
KrakenD Enterprise v2.5 released with API Monetization

by Albert Lombarte

We’re excited to announce the latest release v2.5 of KrakenD Enterprise, packed with powerful features and enhancements to make your API gateway experience even more seamless and robust. Needless to say, the KrakenD Enterprise v2.5 contains everything in the KrakenD Community 2.5 and a lot more. Let’s dive into the key changes in this release:

API Monetization and Governance

Ooh la la! Our first release of KrakenD with API Monetization, in partnership with Moesif, which allows you to charge for your APIs based on usage, check the analytics, and set governance rules that KrakenD keeps in-sync in real time. Are you interested? Get in touch for a demo.

Moesif dashboard

API Monetization documentation

Access to request body

There are two interesting functionalities related to request payloads. First, you can access the request body even in responses when using the body generator (a .req_body variable has been added). Secondly, you asked for it, and now it's here: endpoints with multiple POSTs are now possible. The limitation on working with multiple unsafe methods simultaneously has been removed.

{
    "endpoints": [
        {
            "endpoint": "/abc",
            "method": "POST",
            "backend": [
                { "url_pattern": "/a", "method": "POST" },
                { "url_pattern": "/b", "method": "POST" },
                { "url_pattern": "/c", "method": "POST" }
            ]
        }
    ]
}

Easier License management

Introducing the new license command, allowing you to effortlessly check licenses in pipelines automatically. Keeping your licensing in check has never been this straightforward, as you no longer need custom scripts with openssl.

Multi-step E2E tests

The End-to-End testing feature now allows you to do multiple calls in a single test case using next, so you can emulate more complex flows in the same file.

E2E documentation

Extended Flexible Configuration (EFC) Advancements

EFC can now work automatically without the need for environment variables when a flexible_config.json file is present.

You can also run the --lint of the check command in a single step when you have flexible configuration; you no longer need to feed it the output of a previous command.

In addition, templates now have access to a new {{ .meta }} variable containing metadata of the file tree involved in rendering the templates. Plus, enhanced error logging and debugging for a smoother development experience.

Extended Flexible Configuration documentation

OpenAPI Generation Enhancements

The OpenAPI generation now allows you to define the request body using request_definition, and allows you to declare global component/schemas to reuse in endpoints through the $ref attribute, adding flexibility to your API design.

OpenAPI documentation

Security Boosts

Mutual TLS Support for upstream services: Complementing the previously existing mTLS from clients to KrakenD, now you can ensure secure communication from the gateway to your upstream services with this addition, available both globally and individually per backend.

Hashing Function Options for API keys: API Key declaration now accepts hashing functions like fnv128, sha256, and sha1, so that API keys are not kept in clear text in the configuration.
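To illustrate what hashed API keys buy you, here is an added example (not KrakenD's own code) of a gateway-style key check: the configuration stores only a digest of each key, the presented key is digested with the same algorithm at request time, and the two digests are compared in constant time. The function names, the hex encoding of the digest, and the choice of FNV-1a for fnv128 are assumptions made for this example; consult the KrakenD documentation for the encoding the product actually expects.

```go
package main

import (
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"strings"
)

// HashKey digests a clear-text API key with the named algorithm and returns
// the lowercase hex encoding. The names mirror the options listed in the
// release note (fnv128, sha256, sha1); the encoding is an assumption.
func HashKey(algo, key string) (string, error) {
	switch strings.ToLower(algo) {
	case "sha256":
		sum := sha256.Sum256([]byte(key))
		return hex.EncodeToString(sum[:]), nil
	case "sha1":
		sum := sha1.Sum([]byte(key))
		return hex.EncodeToString(sum[:]), nil
	case "fnv128":
		h := fnv.New128a() // assumption: FNV-1a; Go also offers fnv.New128 (FNV-1)
		h.Write([]byte(key))
		return hex.EncodeToString(h.Sum(nil)), nil
	default:
		return "", fmt.Errorf("unsupported hash %q", algo)
	}
}

// Client models one API-key entry in a gateway configuration: only the digest
// of the key is stored, never the clear-text key itself.
type Client struct {
	Name  string
	Algo  string
	Hash  string // hex digest of the clear-text key
	Roles []string
}

// Authenticate digests the presented key with each client's algorithm and
// compares digests in constant time, so a mismatch does not reveal how many
// leading bytes matched. It returns the matching client, or nil.
func Authenticate(clients []Client, presented string) *Client {
	for i := range clients {
		c := &clients[i]
		got, err := HashKey(c.Algo, presented)
		if err != nil {
			continue // misconfigured entry: never matches
		}
		if subtle.ConstantTimeCompare([]byte(got), []byte(c.Hash)) == 1 {
			return c
		}
	}
	return nil
}

func main() {
	// Constructed sample: an operator hashes the key once, offline, and only
	// the digest ends up in the configuration file.
	digest, _ := HashKey("sha256", "constructed-sample-key")
	clients := []Client{{Name: "billing", Algo: "sha256", Hash: digest, Roles: []string{"reader"}}}

	if c := Authenticate(clients, "constructed-sample-key"); c != nil {
		fmt.Println("authenticated as", c.Name, "roles", c.Roles)
	}
	if Authenticate(clients, "wrong-key") == nil {
		fmt.Println("wrong key rejected")
	}
}
```

The digest protects a leaked configuration file from directly exposing usable keys; it does not reduce the entropy you need in the keys themselves, since a short or guessable key can still be brute-forced against a sha1 or sha256 digest. Keys should therefore remain long random values regardless of the hashing option chosen.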

Listen IP Restriction: The new listen_ip setting allows you to restrict the service to listen to a specific IP, adding an extra layer of control.

There are a lot of additional features, upgrades and fixes in this release, see the summary list below.

🚀 Summary of changes for EEv2.5

The v2.5 introduces API Monetization, allows multiple POSTs in and out and sequential calls, adds a license command and listening on a specific IP, and improves Flexible Configuration, E2E tests, OpenAPI, and more.

  • Added the API Monetization feature (integration in partnership with Moesif)
  • Endpoints with multiple POSTs are now possible. The restriction to work with multiple unsafe methods is now removed.
  • The response body generator also has access to the request body using .req_body
  • New command license to check licenses in pipelines automatically
  • The End-to-End testing allows multiple calls in a single test case using next.
  • The Extended Flexible Configuration can work automatically now without any environment variables when you have a flexible_config.json file, accepts multiple partial dirs, adds a .meta variable in templates, and improves error logging and debugging
  • The OpenAPI generation allows you to define the request body using request_definition and also to declare component/schemas you can reuse in endpoints with the $ref attribute.
  • Added Mutual TLS from the gateway to your upstream services, both globally (all connections) or individually per backend
  • API key declaration now accepts the hashing functions fnv128, sha256, and sha1.
  • The body request generator is now available at the endpoint level in addition to the backend. It also parses the query and path at a later stage to have the most up-to-date values.
  • The new field listen_ip can now restrict the service to listen to a specific IP.
  • Added new attribute static_routing_key on AMQP consumers (thanks to Georgios Chronis).
  • Added a second level of input_query_strings in the backend section.
  • The propagate_claims attribute for JWT claims now sets to blank those headers with missing values and does not allow the user to override via custom headers.
  • The gRPC can now use headers to construct the payload
  • The WebSockets load balancer now takes a random host when a previously established connection fails.
  • The Flexible Configuration and the --lint flag of check can work now in a single step
  • Your custom plugins (server and client) will now receive the Service Go Context, so you can cancel services started by the plugin when the gateway shuts down.
  • Identity servers returning Content-Type: application/jwk-set+json in their jwk_url are now accepted.
  • Fixed: when defining a custom router section, the default settings for remote_ip_headers were reset.
  • Fixed: the rate limit eviction was resetting on very large time settings.
  • Fixed race conditions on the global JWK URL keys cache.
  • Fixed: requests with method OPTIONS (CORS module) over HTTP/2 without an HTTP/1.1 Upgrade returned a 405 status code instead of 204 when the use_h2c flag was enabled (thanks to @anivanovic).
  • Fixed a WebSocket race condition on concurrent writing.
  • The flag router.use_h2c has moved to the root level as use_h2c, and its usage inside the router is marked as deprecated.
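The propagate_claims change in the list above is worth a closer look, because the two behaviours it describes (blanking headers whose claim is missing, and refusing client overrides) are what make a claim-derived header trustworthy upstream. The following is an added example, not KrakenD's code, of that pattern over a standard net/http Header; the claim-to-header mapping and the claim values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// claimHeaders maps a JWT claim name to the request header it is propagated
// into. Constructed for this example; KrakenD's own mapping syntax differs.
var claimHeaders = map[string]string{
	"sub":   "X-User",
	"roles": "X-Roles",
}

// claimValue renders a claim for a header: strings as-is, string slices
// comma-joined, anything else via fmt.
func claimValue(v any) string {
	switch t := v.(type) {
	case string:
		return t
	case []string:
		return strings.Join(t, ",")
	default:
		return fmt.Sprint(t)
	}
}

// PropagateClaims writes the mapped claims of a validated token into headers
// before the request is forwarded upstream. Two properties matter for
// security: a header whose claim is absent is explicitly set to an empty
// value rather than left untouched, and any value the client sent under the
// same header name is overwritten. Upstream services can then rely on X-User
// reflecting the validated token only, never a header the caller supplied.
func PropagateClaims(h http.Header, claims map[string]any) {
	for claim, header := range claimHeaders {
		v, ok := claims[claim]
		value := ""
		if ok {
			value = claimValue(v)
		}
		h.Set(header, value) // Set replaces, so a client-supplied value cannot survive
	}
}

func main() {
	// Constructed request headers: the caller tries to smuggle its own X-User.
	h := http.Header{}
	h.Set("X-User", "spoofed-admin")
	h.Set("X-Roles", "admin")

	// Constructed claims from a validated token: no roles claim at all.
	PropagateClaims(h, map[string]any{"sub": "alice"})
	fmt.Printf("X-User=%q X-Roles=%q\n", h.Get("X-User"), h.Get("X-Roles"))
}
```

The unsafe variant would be a loop that skips missing claims: the caller's own X-Roles: admin would then pass through untouched, which is exactly the override the release note says is no longer allowed.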

Upgrading to the latest version is always advised.

We’re thrilled about the strides we’ve made with KrakenD Enterprise, and we’re confident that these updates will empower you in tackling complex API challenges. As always, thank you for being part of the KrakenD community!

Happy 🐙 configuring!
