Tyk Gateway 5.3 LTS Release Notes
Last updated: 35 minutes read.
Open Source (Mozilla Public License)
This page contains all release notes for version 5.3.X displayed in a reverse chronological order
Support Lifetime
Our minor releases are supported until our next minor comes out.
5.3.8 Release Notes
Release Date 07 November 2024
Release Highlights
This release focuses mainly on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
This release has no breaking changes.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.8 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.22 (GW) | 1.22 (GW) | Go plugins must be built using Go 1.22 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Deprecations
This is an advanced notice that the dedicated External OAuth, OpenID Connect (OIDC) authentication options, and SQLite support will be deprecated starting in version 5.7.0. We recommend that users of the External OAuth and OpenID Connect methods migrate to Tyk’s dedicated JWT Auth method. Please review your API configurations, as the Gateway logs will provide notifications for any APIs utilizing these methods.
Upgrade Instructions
If you are upgrading to 5.3.8, please follow the detailed upgrade instructions.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.8
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Added
-
Deprecation notice of External OAuth and OpenID Connect options
A deprecation notice for External OAuth and OpenID Connect (OIDC) authentication mechanisms has been implemented in the Gateway logs starting from version 5.3.8. This provides advanced notification to users regarding any APIs configured with these authentication methods in preparation for future upgrades where these middleware options may be removed in version 5.7.0.
Fixed
-
Memory consumption reduced in Gateway for large payloads
This update fixes a bug that caused increased memory usage when proxying large response payloads that was introduced in version 5.3.1, restoring memory requirements to the levels seen in version 5.0.6. Users experiencing out-of-memory errors with 1GB+ file downloads will notice improved performance and reduced latency.
-
Path-based permissions in combined policies not preserved
We resolved an issue that caused path-based permissions in policies to be lost when policies were combined, potentially omitting URL values and restricting access based on the merge order. It ensures that all applicable policies merge their allowed URL access rights, regardless of the order in which they are applied.
-
Enhanced flexibility in Tyk OAS schema validation
A backwards compatibility issue in the way that the Gateway handles Tyk OAS API definitions has been addressed by reducing the strictness of validation against the expected schema. Since Tyk version 5.3, the Gateway has enforced strict validation, potentially causing problems for users downgrading from newer versions. With this change, Tyk customers can move between versions seamlessly, ensuring their APIs remain functional and avoiding system performance issues.
-
Fix for API key loss on worker Gateways due to keyspace sync interruption
This update resolves an issue where API keys could be lost if the keyspace synchronization between control and data planes was interrupted. The solution now enforces a resynchronization whenever a connection is re-established between MDCB and the data plane, ensuring key data integrity and seamless API access.
5.3.7 Release Notes
Release Date 22 October 2024
Release Highlights
This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.3.7 to avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid.
For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
There are no breaking changes in this release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.7 please follow the detailed upgrade instructions.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.7 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.22 | 1.22 | Go plugins must be built using Go 1.22 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.7
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Fixed
-
Resolved gateway panic on reconnecting to MDCB control plane or Tyk Cloud
In version 5.3.6, Tyk Gateway could encounter a panic when attempting to reconnect to the control plane after it was restarted. This patch version has resolved this issue, ensuring stable connectivity between the gateway and control plane following reconnections and reducing the need for manual intervention.
5.3.6 Release Notes
Release Date 04 October 2024
Important Update
Date: 12 October 2024
Topic: Gateway panic when
reconnecting to MDCB control plane or Tyk Cloud
Workaround: Restart Gateway
Affected Product: Tyk
Gateway as an Edge Gateway
Affected versions: v5.6.0, v5.3.6, and v5.0.14
Issue Description:
We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above mentioned Gateway versions a panic may occur when gateway reconnect to the control plane after the control plane is restarted.
Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.
Recommendations:
- For users on versions 5.5.0, 5.3.5, and 5.0.13
We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available. - For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:
Restarting the gateway process will restore it to a healthy state. If you are operating in a *Kubernetes* environment, Tyk Gateway instance should automatically restart, which ultimately resolves the issue.
