Upgrade Kong Gateway
Upgrade to major, minor, and patch Kong Gateway (Enterprise package) releases using the kong migrations
commands.
You can also use the commands to migrate all Kong Gateway (OSS) entities to Kong Gateway. See Migrating from Kong Gateway (OSS) to Kong Gateway.
If you experience any issues when running migrations, contact Kong Support for assistance.
Upgrade path for Kong Gateway releases
Kong adheres to semantic versioning, which makes a distinction between major, minor, and patch versions. The upgrade path for major and minor versions differs depending on the previous version from which you are migrating:
If you are migrating from 2.x.x, upgrading to 2.7.x is a minor upgrade. You can upgrade from any 2.1.x or later version directly to 2.7.x.
If you are migrating from 1.x.x, upgrading to 2.7.x is a major upgrade. While you can upgrade directly to the latest version, be aware of any breaking changes between the 1.x and 2.x series noted in this document and in the Gateway changelogs.
See specific breaking changes in the Kong Gateway changelogs: open-source (OSS) and Enterprise. Since Kong Gateway is built on an open-source foundation, any breaking changes in OSS affect all Gateway packages.
In either case, you can review the upgrade considerations, then follow the database migration instructions.
Upgrade considerations
Before upgrading, review this list for any configuration or breaking changes that affect your current installation.
If you are adding a new plugin to your installation, you need to run kong migrations up
with the plugin name specified. For example, KONG_PLUGINS=oauth2
.
Kong Manager breaking changes
Version 2.7.x introduced a new way to configure the OIDC plugin to map IdP roles to Kong Manager admin accounts. You must now specify the admin_claim
instead of the consumer_claim
in your OIDC config file. For more information, see OIDC Authenticated Group Mapping.
Dev Portal migrations
There are no migrations necessary for the Dev Portal when upgrading from 2.6.x to 2.7.x.
If you are currently using the Dev Portal in 1.5.x or earlier, manually migrate the files to version 2.1.x before continuing.
Hybrid mode considerations
- If you are currently running 2.6.x in classic (traditional) mode and want to run in hybrid mode instead, follow the hybrid mode installation instructions after running the migration.
- Custom plugins (either your own plugins or third-party plugins that are not shipped with Kong) need to be installed on both the control plane and the data planes in hybrid mode. Install the plugins on the control plane first, and then the data planes.
- The Rate Limiting Advanced plugin does not support the
cluster
strategy in hybrid mode. Theredis
strategy must be used instead.
Kong for Kubernetes considerations
The Helm chart automates the upgrade migration process. When running helm upgrade
, the chart spawns an initial job to run kong migrations up
and then spawns new Kong pods with the updated version. Once these pods become ready, they begin processing traffic and old pods are terminated. Once this is complete, the chart spawns another job to run kong migrations finish
.
While the migrations themselves are automated, the chart does not automatically ensure that you follow the recommended upgrade path. If you are upgrading from more than one minor Kong version back, check the upgrade path recommendations for Kong open source or Kong Gateway.
Although not required, users should upgrade their chart version and Kong version independently. In the event of any issues, this will help clarify whether the issue stems from changes in Kubernetes resources or changes in Kong.
For specific Kong for Kubernetes version upgrade considerations, see Upgrade considerations
Kong deployment split across multiple releases
The standard chart upgrade automation process assumes that there is only a single Kong release in the Kong cluster, and runs both migrations up
and migrations finish
jobs.
If you split your Kong deployment across multiple Helm releases (to create proxy-only and admin-only nodes, for example), you must set which migration jobs run based on your upgrade order.
To handle clusters split across multiple releases, you should:
Upgrade one of the releases with:
helm upgrade RELEASENAME -f values.yaml \
--set migrations.preUpgrade=true \
--set migrations.postUpgrade=false
Upgrade all but one of the remaining releases with:
helm upgrade RELEASENAME -f values.yaml \
--set migrations.preUpgrade=false \
--set migrations.postUpgrade=false
Upgrade the final release with:
helm upgrade RELEASENAME -f values.yaml \
--set migrations.preUpgrade=false \
--set migrations.postUpgrade=true
This ensures that all instances are using the new Kong package before running kong migrations finish
.
Upgrade from 1.x.x - 2.6.x to 2.7.x
Kong Gateway supports the zero downtime migration model. This means that while the migration is in process, you have two Kong clusters with different versions running that are sharing the same database. This is sometimes referred to as the blue-green migration model.
The migrations are designed so that there is no need to fully copy the data. The new version of Kong Gateway is able to use the data as it is migrated, and the old Kong cluster keeps working until it is finally time to decommission it. For this reason, the full migration is split into two commands:
kong migrations up
: performs only non-destructive operationskong migrations finish
: puts the database in the final expected state (DB-less mode is not supported in Kong Gateway)
Follow the instructions for your backing data store to migrate to the new version. If you prefer to use a fresh data store and only migrate your kong.conf
file, see the instructions to install 2.7.x on a fresh datastore.
Postgres
- Download 2.7.x, and configure it to point to the same datastore as your old (1.x.x-2.x.x) cluster.
- Run
kong migrations up
. After that finishes running, both the old (1.x.x-2.x.x) and new (2.7.x) clusters can now run simultaneously on the same datastore. Start provisioning 2.7.x nodes, but do not use their Admin API yet.
Gradually divert traffic away from your old nodes, and redirect traffic to your 2.7.x cluster. Monitor your traffic to make sure everything is going smoothly.
- When your traffic is fully migrated to the 2.7.x cluster, decommission your old nodes.
From your 2.7.x cluster, run
kong migrations finish
. From this point onward, it is no longer possible to start nodes in the old cluster that still points to the same datastore.Run this command only when you are confident that your migration was successful. From now on, you can safely make Admin API requests to your 2.7.x nodes.
Cassandra
Due to internal changes, the table schemas used by Kong Gateway 2.7.x on Cassandra are incompatible with those used by Kong Gateway 2.1.x or lower. Migrating using the usual commands kong migrations up
and kong migrations finish
will require a small window of downtime, since the old and new versions cannot use the database at the same time.
Alternatively, to keep your previous version fully operational while the new one initializes, transfer the data to a new keyspace using a database dump, as described below:
Download 2.7.x, and configure it to point to a new keyspace.
Run
kong migrations bootstrap
.Once that finishes running, both the old (1.x.x-2.1.x) and new (2.7.x) clusters can now run simultaneously, but the new cluster does not have any data yet.
On the old cluster, run
kong config db_export
. This will create a file namedkong.yml
with a database dump.- Transfer the file to the new cluster and run
kong config db_import kong.yml
. This will load the data into the new cluster. - Gradually divert traffic away from your old nodes, and into your 2.7.x cluster. Monitor your traffic to make sure everything is going smoothly.
- When your traffic is fully migrated to the 2.7.x cluster, decommission your old nodes.
Install 2.7.x on a fresh datastore
For installing on a fresh datastore, Kong Gateway 2.7.x has the kong migrations bootstrap
command. Run the following commands to prepare a new 2.7.x cluster from a fresh datastore. By default, the kong
CLI tool loads the configuration from /etc/kong/kong.conf
, but you can optionally use the -c
flag to indicate the path to your configuration file:
$ kong migrations bootstrap [-c /path/to/kong.conf]
$ kong start [-c /path/to/kong.conf]