News Automating License Validity Checks with KrakenD

Community Documentation

Recent changes

Upgrading KrakenD from an older version

Document updated on Mar 11, 2024

Upgrading to a new version of KrakenD is designed to be straightforward, thanks to our commitment to maintaining backward compatibility across versions within the same major release (e.g., within 2.x versions). You can generally update KrakenD to a newer version without altering your configuration. However, to ensure optimal performance and access to the latest features, reviewing and adjusting your configuration is wise.

KrakenD’s upgrade policy
Our policy focuses on minimizing disruption by preserving compatibility with previous versions. However, important changes can occur between versions, such as the deprecation of components, the introduction of superior alternatives, the relocation of properties, or the outright removal of outdated features. Although KrakenD aims to ensure your existing setup will continue to run, these changes may necessitate adjustments to your configuration for improved stability and performance.

Upgrade steps

  1. Review the changelog. This document provides a chronological list of releases detailing new features, bug fixes, and possible breaking changes between major versions.
  2. Adjust your configuration and run the linter as needed. Below, you’ll find the changes between versions. Scroll down to your current version and apply all changes above it. Then, run the linter (krakend check --lint), which is designed to scrutinize your configuration rigorously.
  3. Update the KrakenD binary. Replace the existing binary file with the latest version. This process varies depending on how KrakenD was installed and whether it is container-based or not.
Jumping several versions
To upgrade when you are more than one version away from the latest, adjust the configuration for all the versions that the upgrade comprehends.

The list below is automatically generated based on the changelog.

Upgrade to CE v2.6 (latest)

OpenTelemetry integration, extended plugin capabilities, updated Grafana Dashboard, and JWT fixes. Configuration changes for v2.6:

  • Removed from schema previosuly deprecated fields allow_insecure_connections in the root. Must be declared under client_tls.allow_insecure_connections now.
  • Removed from schema previously deprecated prefetch_size and prefetch_count attributes from AMQP. These attributes did not have any effect in the software.
  • The telemetry exporters based in telemetry/opencensus, although they are still available, won’t receive further updates and will be deprecated in the future. All efforts are focused on OpenTelemetry instead.
  • The telemetry exporter telemetry/influx is still available, but won’t receive further updates and will be deprecated in the future. All efforts are focused on OpenTelemetry instead.

Upgrade to CE v2.5

The v2.5 binary allows multiple POSTS in and out sequential calls, restricts service listening to a specific IP, and improves JWT and AMQP. Configuration changes for v2.5:

  • The flag router.use_h2c has moved to the root level as use_h2c, and its usage inside the router is marked as deprecated.

Upgrade to CE v2.4

The v2.4 improves the rate limit usage experience to support non-second time intervals, and offers more granularity option to improve security. Configuration changes for v2.4:

  • The flag allow_insecure_connections was relocated under client_tls in v2.3 and the old location on tls is no longer supported.
  • The flag prefer_server_cipher_suites is no longer supported. Servers now select the best mutually supported cipher suite automatically based on the logic that considers inferred client hardware, server hardware, and security.

Upgrade to CE v2.3

The v2.3 adds more connectivity options with backends and caching and adds the possibility to load changes into a local KrakenD using the Designer (UI) directly. Configuration changes for v2.3:

  • The flag tls.allow_insecure_connections is now marked as deprecated because it has moved to client_tls.allow_insecure_connections. The support under tls will be removed in the next version.

Upgrade to CE v2.2

It introduces a new security audit command (krakend audit) that parses and analyzes your configurations and outputs security recommendations. We have designed it to run as a standalone command or integrated it into your existing CI/CD pipeline to avoid dangerous configurations, such as unwillingly disabling the TLS, setting excessive timeouts, unprotected endpoints, or similar scenarios. Configuration changes for v2.2:

This version does not require any configuration change.

Upgrade to CE v2.1

KrakenD 2.1 brings a new ready-to-use Kibana dashboard, an updated Grafana Dashboard for InfluxDB v2 and more features and bugfixes Configuration changes for v2.1:

This version does not require any configuration change.

Upgrade to v2.0 from v0.x or v1.x

The KrakenD 2.0 release is a major version that simplifies the configuration of v1.x and standardizes field names that were using different criteria to declare the attributes. The migration tool allows you to migrate from KrakenD 0.x or 1.x to 2.0

How to use the legacy migration tool

  • Use git or similar DVCS to track the changes. Compare the differences at the end.
  • Download the configuration migration tool and execute it passing the path to your KrakenD project
  • Review the changes the migration tool did to your config and start the config with the new version

If you have custom go plugins, recompile them. KrakenD has now a command krakend check-plugin and krakend test-plugin to test them.

Special attention to short words
The migration script replaces words used by KrakenD in the past and are no longer supported that might collide with wording you use in your endpoints. Words like whitelist or blacklist will be replaced by allow and deny. Make sure to check the changes in the configuration and ensure that the migration tool didn’t change any endpoint definition using those names.

The migration tool will take care of what is described below for you, and is actually quite simple. For the most part, what it does is to rename configurations and namespaces. The following list is what it takes care of:

Renamed namespaces

The most visible change is that all non-core components (this is everything outside of Lura) were declared inside an extra_config section, using a looong namespace. That namespace contained what could look like a URL (e.g., github.com/devopsfaith/krakend-jose/validator) and generated frequent misunderstandings year after year. Now, all namespaces have been categorized and simplified to a description of their functionality (e.g., auth/validator).

See the migration tool’s source code for the complete list of renamed namespaces.

Consistent attribute naming

Another relevant change is that some attributes have been renamed to be consistent across all configurations. Prior to 2.0, some attributes used hyphenation (hyphen-ation), while others used snake case (snake_case) or camel case (camelCase). Now, we use snake_case everywhere if possible.

Removed deprecated elements

The final change is that all functionalities and attributes marked as deprecated in 1.4 have been removed.

  • whitelist is removed, and only allow is recognized now
  • blacklist is removed, and only deny is recognized now
  • krakend-etc is no longer included in the binary
  • krakend-consul, the integration of consul for the JWT revoker, is no longer included in the binary.

Summing up, see the before and after of the following snippet which has 3 of the changes mentioned above.

KrakenD 1:

{
    "endpoint": "/foo",
    "extra_config": {
        "github.com/devopsfaith/krakend-jose/validator" {
            "alg": "RS256",
            "jwk-url": "https://url/to/jwks.json"
        }
    },
    "backend": [
        {
            "url_pattern": "/foo",
            "whitelist": ["field1", "field2"]
        }
    ]
}

KrakenD 2: Differences highlighted

{
    "endpoint": "/foo",
    "extra_config": {
        "auth/validator": {
            "alg": "RS256",
            "jwk_url": "https://url/to/jwks.json"
        }
    },
    "backend": [
        {
            "url_pattern": "/foo",
            "allow": ["field1", "field2"]
        }
    ]
}

Scarf

Unresolved issues?

The documentation is only a piece of the help you can get! Whether you are looking for Open Source or Enterprise support, see more support channels that can help you.