We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.
Release Highlights
This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
Docker images are now based on distroless. No shell is shipped in the image.
If moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.6 please follow the detailed upgrade instructions.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.6 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.22 | 1.22 | Go plugins must be built using Go 1.22 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.6
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Changed
-
Upgrade to Go 1.22 for Tyk Gateway
The Tyk Gateway has been upgraded from Golang 1.21 to Golang 1.22, bringing enhanced performance, strengthened security, and access to the latest features available in the new Golang release.
-
Introducing Distroless Containers for Tyk Gateway (2024 LTS)
In this release, we’ve enhanced the security of the Tyk Gateway image by changing the build process to support distroless containers. This significant update addresses critical CVEs associated with Debian, ensuring a more secure and minimal runtime environment. Distroless containers reduce the attack surface by eliminating unnecessary packages, which bolsters the security of your deployments.
Fixed
-
Custom Response Plugins not working for Tyk OAS APIs
We have resolved an issue where custom response plugins were not being triggered for Tyk OAS APIs. This fix ensures that all supported custom plugins are invoked as expected when using Tyk OAS APIs.
-
Data plane gateways sometimes didn't synchronise policies and APIs on start-up
We have enhanced the initial synchronization of Data Plane gateways with the Control Plane to ensure more reliable loading of policies and APIs on start-up. A synchronous initialization process has been implemented to avoid sync failures and reduce the risk of service disruptions caused by failed loads. This update ensures smoother and more consistent syncing of policies and APIs in distributed deployments.
-
Quota wasn't respected under extreme load
We have fixed an issue where the quota limit was not being consistently respected during request spikes, especially in deployments with multiple gateways. The problem occurred when multiple gateways cached the current and remaining quota counters at the end of quota periods. To address this, a distributed lock mechanism has been implemented, ensuring coordinated quota resets and preventing discrepancies across gateways.
-
Restored Key Creation Speed in Gateway 4.0.13 and Later
We have addressed a performance regression identified in Tyk Gateway versions 4.0.13 and later, where key creation for policies with a large number of APIs (100+) became significantly slower. The operation, which previously took around 1.5 seconds in versions 4.0.0 to 4.0.12, was taking over 20 seconds in versions 4.0.13 and beyond. This issue has been resolved by optimizing Redis operations during key creation, restoring the process to its expected speed of approximately 1.5 seconds, even with a large number of APIs in the policy.
Security Fixes
-
High priority CVEs fixed
Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security vulnerabilities:
5.3.5 Release Notes
Release Date 26 September 2024
Release Highlights
This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway configuration options to control path matching strictness. For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.5 please follow the detailed upgrade instructions.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.5 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.5
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Added
-
Implemented Gateway configuration options to set URL path matching strictness
We have introduced two new options in the
http_server_options
Gateway configuration that will enforce prefix and/or suffix matching when Tyk performs checks on whether middleware or other logic should be applied to a request:enable_path_prefix_matching
ensures that the start of the request path must match the path defined in the API definitionenable_path_suffix_matching
ensures that the end of the request path must match the path defined in the API definition- combining
enable_path_prefix_matching
andenable_path_suffix_matching
will ensure an exact (explicit) match is performed
These configuration options provide control to avoid unintended matching of paths from Tyk’s default wildcard match. Use of regex special characters when declaring the endpoint path in the API definition will automatically override these settings for that endpoint. Tyk recommends that exact matching is employed, but both options default to
false
to avoid introducing a breaking change for existing users.The example Gateway configuration file
tyk.conf.example
has been updated to set the recommended exact matching with:http_server_options.enable_path_prefix_matching = true
http_server_options.enable_path_suffix_matching = true
http_server_options.enable_strict_routes = true
Fixed
-
Incorrectly configured regex in policy affected Path-Based Permissions authorization
Fixed an issue when using granular Path-Based Permissions in access policies and keys that led to authorization incorrectly being granted to endpoints if an invalid regular expression was configured in the key/policy. Also fixed an issue where path-based parameters were not correctly handled by Path-Based Permissions. Now Tyk’s authorization check correctly handles both of these scenarios granting access only to the expected resources.
