/Kong/charts/pull/501)) * Applied mesh sidecar annotations to the Pod, not the Deployment. ([#507](https://github.com/Kong/charts/pull/507)) ## 2.6.1 ### Fixed * Disabled IngressClass creation on Kubernetes versions that do not support it. * Added missing resources (Secrets, KongClusterPlugins) to the admission controller configuration. ([#492](https://github.com/Kong/charts/pull/492)) ## 2.6.0 **Note:** chart versions 2.3.0 through 2.5.0 contained an incorrect KongIngress CRD. The `proxy.path` field was missing. Helm will not fix this automatically on upgrade. You can fix it by running: ``` kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml ``` ### Improvements * Added an initContainer to clear leftover PID file in the event of a Kong container crash, allowing the container to restart. ([#480](https://github.com/Kong/charts/pull/480)) * Added deployment.hostNetwork to enable host network access. ([#486](https://github.com/Kong/charts/pull/486)) ### Fixed * NOTES.txt documentation link now uses up-to-date location. * Ingress availability check tightened to require the Ingress API specifically in `networking.k8s.io/v1`. ([#484](https://github.com/Kong/charts/pull/484)) * Flipped backwards logic for creating an IngressClass when no IngressClass was present. ([#485](https://github.com/Kong/charts/pull/485)) * Removed unnecessary hardcoded controller container argument. ([#481](https://github.com/Kong/charts/pull/481)) * Restored missing `proxy.path` field to KongIngress CRD. ## 2.5.0 ### Improvements * Default Kong proxy version updated to 2.6. ### Fixed * Properly disable KongClusterPlugin when watchNamespaces is set. ([#475](https://github.com/Kong/charts/pull/475)) ## 2.4.0 ### Breaking Changes * KIC now defaults to version 2.0. If you use a database, you must first perform a temporary intermediate upgrade to disable KIC before upgrading it to 2.0 and re-enabling it. See the [upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#disable-ingress-controller-prior-to-2x-upgrade-when-using-postgresql) for detailed instructions. * ServiceAccount are now always created by default unless explicitly disabled. ServiceAccount customization has [moved under the `deployment` section of configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changed-serviceaccount-configuration-location) to reflect this. This accomodates configurations that need a ServiceAccount but that do not use the ingress controller. ([#455](https://github.com/Kong/charts/pull/455)) ### Improvements * Migration jobs support a configurable backoffLimit. ([#442](https://github.com/Kong/charts/pull/442)) * Generated Ingresses now use `networking.k8s.io/v1` when available. ([#446](https://github.com/Kong/charts/pull/446)) ### Fixed * 5-digit UDP ports now work properly. ([#443](https://github.com/Kong/charts/pull/443)) * Fixed port name used for NLB annotation example. ([#458](https://github.com/Kong/charts/pull/458)) * Fixed a compatibility issue with Helm's `--set-file` feature and user-provided DB-less configuration ConfigMaps. ([#465](https://github.com/Kong/charts/pull/465)) ## 2.3.0 ### Breaking Changes * Upgraded CRDs to V1 from the previous deprecated v1beta1. [#391](https://github.com/kong/charts/issues/391) ACTION REQUIRED: This is a breaking change as it makes this chart incompatible with Kubernetes clusters older than v1.16.x. Upgrade your cluster to a version greater than or equal to v1.16 before installing. Note that technically it will remain possible to deploy on older clusters by managing the CRDs manually ahead of time (e.g. intentionally deploying the legacy CRDs) but these configurations will be considered unsupported. [upgrade](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/) ACTION REQUIRED: For existing deployments Helm avoids managing CRDs so when upgrading from a previous release you will need to apply the new V1 versions of the CRDs (in `crds/`) manually. [hip-0011](https://github.com/helm/community/blob/main/hips/hip-0011.md) ([#415](https://github.com/Kong/charts/pull/415)) * Added support for controller metrics to the Prometheus resources. This requires KIC 2.x. The chart automatically detects if your controller image is compatible, but only if your tag is semver-compliant. If you are using an image without a semver-compliant tag (such as `next`) you _must_ set the `ingressController.image.effectiveSemver` value to a semver string appropriate for your image (for example, if your image is 2.0.0-based, you would set it to `2.0.0`. ([#430](https://github.com/Kong/charts/pull/430)) ### Improvements * Updated default Kong versions to 2.5 (OSS) and 2.5.0.0 (Enterprise). * Added user-configured initContainer support to Jobs. ([#408](https://github.com/Kong/charts/pull/408)) * Upgraded RBAC resources to v1 from v1beta1 for compatibility with Kubernetes 1.22 