Skip to main content
  • Get notified about new releases! Click the RSS feed button above.
  • Try out the latest Conduktor version for free.
  • Have questions or feedback? Get in touch .
Console 1.40.0
2025-11-13

Breaking changes - Partner Zone PENDING status

The PENDING status has been replaced with:
  • PENDING_CREATE on initial creation
  • PENDING_UPDATE on subsequent updates
No action is required - existing Partner Zones will be automatically migrated to PENDING_UPDATE.The Partner Zone status appears only in the API responses and will not have impact on usage of the CLI.

Conduktor Scale

SSO login

Console now supports browser-based Single Sign-On (SSO) with external JWT tokens. Once users are authenticated to their organization’s Identity Provider, they are also automatically logged in to Console.This feature supports organizations that require centralized authentication management and provides a seamless single sign-on experience across applications.Find out more about configuring browser-based SSO with external JWT tokens.

Enhanced login and onboarding experience

The login and onboarding experience has been redesigned with a modern, streamlined interface. The updated design improves visual consistency, enhances usability, and provides a more intuitive user experience for both new and returning users.

Topic size information for Confluent Cloud topics

We now support showing Confluent Cloud topic sizes (storage in bytes) throughout the product.To enable visibility of topic storage information for Confluent Cloud clusters, you have to configure the Confluent Cloud provider and add a Confluent Cloud API key with the MetricsViewer role.

Quality of life improvements v1.40.0

  • Improved Insights dashboard user experience with enhanced usability and navigation.
  • CSV export of Insights data now supports zip compression for easier file management.
  • Labels filter dropdown now supports search functionality for easier label selection.
  • Improved navigation in Topic Catalog with clickable links to the application, instance, and owner group.
  • Added database.options and kafka_sql.database.options configuration to pass any valid JDBC or Hikari options, as an alternative to database.url and kafka_sql.database.url, respectively. Find out more about Console database properties.
  • We have added the new metric console_license_remaining_days which can be used to monitor the remaining days on your console license.

Fixes v1.40.0

  • The connector form didn’t update when switching connector type during creation. This has now been resolved.
  • Duplicate operationId values in the OpenAPI specification prevented code generation with openapi-generator-cli. The specification has been corrected.
  • The Group API returned an error when KsqlDB permission was added. This error has been resolved.
  • After upgrading to 1.38, users with permissions on all clusters lost menu visibility of brokers and service accounts entries. This visibility issue has been resolved.
  • Creating topics sometimes showed misleading error messages when redirecting before indexing completed. These messages are now accurate.
  • Metrics didn’t display in large clusters due to timeout errors when fetching topic offsets. This timeout issue has been resolved.
  • Database indexing failed after PostgreSQL restarts. Connection resilience has been improved with the new database.options configuration.
  • Resolved migration issue that could affect customers using more than one subject naming strategy when upgrading from 1.38 to 1.39
Gateway 3.15.0
2025-11-13

Breaking changes v3.15.0

Block admin operation APIs

This release blocks 15 low-level admin operation APIs that should be executed directly on the underlying Kafka cluster rather than through Gateway. These APIs have been reclassified from passthrough-supported to stability-blocked.Why this change? The low-level admin operations do not align with Gateway’s security controls and must be performed through direct cluster access.How to know if you’re impacted:
  • Before upgrading, review your applications and scripts to identify any code using these APIs through Gateway.
  • After upgrading:
    • Monitor your logs for errors related to: ALTER_REPLICA_LOG_DIRS, ELECT_LEADERS, ALTER_PARTITION_REASSIGNMENTS, LIST_PARTITION_REASSIGNMENTS, ALTER_PARTITION, ALLOCATE_PRODUCER_IDS, CREATE_DELEGATION_TOKEN, RENEW_DELEGATION_TOKEN, EXPIRE_DELEGATION_TOKEN, DESCRIBE_DELEGATION_TOKEN, DESCRIBE_USER_SCRAM_CREDENTIALS, ALTER_USER_SCRAM_CREDENTIALS, DESCRIBE_CLIENT_QUOTAS, ALTER_CLIENT_QUOTAS, UPDATE_FEATURES
    • Check Gateway error responses indicating blocked API calls
What to do if you’re impacted:
  • Update your applications and workflows to perform admin operations with direct cluster access instead of through Gateway
See the full list of blocked APIs and migration guidance.

Deprecating v1 APIs

v1 APIs are now deprecated in favor of the v2 APIs introduced in Gateway 3.3.0 in September 2024.If you’re using the Conduktor CLI to operate Gateway, you are not impacted.Check out the Gateway API reference to see which APIs are affected.The v1 APIs will be fully removed from the Gateway in three months time. After this date, these endpoints will no longer be available..If you’re using the v1 APIs, please migrate to the v2 APIs as soon as possible. Get in touch if you need support with this migration.

The externalStorage option in encryption interceptors is deprecated

The externalStorage configuration parameter in encryption Interceptors (EncryptPlugin, FetchEncryptPlugin, EncryptSchemaBasedPlugin, FetchEncryptSchemaBasedPlugin) is now deprecated and will be removed in Gateway 3.18.0.This parameter controls whether encryption settings are stored in message headers (false, default) or in a separate topic (true).Action required: If you’re currently using externalStorage: true, you should plan to migrate to the default behavior (storing encryption settings in message headers) before upgrading to Gateway 3.18.0. Find out more about encryption configuration.

Fixes v3.15.0

  • Fixed issue where multiple encryption interceptors could not be applied to the same topic, now allowing priority-based selection.
  • Fixed NullPointerException during Gateway startup when interceptor version constraints specify only min or max values.
  • Updated TopicRequiredSchemaIdPolicyPlugin to allow tombstone records (NULL values) in compacted topics, while still requiring schema IDs for non-null records.

Quality of life improvements v3.15.0

  • When ACL is enabled in GATEWAY_MANAGED security mode, authorization failure will contain additional information in the message like these:
Kafka errorExample message
Topic authorization failure"Topic authorization failed (in Gateway) for [Topic: someTopic, Tenant: someTenant, User: someUser, Host: someHost]"
Group authorization failure"Group authorization failed (in Gateway) for [Group: someGroup, Tenant: someTenant, User: someUser, Host: someHost]"
TransactionalId authorization failure"TransactionalId authorization failed (in Gateway) for [TransactionalId: someKey, Tenant: someTenant, User: someUser, Host: someHost]"
Cluster authorization failure"Cluster authorization failed (in Gateway) for [Tenant: someTenant, User: someUser, Host: someHost]"
Console 1.39.0
2025-10-27

Conduktor Scale

Insights

The brand new Insights dashboard in Console provides a comprehensive analysis of your Kafka infrastructure, helping platform teams to:
  • proactively identify configuration issues,
  • optimize storage costs,
  • track governance metrics,
  • monitor business-critical topics and more.
To access the dashboard, click Insights on the left menu. Find out more about what metrics we provide and how to interpret them.

Collection of product metrics

The global property, enable_product_metrics, with the corresponding environment variable CDK_ENABLE_PRODUCT_METRICS has been updated so that it is only configurable with an enterprise license. Without an enterprise license this property will always default to true meaning product metrics will always be collected by Conduktor.

Data quality observability

Data quality observability enables teams to understand data quality patterns across their entire Kafka environment before making decisions.Data quality Policies can now be configured for non-Gateway topics using the observe action to gather metrics on messages that fail data quality Rules.Find out more about data quality observability with Conduktor.

Conduktor Exchange

Partner Zone traffic analytics tab

You can now show traffic analytics for a Partner Zone using the new Traffic tab on the Partner Zone list page. The analytics will only be displayed for Gateway clusters that have the observability Interceptor enabled.The new tab includes a chart and a table for each Partner Zone for data egress, ingress and all traffic with the option to export this data as a CSV file.To enable Partner Zone analytics, existing observability Interceptors with a non-global scope (where the vcluster scope is set to passthrough) will have to be deleted and re-created with a global scope.Find out about how to configure Partner Zone traffic analytics in Console.

Fixes v1.39.0

  • Added support for SSL connections without authentication when configuring Kafka clusters
  • Fixed http 500 error when forcing a consumer group rebalance
  • Fixed an issue where application instance permissions were being created despite API request validation failures
  • Fixed duplicate operation IDs in OpenAPI specification which caused errors when using OpenAPI code generation tooling
  • Fixed error preventing the user from changing schema compatibility or deleting schemas with forward slashes in their names

Known issue v1.39.0

If you’re using more than one subject naming strategy, migrating to v1.39.0 might fail.If you see an error message similar to Migration of schema "cdk_admin" to version "184 - add unique index to topic analytics" failed!, skip this release and upgrade directly to 1.40 or later.
Gateway 3.14.0
2025-10-27

New feature v3.14.0

Added SSL configuration for Vault KMS with support for trust store (TLS) and key store (mTLS). Find out more about Vault KMS.

Fix v3.14.0

Added configuration options for TLS cipher suites and protocols to allow customization of SSL/TLS security settings.
Console 1.38.0
2025-10-01

Conduktor Scale

Application instance access

The new Access tab provides a detailed view of:
  • All topics this application instance has access to, with the ability to remove this access if you are a member of the owner group for the application.
  • All topics this application instance has granted access to, with the ability to revoke this access if you are a member of the owner group for the application.
The GitOps approved icon will not appear for CLI-created application instance permissions in the Outgoing access section.

Topic catalog access

Displays all applications and application instances with access to this topic:
  • You can remove access for your own applications.
  • If you’re a member of the application owner group of this topic, you can revoke access for other applications.

Grant access to a topic

Access to a topic can now be granted from the topic details page.

Remove or revoke access request

The access request modal now supports removing or revoking access for approved requests based on user role:
  • Application owners: can revoke access using Revoke access in the request details drawer
  • Access requesters: can remove their own access with Remove access in the request details drawer

Confluent Cloud role binding support for Self-service

You can now manage service accounts through Confluent Cloud RBAC role-bindings. This provides the added benefit of provisioning permissions for the subject resources via schema registry RBAC role bindings.For example, a topic request that seeks write access to another ApplicationInstance’s topic will result in the associated application instance’s service account receiving a DeveloperWrite and DeveloperRead role binding.Find out how to migrate RBAC role bindings to Confluent Cloud.