-
Missing path parameter could direct to the wrong endpoint
Fixed an issue where a parameterized endpoint URL (e.g.
/user/{id}
) would be invoked if a request is made that omits the parameter. For example, a request to/user/
will now be interpreted as a request to/user
and not to/user/{id}
.
5.3.4 Release Notes
Release Date August 26th 2024
Release Highlights
Gateway 5.3.4 was version bumped only, to align with Dashboard 5.3.4. Subsequently, no changes were encountered in release 5.3.4. For further information please see the release notes for Dashboard v5.3.4
Breaking Changes
Attention: Please read this section carefully.
There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.4 please follow the detailed upgrade instructions.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.4 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.4
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Since this release was version bumped only to align with Dashboard v5.3.4, no changes were encountered in this release.
5.3.3 Release Notes
Release Date August 2nd 2024
Breaking Changes
Attention: Please read this section carefully.
There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.3 please follow the detailed upgrade instructions.
Release Highlights
Bug Fixes
This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
FIPS Compliance
Tyk Gateway now offers FIPS 140-2 compliance. For further details please consult Tyk API Management FIPS support.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.3 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.3
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Added
-
Added FIPS compliance
Added FIPS compliance for Tyk Gateway.
-
Corrected ordering of Tyk OAS API paths to prevent middleware misapplication
Fixed an issue where nested API endpoints, such as ‘/test’ and ‘/test/abc’, might incorrectly apply middleware from the parent path to the nested path. The fix ensures that API endpoint definitions are correctly ordered, preventing this middleware misapplication and ensuring both the HTTP method and URL match accurately.
Fixed
-
Optimised key creation to reduce redundant Redis commands
Addressed an issue where creating or resetting a key caused an exponential number of Redis DeleteRawKey commands. Previously, the key creation sequence repeated for every API in the access list, leading to excessive deletion events, especially problematic for access lists with over 100 entries. Now, the key creation sequence executes only once, and redundant deletion of non-existent keys in Redis has been eliminated, significantly improving performance and stability for larger access lists.
-
Resolved SSE streaming issue
Fixed a bug that caused Server Side Event (SSE) streaming responses to be considered for caching, which required buffering the response and prevented SSE from being correctly proxied.
-
Fixed Analytics Latency Reporting for MDCB Setups
Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for edge gateways in MDCB setups. The fix ensures accurate Host values and Latency measurements are now captured and displayed in analytics data.
5.3.2 Release Notes
Release Date 5th June 2024
Breaking Changes
Attention: Please read this section carefully.
There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.2 please follow the detailed upgrade instructions.
Release Highlights
This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.2 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.2
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Fixed
-
Remove sensitive information leaked from OpenTelemetry traces
In Gateway version 5.2+ and 5.3+, we discovered a bug within the OpenTelemetry tracing feature that inadvertently transmits sensitive information. Specifically,
tyk.api.apikey
andtyk.api.oauthid
attributes were exposing API keys. We have fixed the issue to ensure that only the hashed version of the API key is transmitted in traces. -
APIs with common listen paths but different custom domains
Addressed an issue where an API with a custom domain might not be invoked if another API with the same listen path but no custom domain was also deployed on the Gateway. Now APIs with custom domain names are loaded first, so requests will be checked against these first before falling back to APIs without custom domains.
-
Gateway service discovery issue with consul
Addressed an issue in service discovery where an IP:port returned by Consul wasn’t parsed correctly on the Gateway side, leading to errors when proxying requests to the service. The issue primarily occurred with IP:port responses, while valid domain names were unaffected.
-
Resolved Universal Data Graph Nested Field Mapping Issue
Fixed an issue with nested field mapping in UDG when used with GraphQL (GQL) operations for a field’s data source. Previously, querying only the mentioned field resulted in an error, but querying alongside another ’normal’ field from the same level worked without issue.
-
Added control over access to context variables from middleware when using Tyk OAS APIs
Addressed a potential issue when working with Tyk OAS APIs where request context variables are automatically made available to relevant Tyk and custom middleware. We have introduced a control in the Tyk OAS API definition to disable this access if required.