and newer. This breaks compatibility with Kubernetes 1.7 and older, but these Kubernetes versions were never supported, so this change is not breaking. Added additional permissions to support KIC 2.x. ([#420](https://github.com/Kong/charts/pull/420)) ([#419](https://github.com/Kong/charts/pull/419)) * Added `ingressController.watchNamespaces[]` to values.yaml. When set, the controller will only watch the listed namespaces (instead of all namespaces, the default), and will create Roles for each namespace (instead of a ClusterRole). This feature requires KIC 2.x. ([#420](https://github.com/Kong/charts/pull/420)) * Added support for [dnsPolicy and dnsConfig](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/). ([#425](https://github.com/Kong/charts/pull/425)) * Use migration commands directly in upgrade/install Jobs instead of invoking them via a shell. This adds support for some additional features in Kong images that only apply when the container command starts with `kong`. ([#429](https://github.com/Kong/charts/pull/429)) ### Fixed * Fixed an incorrect template for DaemonSet releases. ([#426](https://github.com/Kong/charts/pull/426)) ## 2.2.0 ### Breaking changes * Removed default `maxUnavailable` setting for pod disruption budget configuration. This is necessary to allow usage of the `minUnavailable` setting, but means that there is no longer any default availability constraint. If you set `podDisruptionBudget.enabled=true` in your values and did not previously set any `podDisruptionBudget.maxUnavailable` value, you must add `podDisruptionBudget.maxUnavailable="50%"` to your values. ### Improvements * Added host alias injection to override DNS and/or add DNS entries not available from the DNS resolver. ([#366](https://github.com/Kong/charts/pull/366)) * Added support for custom labels. ([#370](https://github.com/Kong/charts/pull/370)) * Only add paths to Ingresses if configured, for OpenShift 4.x compatibility. ([#375](https://github.com/Kong/charts/pull/375)) * Kong containers no longer the image ENTRYPOINT. This allows the stock image bootstrap scripts to run normally. ([#377](https://github.com/Kong/charts/pull/377)) * Added security context settings for containers. ([#387](https://github.com/Kong/charts/pull/387)) * Bumped Kong and controller image defaults to the latest versions. ([#378](https://github.com/Kong/charts/pull/378)) * Added support for user-provided admission webhook certificates. ([#385](https://github.com/Kong/charts/pull/385)) * Disable service account tokens when it is unnecessary. ([#389](https://github.com/Kong/charts/pull/389)) ### Fixed * Admission webhook port is now listed under the controller container, where the admission webhook runs. ([#384](https://github.com/Kong/charts/pull/384)) ### Documentation * Removed a duplicate key from example values. ([#360](https://github.com/Kong/charts/pull/360)) * Clarified Enterprise free mode usage. ([#362](https://github.com/Kong/charts/pull/362)) * Expand EKS Service annotation examples for proxy. ([#376](https://github.com/Kong/charts/pull/375)) ## 2.1.0 ### Improvements * Added support for user-defined volumes, volume mounts, and init containers. ([#317](https://github.com/Kong/charts/pull/317)) * Tolerations are now applied to migration Job Pods also. ([#341](https://github.com/Kong/charts/pull/341)) * Added support for using a DaemonSet instead of Deployment. ([#347](https://github.com/Kong/charts/pull/347)) * Updated default image versions and completed migration off Bintray repositories. ([#349](https://github.com/Kong/charts/pull/349)) * PDB ignores migration Job Pods. ([#352](https://github.com/Kong/charts/pull/352)) ### Documentation * Clarified service monitor usage information. ([#345](https://github.com/Kong/charts/pull/345)) ## 2.0.0 ### Breaking changes * Helm 2 is no longer supported. You **must** [migrate your Kong chart releases to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to this release. * Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters) are no longer supported. * The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration) is no longer supported. * Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration) is no longer supported. * Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress) is no longer supported. `helm upgrade` with the previous version (1.15.0) will print a warning message if you still use any of the removed values.yaml configuration. If you do not see any warnings after the upgrade completes, you are already using the modern equivalents of these settings and can proceed with upgrading to 2.0.0-rc1. ### Improvements * Admission webhook certificates persist after their initial creation. This prevents an unnecessary restart of Kong Pods on upgrades that do not actually modify the