Migrate topic policies

Topic policies will be deprecated in an upcoming release. Please use resource policies with a targetKind of Topic instead.You can migrate the existing topic policies using the Console UI. Go to Settings > Policies migration and click Migrate Policies to migrate the topic policies to resource policies.Topic Policies MigrationTopic policies won’t be removed until support for them is fully deprecated.A topic policy can only be migrated once and the following limitations apply:
  • If a topic policy is migrated and the new resource policy is then deleted, the topic policy can’t be migrated a second time.
  • If a topic policy is migrated and then deleted, then a new topic policy is created with same name as the old one, but the ‘new’ policy can’t be migrated.
  • If a topic policy is migrated and then updated, it can’t be migrated again.
  • When you migrate topic policies, all the application instances referring to those policies will have both the newly migrated resource and the old topic policies. The topic policies will be removed automatically when this feature is deprecated in a future release.

Support for external monitoring solutions

Console now supports the configuration of external monitoring solutions, including Cortex, Mimir and Prometheus.These can be used instead of the default conduktor-console-cortex image.Multi-tenancy is also supported.

Conduktor Exchange

Partner Zone enhancements

  • Partner Zones now support specifying a custom Virtual Cluster name with vclusterName when using the API or CLI. This provides better control over naming conventions and simplifies migration from existing Virtual Clusters.
  • You can now download CA certificates associated with a Partner Zone from the Console UI. This makes sharing certificates with your partners much easier. Find out how to download certificates.

Conduktor Trust

Validate your Rule against sample messages

Added the ability to test data quality Rules with sample data before creation. Find out more about testing Rules before creation.

Custom data quality Rule violation messages

You can now define a custom message that replaces the default [RULE_NAME] did not pass when a Rule is violated. Find out how to set the custom message during Rule creation.

Edit attached Rules from the Policy details page

Added the ability to modify which Rules are attached to a Policy directly from the Policy details page. Find out more about editing attached Rules.

Quality of life improvements v1.38.0

We’ve completely redesigned the main cluster selector, introducing a number of usability improvements:
  • Added an option to pin clusters - your frequently used ones can now be pinned to the top of the list
  • Improved keyboard navigation for faster cluster switching and enhanced accessibility
  • For admins, added the ability to easily jump to the configuration page for any cluster
You can now add custom labels to any cluster for better organization and categorization on large cluster environments. Easily filter clusters by labels in both the cluster selector and the cluster settings page.You can now search for an application in the Application filter dropdown on the Topic Catalog page. You can also search for a cluster in the cluster filter dropdown on the Topic Catalog page.

Fixes v1.38.0

  • Fixed an issue where closing the templates drawer in the topic consume view would prevent the user from interacting with the rest of the page.
  • Fixed searching within groups to allow filtering on “contains” instead of “starts with” for improved search experience.
  • Fixed SSO configuration to support configurable email claims for special identity types.
  • Fixed connector creation modal to show validation warnings instead of blocking creation, allowing you to proceed with caution (matching CLI behavior).
  • Fixed access control vulnerabilities preventing low-privileged users from accessing and modifying data masking policies.
  • Fixed ‘Last active’ sorting in group members list to properly handle users who have never been active.
  • Fixed SQL indexed topics page to stay on the correct tab when refreshing instead of redirecting to a different URL.
  • Fixed duplicate topic subscription requests for already approved subscriptions in the Self-service catalog.
  • Fixed record view to show header keys in their original casing instead of uppercase.
  • Fixed topic template duplication functionality that was failing silently.
  • Fixed cluster creation validation to prevent duplicate technical IDs with better user experience.
  • Fixed data policies display layout to properly wrap field badges and prevent overlap.
  • Fixed CEL expression evaluation in resource policies to handle missing spec.configs correctly.
Gateway 3.13.0
2025-10-01

New features v3.13.0

Enhanced audit logging for authorization failures

Block unsupported APIs with Gateway

This release introduces the GATEWAY_FEATURE_FLAGS_BLOCK_UNSUPPORTED_APIS environment variable which gives you control over how Gateway handles Kafka APIs that aren’t explicitly supported.See the full configuration details and usage modes.

New encryption error policy

Added errorPolicy configuration to encryption Interceptors that allows skipping already encrypted messages.The default behavior maintains current functionality (an exception is thrown). To allow skipping, add this new option to your configuration.See configuration details in the Interceptor Reference.

Quality of life improvement v3.13.0

Added blacklist configuration support to the topic policy. Check out more about the CreateTopicPolicyPlugin.

Fixes v3.13.0

  • Fixed the principal resolver failure to resolve the Confluent Cloud service account from an API Key.
  • Added round-robin Gateway endpoint allocation to prevent all traffic from being directed to the same Gateway node. Find out more about Gateway internal load balancing.
  • Improved customer experience for Vault KMS configuration by removing a confusing version field. The encryption Interceptor uses Vault Transit engine which only supports version 1 (hardcoded), but the configuration incorrectly exposed it as configurable. This change removes the misleading field from configuration examples while maintaining backward compatibility.
  • Fixed the error when connecting with super user and Virtual Cluster(s) is mandatory.
  • Fixed Fetch Policy Interceptor isolation level configuration to accept lowercase values, matching Kafka standards.
  • Fixed Confluent Cloud principal resolver to handle API keys for both service accounts and user accounts.
  • Fixed Azure OAuth authentication method priority to respect explicit configuration over environment variables.
  • Relaxed name validation in service-account v2 API to support dots, equals signs, and commas.
Gateway 3.12.1
2025-10-08

New feature

Support restriction of TLS protocols and cipher suites

Introduced optional environment variables to allow for restriction of which TLS protocols and cipher suites the Gateway server offers during the TLS handshake. Find out more.
Console 1.37.1
2025-09-18

Fixes v1.37.1

  • Fixed an issue where resource policies were not applied when editing application groups from the UI.
  • Fixed an issue where members from external groups were not synchronized if an application group without permissions existed.
Console 1.37.0
2025-08-21

Breaking changes v1.37.0

Gateway 3.12 dependency

Starting from Console 1.37, Conduktor Trust Mark action and Conduktor Exchange Partner Zone functionality will require Gateway 3.12 or later.

Email address storage

In this release, we’ve made a change to how we store user email addresses in Console. All emails are now stored in lowercase to ensure consistency and prevent issues with SSO or RBAC.
We strongly recommend that you back up your Console database before upgrading to this version.If two users have the same email address but with different casing, the migration will fail. In this case, we recommend that you resolve the conflict by either deleting one of the users or changing their email address before upgrading.

Prometheus configuration overrides

Before Console v1.37.0, Prometheus configuration was overridden using the replace strategy. Since v1.37.0 it’s changed to the patch (YAML merging) strategy.Prometheus configuration can be patched by mounting a YAML file to path /opt/override-configs/prometheus.yaml. To set an alternative path, use the PROMETHEUS_OVERRIDE_CONFIG_FILE environment variable.

Conduktor Scale

Application groups management

New application group management in Self-service provides full lifecycle management through improved UI workflows.The Members tab offers an enhanced interface for managing group membership, making it easier for teams to control access and visibility. The Resource access tab enables granular control over topic, consumer group, subject, and connector permissions for precise access management. Application groups can also map to external groups like Console user groups for streamlined access management.

Application Instance resources

Application instances now feature comprehensive resource management capabilities. The new Resources tab provides a detailed view of all the resources associated with application instances, giving teams better visibility into their resource usage and dependencies.

Subject strategies support

Support for Confluent subject strategies has been added to the produce page for topics. This enhancement gives users more control over how schemas are referenced when producing messages, providing flexibility in schema organization and naming conventions.

External group management improvements

The External groups UI has been enhanced for mapping external authentication groups, making it easier for administrators to configure and maintain user access patterns.Both the Console user groups and application groups now support external group regex functionality, enabling dynamic group assignment based on external authentication patterns. This allows organizations to automatically map users from identity providers to appropriate application groups, based on configurable regex patterns.

Conduktor Exchange

Partner Zone out of preview

Partner Zones are now generally available and out of preview. This means that all features are fully supported, production-ready, and can be used in production environments.

Partner Zone multi-cluster support

Console now supports creating Partner Zones against a multi-clustered Gateway configuration. This allows for a Partner Zone to be created against any of the configured Kafka clusters behind Gateway (previously, a Gateway was required per Kafka cluster for a Partner Zone).Check out the tutorial on creating Partner Zones with multi-cluster Gateway, as well as the Console resources for Partner Zones.

Partner Zone breaking changes

With the multi-cluster support in Gateway 3.12, all existing Partner Zones created prior to this version of Console are incompatible and cannot be migrated or updated to support the new capability. Hence, existing Partner Zones will stop functioning after the upgrade if not recreated.
Action required:
  • Delete all existing Partner Zones before upgrading
  • Upgrade Console and Gateway to the latest version
  • Recreate all Partner Zones with the same configuration

Conduktor Trust

Regex library

Added an option to Show regex library when creating a new rule in Console. This provides a list of pre-built regex examples that can be used to speed up rule creation.

Mark action

You can now toggle the Mark action on data quality Policies. When enabled, messages that violate the rule(s) are tagged with a special header.Check out the Mark action use case.

JSON schema rule type

You can now create JSON schema rules to validate message structure and content.Check out the JSON schema use case.

Quality of life improvements v1.37.0

You can now fine-tune Cortex and Prometheus retention with the new environment variables. We’ve also updated the default values to reduce disk usage.You can patch (instead of replacing) the YAML configuration. Find out more about overriding the configuration with YAML.The Self-service experience has been improved with updated terminology for managing access requests.Ambiguous and inconsistent references to various terminology such as ‘subscriptions’, ‘subscribing’, ‘access requests’, ‘sharing’, ‘requests’, have been standardized throughout the application, placing emphasis on a single unified concept of access request.You can now view the Resource Policies in the Application details page, and the Consumer Group ownerships in the Application instance details page.The Trust Rules and Policies pages are now hidden for users without Trust in their license.