5.3.1 Release Notes
Release Date 24 April 2024
Breaking Changes
Attention: Please read this section carefully.
There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.
Deprecations
There are no deprecations in this release.
Upgrade Instructions
When upgrading to 5.3.1 please follow the detailed upgrade instructions.
Release Highlights
This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.1 | MDCB v2.5.1 | MDCB v2.5.1 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.3.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.1
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Fixed
-
Improved security: don't load APIs into Gateway if custom plugin bundle fails to load
Issues were addressed where Tyk failed to properly reject custom plugin bundles with signature verification failures, allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be logged in the Gateway.
-
Stability: fixed a Gateway panic that could occur when using custom JavaScript plugins with the Ignore Authentication middleware
Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata (
require_session:true
) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn’t guarantee its presence, only that it’s passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it. -
Stability: Gateway could crash when custom Python plugins attempted to access storage
Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python API methods
store_data
andget_data
could fail due to connection issues with the Redis. With this fix, the Redis connection will be created if required, avoiding the crash. -
Stability: Gateway panics when arguments are missing in persist GraphQL endpoints
In some instances users were noticing gateway panics when using the Persist GQL middleware without arguments defined. This issue has been fixed and the gateway will not throw panics in these cases anymore.
-
Missing GraphQL OTel attributes in spans when requests fail validation
In cases where
detailed_tracing
was set tofalse
and the client was sending a malformed request to a GraphQL API, the traces were missing GraphQL attributes (operation name, type and document). This has been corrected and debugging GraphQL with OTel will be easier for users. -
Incorrect naming for semantic conventions attributes in GQL spans
GQL Open Telemetry semantic conventions attribute names were missing
graphql
prefix and therefore were not in line with the community standard. This has been fixed and all attributes have the correct prefix. -
URL Rewrite middleware did not always correctly observe quotas for requests using keys created from policies
Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself (e.g. to
tyk://self
). Quota limits were not observed and the quota related response headers always contained0
. -
Tyk Dashboard License Statistics page could display incorrect number of data plane gateways
Resolved an issue in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when a Gateway was stopped and restarted.
-
Unable to clear the API cache in distributed data plane Gateways from the control plane Dashboard
Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane gateways. This fix requires MDCB 2.5.1.
-
Unable to load custom Go plugins compiled in RHEL 8
Fixed a bug where custom Go plugins compiled in RHEL8 environments were unable to load into Tyk Gateway due to a discrepancy in base images between the Gateway and Plugin Compiler environments. This fix aligns the plugin compiler base image with the gateway build environment, enabling seamless plugin functionality on RHEL8 environments.
-
Removed unused packages from plugin compiler image
Removed several unused packages from the plugin compiler image. The packages include: docker, buildkit, ruc, sqlite, curl, wget, and other build tooling. The removal was done in order to address invalid CVE reporting, none of the removed dependencies are used to provide plugin compiler functionality.
5.3.0 Release Notes
Release Date 5 April 2024
Breaking Changes
Attention: Please read this section carefully
Tyk OAS APIs Compatibility Caveats - Tyk OSS
This upgrade transitions Tyk OAS APIs out of Early Access.
For licensed deployments (Tyk Cloud, Self Managed including MDCB), please refer to the release notes of Tyk Dashboard 5.3.0.
- Out of Early Access
- This means that from now on, all Tyk OAS APIs will be backwards compatible and in case of a downgrade from v5.3.X to v5.3.0, the Tyk OAS API definitions will always work.
- Not Backwards Compatible
- Tyk OAS APIs in Tyk Gateway v5.3.0 are not backwards compatible. This means that the new Tyk OAS API format created by Tyk Gateway v5.3.X does not work with older versions of Tyk Gateway, i.e. you cannot export these API definitions from a v5.3.X Tyk Gateway and import them to an earlier version.
- The upgrade is not reversible, i.e. you cannot use version 5.3.X Tyk OAS API definitions with an older version of Tyk Dashboard.