deployment. ([#256](https://github.com/Kong/charts/pull/256)) * `ingressController.installCRDs` now defaults to `false`, simplifying installation on Helm 3. Installs now default to using Helm 3's CRD management system, and do not require changes to values or install flags to install successfully. ([#305](https://github.com/Kong/charts/pull/305)) * Added support for Pod `topologySpreadConstraints`. ([#308](https://github.com/Kong/charts/pull/308)) * Kong Ingress Controller image now pulled from Docker Hub (due to Bintray being discontinued). Changed the default Docker image repository for the ingress controller. ### Fixed * Generated admission webhook certificates now include SANs for compatibility with Go 1.15 controller builds. ([#312](https://github.com/Kong/charts/pull/312)). ### Documentation * Clarified use of `terminationGracePeriodSeconds`. ([#302](https://github.com/Kong/charts/pull/302)) ## 1.15.0 1.15.0 is an interim release before the planned release of 2.0.0. There were several feature changes we wanted to release prior to the removal of deprecated functionality for 2.0. The original planned deprecations covered in the [1.14.0 changelog](#1140) are still planned for 2.0.0. ### Improvements * The default Kong version is now 2.3 and the default Kong Enterprise version is now 2.3.2.0. * Added configurable `terminationGracePeriodSeconds` for the pre-stop lifecycle hook. ([#271](https://github.com/Kong/charts/pull/271)). * Initial migration database wait init containers no longer have a default image configuration in values.yaml. When no image is specified, the chart will use the Kong image. The standard Kong images include bash, and can run the database wait script without downloading a separate image. Configuring a wait image is now only necessary if you use a custom Kong image that lacks bash. ([#285](https://github.com/Kong/charts/pull/285)). * Init containers for database availability and migration completeness can now be disabled. They cause compatibility issues with many service meshes. ([#285](https://github.com/Kong/charts/pull/285)). * Removed the default migration Job annotation that disabled Kuma's mesh proxy. The latest version of Kuma no longer prevents Jobs from completing. ([#285](https://github.com/Kong/charts/pull/285)). * Services now support user-configurable labels, and the Prometheus ServiceMonitor label is included on the proxy Service by default. Users that disable the proxy Service and add this label to another Service to collect metrics. ([#290](https://github.com/Kong/charts/pull/290)). * Migration Jobs now allow resource quota configuration. Init containers inherit their resource quotas from their associated Kong container. ([#294](https://github.com/Kong/charts/pull/294)). ### Fixed * The database readiness wait script ConfigMap and associated mounts are no longer created if that feature is not in use. ([#285](https://github.com/Kong/charts/pull/285)). * Removed a duplicated field from CRDs. ([#281](https://github.com/Kong/charts/pull/281)). ## 1.14.5 ### Fixed * Removed `http2` from default status listen TLS parameters. It only supports a limited subset of the extra listen parameters, and does not allow `http2`. ## 1.14.4 ### Fixed * Status listens now include parameters in the default values.yaml. The absence of these defaults caused a template rendering error when the TLS listen was enabled. ### Documentation * Updated status listen comments to reflect TLS listen availability on Kong 2.1+. ## 1.14.3 ### Fixed * Fix issues with legacy proxy Ingress object template. ## 1.14.2 ### Fixed * Corrected invalid default value for `enterprise.smtp.smtp_auth`. ## 1.14.1 ### Fixed * Moved several Kong container settings into the appropriate template block. Previously these were rendered whether or not the Kong container was enabled, which unintentionally applied them to the controller container. ## 1.14.0 ### Breaking changes 1.14 is the last planned 1.x version of the Kong chart. 2.x will remove support for Helm 2.x and all deprecated configuration. The chart prints a warning when upgrading or installing if it detects any configuration still using an old format. * All Ingress and Service resources now use the same template. This ensures that all chart Ingresses and Services support the same configuration. The proxy previously used a unique Ingress configuration, which is now deprecated. If you use the proxy Ingress, [see the instructions in UPGRADE.md](https://github.com/Kong/charts/blob/kong-1.14.