Fixes v1.37.0

  • Fixed production rate metrics getting stuck at high values when producer rates drop instantly to zero, which was causing artificially inflated metrics in systems with bursty production patterns.
  • Errors preventing users from logging in are now prominently displayed on the login page.
  • To prevent disclosure of password length in configuration forms, password fields are now consistently obfuscated regardless of the length of the actual password.
  • Secrets in AWS Glue and other cluster configuration forms are no longer shown in clear text.
  • Fixed error logs appearing when SQL features are not enabled, reducing unnecessary log noise.
  • Fixed onboarding page checkbox labels not being clickable, improving user experience during account setup.
  • Schema registry naming strategies now include namespace in generated subject names.
  • Fixed issue where topic navigation tab was missing from main menu for certain user roles despite having proper permissions.
  • Self-service configuration now correctly handles multiple Kafka Connect clusters connected to a single application instance.
  • Duplicate users can no longer be created using the same email username but in different casing.
  • In the metadata of the records, the schema names are no longer truncated.
  • Add error messages on Connector failure, helping troubleshooting.
  • Fixed topic policies not being visible in application instances after upgrading from version 1.35 to 1.36.
  • Fixed a ‘404 group does not exist’ error incorrectly showing up when upgrading from version 1.35 to 1.36.
  • Deleting the Kafka Connect cluster now deletes the associated permissions, solving the permission errors on user and group GET operations.
  • Improved groups API performance, preventing timeouts for big organizations with thousands of users and groups.
  • Improved indexer performance, preventing timeouts for big organizations with thousands of consumer groups.
  • JVM metrics renamed in the Console and the Grafana dashboard, based on Prometheus changes.
Gateway 3.12.0
2025-08-21

Breaking changes v3.12.0

New APIs for health and versions

To improve the reliability and monitoring of the Gateway service, we’ve introduced new API endpoints for health checks and version information.These changes align our service with Kubernetes health check standards and will provide a more robust way to monitor Gateway’s status.Find out more from the monitoring reference.
The old /health API is now deprecated but it will continue to function.Please update your configuration to use the new liveness and readiness probe endpoints.

Rename of Virtual Cluster Id

When a Kafka client requests the cluster Id of a Virtual Cluster through Gateway, the returned cluster Id will be different - it will be renamed.Previously, the returned cluster Id was the native Kafka cluster Id of the Virtual Cluster’s physical cluster.The new cluster Id that’s returned will be be in the form of: {virtual-cluster-name}@{physical-cluster-id}.

New features v3.12.0

New environment variable

This release introduces the GATEWAY_AUDIT_LOG_EVENT_TYPES environment variable which controls the types of events recorded in the audit log.It provides flexibility to enable/disable specific event types, such as CONNECTION.See the full list and explanations of the event types.This change is backwards compatible, as the default value is ALL (which means that all event types are logged by default).

Enhanced crypto shredding behavior for decryption

The decryption Interceptor now includes improved error handling behavior specifically for crypto shredding scenarios.A new crypto_shred_safe_fail_fetch error policy has been introduced. It returns encrypted data when decryption fails due to missing encryption keys, but throws exceptions for other types of decryption failures (e.g., authentication errors). This ensures that crypto-shredded data remains protected while still failing fast for other issues that require attention.

Client throttling for encryption and decryption

Gateway now supports client throttling when encryption or decryption operations fail, helping to protect your system from being overwhelmed during error conditions.
  • New throttleTimeMs configuration: Set throttleTimeMs to control how long clients will be throttled when encryption/decryption fails (in milliseconds, default: 0)
  • Automatic system protection: When encryption or decryption fails, Gateway can automatically throttle the problematic client for the specified duration, preventing system overload
  • Configurable behavior: You can enable and adjust throttling based on your system’s needs and error tolerance
Find out more about client throttling.

Fixes v3.12.0

  • KUBERNETES Vault authentication now gets the JWT from the default Vault location (/var/run/secrets/kubernetes.io/serviceaccount/token). You can configure this location using path (VAULT_KUBERNETES_PATH). The jwt configuration key is no longer needed. See Kubernetes authentication under Vault authentication types.
  • Enriched the REST_API audit log events with the request body, which was previously not captured.
  • Resolved GATEWAY_TOPIC_STORE_KCACHE_REPLICATION_FACTOR configuration to properly default to the Kafka cluster’s default replication factor settings.
  • Supported Protobuf schemas for SchemaPayloadValidationPolicyPlugin.
  • Updated the SSL handshake failure logging to include client IP addresses (which were previously missing from error logs), helping you identify applications that are affected by certificate issues.
Console 1.36.2
2025-08-04

Improvements v1.36.2

  • Added support for SMTPS servers in email alerting to allow TLS-enabled SMTP servers, as well as the previously available option for StartTLS.

Fixes v1.36.2

  • Fixed an issue where the Console UI would prevent Debezium connector creation when required metadata was missing, even though the CLI would allow creation successfully.
  • Fixed a permissions bug where users who were members of multiple ApplicationGroups would only inherit permissions from one group instead of receiving the combined permissions from all their groups. This was causing users to have incomplete access rights.
  • Updated the base image to include upstream patches for CVE-2025-30749, CVE-2025-50059, and CVE-2025-50106 affecting Oracle Java SE and GraalVM.
Console 1.36.1
2025-07-21

Fixes v1.36.1

  • Fixed an issue where the default produce header used a problematic naming format (app.name) that could cause compatibility issues with certain connectors
  • Resolved the known issue from 1.36.0 where Self-service resource policies attached to Self-service application instances would display validation errors on the details page in Console
Gateway 3.11.0
2025-07-18
New features

New features v3.11.0

Set Virtual Cluster ACLs directly using REST

Gateway now supports managing the ACLs for Virtual Clusters directly using the REST API. (This is a backwards compatible change.)Previously, the only way to set ACLs on a Virtual Cluster was to:
  1. create a Virtual Cluster with a Kafka super user defined, then
  2. as the Kafka super user, individually create ACLs using the Kafka admin API.
By allowing nearly any Kafka ACL setup to be configured using a single call to the Virtual Cluster REST endpoint (some cluster ACLs are restricted), the overall complexity is greatly simplified for most use cases.We’ll continue to support setting ACLs directly using the Kafka admin API as a super user, since this change won’t be useful in all scenarios and use cases.Find out more about the new ACLs features in the Virtual Cluster resource reference.

Auto-create topics

You can now create topics automatically when producing or consuming through Gateway. To enable/disable this, we’ve added a new GATEWAY_AUTO_CREATE_TOPICS_ENABLED environment variable (default: false).
  • Kafka property integration: leverages the Kafka property auto.create.topics.enable when the feature is enabled.
  • Concentrated topics limitation: when this feature is enabled, topics that would normally be concentrated will be created as physical topics instead.
  • ACL authorization: implements proper access control for auto-create topics:
    • permission requirements: requires CREATE permission on either the topic or the cluster.
    • security: ensures access control while maintaining flexibility for different permission models.
Find out more about configuring Gateway to accept client connections and auto-create topics authorization.
Console 1.36.0
2025-07-18

Conduktor Scale

New alert destination: email

You can now set emails as alert destinations. Set up your SMTP server with TLS encryption and authentication to enable secure email delivery directly to your inbox.Create customized email alerts with custom subjects and body content per alert. Dynamic variables like {{clusterName}} and {{threshold}} can be embedded using handlebars syntax for context-aware notifications that provide meaningful alert details.Find out how to configure email integration.

Configurable Webhook body

Webhook alert destinations now support full payload customization. In addition to existing header customizations, you can now secure your webhooks with basic auth or bearer token authentication and customize the body of the webhook payload to be sent when an alert is triggered.Like email alerts, webhook bodies support dynamic variable insertion using handlebars syntax, allowing you to create context-aware webhook payloads tailored to your specific monitoring needs.

Redesigned Application Catalog and Application details pages in Console

Application details page:
  • displays a list of the application instances with labels and stats.
  • includes an editor for modifying the application description.
  • shows the application groups list with the owner group pinned.
Application instance page:
  • header section displays stats and labels, with the ability to manage labels.
  • contains multiple tabs: Details, External access, Alerts, and API keys.
  • within the Details tab, information is divided into two sections: ownership and resource policies.

Labels for Consumer groups

Labels are now shown across various consumer groups views, along with new filtering capabilities:
  • The consumer groups list now shows labels and allows filtering by them.
  • Topic lists within both the consumer groups and member details pages now support label-based filtering.
  • In the topic details view for consumer groups, labels are visible and can be added, edited, or deleted.

More information on tasks with errors

A connector that’s in the RUNNING state can also return errors that are only visible within the Confluent Cloud UI. When a connector is in this state:
  • a warning icon will be shown next to the item in the list view and
  • an error returned from the Confluent Cloud API will be displayed.

Conduktor Exchange

Breaking changes - Partner Zones support for mTLS

With support for mTLS connections, Partner Zones now have breaking changes: all existing Partner Zones have to be re-created (even if not using mTLS).Partners can now connect their clients to your Partner Zone using mTLS.This is an additional option of MTLS for the spec.authenticationMode.type.Find out more about prerequisites for creating Partner Zones.

Quality of life improvements v1.36.0

  • Users will now be redirected to the page they were on when they logged in again after session expiry.
  • Improved navigation between Partner Zones in the list view when using keyboard.
  • Improved configurability of circuit breaker behavior for indexed tasks. Each indexed task now includes configurable sequentialFailureThreshold and blockingDuration parameters, giving administrators fine-grained control over when indexing operations pause due to failures and how long they remain paused before attempting recovery. This provides predictable recovery behavior and prevents extended indexing outages that previously required Console restarts to resolve. Learn more about circuit breaker configuration.

Fixes v1.36.0

  • Partner Zones are now created instantly, instead of waiting for the next reconciliation loop to pass. Other updates will continue to sync in line with the reconciliation loop.
  • Fixed an error that occurred when no partitions were selected in the topic consume view. You will now see a warning that no messages will be shown, if partitions filter is set to none.
  • The JSON view of a message in a topic now correctly displays negative numbers and numbers in scientific notation.
  • Kafka Connect clusters are no longer visible to users who don’t have the permission on any of their connectors.
  • Error messages are now more informative when attempting to create a service account on a resource for which the caller lacks permission.
  • Resolved a case sensitivity issue with email addresses in the application group payload that caused mismatch in the RBAC configuration.

