Tyk Gateway 5.2 Release Notes

Last updated: 21 minutes read.

Open Source (Mozilla Public License)

This page contains all release notes for version 5.2.X displayed in reverse chronological order

Support Lifetime

Minor releases are supported until our next minor or major release comes out. There is no 5.3 scheduled in 2023. Subsequently, 5.2 is currently expected to remain in support until our next minor version comes out in Q1 2024.


5.2.5 Release Notes

Release Date 19 Dec 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release implements a bug fix. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Fixed

  • Long custom keys not maintained in distributed Data Planes

    Fixed an issue where custom keys over 24 characters in length were deleted from Redis in the Data Plane when key update action signalled in distributed (MDCB) setups.


5.2.4 Release Notes

Release Date 7 Dec 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release enhances security, stability, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Fixed

  • Output from Tyk OAS request validation schema failure is too verbose

    Fixed an issue where the Validate Request middleware provided too much information when reporting a schema validation failure in a request to a Tyk OAS API.

  • Gateway incorrectly applying policy Path-Based Permissions in certain circumstances

    Fixed a bug where the gateway didn’t correctly apply Path-Based Permissions from different policies when using the same sub claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.

  • Plugin compiler not correctly supporting build_id to differentiate between different builds of the same plugin

    Fixed a bug when using the build_id argument with the Tyk Plugin Compiler that prevents users from hot-reloading different versions of the same plugin compiled with different build_ids. The bug was introduced with the plugin module build change implemented in the upgrade to Go version 1.19 in Tyk 5.1.0.

  • URL Rewrite fails to handle escaped character in query parameter

    Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware in Tyk 5.0.5/5.1.2. The previous fix did not correctly handle escaped characters in the query parameters. Now you can safely include escaped characters in your query parameters and Tyk will not modify them in the URL Rewrite middleware.


5.2.3 Release Notes

Release Date 21 Nov 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release enhances security, stability, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Fixed

  • Python version not always correctly autodetected

    Fixed an issue where Tyk was not autodetecting the installed Python version if it had multiple digits in the minor version (e.g. Python 3.11). The regular expression was updated to correctly identify Python versions 3.x and 3.xx, improving compatibility and functionality.

  • Gateway blocked trying to retrieve keys via MDCB when using JWT auth

    Improved the behaviour when using JWTs and the MDCB (Multi Data Centre Bridge) link is down; the Gateway will no longer be blocked attempting to fetch OAuth client info. We’ve also enhanced the error messages to specify which type of resource (API key, certificate, OAuth client) the data plane Gateway failed to retrieve due to a lost connection with the control plane.

  • Custom Authentication Plugin not working correctly with policies

    Fixed an issue where the session object generated when creating a Custom Key in a Go Plugin did not inherit parameters correctly from the Security Policy.

  • Attaching a public key to an API definition for mTLS brings down the Gateway

    Fixed an issue where uploading a public key instead of a certificate into the certificate store, and using that key for mTLS, caused all the Gateways that the APIs are published on to cease negotiating TLS. This fix improves the stability of the gateways and the successful negotiation of TLS.

Added

  • Implemented a `tyk version` command that provides more details about the Tyk Gateway build

    This prints the release version, git commit, Go version used, architecture and other build details.

  • Added option to fallback to default API version

    Added new option for Tyk to use the default version of an API if the requested version does not exist. This is referred to as falling back to default and is enabled using a configuration flag in the API definition; for Tyk OAS APIs the flag is fallbackToDefault, for Tyk Classic APIs it is fallback_to_default.

  • Implemented a backoff limit for GraphQL subscription connection retry

    Added a backoff limit for GraphQL subscription connection retry to prevent excessive error messages when the upstream stops working. The connection retries and linked error messages now occur in progressively longer intervals, improving error handling and user experience.

Community Contributions

Special thanks to the following member of the Tyk community for their contribution to this release:

  • Runtime log error incorrectly produced when using Go Plugin Virtual Endpoints

    Fixed a minor issue with Go Plugin virtual endpoints where a runtime log error was produced from a request, even if the response was successful. Thanks to uddmorningsun for highlighting the issue and proposing a fix.


5.2.2 Release Notes

Release Date 31 Oct 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Security

The following CVEs have been resolved in this release:

Fixed

  • Enforced timeouts were incorrect on a per-request basis

    Fixed an issue where enforced timeouts values were incorrect on a per-request basis. Since we enforced timeouts only at the transport level and created the transport only once within the value set by max_conn_time, the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.

  • Incorrect access privileges were granted in security policies

    Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This was due to the policy cleaning operation that is triggered when an API is deleted from a policy in a MongoDB installation. With this fix, the policy cleaning operation will not remove the final (deleted) API from the policy; Tyk recognises that the API record is invalid and denies granting access rights to the key.