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress) to update your configuration. No changes are required for other Service and Ingress configurations. ([#251](https://github.com/Kong/charts/pull/251)). * The chart now uses the standard Kong status endpoint instead of custom configuration, allowing users to specify their own custom configuration. The status endpoint is no available in versions older than Kong 1.4.0 or Kong Enterprise 1.5.0; if you use an older version, you will need to [add and load the old custom configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#default-custom-server-block-replaced-with-status-listen). If you use a newer version and include Kong container readinessProbe and/or livenessProbe configuration in your values.yaml, you must change the port from `metrics` to `status`. ([#255](https://github.com/Kong/charts/pull/255)). ### Fixed * Correct an issue with migrations Job toggles. ([#231](https://github.com/Kong/charts/pull/231)) ## 1.13.0 ### Improvements * Updated default Kong Enterprise version to 2.2.1.0-alpine. * Updated default Kong Ingress Controller version to 1.1. * Add `namespace` to values.yaml to override release namespace if desired. ([#231](https://github.com/Kong/charts/pull/231)) ### Fixed * Migration Jobs now use the same nodeSelector configuration as the main Kong Deployment. ([#238](https://github.com/Kong/charts/pull/238)) * Disabled custom Kong template mount if Kong is not enabled. ([#240](https://github.com/Kong/charts/pull/240)) * Changed YAML string to a YAML boolean. ([#240](https://github.com/Kong/charts/pull/240)) ### Documentation * Clarify requirements for using horizontal pod autoscalers. ([#236](https://github.com/Kong/charts/pull/236)) ## 1.12.0 ### Improvements * Increased default worker count to 2 to avoid issues with latency during blocking tasks, such as DB-less config updates. This change increases memory usage, but the increase should not be a concern for any but the smallest deployments (deployments with memory limits below 512MB). * Updated default Kong version to 2.2. ([#221](https://github.com/Kong/charts/pull/221)) * Updated default Kong Enterprise version to 2.1.4.1. * Added a means to mount extra ConfigMap and Secret resources. ([#208](https://github.com/Kong/charts/pull/208)) * Added configurable annotations for migration Jobs. ([#219](https://github.com/Kong/charts/pull/219)) * Added template for deprecation warnings to automate formatting and avoid excess newlines. ### Fixed * Upgrades no longer force auto-scaling Deployments back to the replica count. ([#222](https://github.com/Kong/charts/pull/222)) ## 1.11.0 ### Breaking changes * Kong Ingress Controller 1.0 removes support for several deprecated flags and the KongCredential custom resource. Please see the [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#breaking-changes) for details. Note that Helm 3 will not remove the KongCredential CRD by default: you should delete it manually after converting KongCredentials to [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer). If you manage CRDs using Helm (check to see if your KongCredential CRD has a `app.kubernetes.io/managed-by: Helm` label), perform the credential Secret conversion **before** upgrading to chart 1.11.0 to avoid losing credential configuration. * The chart no longer uses the `extensions` API for PodSecurityPolicy, and now uses the modern `policy` API. This breaks compatibility with Kubernetes versions 1.11 and older. ([#195](https://github.com/Kong/charts/pull/195)) ### Improvements * Updated default controller version to 1.0. * The chart now adds namespace information to manifests explicitly. This simplifies workflows that use `helm template`. ([#193](https://github.com/Kong/charts/pull/193)) ### Fixed * Changes to annotation block generation prevent incorrect YAML indentation when specifying annotations via command line arguments to Helm commands. ([#200](https://github.com/Kong/charts/pull/200)) ## 1.10.0 ### Breaking changes * Kong Ingress Controller 0.10.0 comes with breaking changes to global `KongPlugin`s and to resources without an ingress class defined. Refer to the [`UPGRADE.md notes for chart 1.10.0`](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#1100) for details. ### Improvements * Updated default controller version to 0.10.0. ### Fixed * Removed the `status` field from the `TCPIngress` CRD. ([#188](https://github.com/Kong/charts/pull/188)) ## 1.9.1 ### Documentation * Clarified documentation for [breaking changes in 1.9.0](#190) to indicate that any values.yaml that sets `waitImage.repository` requires changes, including those that set the old default. * Updated Enterprise examples to use latest Enterprise image version. ## 1.9.0 ### Breaking changes 1.9.0 now uses a bash-based pre-migration database availability check. If you set `waitImage.repository` in values.yaml, either to the previous default (`busybox`) or to a custom image, you must change it to an image that includes a `bash` executable. Once you have `waitImage.repository` set to an image with bash, [perform an initial chart version upgrade with migrations disabled](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-wait-for-postgres-image) before