Known issue v1.36.0

If a Self-service resource policy is attached to a Self-service application instance, the details page for it may display a validation error in Console.
Console 1.35.2
2025-07-03

Fixes v1.35.2

  • Improved performance of a database migration to ensure completion within the startup probe time limit
  • Fixed a database deadlock issue caused by the indexer
Console 1.35.1
2025-06-26

Fixes v1.35.1

  • Fixed an issue with creating Kafka Connect alerts through the UI
  • Improved lag exporter performances
Conduktor CLI 0.6.1
2025-06-24

Fixes

  • Fixed an issue introduced in v0.6.0, where intermittent failure on some apply runs where kind ordering would not be respected. In some scenarios the parent resource is not made before the child (e.g. ApplicationInstances being created before Applications) and the run would fail, this could be fixed by attempting a retry.
  • Fixed an issue introduced in v0.6.0 where failed runs would not return an exit code, leading to silent failures in CI actions.
Find out more.
Conduktor CLI 0.6.0
2025-06-23

Changes

This release introduced a couple of bugs that were fixed in CLI v0.6.1, please use that version instead of v0.6.0.
Significant performance improvements when applying a large number of resources. To control the maximum number of concurrent resource apply operations, use the --parallelism flag.The flag accepts integer values between 1 and 100. If a value outside this range is provided, the command will show an error and exit. Find out more.
Gateway 3.10.0
2025-06-18

New feature v3.10.0

New GATEWAY_SECURITY_MODE environment variable

This release introduces the GATEWAY_SECURITY_MODE environment variable which simplifies the security configuration by splitting out what manages authentication/authorization (valid values: KAFKA_MANAGED or GATEWAY_MANAGED) from how it should be managed (still set in the GATEWAY_SECURITY_PROTOCOL environment variable).This change:
  • deprecates the DELEGATED_SASL_PLAINTEXT and DELEGATED_SASL_SSL security protocols (though they remain supported for backward compatibility)
  • enables ACLs by default when managing security on the Gateway, by changing the default behaviour of the GATEWAY_ACL_ENABLED environment variable. ACL behavior is now derived from the security mode
  • is backwards compatible, supporting existing configurations while encouraging the new approach
Check out the tutorial on migrating to the new security mode.
Console 1.35.0
2025-06-18

Conduktor Scale

Resource policies now covers Subject and ApplicationGroup

Central platform teams can further define the ways of working for their teams by assigning resource policies for subjects and application groups. A few interesting use cases include:
  • Restricting application teams to only using Avro or enforce a specific compatibility mode, such as FORWARD_TRANSITIVE.
  • Preventing application teams from adding members to application groups directly, directing them to use the external group mapping instead.
  • Limiting the actions that can be performed in the UI by locking certain permissions.
---
apiVersion: self-service/v1
kind: ResourcePolicy
metadata:
  name: 'applicationgroup-restrictions'
  labels:
    business-unit: delivery
spec:
  targetKind: ApplicationGroup
  description: Enfore External Group Mapping and prevent TopicDelete permission in ApplicationGroup
  rules:
    - condition: size(metadata.members) == 0
      errorMessage: spec.members not allowed. Use external group mapping instead
    - condition: '!spec.permissions.exists(p, p.permissions.exists(x, x == "TopicDelete"))'
      errorMessage: TopicDelete permission is not allowed. Topic must only be deleted via CLI

---
apiVersion: self-service/v1
kind: ResourcePolicy
metadata:
  name: 'subject-format-and-compatibility-policy'
  labels:
    business-unit: delivery
spec:
  targetKind: Subject
  description: Enforces allowed schema formats and compatibility level for subjects
  rules:
    - condition: spec.format in ["AVRO", "PROTOBUF"]
      errorMessage: Only AVRO or PROTOBUF formats are allowed
    - condition: spec.compatibility == "FORWARD_TRANSITIVE"
      errorMessage: compatibility mode must be FORWARD_TRANSITIVE
ResourcePolicy that target ApplicationGroup must be defined at the Application level:
# Application
---
apiVersion: self-service/v1
kind: Application
metadata:
  name: 'clickstream-app'
spec:
  title: 'Clickstream App'
  description: 'FreeForm text, probably multiline markdown'
  owner: 'groupA' # technical-id of the Conduktor Console Group
  policyRef:
    - 'applicationgroup-restrictions'
Additionally, ResourcePolicy targeting Topic, Subject or Connector configured at Application level will be applied to all Application Instances under that Application.

Revamped Application Catalog

The Application Catalog page has been completely redesigned to improve application discovery and team collaboration.The new application list page provides a unified view of all accessible applications with advanced search and filtering capabilities, including filtering by ownership and labels. Clear team ownership visibility, topic and subscription information, as well as hover cards showing instance details at a glance will help you find what you need quickly.Application CatalogThe enhanced application details page now supports adding application labels for better categorization and organization. A new dedicated access requests page provides better management of requests specific to each application, making it easier to track and handle permission requests while maintaining clear visibility into application access patterns.

Topic-level consumer group lag alerts

Consumer group lag alerts now support topic-level scoping, allowing you to create more focused alerts for specific topics within a consumer group instead of monitoring the entire group.This makes it easier for teams sharing consumer groups who need topic-specific visibility.

Quality of life improvements v1.35.0

  • Added new fields to the onboarding page.
  • CRUD operations for the labels added in the consumer group details page.
  • Leading and trailing white spaces will now be printed as ”⎵” for display purposes and to provide more clarity to user. A tooltip will additionally be added to let users know when this is happening and to give them the “raw” value if they need it. The actual value will not be changed, this is just a visual helper.
  • Improve container security context configuration on Conduktor Console and Cortex containers that allow to :
    • run with different UID and GID than default 10001:0
    • run unprivileged with all linux capabilities dropped

Fixes v1.35.0

  • Fixed an issue where changing the cluster did not clear the search filter in consumer groups and topic pages.
  • Fixed an issue where navigating to a schema registry with a name containing non-escaped characters such as / would redirect to the home page.
  • Fixed an issue where the equality filter on JSON number fields wasn’t working correctly against large numbers in the topic consume view.
  • The JSON view of a message in a topic no longer coerces large number fields to a string.
  • Fixed an issue where the full message was not displayed correctly in the tooltip when hovering over it in the topic consume view table.
  • Fixed an issue where the UI didn’t redirect to the correct cluster when switching Console instances.
  • Fixed the logo in the onboarding page dark mode.
  • The screenshot showing users how to find the project name and service name in Aiven Cloud is displayed correctly again.
  • Fixed an error that would occur when no partitions were selected in Topics page filters.
  • Fixed a bug that would cause service accounts with white spaces to not be accessible correctly.
  • Cleanup data volume on start to ensure that old data is not re-used when using persistent volume between restarts.
Gateway 3.9.2
2025-06-11

Fixes v3.9.2

Fixed a security vulnerability in commons-beanutils (CVE-2025-48734).This release fixes the affected dependency to mitigate the risk associated with this CVE.
Console 1.34.3
2025-06-03

Fixes v1.34.3

  • Improved support of Kafka Connect from Confluent Cloud (more connector statuses supported, better error messages, fixed list of topics).
  • Improved caching strategy of the RBAC model resulting in faster UI and API.
  • Fixed dependencies vulnerable to CVE-2025-48734
Console 1.34.2
2025-05-26

Fixes v1.34.2

  • Improved memory efficiency when consuming messages from Kafka
  • Added support of audit log events related to the ApplicationInstancePermissionRequest and ResourcePolicy resources
Console 1.34.1
2025-05-20

Fixes v1.34.1

  • Fixed an issue with selecting groups and Slack channels when creating alerts
  • Fixed an issue with the license plan page for licenses containing the Trust product
Gateway 3.9.0
2025-05-14

Breaking changes v3.9.0

1. Gateway service accounts are now always required, when using PLAIN tokens

You’re impacted if

  • your Gateway was not previously configured with the environment variable GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED=true
  • and your clients are connecting using PLAIN tokens without having a corresponding local service account already created.
Note: Customers using either mTLS or DELEGATED security protocol are unaffected.

Do you have to do anything?

  • You must create any missing local service accounts that your tokens rely on.
  • You can do this using the following command, adjusting your admin API credentials, host and name as appropriate
curl -X PUT -u admin:conduktor http://localhost:8888/gateway/v2/service-account \
        -H 'accept: application/json' \
        -d '{"kind": "GatewayServiceAccount", "apiVersion": "gateway/v2", "metadata": { "name": "admin", "vCluster": "passthrough"  }, "spec": { "type": "LOCAL" }}'
Find out about creating service accounts and ACLs.

Why did we make this change?

Previously, PLAIN tokens could be issued to connect to Gateway without having to create the service account they are linked to. This could be configured to require that the service account exists using the environment variable GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED.This change improves security and consistency by enforcing that all PLAIN tokens must correspond to a pre-existing local service account. The GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED variable is now deprecated and will behave as if it was set to true.This enforces best practices that were previously only encouraged, meaning all tokens must have their service account already created on Gateway before they’re allowed to connect.We expect most customers to be unaffected as this setup is actively discouraged in the onboarding experience, as we recommend creating the service account before creating tokens.

2. Local service account token signing key is now mandatory

You’re impacted if:

  • your Gateway security protocol (for the client connection to Gateway) is SASL_SSL or SASL_PLAINTEXT
  • and GATEWAY_USER_POOL_SECRET_KEY wasn’t already set

Do you have to do anything?

  • Yes. Set GATEWAY_USER_POOL_SECRET_KEY. We recommend using the following command line to generate the hash:
openssl rand -base64 32

Why did we make this change?

Previously, when we signed the tokens for the local service accounts, we used a key that’s set to a default value. The issue with that is that anybody who knows that default value is able to create their own tokens and connect to Gateway, if you’ve not changed the key.To prevent this, we now ask you to set the key and store it safely, so that nobody unauthorized could create identities.