- This means that if you wish to downgrade or revert to your previous version of Tyk, you will need to restore these API definitions from a backup. Please go to the backup section for detailed instructions on backup before upgrading to v5.3.0.
- If you are not using Tyk OAS APIs, Tyk will maintain backward compatibility standards.
- Not Forward Compatible
- Tyk OAS API Definitions prior to v5.3.0 are not forward compatible with Tyk Gateway v5.3.X.
- This means that any Tyk OAS APIs created in any previous release (4.1.0-5.2.x) cannot work with the new Tyk Gateway v5.3.X without being migrated to its latest format.
- After upgrade (the good news)
- Tyk OAS API definitions that are part of the file system are not automatically converted to the new format. Subsequently, users will have to manually update their OAS API Definitions to the new format.
- If users upgrade to 5.3.0, create new Tyk OAS APIs and then decide to rollback then the upgrade is non-reversible. Reverting to your previous version requires restoring from a backup.
Important: Please go to the backup section for detailed instructions on backup before upgrading to v5.3.0
Python plugin support
Starting from Tyk Gateway version v5.3.0, Python is no longer bundled with the official Tyk Gateway Docker image to reduce exposure to security vulnerabilities in the Python libraries.
Whilst the Gateway still supports Python plugins, you must extend the image to add the language support.
Dependencies
Compatibility Matrix For Tyk Components
Gateway Version | Recommended Releases | Backwards Compatibility |
---|---|---|
5.3.0 | MDCB v2.5 | MDCB v2.4.2 |
Operator v0.17 | Operator v0.16 | |
Sync v1.4.3 | Sync v1.4.3 | |
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.3.0 | Helm all versions | |
EDP v1.8.3 | EDP all versions | |
Pump v1.9.0 | Pump all versions | |
TIB (if using standalone) v1.5.1 | TIB all versions |
3rd Party Dependencies & Tools
Third Party Dependency | Tested Versions | Compatible Versions | Comments |
---|---|---|---|
Go | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | Go plugins must be built using Go 1.21 |
Redis | 6.2.x, 7.x | 6.2.x, 7.x | Used by Tyk Gateway |
OpenAPI Specification | v3.0.x | v3.0.x | Supported by Tyk OAS |
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
Deprecations
In 5.3.0, we have simplified the configuration of response transform middleware. We encourage users to embrace the
global_headers
mechanism as the response_processors.header_injector
is now an optional setting and will be removed
in a future release.
Upgrade instructions
If you are upgrading to 5.3.0, please follow the detailed upgrade instructions.
The following steps are essential to follow before upgrading Tyk Cloud (including Hybrid Gateways) and Self Managed users - Please refer to the release notes of Tyk Dashboard 5.3.0.
For OSS deployments -
- Backup Your environment using the usual guidance documented with every release (this includes backup config file and database).
- Backup all your API definitions (Tyk OAS API and Classic Definitions) by saving your API and policy files or by
exporting them using the
GET /tyk/apis
andGet /tyk/policies
- Performing the upgrade - follow the instructions in the upgrade guide when upgrading Tyk.
Release Highlights
We’re thrilled to announce the release of 5.3.0, an update packed with exciting features and significant fixes to elevate your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the detailed changelog below.
Tyk OAS Feature Maturity
Tyk OAS is now out of Early Access as we have reached feature maturity. You are now able to make use of the majority of Tyk Gateway’s features from your Tyk OAS APIs, so they are a credible alternative to the legacy Tyk Classic APIs.