re-enabling migrations, updating your Kong image version, and performing a second release upgrade. ### Improvements * Added support for sidecar injection. ([#174](https://github.com/Kong/charts/pull/174)) * Changed to a bash-based pre-migration database availability check. ([#179](https://github.com/Kong/charts/pull/179)) * Changed to a bash-based pre-migration database availability check. ([#179](https://github.com/Kong/charts/pull/179)) * Updated default Kong Enterprise version to 2.1.3.0. ### Fixed * Added missing cluster telemetry service and fixed missing cluster service port. ([#185](https://github.com/Kong/charts/pull/185)) ### Documentation * Added an example Enterprise controller-managed DB-less values.yaml. ([#175](https://github.com/Kong/charts/pull/175)) ## 1.8.0 **Kong Enterprise users:** please review documentation for the [Kong Enterprise 2.1.x beta release](https://docs.konghq.com/enterprise/2.1.x/release-notes/#coming-soon) and [hybrid mode on Kong Enterprise](https://docs.konghq.com/enterprise/2.1.x/deployment/hybrid-mode/#kubernetes-support) as well. Version 1.8 of the Kong Helm chart adds support for hybrid mode, which is currently only available in the 2.1.x beta. Production systems should continue to use the Kong Enterprise 1.5.x stable releases, which do not support hybrid mode. ### Improvements * Update default Kong version to 2.1. * Update Kong Enterprise images to 1.5.0.4 (kong-enterprise-edition) and 2.0.4.2 (kong-enterprise-k8s). * Updated default controller version to 0.9.1. ([#150](https://github.com/Kong/charts/pull/150)) * Added support for ServiceMonitor targetLabels (for use with the Prometheus Operator). ([#162](https://github.com/Kong/charts/pull/162)) * Automatically handle the [new port_maps setting](https://github.com/Kong/kong/pull/5861) for the proxy service. ([#169](https://github.com/Kong/charts/pull/169)) * Add support for [hybrid mode deployments](https://docs.konghq.com/latest/hybrid-mode/). ([#160](https://github.com/Kong/charts/pull/160)) ### Fixed * Fixed an issue with improperly-rendered listen strings. ([#155](https://github.com/Kong/charts/pull/155)) ### Documentation * Improved inline documentation of `env` in values.yaml. ([#163](https://github.com/Kong/charts/pull/163)) ## 1.7.0 ### Improvements * Added support for [CRD-only](https://github.com/Kong/charts/blob/1.7.0/charts/kong/README.md#crds-only) and [controller-only releases](https://github.com/Kong/charts/blob/next/charts/kong/README.md#standalone-controller-nodes). ([#136](https://github.com/Kong/charts/pull/136)) ### Documentation * Added a set of [example values.yamls](https://github.com/Kong/charts/tree/main/charts/kong/example-values) for various configurations of Kong and Kong Enterprise. ([#134](https://github.com/Kong/charts/pull/134)) ## 1.6.1 This release contains no changes other than the version. This is to address an issue with our release automation. ## 1.6.0 ### Improvements * Updated default controller version to 0.9.0. ([#132](https://github.com/Kong/charts/pull/132)) * Updated default Enterprise versions to 2.0.4.1 and 1.5.0.2. ([#130](https://github.com/Kong/charts/pull/130)) * Added ability to override chart lifecycle. ([#116](https://github.com/Kong/charts/pull/116)) * Added ability to apply user-defined labels to pods. ([#121](https://github.com/Kong/charts/pull/121)) * Filtered serviceMonitor to disable metrics collection from non-proxy services. ([#112](https://github.com/Kong/charts/pull/112)) * Set admin API to listen on localhost only if possible. ([#125](https://github.com/Kong/charts/pull/125)) * Add `auth_type` and `ssl` settings to `smtp` block. ([#127](https://github.com/Kong/charts/pull/127)) * Remove UID from default securityContext. ([#138](https://github.com/Kong/charts/pull/138)) ### Documentation * Corrected invalid default serviceMonitor.interval value. ([#110](https://github.com/Kong/charts/pull/110)) * Removed duplicate `installCRDs` documentation. ([#115](https://github.com/Kong/charts/pull/115)) * Simplified example license Secret creation command. ([#131](https://github.com/Kong/charts/pull/131)) ## 1.5.0 ### Improvements * Added support for annotating the ServiceAccount. ([#97](https://github.com/Kong/charts/pull/97)) * Updated controller templates to use environment variables for default configuration. ([#99](https://github.com/Kong/charts/pull/99)) * Added support for stream listens. ([#103](https://github.com/Kong/charts/pull/103)) * Moved migration configuration under a `migrations` block with support for enabling upgrade jobs independently and adding annotations. ([#102](https://github.com/Kong/charts/pull/102)) * Added support for the [status listen](https://github.com/Kong/kong/pull/4977). ([#107](https://github.com/Kong/charts/pull/107)) * :warning: Exposed PodSecurityPolicy spec in values.yaml and added default configuration to enforce a read-only root filesystem. **Kong Enterprise versions prior to 1.5.0 require the root filesystem be read-write. If you use an older version and enforce PodSecurityPolicy, you must set `.Values.podSecurityPolicy.spec.readOnlyRootFilesystem: false`.