New features v3.9.0

Enhanced Confluent Cloud authentication with service account mapping

When using Confluent Cloud with delegated authentication, Gateway now supports automatically resolving API keys to their associated service account. This feature addresses key limitations of the previous approach:
  • Improved Interceptor targeting: Interceptors can now target service accounts directly
  • Enhanced Chargeback capabilities: Usage tracking by service account instead of API key
  • Elimination of manual mappings: Removes the need for administrators to maintain user mappings

Dynamic header Injection from record payloads

The header injection Interceptor has been enhanced to support deriving header values directly from record payloads.This powerful feature allows you to extract:
  • the entire record key or value and inject it as a header
  • specific fields from record keys or values and inject them as headers
You can now reference record fields using mustache syntax:
{
  "config": {
    "topic": "topic.*",
    "headers": {
      "X-CLIENT_IP": "{{userIp}} testing",
      "X-USER-ID": "{{record.key.id}}",
      "X-USER-EMAIL": "{{record.value.email}}"
    },
    "overrideIfExists": true
  }
}
This feature supports:
  • Extracting values from JSON, AVRO, PROTOBUF serialized records
  • Accessing record fields using dot notation
  • Referencing the entire key or value payload
  • Using mustache syntax for dynamic header values

Fix v3.9.0

HashiCorp Vault token refresh resilience

Fixed a problem where Gateway would stop scheduling HashiCorp Vault token refreshes after encountering an error during the refresh process. Previously, if Gateway attempted to refresh its Vault token during a Vault outage, it would fail to recover even after Vault became available again, requiring a Gateway restart.With this fix, Gateway will now:
  • continue scheduling token refreshes at the regular intervals
  • automatically recover once Vault becomes available again
Console 1.34.0
2025-05-14

Conduktor Scale

Kafka Connect policies

Central teams can now configure Self-service policies targeting Connector resources.
---
apiVersion: self-service/v1
kind: ResourcePolicy
metadata:
  name: "limit-max-tasks"
spec:
  targetKind: Connector
  description: "Limit max tasks to 1"
  rules:
    - condition: spec.configs["tasks.max"] == "1"
      errorMessage: Connector tasks.max must be set to 1
The new policies use the CEL language to express the rule. Supported targetKind are Connector and Topic.

Subscribe to application topics

Application owners now have the ability to manage topic subscriptions across their organization.Using the Topic Catalog, owners can subscribe to topics outside of their own application, selecting from their list of applications and focusing only on valid instances that share the same Kafka cluster.The new interface provides flexible permission configuration, enabling read or write permissions for each subscription, as well as granular control over both user and service account permissions.Topic catalog subscribe modalSubscription request management has also been enhanced, giving application owners the ability to review pending requests and approve or deny them through both the UI and CLI.During this process, administrators can modify the originally requested permissions to better align with organizational requirements. For teams preferring infrastructure-as-code approaches, approving requests using YAML configuration automatically closes the request, streamlining the workflow.Application catalog request approval

Conduktor Exchange

Extended authentication mechanisms for Partner Zones

Partner applications can now authenticate to your Partner Zones using client IDs & secrets managed by your OAuth/OIDC provider. The Partner Zone schema is changed to reflect the new authentication modes. This is a breaking change which should be updated as below:
kind: PartnerZone
metadata:
  name: external-partner-zone
spec:
  cluster: partner1
  displayName: External Partner Zone
  url: https://partner1.com
  # serviceAccount: johndoe # <-- Previously, spec.serviceAccount
  authenticationMode: # New schema. spec.authenticationMode.serviceAccount , and, spec.authenticationMode.type of PLAIN or OAUTHBEARER
        serviceAccount: partner-external-partner
        type: PLAIN
  topics:
    - name: topic-a
      backingTopic: kafka-topic-a
      permission: WRITE
For more information see the reference page.

Quality of life improvements v1.34.0

  • Added selectors for key and value formats on the single Kafka message page, enabling the use of custom deserializers.
  • You can now see clusters referenced by each alert in the Settings > Alerts page.

Fixes v1.34.0

  • To avoid timeouts when indexing consumer groups, added a new configuration variable to limit the number of consumer groups requested per describe query.
  • Fixed an issue where in Topic Consume page, JQ filters against big numbers loses precision in Safari.
  • Fixed an issue where messages with big number fields lose precision when being copied over to be reprocessed in the Topic Produce page.
  • Fixed an issue where only the first 1,000 schemas were indexed
  • Fixed an issue where opening a message with more than 1MB of data would freeze the UI because of the table view. It now defaults to the JSON view.
  • Fixed an issue impacting Kafka Connect sink connectors where providing consumer override values as configuration would lead to a validation failure.
  • Fixed an issue where deleted clusters were still present in the RBAC system, causing issues on the CLI api.
  • Kafka config on huge numbers is now displayed correctly in the UI.
  • Fixed an issue with Partition on topic details was not sorted correctly.
  • Fixed an issue where lag wasn’t correctly calculated after a topic was deleted and recreated with the same name.
  • The list of consumer groups in the topic details page using RBAC is now correctly displayed.

Known issue v1.34.0

In the Topic Consume view, equality filters (==) on JSON number fields aren’t working correctly when the number exceeds JavaScript’s safe integer limit of 2^53-1. Note that while range operators (>, <, >=, <=) still work with large numbers, there’s currently no workaround for exact equality filtering. We’ll address this in a future release.
Conduktor CLI 0.5.1
2025-05-14

Change

  • The -o flags are now visible at the get root command level, making output options more discoverable.

Fix

  • Fixed an issue where alerts could not be deleted via the CLI when using the metadata group. Find out more.
Gateway 3.8.1
2025-04-18

Conduktor Shield: optional compression before encryption when using full payload encryption

Kafka supports compression out of the box but with limited effect when the data is already encrypted. To improve this, Gateway now supports compressing full payload data before it’s encrypted (when the encryption Interceptor is configured).This new functionality is not enabled by default. To enable it, add the new compressionType entry in the encryption Interceptor configuration to either ‘gzip’, ‘snappy’, ‘lz4’ or ‘zstd’.If the full payload encryption is configured for headers, record keys or record values, the respective data will now be compressed before it is encrypted.Find out more about encryption configuration.

Fixes v3.8.1

  • When using the alter topic policy Interceptor, allow updating only a subset of the enforced configurations.
  • Correctly camel case capitalize upsertResult properties in API v2 responses
Gateway 3.8.0
2025-04-09

Breaking changes v3.8.0

New backing topic required for Gateway

An upcoming data quality feature requires a new backing topic in Gateway.When you upgrade to Gateway 3.8.0, a new topic _conduktor_gateway_data_quality_violation will be created.To change this default topic name, use the GATEWAY_DATA_QUALITY_TOPIC variable. Find out more about environment variables.

Deprecating v1 APIs

The v1 APIs are now deprecated in favor of v2, introduced in Gateway v3.3.0 in September 2024.If you’re using the Conduktor CLI to operate Gateway, you’re not impacted. Find out which Gateway APIs are affected.
We plan to remove the V1 APIs from Gateway in two releases (Gateway 3.10.0). If you’re using the v1 APIs, migrate to v2 APIs as soon as possible. Get in touch for support with the migration.

Conduktor Shield

General availability of cost-effective Crypto Shredding with Gateway KMS

This release includes general availability of the Gateway native crypto shredding feature for Conduktor Shield customers.The ‘gateway’ KMS type on encryption/decryption interceptors allows you to manage granular encryption keys for individual users/records without the prohibitive costs of storing each key in AWS KMS (which costs approximately $1 per key).Try out crypto shredding with our tutorial.
Breaking changes for v3.7.0 Crypto Shredding users: any messages encrypted with ‘gateway’ KMS type in Gateway v3.7.0 will not be de-cryptable in v3.8.0.
Improvements since v3.7.0:
  • When multiple Gateway nodes are simultaneously processing data with the same secret Id for the first time, it’s now possible for multiple Gateway keys to be stored per secret Id. Crypto Shredding requires every one of these keys to be deleted. To do so, the key store topic needs to be fully consumed and all of the keys associated with the required secret Id determined. Each will have a separate UUID.
  • To efficiently re-use Gateway KMS keys for secret Ids, a new configuration option maxKeys has been added to config/kmsConfig/gateway/. It should be set to a number larger than the expected number of secret Ids.
  • The masterKeyId in config/kmsConfig/gateway/ is now validated and can’t use template variables.

New features v3.8.0

Support for delegated authentication using OAUTHBEARER

When using the OAUTHBEARER authentication mechanism, you can now use GATEWAY_SECURITY_PROTOCOL=DELEGATED_SASL_xxx. By default, Gateway will use the sub claim as the principal name. You can override this by setting the GATEWAY_OAUTH_SUB_CLAIM_NAME environment variable to the claim you want to use as the principal name.

Support for Confluent Cloud Identity Pool

If you’re using OAuth support on Confluent Cloud, you can also set GATEWAY_OAUTH_USE_CC_POOL_ID environment variable to true to use the identity pool ID as the principal name.

Support for delegated authentication using AWS_MSK_IAM

When using the AWS_MSK_IAM authentication mechanism, you can now use GATEWAY_SECURITY_PROTOCOL=DELEGATED_SASL_xxx. By default, Gateway will use the AWS access key ID as the principal name.
Console 1.33.0
2025-04-09

Conduktor Scale

Kafka Chargeback - group by labels

Introducing labels for Chargeback - you can now filter and group Kafka usage by team, environment, project or business unit.Go to the Chargeback page, select the required service account and add relevant label(s). You can then use these labels to filter your view or usage reports and action as necessary.Manage Chargeback labels in the service account details page

Self-service - improved cross-team access control

We’ve enhanced permission management for cross-team access. You can now assign different permissions to users in the UI from the Kafka service accounts, allowing for more precise access control.Here’s an example granting READ access to the service account and denying access to members of the application through Console:
# Permission granted to other applications
---
apiVersion: self-service/v1
kind: ApplicationInstancePermission
metadata:
  application: "clickstream-app"
  appInstance: "clickstream-app-dev"
  name: "clickstream-app-dev-to-another"
spec:
  resource:
    type: TOPIC
    name: "click.event-stream.avro"
    patternType: LITERAL
  userPermission: NONE
  serviceAccountPermission: READ
  grantedTo: "another-appinstance-dev"

Support for Aiven service accounts

We’ve added the support for Aiven service accounts in our API and CLI.Here’s an example granting READ and WRITE access to the click.event-stream.avro topic and its schema.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  cluster: aiven
  name: clickstream-sa
spec:
  authorization:
    type: AIVEN_ACL
    acls:
      - resourceType: TOPIC
        name: 'click.event-stream.avro'
        permission: readwrite
      - type: SCHEMA
        name: 'Subject:click.event-stream.avro'
        permission: schema_registry_write

Service account labels

You can now annotate all service accounts with Conduktor labels:
  • Any Kafka cluster
  • Conduktor Gateway
  • Confluent Cloud
  • Aiven Cloud (currently using API/CLI only)
To can add/edit labels, click Edit next to the labels, shown under the service account name:Service account label details
We’re working to add support for labels on all Conduktor resources.