  • Logstash formatter timestamp was not in RFC3339 Nano format

    The Logstash formatter timestamp is now in RFC3339Nano format.

  • In high load scenarios the DRL Manager was not protected against concurrent read and write operations

    Fixed a potential race condition where the DRL Manager was not properly protected against concurrent read/write operations in some high-load scenarios.

  • Performance issue encountered when Tyk Gateway retrieves a key via MDCB for a JWT API

    Fixed a performance issue encountered when Tyk Gateway retrieves a key via MDCB for a JWT API. The token is now validated against JWKS or the public key in the API Definition.

  • JWT middleware introduced latency which reduced overall request/response throughput

    Fixed a performance issue where JWT middleware introduced latency which significantly reduced the overall request/response throughput.

  • UDG examples were not displayed when Open Policy Agent (OPA) was enabled

    Fixed an issue that prevented UDG examples from being displayed in the dashboard when the Open Policy Agent(OPA) is enabled.

  • Sensitive information logged when incorrect signature provided for APIs protected by HMAC authentication

    Fixed an issue where the Tyk Gateway logs would include sensitive information when the incorrect signature is provided in a request to an API protected by HMAC authentication.

Community Contributions

Special thanks to the following members of the Tyk community for their contributions to this release:

  • ULID Normalization implemented - Implemented *ULID Normalization*, replacing valid ULID identifiers in the URL with a `{ulid}` placeholder for analytics. This matches the existing UUID normalization. Thanks to [Mohammad Abdolirad](https://github.com/atkrad) for the contribution.
  • Duplicate error message incorrectly reported when a custom Go plugin returned an error

    Fixed an issue where a duplicate error message was reported when a custom Go plugin returned an error. Thanks to @PatrickTaibel for highlighting the issue and suggesting a fix.


5.2.1 Release Notes

Release Date 10 Oct 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are on a 5.2.0 we advise you to upgrade ASAP and if you are on an older version skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Changed

  • Log messaging quality enhanced

    Enhance log message quality by eliminating unnecessary messages

  • Configurable retry for resource loading introduced

    Fixed a bug that occurs during Gateway reload where the Gateway would continue to load new API definitions even if policies failed to load. This led to a risk that an API could be invoked without the associated policies (for example, describing access control or rate limits) having been loaded. Now Tyk offers a configurable retry for resource loading, ensuring that a specified number of attempts will be made to load resources (APIs and policies). If a resource fails to load, an error will be logged and the Gateway reverts to its last working configuration.

    We have introduced two new variables to configure this behaviour:

    • resource_sync.retry_attempts - defines the number of retries that the Gateway should perform during a resource sync (APIs or policies), defaulting to zero which means no retries are attempted
    • resource_sync.interval - setting the fixed interval between retry attempts (in seconds)
  • Added http.response.body.size and http.request.body.size for OpenTelemetry users

    For OpenTelemetry users, we’ve included much-needed attributes, http.response.body.size and http.request.body.size, in both Tyk HTTP spans and upstream HTTP spans. This addition enables users to gain better insight into incoming/outgoing request/response sizes within their traces.

Fixed

  • Memory leak was encountered if OpenTelemetry enabled

    Fixed a memory leak issue in Gateway 5.2.0 if OpenTelemetry (abbreviated “OTel”) is enabled. It was caused by multiple otelhttp handlers being created. We have updated the code to use a single instance of otelhttp handler in 5.2.1 to improve performance under high traffic load.

  • Memory leak encountered when enabling the strict routes option

    Fixed a memory leak that occurred when enabling the strict routes option to change the routing to avoid nearest-neighbour requests on overlapping routes (TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES)

  • High rates of Tyk Gateway reloads were encountered

    Fixed a potential performance issue related to high rates of Tyk Gateway reloads (when the Gateway is updated due to a change in APIs and/or policies). The gateway uses a timer that ensures there’s at least one second between reloads, however in some scenarios this could lead to poor performance (for example overloading Redis). We have introduced a new configuration option, reload_interval (TYK_GW_RELOADINTERVAL), that can be used to adjust the duration between reloads and hence optimise the performance of your Tyk deployment.

  • Headers for GraphQL headers were not properly forwarded upstream for GQL/UDG subscriptions

    Fixed an issue with GraphQL APIs, where headers were not properly forwarded upstream for GQL/UDG subscriptions.

  • Idle upstream connections were incorrectly closed

    Fixed a bug where the Gateway did not correctly close idle upstream connections (sockets) when configured to generate a new connection after a configurable period of time (using the max_conn_time configuration option). This could lead to the Gateway eventually running out of sockets under heavy load, impacting performance.