From Tyk 5.3.0 we support the following features when using Tyk OAS APIs with Tyk Gateway:
-
Security
- All Tyk-supported client-gateway authentication methods including custom auth plugins
- Automatic configuration of authentication from the OpenAPI description
- Gateway-upstream mTLS
- CORS
-
API-level (global) middleware including:
- Response caching
- Custom plugins for PreAuth, Auth, PostAuth, Post and Response hooks
- API-level rate limits
- Request transformation - headers
- Response transformation - headers
- Service discovery
- Internal API
-
Endpoint-level (per-path) middleware including:
- Request validation - headers and body (automatically configurable from the OpenAPI description)
- Request transformation - method, headers and body
- Response transformation - headers and body
- URL rewrite and internal endpoints
- Mock responses (automatically configurable from the OpenAPI description)
- Response caching
- Custom Go Post-Plugin
- Request size limit
- Virtual endpoint
- Allow and block listing
- Do-not-track
- Circuit breakers
- Enforced timeouts
- Ignore authentication
-
Observability
- Open Telemetry tracing
- Detailed log recording (include payload in the logs)
- Do-not-track endpoint
-
Governance
- API Versioning
Enhanced KV storage of API Definition Fields
Tyk is able to store configuration data from the API definition in KV systems, such as Vault and Consul, and then
reference these values during configuration of the Tyk Gateway or APIs deployed on the Gateway. Previously this was
limited to the Target URL and Listen Path but from 5.3.0 you are able to store any string
type field from your API
definition, unlocking the ability to store sensitive information in a centralised location. For full details check out
the documentation of this powerful feature.
Redis v7.x Compatibility
We have upgraded Redis driver go-redis to v9. Subsequently, Tyk 5.3 is compatible with Redis v7.x.
Gateway and Component Upgrades
We’ve raised the bar with significant upgrades to our Gateway and components. Leveraging the power and security of Go 1.21, upgrading Sarama to version 1.41.0 and enhancing the GQL engine with Go version 1.19, we ensure improved functionality and performance to support your evolving needs seamlessly.
Downloads
- Docker image to pull
-
docker pull tykio/tyk-gateway:v5.3.0
-
- Helm charts
- Source code tarball for OSS projects
Changelog
Added
-
Additional features now supported when working with Tyk OAS APIs
The following features have been added in 5.3.0 to bring Tyk OAS to feature maturity:
- Detailed log recording (include payload in the logs)
- Enable Open Telemetry tracing
- Context variables available to middleware chain
- API-level header transforms (request and response)
- Endpoint-level cache
- Circuit breakers
- Track endpoint logs for inclusion in Dashboard aggregated data
- Do-not-track endpoint
- Enforced upstream timeouts
- Configure endpoint as Internal, not available externally
- URL rewrite
- Per-endpoint request size limit
- Request transformation - method, header
- Response transformation - header
- Custom domain certificates
-
Enhanced KV storage for API Definition fields
We have implemented support for all
string
type fields in the Tyk OAS and Tyk Classic API Definitions to be stored in separate KV storage, including Hashicorp Consul and Vault. -
Support for Redis v7.0.x
Tyk 5.3 refactors Redis connection logic by using storage v1.2.2, which integrates with go-redis v9. Subsequently, Tyk 5.3 supports Redis v7.0.x.
-
Clearer error messages from GQL engine for invalid variables (JSON Schema)
Some of the error messages generated by the GQL engine were unclear for users, especially relating to variable validation. The errors have been changed and are now much more clearer and helpful in cases where engine processing fails.
-
Upgraded GQL Engine's Go version to 1.19
Upgraded Go version for GraphQL engine to 1.19.
-
Enhanced semantic conventions for GraphQL spans in Gateway
We’ve added OpenTelemetry semantic conventions for GraphQL spans. Spans will now incorporate
<operation.type>
,<operation.name>
and<document>
tags. -
Added support for detailed_tracing to be configured via GQL API definitions
GraphQL APIs can now use the
detailed_tracing
setting in an API definition. With that property set totrue
any call to a GraphQL API will create a span for each middleware involved in request processing. While it is set tofalse
, only two spans encapsulating the entire request lifecycle will be generated. This setting helps to reduce the size of traces, which can get large for GraphQL APIs. Furthermore, this gives users an option to customize the level of tracing detail to suit their monitoring needs. -
Enhanced OpenTelemetry trace generation for UDG with mixed data sources
This release introduces an enhanced trace generation system for Universal Data Graph (UDG). It consolidates all spans from both Tyk-managed and external data source executions into a single trace when used together. Furthermore, when UDG solely utilizes Tyk-managed data sources, trace management is simplified and operational visibility is improved.