Conduktor Exchange

Improvements to Partner Zones

Rename shared topics

You can now add aliases to the topics shared via Partner Zones. This prevents the sharing of any internal naming conventions or sensitive information, without replication.Rename shared topics in the UI

Modify Partner Zone details

Partner Zones can now be easily edited using the UI. You can edit the following:
  • name
  • URL
  • description
  • contact information
  • traffic control policy details
  • topics (add new or rename existing) editing a partner zone
Find out more about Partner Zones or Conduktor Exchange.

Quality of life improvements v1.33.0

  • Add selectors for key and value formats on the single Kafka message page, enabling the use of customer deserializers.
  • Creating resources owned by an Application Instance using an Admin API Key now bypasses Self-service topic policies.

Fixes v1.33.0

  • Glue: improve deserialization of Avro schemas containing a nullable union
  • Fixed an issue preventing the use of protobuf schemas with references
  • Added a fallback mechanism to use the standard Kafka Connect API call when encountering an error on Confluent Cloud. If all attempts fail, the Confluent Cloud error message is now displayed to provide better clarity and troubleshooting information.
  • Improved performance of API for applying users and groups with many permissions
  • Errors thrown while producing to a topic are now properly displayed in the UI
  • Fixed the computation of the controller of a KRaft cluster in the Brokers page
  • Fixed an issue that prevented the storage of the NUL character in Kafka Connect error messages
  • Failure to create the topic for audit log is now recorded in the logs
  • Prevent Application Instance Token to be able to overwrite the Service Account permissions
  • Update the database schema to not use ‘partition’ as a column name due to conflicts with SQL keywords on EnterpriseDB
  • Align LDAP user retrieval behavior with binding/connection requests to resolve issues with federated Active Directory/LDAP where users aren’t found.

Known issue v1.33.0

In the Topic Consume view, equality filters (==) on JSON number fields aren’t working correctly when the number exceeds JavaScript’s safe integer limit of 2^53-1. Note that while range operators (>, <, >=, <=) still work with large numbers, there’s currently no workaround for exact equality filtering. We’ll address this in a future release.
Console 1.32.1
2025-03-24

Fixes v1.32.1

  • Fixed dependencies vulnerable to the following CVEs:
  • Fixed an issue where web browsers would try to autofill Kafka Connect configuration form fields with saved passwords
Gateway 3.7.0
2025-03-21

Breaking changes v3.7.0

New backing topic required for Gateway

The Gateway KMS feature introduced in this release requires a new backing topic to store the keys.When you upgrade to Gateway 3.7.0, a new topic _conduktor_gateway_encryption_keys will be created.To change this default topic name, use the GATEWAY_ENCRYPTION_KEYS_TOPIC variable.Find out more about environment variables.

Separator for super users

Super users in Gateway (specified in the GATEWAY_SUPER_USERS environment variable) are now separated by a semicolon ; instead of a comma ,.This change is to allow super users identified with mTLS using their full DN form (CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown), and makes Gateway aligned with the Kafka configuration.
This change doesn’t affect super users specified in virtual clusters, as they are specified using the YAML array.

Deprecating v1 APIs

V1 APIs are now deprecated in favor of the V2 APIs introduced in Gateway 3.3.0 in September 2024.
If you’re using the Conduktor CLI to operate Gateway, you are not impacted.Check out the Gateway API reference to see which APIs are affected.We plan to remove the V1 APIs from the Gateway in three releases time, in Gateway 3.10.0.If you’re using the v1 APIs, please migrate to the V2 APIs as soon as possible. Get in touch if you need support with this migration.

New features v3.7.0

Preview feature - introducing cost-effective crypto shredding with Gateway KMS

This feature is currently in preview mode and will be available soon. We recommend that you don’t use it in the production workloads.
This release introduces a preview feature that significantly reduces the cost and complexity of implementing crypto shredding at scale. The new ‘gateway’ KMS type allows you to manage granular encryption keys for individual users or records without the prohibitive costs of storing each key in AWS KMS (which costs approximately $1 per key).With this feature, you can maintain regulatory compliance and honor user deletion requests more efficiently by:
  1. Storing only a single master key in your external KMS
  2. Securely managing thousands of individual encryption keys in Gateway’s internal key store
  3. Deleting specific user keys when needed, rendering their data permanently inaccessible
This approach is particularly valuable for organizations that need to implement crypto shredding across large user bases or high-volume data sets, offering both substantial cost savings and improved performance compared to managing individual keys directly in AWS KMS.crypto-shredding-conceptThe keys stored by Gateway are all encrypted themselves via a configured master key externally held in your KMS - ensuring they remain secure and useless without access to the external KMS.

Support for AWS Glue schema registry

This release extends the support in Gateway for schema registries to include AWS Glue schema registry.The default choice is Confluent like schema registries, and is backwards compatible with previous gateway configurations.For AWS Glue schema registry, different settings are required to connect - check out the relevant plugin documentation.

Feature changes v3.7.0

  • Added support for . in the name of the Virtual Cluster APIs
  • More detailed errors unrelated to Interceptor validation added

Fixes v3.7.0

  • Added aws-java-sdk-sts dependency to allow assume role profiles when using AWS KMS
  • Added jcl-over-slf4j dependency to see logs from AWS SDK
Console 1.32.0
2025-03-12

Breaking changes for Partner Zones

Improvements to Partner Zones require Gateway 3.6.1 to be deployed with this release of Console.

Conduktor Scale

Alert history

In the alert details page you can now also see the history of an alert’s status and notifications which may have failed to send.Alert details page. The left-hand side lists alert properties like name and description. The right-hand side displays a heatmap-style chart with red and grey squares indicating alert health and a table below listing recent alert notifications.

Audit logs

You can now view the new CloudEvents-based audit log events with enhanced filtering capabilities for the new resource and event types, including Conduktor platform triggered events.While legacy audit log events will stop being captured in this release, existing legacy events will remain accessible through a dedicated page until a future release.The audit log settings page shows a list of audit log events, with a drawer showing details of an event

Service account labels

You can now edit labels on service accounts in plain Kafka clusters through the UI, in addition to the existing CLI & API support.Support for labels on Aiven and Confluent Cloud service accounts is coming soon.The service account details page shows labels underneath the service account name heading. Next to existing labels there is an edit button which you can click to open a drawer with a form to add and edit labels

RBAC-aware menu

The left-hand menu is now RBAC (Role Based Access Control) aware, dynamically showing/hiding menu items based on users’ permissions. Hiding functionality that users don’t have access to makes onboarding easier and reduces confusion.In Console, menu items are shown based on the user’s Resource access permissions on individual clusters, while the Settings menu items are shown according to the Service access permissions.

Conduktor Exchange

Exchange is a new Conduktor product that enables you to share data securely with your external partners. Find out more about the Exchange product.

Introducing Partner Zones UI

Partner Zones is currently a Preview feature and is subject to change as we continue working on it.
Partner Zones enable you to securely share your Kafka streaming data with external partners, without the need to replicate that data into a second, physical Kafka cluster.In this release we’re introducing the option to create Partner Zones using the Console UI in just few steps, including the ability to set traffic control policies.In upcoming releases we’ll be adding further enhancements, such as:
  • an ability to edit Partner Zone configurations
  • the option to rename shared topics, securing your data even further by ensuring that no internal information is shared
Find out more about Partner Zones.

Quality of life improvements v1.32.0

  • Enabled the confirmation of resource deletion using the Enter key.
  • Updated the connector restart button labels and toast messages to accurately reflect their behavior for Confluent Cloud connectors.
  • Removed a legacy option to disable monitoring.

Fixes v1.32.0

  • Fixed an issue where editing a schema registry subject would overwrite its compatibility mode with the global compatibility setting.
  • Fixed an issue where creating an ACL for a service account with a duplicate name could override the existing ACL.
  • Fixed an issue where you could not remove the last ACL and Save in the Service Account UI.
  • Fixed an issue where the Kafka Connect failed task heatmap didn’t display data for days in 2025.
  • Fixed an issue where the CLI would report incorrect actions taken (although the correct actions were shown when the --dry-run flag was used).
  • When Azure Active Directory is used as an LDAP server, the userPrincipalName field can now be set as the field containing the email address.
  • Fixed an issue where very large numbers would show rounded in the details view of a topic message (e.g. 7777705807840271771 would display as 7777705807840271000).
  • Fixed the UI issue where the option to reset a consumer group offset would disappear off the screen, if the partition count was too large.

Known issue v1.32.0

In the Topic Consume view, equality filters (==) on JSON number fields isn’t working correctly when the number exceeds JavaScript’s safe integer limit of 2^53-1. Note that while range operators (>, <, >=, <=) still work with large numbers, there’s currently no workaround for exact equality filtering. We’ll address this in a future release.
Conduktor CLI 0.5.0
2025-03-10

Changes

  • Included Gateway resources in get all
  • Added cause to ApiError responses
  • Fixed apply template comment in YAML file
  • Added option to edit and apply immediately to template command
  • Standardized flag descriptions

Fix

  • Fixed verbose mode in single client configuration
Find out more.
Gateway 3.6.1
2025-03-05

New features v3.6.1

  • New metric gateway.apiKeys.throttle_ms : sets the throttling time in Kafka responses per apiKey in milliseconds
  • Updated existing metric gateway.apiKeys.latency.request_response : sets the latency to process a request and generate a response for each API key
    • It now tracks latency for all verbs (eg CONNECTION) not just FETCH/PRODUCE

Feature changes v3.6.1

  • Changes to Limit Commit Offset Plugin:
    • accuracy of rate limiting has been improved
    • action/throttleTimeInMs properties did not work correctly and are now ignored
  • Changes to cluster ACLs:
    • when creating cluster ACLs using a programmatic API, only allow kafka-cluster for the name part of the resource. This makes Gateway consistent with Kafka.