  • Extra chunked transfer encoding was uncessarily added to rawResponse analytics

    Removed the extra chunked transfer encoding that was added unnecessarily to rawResponse analytics

  • Reponse body transformation not execute when Persist GraphQL middleware used

    Resolved a bug with HTTP GraphQL APIs where, when the Persist GraphQL middleware was used in combination with Response Body Transform, the response’s body transformation was not being executed.

    Bug in persistent gql and response body transform

  • Unable to modify a key that provides access to an inactive or draft API

    Fixed a bug where, if you created a key which provided access to an inactive or draft API, you would be unable to subsequently modify that key (via the Tyk Dashboard UI, Tyk Dashboard API or Tyk Gateway API)

Dependencies

  • Updated TykTechnologies/gorm to v1.21 in Tyk Gateway

5.2.0 Release Notes

Release Date 29 Sep 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Release Highlights

We’re thrilled to bring you some exciting enhancements and crucial fixes to improve your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the detailed changelog below.

Added Body Transform Middleware to Tyk OAS API Definition

With this release, we are adding the much requested Body Transformations to Tyk OAS API Definition. You can now configure middleware for both request and response body transformations and - as a Tyk Dashboard user - you’ll be able to do so from within our simple and elegant API Designer tool.

Reference Tyk OAS API Definition From Within Your Custom Go Plugins

Reference the Tyk OAS API definition from within your custom Go Plugins, bringing them up to standard alongside those you might use with a Tyk Classic API.

Configure Caching For Each API Endpoint

We’ve added the ability to configure per-endpoint timeouts for Tyk’s response cache, giving you increased flexibility to tailor your APIs to your upstream services.

Added Header Management in Universal Data Graph

With this release we are adding a concept of header management in Universal Data Graph. With multiple upstream data sources, data graphs need to be sending the right headers upstream, so that our users can effectively track the usage and be able to enforce security rules at each stage. All Universal Data Graph headers now have access to request context variables like JWT claims, IP address of the connecting client or request ID. This provides extensive configurability of customisable information that can be sent upstream.

Added Further Support For GraphQL WebSocket Protocols

Support for WebSocket protocols between client and the Gateway has also been expanded. Instead of only supporting the graphql-ws protocol, which is becoming deprecated, we now also support graphql-transport-ws by setting the Sec-WebSocket-Protocol header to graphql-transport-ws.

Added OpenTelemetry Tracing

In this version, we’re introducing the support for OpenTelemetry Tracing, the new open standard for exposing observability data. This addition gives you improved visibility into how API requests are processed, with no additional license required. It is designed to help you with monitoring and troubleshooting APIs, identify bottlenecks, latency issues and errors in your API calls. For detailed information and guidance, you can check out our OpenTelemetry Tracing resource.

OpenTelemetry makes it possible to isolate faults within the request lifetime through inspecting API and Gateway meta-data. Additionally, performance bottlenecks can be identified within the request lifetime. API owners and developers can use this feature to understand how their APIs are being used or processed within the Gateway.

OpenTelemetry functionality is also available in Go Plugins. Developers can write code to add the ability to preview OpenTelemetry trace attributes, error status codes etc., for their Go Plugins.

We offer support for integrating OpenTelemetry traces with supported open source tools such Jaeger, Dynatrace or New Relic. This allows API owners and developers to gain troubleshooting and performance insights from error logs, response times etc. You can also find a direct link to our docs in the official OpenTelemetry Integration page

Warning

Tyk Gateway 5.2 now includes OpenTelemetry Tracing. Over the next year, we’ll be deprecating OpenTracing. We recommend migrating to OpenTelemetry for better trace insights and more comprehensive support. This change will offer you significant advantages in managing your distributed tracing needs.

Downloads

Changelog

Added:

  • Added support for configuring distributed tracing behaviour

    Added support for configuring distributed tracing behaviour of Tyk Gateway. This includes enabling tracing, configuring exporter types, setting the URL of the tracing backend to which data is to be sent, customising headers, and specifying enhanced connectivity for HTTP, HTTPS and gRPC. Subsequently, users have precise control over tracing behaviour in Tyk Gateway.

  • Added support for configuring OpenTelemetry

    Added support to configure OpenTelemetry sampling types and rates in the Tyk Gateway. This allows users to manage the need for collected detailed tracing information against performance and resource usage requirements.

  • Added span attributes to simplify identifying Tyk API and request meta-data per request

    Added span attributes to simplify identifying Tyk API and request meta-data per request. Example span attributes include: tyk.api.id, tyk.api.name, tyk.api.orgid, tyk.api.tags, tyk.api.path, tyk.api.version, tyk.api.apikey, tyk.api.apikey.alias and tyk.api.oauthid. This allows users to use OpenTelemetry semantic conventions to filter and create metrics for increased insight and observability.