-
Disabled normalize and validate in GraphQL Engine
For GraphQL requests normalization and validation has been disabled in the GraphQL engine. Both of those actions were performed in the Tyk Gateway and were unnecessary to be done again in the engine. This enhances performance slightly and makes detailed OTel traces concise and easier to read.
-
Enhanced OAS-to-UDG converter handling of arrays of objects in OpenAPI Documents
The Tyk Dashboard API endpoint /api/data-graphs/data-sources/import now handles OpenAPI schemas with arrays of objects. This addition means users can now import more complex OpenAPI documents and transform them into UDG configurations.
-
OAS-to-UDG converter support for allOf/anyOf/oneOf keywords
The OAS-to-UDG converter now seamlessly handles OpenAPI descriptions that utilize the allOf, anyOf and oneOf keywords, ensuring accurate and comprehensive conversion to a Tyk API definition. The feature expands the scope of OpenAPI documents that the converter can handle and allows our users to import REST API data sources defined in OAS in more complex cases.
-
Improved UDG's handling of unnamed object definitions in OpenAPI descriptions
The OAS-to-UDG converter can now create GraphQL types even if an object’s definition doesn’t have an explicit name.
-
Refined handling of arrays of objects in endpoint responses by OAS-to-UDG Converter
The OAS-to-UDG converter was unable to handle a document properly if an object within the OpenAPI description had no properties defined. This limitation resulted in unexpected behavior and errors during the conversion process. The tool will now handle such cases seamlessly, ensuring a smoother and more predictable conversion process.
-
OAS-to-UDG converter support for enumerated types in OpenAPI descriptions
Previously OAS-to-UDG converter had limitations in handling enums from OpenAPI descriptions, leading to discrepancies and incomplete conversions. With the inclusion of enum support, the OAS converter now seamlessly processes enums defined in your OpenAPI descriptions, ensuring accurate and complete conversion to GraphQL schemas.
-
Expanded handling of HTTP Status Code ranges by OAS-to-GQL converter
OAS-to-UDG converter can now handle HTTP status code ranges that are defined by the OpenAPI Specification. This means that code ranges defined as 1XX, 2XX, etc will be correctly converted by the tool.
-
Added support for custom rate limit keys
We have added the capability for users to define a custom rate limit key within session metadata. This increases flexibility with rate limiting, as the rate limit can be assigned to different entities identifiable from the session metadata (such as a client app or organization) and is particularly useful for users of Tyk’s Enterprise Developer Portal.
Changed
-
Prefetch session expiry information from MDCB to reduce API call duration in case Gateway is temporarily disconnected from MDCB
Previously, when operating in a worker configuration (in the data plane), the Tyk Gateway fetched session expiry information from the control plane the first time an API was accessed for a given organization. This approach led to a significant issue: if the MDCB connection was lost, the next attempt to consume the API would incur a long response time. This delay, typically around 30 seconds, was caused by the Gateway waiting for the session-fetching operation to time out, as it tried to communicate with the now-inaccessible control plane.
Now, the worker gateway fetches the session expiry information up front, while there is an active connection to MDCB. This ensures that this data is already available locally in the event of an MDCB disconnection.
This change significantly improves the API response time under MDCB disconnection scenarios by removing the need for the Gateway to wait for a timeout when attempting to fetch session information from the control plane, avoiding the previous 30-second delay. This optimization enhances the resilience and efficiency of Tyk Gateway in distributed environments. -
Changes to the Tyk OAS API Definition
We have made some changes to the Tyk OAS API Definition to provide a stable contract that will now be under breaking-change control for future patches and releases as Tyk OAS moves out of Early Access. Changes include the removal of the unnecessary
slug
field and simplification of the custom plugin contract. -
Optimized Gateway memory usage and reduced network request payload with Redis Rate Limiter
We have optimized the allocation behavior of our sliding window log rate limiter implementation (Redis Rate Limiter). Previously the complete request log would be retrieved from Redis. With this enhancement only the count of the requests in the window is retrieved, optimizing the interaction with Redis and decreasing the Gateway memory usage.