** ([#104](https://github.com/Kong/charts/pull/104)) ### Fixed * Fixed old init-migrations jobs blocking upgrades. ([#102](https://github.com/Kong/charts/pull/102)) ### Documentation * Fixed discrepancy between image version in values.yaml and README.md. ([#96](https://github.com/Kong/charts/pull/96)) * Added example Enterprise image tags to values.yaml. ([#100](https://github.com/Kong/charts/pull/100)) * Added deprecation warnings in CHANGELOG.md. ([#91](https://github.com/Kong/charts/pull/91)) * Improved RBAC documentation to clarify process and use new controller functionality. ([#95](https://github.com/Kong/charts/pull/95)) * Added documentation for managing multi-release clusters with varied node roles (e.g. admin-only, Portal-only, etc.). ([#102](https://github.com/Kong/charts/pull/102)) ## 1.4.1 ### Documentation * Fixed an issue with the 1.4.1 upgrade steps. ## 1.4.0 ### Improvements * :warning: Service and listen configuration now use a unified configuration format. **The previous configuration format for the admin API service is deprecated and will be removed in a future release.** Listen configuration now supports specifying parameters. Kubernetes service creation can now be enabled or disabled for all Kong services. Users should review the [1.4.0 upgrade guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#changes-to-kong-service-configuration) for details on how to update their values.yaml. ([#72](https://github.com/Kong/charts/pull/72)) * Updated the default controller version to 0.8. This adds new KongClusterPlugin and TCPIngress CRDs and RBAC permissions for them. Users should also note that `strip_path` now defaults to disabled, which will likely break existing configuration. See [the controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#080---20200325) and [upgrade-guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#strip_path-now-defaults-to-false-for-controller-managed-routes) for full details. ([#77](https://github.com/Kong/charts/pull/77)) * Added support for user-supplied ingress controller CLI arguments. ([#79](https://github.com/Kong/charts/pull/79)) * Added support for annotating the chart's deployment. ([#81](https://github.com/Kong/charts/pull/81)) * Switched to the Bitnami Postgres chart, as the chart in Helm's repository has [moved there](https://github.com/helm/charts/tree/master/stable/postgresql#this-helm-chart-is-deprecated). ([#82](https://github.com/Kong/charts/pull/82)) ### Fixed * Corrected the app version in Chart.yaml. ([#86](https://github.com/Kong/charts/pull/86)) ### Documentation * Fixed incorrect default value for `installCRDs`. ([#78](https://github.com/Kong/charts/pull/78)) * Added detailed upgrade guide covering breaking changes and deprecations. ([#74](https://github.com/Kong/charts/pull/74)) * Improved installation steps for Helm 2 and Helm 3. ([#83](https://github.com/Kong/charts/pull/83)) ([#84](https://github.com/Kong/charts/pull/84)) * Remove outdated `ingressController.replicaCount` setting. ([#87](https://github.com/Kong/charts/pull/87)) ## 1.3.1 ### Fixed * Added missing newline to NOTES.txt template. ([#66](https://github.com/Kong/charts/pull/66)) ### Documentation * Instruct users to create secrets for both the kong-enterprise-k8s and kong-enterprise-edition Docker registries. ([#65](https://github.com/Kong/charts/pull/65)) * Updated maintainer information. ## 1.3.0 ### Improvements * Custom plugin mounts now support subdirectories. These are necessary for plugins that include their own migrations. Note that Kong versions prior to 2.0.1 [have a bug](https://github.com/Kong/kong/pull/5509) that prevents them from running these migrations. ([#24](https://github.com/Kong/charts/pull/24)) * LoadBalancer services will now respect their NodePort. ([#48](https://github.com/Kong/charts/pull/41)) * The proxy TLS listen now enables HTTP/2 (and, by extension, gRPC). ([#47](https://github.com/Kong/charts/pull/47)) * Added support for `priorityClassName` to the Kong deployment. ([#56](https://github.com/Kong/charts/pull/56)) * Bumped default Kong version to 2.0 and controller version to 0.7.1. ([#60](https://github.com/Kong/charts/pull/60)) * :warning: Removed dedicated Portal auth settings, which are unnecessary in modern versions. **The `enterprise.portal.portal_auth` and `enterprise.portal.session_conf_secret` settings in values.yaml are deprecated and will be removed in a future release.