Here are the release notes for Spring Cloud Gateway for Kubernetes.
v2.2.5
Release Date: July 18, 2024
Included in this release:
- Update to Spring Boot 3.2.7 and Spring Cloud 2023.0.3
- Fix a case where routes were not configured and validation did not report it
- Includes org.springframework.cloud:spring-cloud-gateway-server v4.1.5 with fix that prevented routes from being persisted
Security issues resolved in this release:
- CVE-2024-21147 (Java 17)
v2.2.4
Release Date: May 8, 2024
Included in this release:
- Updated Spring Boot to 3.2.5 and Spring Cloud to 2023.0.1
- Gateway now will not start if Redis Binding is not valid
Security issues resolved in this release:
- CVE-2024-22262 (Spring Web)
v2.2.3
Release Date: April 18, 2024
Included in this release:
- Resolved issue that prevented successful CORS validation of URL scheme on CircuitBreaker filter forwarded requests
v2.2.2
Release Date: April 4, 2024
Included in this release:
- Spring Cloud Gateway for Kubernetes Operator startup probe and liveness probe parameters are now configurable for both Tanzu CLI and Helm installations
- Operator startup probe default values now allow more time for the Operator to start
- Redundant Operator readiness probe has been removed
v2.2.1
Release Date: March 28, 2024
Caution Service disruption may occur on upgrade. Please be advised that users of the SSO and Rate Limiting functionality who are not using Redis for state storage will experience service disruption when upgrading to this version. Please see the notes regarding the upgrade of Hazelcast below.
Included in this release:
- GraphQL support (filters to restrict queries by operation count, operation depth and user role)
- Update to Spring Boot 3.2.3 and Spring Cloud 2023.0.0
- Client TLS support improved on Tanzu Application Platform (TAP)
- Updated to Hazelcast 5.3.6
- Improvements to Hazelcast graceful shutdown
- Hazelcast discovery no longer requires Kubernetes API access
- Grafana dashboard template updates
- Enhancements to
/actuator/gatewayendpoint
Security issues resolved in this release:
- CVE-2023-33264 (Hazelcast)
- CVE-2023-33265 (Hazelcast)
- CVE-2023-42503 (commons-compress)
- CVE-2023-45859 (Hazelcast)
- CVE-2023-45860 (Hazelcast)
Hazelcast upgrade:
In this release, we have upgraded the Hazelcast in-memory data store library to the latest available version. Hazelcast is used by Spring Cloud Gateway for Kubernetes for the storage of Single Sign-On (SSO) session and rate limit data, unless you have explicitly configured your Gateway to use Redis instead.
This is a significant update to the version of Hazelcast, and so requires recreation of the internal Hazelcast cluster. This will incur the loss of any existing SSO session and rate limit state.
This will be noticeable to users of the Gateway in the following ways:
- Users of routes that use SSO will need to re-authenticate.
- Users of routes that use the
RateLimitfilter will temporarily experience inconsistent limiting behavior due to the limiter counts being reset.
Gateway instances that are configured to use Redis instead of Hazelcast will not be affected. While we do not expect these significant Hazelcast upgrades to be frequent events, they are sometimes necessary to resolve security issues. Going forward, we recommend switching to Redis if you need to avoid the possibility of service interruption on future upgrades.