Fixed
-
Improved OAuth token management in Redis
In this release, we fixed automated token trimming in Redis, ensuring efficient management of OAuth tokens by implementing a new hourly job within the Gateway and providing a manual trigger endpoint.
-
Tyk Gateway now validates RFC3339 Date-Time Formats
We fixed a bug in the Tyk OAS Validate Request middleware where we were not correctly validating date-time format schema, which could lead to invalid date-time values reaching the upstream services.
-
Inaccurate Distributed Rate Limiting (DRL) behavior on Gateway startup
Fixed an issue when using the Distributed Rate Limiter (DRL) where the Gateway did not apply any rate limit until a DRL notification was received. Now the rate of requests will be limited at 100% of the configured rate limit until the DRL notification is received, after which the limit will be reduced to an even share of the total (i.e. 100% divided by the number of Gateways) per the rate limit algorithm design.
-
Duplicate fields added by OAS-to-UDG converter
Fixed an issue where the OAS-to-UDG converter was sometimes adding the same field to an object type many times. This caused issues with the resulting GQL schema and made it non-compliant with GQL specification.
-
Gateway issue processing queries with GQL Engine
Fixed an issue where the Gateway attempted to execute a query with GQL engine version 1 (which lacks OTel support), while simultaneously trying to validate the same query with the OpenTelemetry (OTel) supported engine. It caused the API to fail with an error message “Error socket hang up”. Right now with OTel enabled, the gateway will enforce GQL engine to default to version 2, so that this problem doesn’t occur anymore.
-
Handling arrays of objects in endpoint responses by OAS-to-UDG converter
The OAS-to-UDG converter now effectively handles array of objects within POST paths. Previously, there were instances where the converter failed to accurately interpret and represent these structures in the generated UDG configuration.
-
GQL Playground issues related to encoding of request response
An issue was identified where the encoding from the GQL upstream cache was causing readability problems in the response body. Specifically, the upstream GQL cache was utilizing brotli compression and not respecting the Accept-Encoding header. Consequently, larger response bodies became increasingly unreadable for the GQL engine due to compression, leading to usability issues for users accessing affected content. The issue has now been fixed by adding the brotli encoder to the GQL engine.
-
OAS-to-UDG converter issue with "JSON" return type
OAS-to-UDG converter was unable to correctly process Tyk OAS API definitions where “JSON” was used as one of enum values. This issue is now fixed and whenever “JSON” is used as one of enums in the OpenAPI description, it will get correctly transformed into a custom scalar in GQL schema.
-
Gateway Panic during API Edit with Virtual Endpoint
Fixed an issue where the Gateway could panic while updating a Tyk OAS API with the Virtual Endpoint middleware configured.
-
Gateway panics during API Reload with JavaScript middleware bundle
Fixed an issue where reloading a bundle containing JS plugins could cause the Gateway to panic.
-
GraphQL introspection issue when Allow/Block List enabled
Fixed an issue where the Disable introspection setting was not working correctly in cases where field-based permissions were set (allow or block list). It was not possible to introspect the GQL schema while introspection was technically allowed but field-based permissions were enabled. Currently, Allow/Block list settings are ignored only for introspection queries and introspection is only controlled by the Disable introspection setting.
-
Handling of objects without properties in OAS-to-UDG converter
The OAS-to-UDG converter was unable to handle a document properly if an object within the OpenAPI description had no properties defined. This limitation resulted in unexpected behavior and errors during the conversion process. The tool will now handle such cases seamlessly, ensuring a smoother and more predictable conversion process
-
Fixed memory leak issue in Tyk Gateway v5.2.4
Addressed a memory leak issue in Tyk Gateway linked to a logger mutex change introduced in v5.2.4. Reverting these changes has improved connection management and enhanced system performance.
Security Fixes
-
High priority CVEs fixed
Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security vulnerabilities:
Further Information
Upgrading Tyk
Please refer to the upgrading Tyk page for further guidance on the upgrade strategy.
API Documentation
FAQ
Please visit our Developer Support page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.