  • Add custom resource attributes to allow process information to be available in traces

    Added custom resource attributes: service.name, service.instance.id, service.version, tyk.gw.id, tyk.gw.dataplane, tyk.gw.group.id, tyk.gw.tags to allow process information to be available in traces.

  • Allow clients to retrieve the trace ID from response headers when OpenTelemetry enabled

    Added a new feature that allows clients to retrieve the trace ID from response headers. This feature is available when OpenTelemetry is enabled and simplifies debugging API requests, empowering users to seamlessly correlate and analyse data for a specific trace in any OpenTelemetry backend like Jaeger.

  • Allow detailed tracing to be enabled/disabled at API level

    Added configuration parameter to enable/disable detail_tracing for Tyk Classic API.

  • Add OpenTelemetry support for GraphQL

    Added OpenTelemetry support for GraphQL. This is activated by setting opentelemetry.enabled to true. This integration enhances observability by enabling GQL traces in any OpenTelemetry backend, like Jaeger, granting users comprehensive insights into the execution process, such as request times.

  • Add support to configure granual control over cache timeout at the endpoint level

    Added a new timeout option, offering granular control over cache timeout at the endpoint level.

  • Enable request context variables in UDG global or data source headers

    Added support for using request context variables in UDG global or data source headers. This feature enables much more advanced header management for UDG and allows users to extract header information from an incoming request and pass it to upstream data sources.

  • Add support for configuration of global headers for any UDG

    Added support for configuration of global headers for any UDG. These headers will be forwarded to all data sources by default, enhancing control over data flow.

  • Add ability for Custom GoPlugin developers using Tyk OAS APIs to access the API Definition

    Added the ability for Custom GoPlugin developers using Tyk OAS APIs to access the API Definition from within their plugin. The newly introduced ctx.getOASDefinition function provides read-only access to the OAS API Definition and enhances the flexibility of plugins.

  • Add support for graphql-transport-ws websocket protocol

    Added support for the websocket protocol, graphql-transport-ws protocol, enhancing communication between the client and Gateway. Users connecting with the header Sec-WebSocket-Protocol set to graphql-transport-ws can now utilise messages from this protocol for more versatile interaction.

  • Developers using Tyk OAS API Definition can configure body transform middleware for API reponses

    Added support for API Developers using Tyk OAS API Definition to configure a body transform middleware that operates on API responses. This enhancement ensures streamlined and selective loading of the middleware based on configuration, enabling precise response data customisation at the per-endpoint level.

  • Enhanced Gateway usage reporting, allowing reporting of number of connected gateways and data planes - Added support for enhanced *Gateway* usage reporting. *MDCB v2.4* and *Gateway v5.2* can now report the number of connected gateways and data planes. Features such as data plane gateway visualisation are available in *Tyk Dashboard* for enhanced monitoring of your deployment.

Changed:

  • Response Body Transform middleware updated to remove unnecessary entries in Tyk Classic API Definition

    Updated Response Body Transform middleware for Tyk Classic APIs to remove unnecessary entries in the API definition. The dependency on the response_processor.response_body_transform configuration has been removed to streamline middleware usage, simplifying API setup.

Fixed:

  • UDG was dropping array type parameter in certain circumstances from final request URL sent upstream

    Fixed an issue with querying a UDG API containing a query parameter of array type in a REST data source. The UDG was dropping the array type parameter from the final request URL sent upstream.

  • Introspection of GraphQL schemas raised an error when dealing with some custom root types

    Fixed an issue with introspecting GraphQL schemas that previously raised an error when dealing with custom root types other than Query, Mutation or Subscription.

  • Enforced Timeout configuration parameter of an API endpoint was not validated

    Fixed an issue where the Enforced Timeout configuration parameter of an API endpoint accepted negative values, without displaying validation errors. With this fix, users receive clear feedback and prevent unintended configurations.

  • allowedIPs validation failures were causing the loss of other error types reported

    Fixed an issue where allowedIPs validation failures replaced the reported errors list, causing the loss of other error types. This fix appends IP validation errors to the list, providing users with a comprehensive overview of encountered errors. Subsequently, this enhances the clarity and completeness of validation reporting.

  • The Data Plane Gateway for versions < v5.1 crashed with panic error when creating a Tyk OAS API

    Fixed a critical issue in MDCB v2.3 deployments, relating to Data Plane stability. The Data Plane Gateway with versions older than v5.1 was found to crash with a panic when creating a Tyk OAS API. The bug has been addressed, ensuring stability and reliability in such deployments.


Further Information

Upgrading Tyk

Please refer to the upgrading Tyk page for further guidance with respect to the upgrade strategy.

API Documentation

FAQ

Please visit our Developer Support page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.