2025.20 Infrastructure Changes
New Models:
| deployment_name | Reference in code | sku_type | Location | Applications |
|---|---|---|---|---|
| | | | Switzerland only (replacing the swedencentral version) | node-chat |
| | | | Global (East US 2) | node-chat |
| | | | Global (East US 2) | node-chat |
Changes on Application environment
| Change | Name | Default | Example | Required | Applications | Short Description |
|---|---|---|---|---|---|---|
| Added | | unset | | No | node-ingestion-worker | Filters documents whose metadata contains the defined keys and values (see example for foo and bar, and/or baz and qux). Can be used to filter documents by Microsoft Sensitivity Labels. |
| Added | | false | | No | node-ingestion-worker | Set this to apply AND logic to the metadata filter instead of the default OR logic. |
| Added | | unset | | One of both. Refer to Cluster-internal token validation below. | node-scope-management | Replaces the variable marked for deprecation in the next row (see Removal of ZITADEL_INTERNAL_HOST below). |
| Marked for deprecation | | unset | | | | Allows consistent settings for Cluster-internal token validation. |
| Added | | false | | No | node-chat, node-ingestion | Replaces PUA (Unicode Private Use Area) characters in the body of the request sent to the LLMs with a blank space. |
| Removed | | | | | | This was used to encode the body of the request sent to the LLMs as UTF-8. |
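As an added example (not code from the release notes or from the node-ingestion-worker / node-chat services), the following Python shows what two of the new switches in the table do: the metadata filter with its default OR logic and the optional AND logic, and the replacement of Private Use Area characters with a space before a request body reaches an LLM. The filter format (a mapping of key to accepted values), the boolean AND switch, the sample documents, the metadata key used for the sensitivity label and the exact PUA ranges are assumptions, not taken from the page.

```python
"""Added example, not code from the release notes or the Unique services:
the two new ingestion-side switches, modelled as plain functions.

Assumptions (not taken from the page): the metadata filter is a mapping
{key: [accepted values]}, the AND/OR switch is a bool, and PUA scrubbing
covers U+E000-U+F8FF plus the two supplementary Private Use planes.
"""
import re
from typing import Iterable, Mapping, Sequence

# Unicode Private Use Areas: the BMP block and planes 15 and 16.
_PUA_RE = re.compile(r"[\uE000-\uF8FF\U000F0000-\U000FFFFD\U00100000-\U0010FFFD]")


def matches_metadata(metadata: Mapping[str, str],
                     wanted: Mapping[str, Sequence[str]],
                     require_all: bool = False) -> bool:
    """True if the document passes the metadata filter.

    OR (default): at least one wanted key carries one of its accepted values.
    AND (require_all=True): every wanted key does.
    An empty/unset filter lets every document through.
    """
    if not wanted:
        return True
    hits = [metadata.get(key) in values for key, values in wanted.items()]
    return all(hits) if require_all else any(hits)


def filter_documents(docs: Iterable[dict], wanted: Mapping[str, Sequence[str]],
                     require_all: bool = False) -> list[dict]:
    """Keep only the documents that match; these are the ones the worker ingests."""
    return [d for d in docs if matches_metadata(d["metadata"], wanted, require_all)]


def replace_pua(text: str) -> str:
    """Replace every Private Use Area code point with a single space before the
    text goes into the request body sent to the LLM."""
    return _PUA_RE.sub(" ", text)


# Constructed sample data: metadata as a connector might deliver it, including a
# Microsoft Sensitivity Label under the (assumed) key "sensitivity".
SAMPLE_DOCS = [
    {"id": 1, "metadata": {"sensitivity": "General", "dept": "eng"}},
    {"id": 2, "metadata": {"sensitivity": "Confidential", "dept": "eng"}},
    {"id": 3, "metadata": {"sensitivity": "Confidential", "dept": "legal"}},
    {"id": 4, "metadata": {"dept": "hr"}},  # no label at all
]
SAMPLE_FILTER = {"sensitivity": ["General", "Confidential"], "dept": ["eng"]}


def ingested_ids(require_all: bool = False) -> list[int]:
    """IDs that survive the sample filter under OR or AND logic."""
    return [d["id"] for d in filter_documents(SAMPLE_DOCS, SAMPLE_FILTER, require_all)]


if __name__ == "__main__":
    print("OR :", ingested_ids())                   # [1, 2, 3]
    print("AND:", ingested_ids(require_all=True))   # [1, 2]
    print(repr(replace_pua("Hello\ue000world\U000F0000!")))  # 'Hello world !'
```

Note the difference the AND switch makes for document 3: under OR it is ingested because its label is in the accepted list, under AND it is dropped because its department is not. A document without any label (document 4) is dropped either way, which is the behaviour you want when the filter is used as a sensitivity-label allow list.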
Cluster-internal token validation
Up until 2025.20, the default and suggested configuration had both the scope-management service and the JWT middleware of the API Gateway (Kong) reach Zitadel through a hairpin loop over the ingress that exposes it.
Since 2025.20, both the scope-management work items and the JWT validation can be done cluster-internally.
This change is voluntary and the product stays unaffected if it is not performed (see Removal of ZITADEL_INTERNAL_HOST).
Preparation
Only change this setup if you have an active requirement or case for it.
If you have neither, stay on the old design; you can still just rename ZITADEL_INTERNAL_HOST to ZITADEL_GRPC_HOST at any time.
Note down the external domain of the JWT issuer (namely Zitadel) carefully.
Ensure all use cases of the system still work after the migration.
Test the switch by activating network rules or policies that deny access to the external Zitadel domain (e.g. by removing a firewall rule that was added to allow this specific case).
Migration steps
Changes to the Kong Plugin
Upgrade the kong-plugins chart to version > 1.2.0 (changelog: https://artifacthub.io/packages/helm/unique/kong-plugins?modal=changelog&version=1.2.0).
Follow https://artifacthub.io/packages/helm/unique/kong-plugins#cluster-internal-jwt-validation
Changes to node-scope-management
Adapt the deployment:

```yaml
ZITADEL_GRPC_DEFAULT_AUTHORITY: <external domain of issuer without protocol>
ZITADEL_GRPC_HOST: <previous value of ZITADEL_INTERNAL_HOST, cluster-internal URL of Zitadel>
ZITADEL_GRPC_SSL_TARGET_NAME_OVERRIDE: <external domain of issuer without protocol>
ZITADEL_HTTP_EXTRA_HEADERS: '{"x-zitadel-instance-host": "<external domain of issuer without protocol>"}'
ZITADEL_HOST: <previous value of ZITADEL_INTERNAL_HOST>
# Remove the deprecated argument ZITADEL_INTERNAL_HOST: delete this key-value pair
```

Learn more about these parameters in the gRPC documentation (`default_authority` and `ssl_target_name_override` are gRPC channel arguments). If you do not set the authority or the name override, the protocol-stripped ZITADEL_HOST is used instead. Set the two explicitly for increased control and awareness.
Deploy/reboot scope-management.
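The following Python is an added example, not part of the release notes or of node-scope-management. It derives the settings above from the two inputs the migration asks for (the external issuer URL and the cluster-internal Zitadel URL that was ZITADEL_INTERNAL_HOST), lints a finished environment the way you would before the deploy/reboot (deprecated key gone, authority and name override present, identical and bare host names, extra header consistent), and checks that a token's `iss` still names the external domain rather than the internal service. It assumes that Zitadel's issuer is `https://<external domain>`, uses a constructed unsigned token, and performs no signature check; that stays with the middleware.

```python
"""Added example, not part of the release notes or of node-scope-management.

Derives the cluster-internal scope-management settings from the two inputs
the migration steps ask for, lints a finished environment, and checks that a
token's issuer still names the external domain.

Assumptions (not taken from the page): Zitadel's issuer is
"https://<external domain>"; the token check reads `iss` only and does NOT
verify the signature (the middleware does that).
"""
import base64
import json
from urllib.parse import urlparse

DEPRECATED = "ZITADEL_INTERNAL_HOST"
AUTHORITY = "ZITADEL_GRPC_DEFAULT_AUTHORITY"
OVERRIDE = "ZITADEL_GRPC_SSL_TARGET_NAME_OVERRIDE"
HEADERS = "ZITADEL_HTTP_EXTRA_HEADERS"


def build_env(issuer_url: str, internal_url: str) -> dict[str, str]:
    """External issuer URL + cluster-internal Zitadel URL (the old
    ZITADEL_INTERNAL_HOST value) -> the 2025.20 settings."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        raise ValueError(f"issuer must be https://<host> with no path: {issuer_url!r}")
    authority = parsed.netloc  # external domain without protocol
    return {
        AUTHORITY: authority,
        "ZITADEL_GRPC_HOST": internal_url,
        OVERRIDE: authority,
        HEADERS: json.dumps({"x-zitadel-instance-host": authority}),
        "ZITADEL_HOST": internal_url,
    }


def check_env(env: dict[str, str]) -> list[str]:
    """Return the problems found; an empty list means ready to deploy."""
    problems = []
    if DEPRECATED in env:
        problems.append(f"{DEPRECATED} is still set; delete it (replaced by ZITADEL_GRPC_HOST)")
    if not env.get("ZITADEL_GRPC_HOST"):
        problems.append("ZITADEL_GRPC_HOST is missing")
    for key in (AUTHORITY, OVERRIDE):
        val = env.get(key, "")
        if not val:
            problems.append(f"{key} not set; the protocol-stripped ZITADEL_HOST would be used")
        elif "://" in val or "/" in val:
            problems.append(f"{key} must be a bare host name, got {val!r}")
    if env.get(AUTHORITY) != env.get(OVERRIDE):
        problems.append("authority and ssl_target_name_override differ")
    try:
        hdrs = json.loads(env.get(HEADERS, "{}"))
        if hdrs.get("x-zitadel-instance-host") != env.get(AUTHORITY):
            problems.append("x-zitadel-instance-host header does not match the authority")
    except json.JSONDecodeError:
        problems.append(f"{HEADERS} is not valid JSON")
    return problems


def jwt_issuer(token: str) -> str:
    """Read `iss` from a JWT payload without verifying the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def issued_by_configured_authority(token: str, env: dict[str, str]) -> bool:
    """Tokens keep the EXTERNAL issuer even though keys are now fetched
    cluster-internally, so `iss` must equal https://<authority>."""
    return jwt_issuer(token) == f"https://{env[AUTHORITY]}"


def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the demo only (alg=none, empty signature)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    env = build_env("https://auth.example.com", "https://zitadel.zitadel.svc.cluster.local:8080")
    for k, v in env.items():
        print(f"{k}: {v}")
    print("problems:", check_env(env))  # []
    tok = fake_jwt({"iss": "https://auth.example.com", "sub": "demo"})
    print("issuer ok:", issued_by_configured_authority(tok, env))  # True
```

The two host names in `build_env` are deliberately kept apart: the connection goes to the internal URL, while TLS name verification, the HTTP/2 `:authority` and the `x-zitadel-instance-host` header all carry the external domain, which is also what the `iss` claim of every issued token contains. A token whose issuer is the internal service name is rejected by `issued_by_configured_authority`, which is the check you want in place before you cut the firewall rule that still allows the hairpin.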
Removal of ZITADEL_INTERNAL_HOST
Until further notice, scope-management supports both keys and no EOL is known for ZITADEL_INTERNAL_HOST. Its removal will be announced separately and marked as a breaking change.
Requirement for Crawl4ai (additional requirement for the WebSearch module for crawling)
Either mount the .crawl4ai volume in Helm like so (.crawl4ai is the default, i.e. the default CRAWL4_AI_BASE_DIRECTORY is [path-to]/.crawl4ai):

```yaml
volumeMounts:
  - mountPath: [path-to]/.crawl4ai
    name: crawl4ai-volume
volumes:
  - name: crawl4ai-volume
    emptyDir:
      sizeLimit: 500Mi
```

Or, if you choose a custom directory such as /tmp (any value you prefer), set the CRAWL4_AI_BASE_DIRECTORY env variable to /tmp and mount a /tmp volume:

```yaml
volumeMounts:
  - mountPath: [path-to]/tmp
    name: tmp-volume
volumes:
  - name: tmp-volume
    emptyDir:
      sizeLimit: 500Mi
```