Fixes v3.6.1

  • Fixed a problem with the Create Topic Policy plugin which would not apply overrides to default configurations from the underlying Kafka setup.
  • Fixed a problem with CreateTopics ACLs in Gateway which previously also required the Create cluster permission enabled.
  • Addressed a problem with Non Delegated SASL/PLAIN token credentials, where Gateway would continue to work after service account has been deleted. To enable this feature set the environment variable GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED to true (it currently defaults to false).
  • Fixed a problem in AddPartitionsToTxnRequest where ACLs on transactionIds in new location were not being checked when Kafka API version was >= 4.
  • An un-authorized idempotent producer will now throw a ClusterAuthorizationException instead of a TransactionalIdAuthorizationException, making Conduktor Gateway consistent with Kafka.
Console 1.31.2
2025-03-03

Fixes v1.31.2

  • Fixed prefixed ACLs not displaying correctly in the Service Account UI
  • Fixed an issue where Service Accounts with no ACL were incorrectly shown in the UI
  • Fixed an issue allowing creation of Service Accounts without ACLs

Known issues v1.31.2

  • When removing ACLs in the Service Account UI, you cannot remove the last ACL
  • As a workaround, you can remove that last ACL, then create a new ACL against a resource name that does not exist.
  • We will address this issue in the next release
Console 1.31.1
2025-02-18

Console metrics performance and configuration

To address issues related to monitoring graph timeouts and OutOfMemory issues when Console is connected with large Kafka clusters, we’ve introduced a change to how metrics are collected in Console.This feature is currently optional but will be enabled by default in the next release.If you’re experiencing graph timeouts or OutOfMemory issues, upgrade to 1.31.1 and configure the following additional environment variables:
CDK_MONITORING_ENABLENONAGGREGATEDMETRICS: false
CDK_MONITORING_USEAGGREGATEDMETRICS: true
This configuration will disable the collection of obsolete granular metrics and use the new aggregated metrics in the Console graphs.

Fixes v1.31.0

  • Fixed dependencies vulnerable to the following CVEs:
  • Resolved an issue related to SSL checks between the Console and Cortex where bad certificates caused communication issues
  • Fixed an issue with user email addresses containing a ' character that blocked database migrations
  • Reduced the memory consumption and improved the performance of metrics under heavy load that prevented them from displaying
  • Partner Zones: configuration updates are now applied correctly
  • Partner Zones: partners can now utilize consumer groups
Gateway 3.6.0
2025-02-12

Features v3.6.0

Kafka cluster connection management

This release includes a set of enhancements to how Gateway manages connectivity to a Kafka Cluster. This provides greater stability and flexibility for how Gateway can be configured with the Kafka Clusters it’s connected to, and is a precursor change for future product releases.

Encryption improvements

Encryption secret Id Mustache templates

The encryption now allows multiple mustache substitutions in a key secret Id configuration. Previously, only a single substitution was supported. E.g. This is now allowed:"keySecretId": "vault-kms://my-vault:8200/transit/keys/{{record.key}}-{{record.header.someHeader}}"

Decryption failure modes

This release adds a new optional configuration to the decryption plugin to allow different modes of handling errors. There are two supported modes:
  • errorPolicy: "return_encrypted" Previous - if there’s an error during decryption, then the encrypted data is returned.
  • errorPolicy: "fail_fetch" New - if there’s an error during decryption, then the fetch that was reading the data is failed and the client will receive an error.
In both cases, we have enhanced the logging, so issues during decryption are more fully reported.

Schema registry access improvements

Read only schema registry access

Some of our Gateway plugins will deserialize and re-serialize messages in order to perform their functions. A side effect of this is that the serializer code would unnecessarily require write access to the Schema Registry. While there was no situation where Gateway would actually cause any updated or additional schema to appear, - we’ve altered the Schema Registry access to be read only. This avoids having to unnecessarily assign write permission for our Gateway Schema Registry connections if you’re using ACLs on your Schema Registry.

Plugin validation of schema registry access

All Gateway plugins which access the Schema Registry will now validate that the configuration for the Schema Registry is correct when it’s added or updated in Gateway. Previously, this behavior was inconsistent and a few of our plugins would only detect incorrect configurations when they processed a message rather than when they were setup.

Quality of life improvement v3.6.0

Added a new CLI command conduktor run generateServiceAccountToken to generate the JWT for local service accounts. Update your CLI to version 0.4.0 or higher.

Fixes v3.6.0

  • Fix: CreateTopicPolicy and AlterTopicPolicy overrides. There were some edge cases where the desired overrides from the plugin config would not be applied. These plugins now behave consistently in all situations.
  • Improvement: Removed some verbose logs and updated logging to be clearer. A general set of improvements has been made to Gateway logging, making some errors clearer and reducing repetition.
Conduktor CLI 0.4.0
2025-02-07

Changes

  • Environment variable references can now be passed to Gateway or Console, allowing you to store references to secret variables used by the host within your configuration.
  • Partner Zones are now available, allowing you to securely share your streaming Kafka data with external partners without the need to replicate the data.
  • More informative error responses in certain situations
  • Console API schema updated
  • Added run
  • Schema code reorg
  • Ops 630 pass external environment variable reference
  • Introduced dev mode for hidden command
  • Panic replaced with graceful exit
  • Included Partner Zones Gateway API changes

Fixes

  • buildAlias duplication fixed
  • Fixed ServiceAccount check when defining commands
  • Release Action fixed
  • Various doc fixes
  • Fixed duplicate printout statements
Find out more.
Console 1.31.0
2025-02-05

Breaking changes

Removed v1 alerts

Original alerts created in the Monitoring/Alerts section are no longer available.

Changes to v2 alerts

V2 Alerts, that can be created since Console 1.28 on the dedicated resource page (Topics, Brokers, etc.) are still available and active, but have been migrated with the following rules:
  • Alerts have been automatically configured with the previously globally configured channel (Teams or Slack).
  • Alerts have been assigned to the individual who created them.
Find out more about alerts using webhooks.

Id of certificates

The Id of certificates in the public/v1/certificates API endpoints were modified to represent the fingerprint of the certificate. It brings a more stable way to identify certificates in audit log and prevent multiple uploads of the same certificate.

Conduktor Scale

Enhanced alerting with webhooks support

We have made significant improvements to the alerting system in Console. Here are some of the changes:
  • Alerts are now owned by individuals, groups, or applications
  • We added Webhook destination to alerts notifications
  • Destinations are now configurable per-alert
  • API / CLI support for Alerts is now available
apiVersion: console/v3
kind: Alert
metadata:
  name: messages-in-dead-letter-queue
  group: support-team
spec:
  cluster: my-dev-cluster
  type: TopicAlert
  topicName: wikipedia-parsed-DLQ
  metric: MessageCount
  operator: GreaterThan
  threshold: 0
  destination:
    type: Slack
    channel: "alerts-p1"
Alert creation workflow has been updated to allow you to configure the alert destination and ownership in the UI.Application permissions on RBAC screen

API and CLI support for service accounts

We’ve added support for Service Accounts in the API and CLI.Declaring ServiceAccount resource lets you manage the ACLs of a service account in Kafka.At the moment we only support Kafka ACLs (calls to Kafka APIs) but we plan to add support for Aiven ACLs in ServiceAccount resource in the future.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  cluster: shadow-it
  name: clickstream-sa
spec:
  authorization:
    type: KAFKA_ACL
    acls:
      - type: TOPIC
        name: click.event-stream.avro
        patternType: PREFIXED
        operations:
          - Write
      - type: CLUSTER
        name: kafka-cluster
        patternType: LITERAL
        operations:
          - DescribeConfigs
      - type: CONSUMER_GROUP
        name: cg-name
        patternType: LITERAL
        operations:
          - Read

Labels support for service accounts

We have added support for labels in the ServiceAccount resource.For now you can only edit labels through ServiceAccount resource in the API and CLI.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  cluster: shadow-it
  name: clickstream-sa
  labels:
    domain: payment
    region: EMEA
    application: clickstream
spec:
  ...
The labels are used to filter the Service Accounts in the UI. Editing labels in the UI will be available in the next release.Application permissions on RBAC screen

Self-service support for application managed service accounts

We’ve added a new mode for ApplicationInstance that allows application teams to have full control over their service accounts.This mode can be enabled in the ApplicationInstance with the spec.applicationManagedServiceAccount flag set to true.When enabled, Self-service will not synchronize the service account with the ApplicationInstance and will let the application team manage the service account directly.Application managed service accounts can be declared in the API and CLI using the application API key.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  appInstance: "clickstream-app-dev" # Mandatory to link the Service Account to the ApplicationInstance
  cluster: shadow-it
  name: clickstream-sa
spec:
  authorization:
    type: KAFKA_ACL
    acls:
...

Application group permissions now available on user permissions page

The user permissions page has been updated to show the permissions inherited when they belong to an ApplicationGroup.Application permissions on RBAC screen

Conduktor Exchange

Exchange is a new Conduktor product aimed at helping you share your data securely with your external partners.Find out more about Conduktor Exchange.

Introducing Partner Zones for third-party data sharing

Partner Zones is currently a Preview feature and is subject to change as we continue working on it.
Partner Zones enable you to securely share your streaming data with external partners, without needing to replicate the data into a second, physical Kafka cluster.In the upcoming releases, we will be adding the following:
  • Dedicated pages that allows you to manage Partner Zones completely from the UI
  • Support for Traffic Control Policies to limit the amount of data that can be consumed or produced by your partners
  • Topic renaming capability to avoid leaking internal topic names to your partners
Find out more about Partner Zones.

Quality of life improvements v1.31.0

  • Added a “Groups” tab in the Application page which shows all of the Application Groups created via Self-service
  • Improved the license plan page to show the start and end date of the license, as well as the packages included in the license
  • Added the remaining days left in the sidebar when the license is expiring in less than 30 days
  • Improved how a connector’s configuration is displayed in the raw JSON view by sorting the properties alphabetically

Fixes v1.31.0

  • Fixed several issues Confluent Cloud Managed Connectors
    • Fixed Pause/Resume connector
    • Fixed Connector and Task Restart
    • Fixed Connector Status (Running, Paused, etc.), previously displayed as “Unknown”
  • Fixed a permission check issue when adding partitions to a topic
  • Improved the serialization of String and com.fasterxml.jackson.databind.JsonNode types returned by custom deserializers
  • Fixed an issue parsing masked data when choosing the String format on data that cannot be parsed as JSON
  • Added topics ending with -subscription-registration-topic and -subscription-response-topic to the Kafka Stream filter
  • Fixed the edition of ownership mode of application instances
  • Fixed the form for saving producer templates
  • Fixed the navigation to go back to the home page of connectors when switching clusters

Known issues v1.31.0

  • We are aware of more inconsistencies with Confluent Cloud Managed Connector support in Console. We are working on it.
    • Task status is not always correctly displayed
    • Various UI responsiveness issues
Gateway 3.5.2
2025-01-17

Feature v3.5.2

Added support for sourcing environment variables from a file.