** See the [upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters) for instructions on migrating them to environment variables. ([#55](https://github.com/Kong/charts/pull/55)) ### Fixed * Fixed typo in HorizontalPodAutoscaler template. ([#45](https://github.com/Kong/charts/pull/45)) ### Documentation * Added contributing guidelines. ([#41](https://github.com/Kong/charts/pull/41)) * Added README section for Helm 2 versus Helm 3 considerations. ([#34](https://github.com/Kong/charts/pull/41)) * Added documentation for `proxy.annotations` to README.md. ([#57](https://github.com/Kong/charts/pull/57)) * Added FAQ entry for init-migrations job conflicts on upgrades. ([#59](https://github.com/Kong/charts/pull/59) * Move changelog out of README.md into CHANGELOG.md. ([#60](https://github.com/Kong/charts/pull/60) * Improved formatting for 1.2.0 changelog. ## 1.2.0 ### Improvements * Added support for HorizontalPodAutoscaler. ([#12](https://github.com/Kong/charts/pull/12)) * Environment variables are now consistently sorted alphabetically. ([#29](https://github.com/Kong/charts/pull/29)) ### Fixed * Removed temporary ServiceAccount template, which caused upgrades to break the existing ServiceAccount's credentials. Moved template and instructions for use to FAQs, as the temporary user is only needed in rare scenarios. ([#31](https://github.com/Kong/charts/pull/31)) * Fix an issue where the wait-for-postgres job did not know which port to use in some scenarios. ([#28](https://github.com/Kong/charts/pull/28)) ### Documentation * Added warning regarding volume mounts. ([#25](https://github.com/Kong/charts/pull/25)) ## 1.1.1 ### Fixed * Add missing `smtp_admin_emails` and `smtp_mock = off` to SMTP enabled block in `kong.env`. ### CI changes * Remove version bump requirement in preparation for new release model. ## 1.1.0 > https://github.com/Kong/charts/pull/4 ### Improvements * Significantly refactor the `env`/EnvVar templating system to determine the complete set of environment variables (both user-defined variables and variables generated from other sections of values.yaml) and resolve conflicts before rendering. User-provided values are now guaranteed to take precedence over generated values. Previously, precedence relied on a Kubernetes implementation quirk that was not consistent across all Kubernetes providers. * Combine templates for license, session configuration, etc. that generate `secretKeyRef` values into a single generic template. ## 1.0.3 - Fix invalid namespace for pre-migrations and Role. - Fix whitespaces formatting in README. ## 1.0.2 - Helm 3 support: CRDs are declared in crds directory. Backward compatible support for helm 2. ## 1.0.1 Fixed invalid namespace variable name causing ServiceAccount and Role to be generated in other namespace than desired. ## 1.0.0 There are not code changes between `1.0.0` and `0.36.5`. From this version onwards, charts are hosted at https://charts.konghq.com. The `0.x` versions of the chart are available in Helm's [Charts](https://github.com/helm/charts) repository are are now considered deprecated. ## 0.36.5 > PR https://github.com/helm/charts/pull/20099 ### Improvements - Allow `grpc` protocol for KongPlugins ## 0.36.4 > PR https://github.com/helm/charts/pull/20051 ### Fixed - Issue: [`Ingress Controller errors when chart is redeployed with Admission Webhook enabled`](https://github.com/helm/charts/issues/20050) ## 0.36.3 > PR https://github.com/helm/charts/pull/19992 ### Fixed - Fix spacing in ServiceMonitor when label is specified in config ## 0.36.2 > PR https://github.com/helm/charts/pull/19955 ### Fixed - Set `sideEffects` and `admissionReviewVersions` for Admission Webhook - timeouts for liveness and readiness probes has been changed from `1s` to `5s` ## 0.36.1 > PR https://github.com/helm/charts/pull/19946 ### Fixed - Added missing watch permission to custom resources ## 0.36.0 > PR https://github.com/helm/charts/pull/19916 ### Upgrade Instructions - When upgrading from <0.35.0, in-place chart upgrades will fail. It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch. Note that this will cause downtime for the kong proxy. ### Improvements - Fixed Deployment's label selector that prevented in-place chart upgrades. ## 0.35.1 > PR https://github.com/helm/charts/pull/19914 ### Improvements - Update CRDs to Ingress Controller 0.7 - Optimize readiness and liveness probes for more responsive health checks - Fixed incorrect space in NOTES.txt ## 0.35.0 > PR [#19856](https://github.com/helm/charts/pull/19856) ### Improvements - Labels on all resources have been updated to adhere to the Helm Chart guideline here: https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository ## 0.34.2 > PR [#19854](https://github.com/helm/charts/pull/19854) This release contains no user-visible changes ### Under the hood - Various tests have been consolidated to speed up CI. ## 0.34.1 > PR [#19887](https://github.com/helm/charts/pull/19887) ### Fixed - Correct indentation for Job securityContexts. ## 0.34.0 > PR [#19885](https://github.com/helm/charts/pull/19885) ### New features - Update default version of Ingress Controller to 0.7.0 ## 0.33.1 > PR [#19852](https://github.com/helm/charts/pull/19852) ### Fixed - Correct an issue with white space handling within `final_env` helper. ## 0.33.0 > PR [#19840](https://github.com/helm/charts/pull/19840) ### Dependencies - Postgres sub-chart has been bumped up to 8.1.2 ### Fixed - Removed podDisruption budge for Ingress Controller. Ingress Controller and Kong run in the same pod so this was no longer applicable - Migration job now receives the same environment variable and configuration as that of the Kong pod. - If Kong is configured to run with Postgres, the Kong pods now always wait for Postgres to start. Previously this was done only when the sub-chart Postgres was deployed. - A hard-coded container name is used for kong: `proxy`. Previously this was auto-generated by Helm. This deterministic naming allows for simpler scripts and documentation. ### Under the hood Following changes have no end user visible effects: - All Custom Resource Definitions have been consolidated into a single template file - All RBAC resources have been consolidated into a single template file - `wait-for-postgres` container has been refactored and de-duplicated ## 0.32.1 ### Improvements - This is a doc only release. No code changes have been done. - Post installation steps have been simplified and now point to a getting started page - Misc updates to README: - Document missing variables - Remove outdated variables - Revamp and rewrite major portions of the README - Added a table of content to make the content navigable ## 0.32.0 ### Improvements - Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow for read-only root filesystem securityContexts and PodSecurityPolicys. - Use read-only mounts for custom plugin volumes. - Update stock PodSecurityPolicy to allow emptyDir access. - Override the standard `/usr/local/kong` prefix to the mounted emptyDir at `/kong_prefix` in `.Values.env`. - Add securityContext injection points to template. By default, it sets Kong pods to run with UID 1000. ### Fixes - Correct behavior for the Vitals toggle. Vitals defaults to on in all current Kong Enterprise releases, and the existing template only created the Vitals environment variable if `.Values.enterprise.enabled == true`. Inverted template to create it (and set it to "off") if that setting is instead disabled. - Correct an issue where custom plugin configurations would block Kong from starting. ## 0.31.0 ### Breaking changes - Admin Service is disabled by default (`admin.enabled`) - Default for `proxy.type` has been changed to `LoadBalancer` ### New features - Update default version of Kong to 1.4 - Update default version of Ingress Controller to 0.6.2 - Add support to disable kong-admin service via `admin.enabled` flag. ## 0.31.2 ### Fixes - Do not remove white space between documents when rendering `migrations-pre-upgrade.yaml` ## 0.30.1 ### New Features - Add support for specifying Proxy service ClusterIP ## 0.30.0 ### Breaking changes - `admin_gui_auth_conf_secret` is now required for Kong Manager authentication methods other than `basic-auth`. Users defining values for `admin_gui_auth_conf` should migrate them to an externally-defined secret with a key of `admin_gui_auth_conf` and reference the secret name in `admin_gui_auth_conf_secret`. ## 0.29.0 ### New Features - Add support for specifying Ingress Controller environment variables. ## 0.28.0 ### New Features - Added support for the Validating Admission Webhook with the Ingress Controller. ## 0.27.2 ### Fixes - Do not create a ServiceAccount if it is not necessary. - If a configuration change requires creating a ServiceAccount, create a temporary ServiceAccount to allow pre-upgrade tasks to complete before the regular ServiceAccount is created. ## 0.27.1 ### Documentation updates - Retroactive changelog update for 0.24 breaking changes. ## 0.27.0 ### Breaking changes - DB-less mode is enabled by default. - Kong is installed as an Ingress Controller for the cluster by default. ## 0.25.0 ### New features - Add support for PodSecurityPolicy - Require creation of a ServiceAccount ## 0.24.0 ### Breaking changes - The configuration format for ingresses in values.yaml has changed. Previously, all ingresses accepted an array of hostnames, and would create ingress rules for each. Ingress configuration for services other than the proxy now accepts a single hostname, which allows simpler TLS configuration and automatic population of `admin_api_uri` and similar settings. Configuration for the proxy ingress is unchanged, but its documentation now accurately reflects the TLS configuration needed.