Fix v3.5.2

Add automatic refresh of HashiCorp Vault authentication tokens.
Conduktor CLI 0.3.4
2025-01-10

Changes

  • Added support of query params for parent
  • Added template

Fix

  • Fixed the issue when deleting virtual clusters does nothing
Gateway 3.5.1
2025-01-08

Feature v3.5.1

Added support for Hashicorp Vault Enterprise namespaces.
Conduktor CLI 0.3.3
2024-12-16

Changes

  • Updated default kind for 1.30
  • Added basic auth for Gateway API support

Fix

  • Fixed default vCluster set to null for delete interceptors
Console 1.30.0
2024-12-16

Features v1.30.0

RBAC support for Conduktor SQL

In a previous release, we introduced Conduktor SQL. It was restricted to Admins because it did not apply any permission model.This new update brings full RBAC support on Conduktor SQL:
  • Users & Groups can only see and query the tables for which they have an associated Topic permission in Console
  • Data masking policies are applied (with limitations)
You can now bring SQL to all users within your organization.

Add support for multi-hosts database configuration

You can now setup Console’s backing database for high availability(HA). If you have a PostgreSQL HA setup with multiple hosts, you can now configure a Console to JDBC connection to the database using a list of hosts.
CDK_DATABASE_URL: jdbc:postgresql://user:password@host1:5432,host2:5433/console_database
CDK_KAFKASQL_DATABASE_URL: jdbc:postgresql://user:password@host1:5432,host2:5433/kafka_sql_database

Delegating authentication to an identity provider

Console can now be configured to accept a JWT token from an external identity provider. It allows you to directly use your identity provider for managing access to Console. A common use case of this feature is to delegate authentication to your API gateway.

More Audit Log CloudEvents into Kafka

We have made more events available for the Audit Log Publisher:
  • Kafka.Subject.ChangeCompatibility
  • Kafka.Topic.Browse
  • Kafka.Topic.ProduceRecord
  • Kafka.Topic.SqlQuery
  • Kafka.Connector.Restart
  • Kafka.Connector.Pause
  • Kafka.Connector.Resume
  • Kafka.Connector.RestartTask
  • Kafka.Connector.AutoRestartActivate
  • Kafka.Connector.AutoRestartStop
A full list of all the exported audit log event types is published on the Audit Log page.

Quality of life improvements v1.30.0

  • Alert lists in the resource pages have been updated to show the metric and condition, the alert state and a new column “Last Triggered”
  • Chargeback data can now be exported into a CSV file to enable easier integration with existing organization cost management data.
  • The User permission page provides a clearer distinction between inherited and user-specific permissions.
  • Topic policy validation errors message are easier to read when using the CLI
  • Added support for Array and Boolean types in Conduktor SQL
  • Added Kafka Key column and other metadata in Conduktor SQL Topics

Fixes v1.30.0

  • Fixed a pagination issue in the SQL Indexed Topics view
  • Fixed several instances where the CLI would not report the expected state change (Updated vs. Not Changed) on apply
Gateway 3.5.0
2024-12-16

Breaking changes: local users

This breaking change only impacts Local Gateway service accounts generated through our token endpoints:
  • POST /admin/username/{username}
  • POST /admin/vclusters/v1/vcluster/{vcluster}/username/{username}
If you’re using Gateway services accounts from OIDC, mTLS, Delegated Kafka, you are not impacted.
From this release, we will now strictly enforce that the username and the token matches in requests made to the Gateway where local service accounts are used. This will help reduce inconsistencies and avoid unexpected behaviors. If they do not match, requests will fail to authenticate.

Breaking changes: default SNI Host Separator

In this release we have changed the default value for the separator used in the SNI routing configuration from a period . to a dash -. This is in order to better allow the use of wild card certificates when certificates are in use.The format of the SNI routing host names is now as below:
 <host_prefix><cluster_id><broker_id>-<advertised_host>
The previous behavior of Gateway can be configured by simply adding this to your configuration:GATEWAY_SNI_HOST_SEPARATOR=.Find out more about SNI routing.

Features v3.5.0

Use of In-memory KMS for encryption

Gateway has always supported the use of an in memory KMS for encryption in order to provide an easy-to-use setting for testing and developing your encryption config. This mode is not however meant for production use as the state of the KMS is lost when Gateway restarts, rendering any data encrypted with it unrecoverable.Before this release, the in memory mode was the default setting and would be used as a fallback if no valid external KMS was detected in the encryption setup.From this release, you must now explicitly opt-in to the in-memory mode for encryption using the prefix:in-memory-kms://If this, or any other valid KMS identifier, is not present the encryption plugin will now fail. This change is a precaution to prevent accidental misconfigurations resulting in the use of in memory mode and subsequent data loss.

License expiry

We have altered the behavior of the Gateway when your license expires to provide a better experience. The behavior is now as below:
  • We have added new metric gateway_license_remaining_days which you can monitor to track the time left on your license
  • If the Gateway is currently running, do not automatically exit on license expiry. Rather, Gateway will now log a warning every hour that your license is expired:
License has expired! You need to add a valid license to continue using Conduktor Gateway. Checkout our documentation if unsure how to set the license
  • These warnings will start 1 week before expiry occurs as a notification, in the format:
License will expire in less than {N} day(s)! You need to renew your license to continue using Conduktor Gateway
  • Finally, we now check your license earlier in the bootstrap sequence for Gateway, so it will fail fast with a clear message when your license is expired.
The key change here is that if your license does expire, Gateway will not exit automatically anymore. It will continue running, logging warnings. Should you restart the Gateway in this state, it will then fail to start up - but there is no automatic shutdown.

Quality of life Improvements v3.5.0

  • Support for Kafka Clients up to v3.9
  • Improved compatibility and logging for dealing with kafka-client versions and version negotiations
  • Added support for multiple authentication mechanisms against Vault (AppRole, LDAP, …)
  • Introduced a new configuration enableAuditLogOnError (default: true) which enhances the errors which are logged when encryption/decryption fails
  • Improved error logging for expired tokens on authentication, to replace large stack traces with concise information
  • Performance improvements for TLS handshakes, in particular to prevent repeated failed attempts overloading the gateway
  • Several improvements to data quality and encryption config validation to provide better error reporting and feedback in the case of problems

General fixes v3.5.0

  • Fixed an issue in ACL handling which caused an error if no topics were passed for an offset fetch request (being the case where the caller wants to retrieve offsets for all topics).
  • Fixed an issue in Virtual Clusters which in some cases meant the ACLs for the physical Kafka clusters where exposed in error.
  • Fixed an issue in the regular expression application in the data quality and SQL plugins, where .* would not always match the entire value for a field
  • Fix an issue when creating both a service account and a service account group through the cli to ensure the order of operations is always correct, preventing intermittent failures in this case.

Known issues v3.5.0

  • We are aware of an issue with kcat when the new environment variable GATEWAY_MIN_BROKERID is not aligned with the first BrokerId of your Kafka cluster
    • As a workaround, you can either define GATEWAY_MIN_BROKERID to your first Kafka BrokerId or use kcat with the -E flag
Conduktor CLI 0.3.2
2024-11-25

Change

  • Updated Console schema with latest version

Fix

  • Changed ordering between groups and service accounts in Gateway entities
Conduktor CLI 0.3.1
2024-10-14

Changes

  • Added handling of environment variables for YAML
  • Added description for token CMD
  • Updated README.md
  • Added run sql
  • Updated with latest Gateway API changes
  • Added all

Fixes

  • Fixed release version check
  • Fixed version bump in Homebrew PRs
  • Fixed releases prefix to prevent errors
Conduktor CLI 0.3.0
2024-09-17

Changes

  • Added support for -o json and -o name on get
  • Updated to latest Gateway API
  • Added support for Gateway API v2
  • Clarified version with a v

Fixes

  • Fixed the release tag
  • Fixed missing key retrieval from environment
Find out more.
Conduktor CLI 0.2.7
2024-07-22

Changes

  • Made /api not mandatory when setting base URL
  • Updated offline schema for future
  • Added support for description from file in topic resources
  • Added support for delete -f
  • Improved client interface
  • Improved CLI API for terraform provider POC
  • Added a command to create token
  • Added a login command

Fix

  • Fixed auto login in client
Conduktor CLI 0.2.6
2024-06-25

Changes

  • Started with v to solve issue with go package
  • Use resource priority from default catalog if catalog doesn’t have any
  • Added resource priority
  • Keep order from API response
  • Updated offline kind
Conduktor CLI 0.2.5
2024-06-18

Changes

  • Expended Subject schemaFile on apply

Fixes

  • Fixed an issue on apiVersion where apiVersion is put at the end
Conduktor CLI 0.2.4
2024-05-02

Breaking changes

  • CDK_TOKEN is now CDK_API_KEY
This also includes Conduktor CLI v 0.2.3 wih a fix for
  • automation update brew formula
This also includes Conduktor CLI v 0.2.2 wih a fix for
  • improved docs
Conduktor CLI 0.2.1
2024-04-29

Features

  • Added CA cert
  • This release is only compatible with Console 1.23 or above

Fixes

  • Fixed an issue with insecure
Conduktor CLI 0.2.0
2024-04-22

Features

  • This release is only compatible with Console 1.23 or above
  • Made CTL work with complex path
  • Set CDK-CLIENT header to improve analytics

Fixes

  • Fix for adding prefix X- to custom header
Find out more.
Conduktor CLI 0.1.1
2024-04-15

Features

  • Add uniform CLI help commands/flags descriptions
  • Use alpine as base Docker image with custom user
  • Added support for multiple failing apply to get a detailed summary
Conduktor CLI 0.1.0
2024-03-26
Conduktor CLI allows you to perform operations directly from your command line or a CI/CD pipeline to a Conduktor Console instance.

Features

  • Support for get, apply (upsert) and delete commands for the following Conduktor Console resources:
    • Application
    • ApplicationInstance
    • ApplicationInstancePermission
  • Support for --dry-run on apply and delete
  • Support completion that generates the autocompletion script for the specified shell
  • Support for proxy auth using certificate and key
  • Support ignore untrusted certificates environment variable
  • Configurable environment variables
Find out more.