Supported releases

• Breaking changes
  • Self-service owner group permissions
  • Conduktor Console Cortex upgrade
• New and updated features
  • Self-service
  • Unified Chargeback
  • AWS Glue schema IaC
  • Subject ACLs for Schema Registry Proxy
  • Confluent Platform role bindings
• Fixes
• Security advisories

​

Breaking changes v1.45.0

​

Self-service owner group permissions v1.45.0

​

You’re impacted if

• Create or delete application instance API keys
• Request access to other teams’ topics through the Topic Catalog
• Grant or approve access requests to your application’s topics
• Manage service accounts for the application instance

​

Do you have to do anything?

• the name is the same as the application name with -owners suffix (e.g. the application my-app will have a mirror group named my-app-owners)
• the description starts with [Default Owner] You can review and adjust these groups after upgrade to restrict specific permissions to specific teams.

​

Conduktor Console Cortex upgrade v1.45.0

​

You’re impacted if

​

Pre-upgrade checklist

1. Back up TSDB storage. Snapshot your TSDB volume or object storage bucket. This is mandatory — there is no in-place downgrade path.
2. Review custom Grafana dashboards. The provided Conduktor Grafana dashboard works without changes, but custom dashboards may need updates due to the PromQL and label changes listed below.

​

PromQL and query behavior changes

​

Scraping and ingestion changes

• Targets that don’t return a valid Content-Type header now fail the scrape instead of falling back to the Prometheus text format. If you see scrape failures after upgrading, set fallback_scrape_protocol in your scrape configuration.
• UTF-8 metric and label names are now accepted by default. To keep strict pre-upgrade behavior, set metric_name_validation_scheme: legacy.
• Prometheus 3 no longer supports Alertmanager’s v1 API. If your Alertmanager configuration uses api_version: v1, update to v2 (requires Alertmanager 0.16.0 or later).

​

Configuration flag changes

• remote_write enable_http2 now defaults to false. If you depend on HTTP/2 multiplexing for remote write, opt in explicitly.
• The log format changed from go-kit/log to slog. Anything parsing Cortex logs (for example, Loki recording rules or log-based alerts) needs adjustment.

​

Cortex-specific changes

• The bucket index is now enabled by default. Disabling it (-blocks-storage.bucket-store.bucket-index.enabled=false) is not recommended for production.
• Ruler API and Alertmanager API flags have graduated from experimental (for example, -experimental.ruler.enable-api is now -ruler.enable-api). The old flags still work but are deprecated.
• The -distributor.otlp.enable-type-and-unit-labels flag is deprecated and replaced by -distributor.enable-type-and-unit-labels. Update your configuration if you use OTLP ingestion.

​

New and updated features v1.45.0

​

Self-service v1.45.0

​

Granular instance permissions for ApplicationGroups

instancePermissions:
  - appInstance: clickstream-app-dev
    permissions: ["requestAccess", "grantAccess", "createApiKey"]

​

Service account management delegation

​

UI updates for ApplicationGroup members

​

Unified Chargeback v1.45.0

• Three views: group costs by Cluster, Application (with drill-down into application instances) or by the values of a configured label key
• Drill-downs: every row can be expanded to show the topics and service accounts that contributed to its cost
• Chargeback Labels: administrators select which label keys are eligible for grouping (for example, team, cost-center, env)
• Settings drawer: cost rates and Chargeback Labels are managed from a single drawer behind the cog icon, replacing the previous gear flow
• CSV export: the Export dropdown downloads the current view honoring the active filters, view, period and search

​

AWS Glue schema IaC v1.45.0

---
apiVersion: kafka/v2
kind: GlueSchema
metadata:
  cluster: shadow-it
  name: myPrefix.topic-value
spec:
  schema: |
    {
      "type": "long"
    }
  format: AVRO
  compatibility: BACKWARD

​

Confluent Platform role bindings v1.45.0

​

Subject ACLs for Schema Registry Proxy v1.45.0

---
apiVersion: v1
kind: ServiceAccount
metadata:
  cluster: shadow-it
  name: clickstream-sa
spec:
  authorization:
    type: KAFKA_ACL
    acls:
      # Read and write on the click.event-stream.avro topic
      - type: TOPIC
        name: 'click.event-stream.avro'
        patternType: LITERAL
        operations:
          - Write
          - Read
  schemaRegistryAuthorization:
    acls:
      # Read and Write on the click.event-stream.avro schemas
      - name: 'click.event-stream.avro-'
        patternType: PREFIXED
        operations:
          - Read
          - Write

​

Fixes v1.45.0

• Added PersonalApiKey audit log type to differentiate from AdminApiKey
• Fixed an error when parsing the Create Connector API response in Kafka Connect 4.2.0+
• Added a detailed cause to deserialization error messages when consuming records
• Fixed a spurious “Subject not found” popup on the record detail view for topics using a Confluent Schema Registry, when deserialization had already succeeded
• Fixed Schema Registry Proxy not syncing subject ACLs to the _conduktor_srp_commands command topic
• Fixed the Schema Registry selection on a cluster reverting to “none” after saving
• Fixed the Kafka Connect UI becoming inaccessible when any connector returned a null version in its status response
• Fixed the list_interceptors Model Context Protocol (MCP) tool failing when called using a personal access token
• Fixed the Resource Access tab showing a blank page for teams with KsqlDB or Connector permissions referencing a cluster that no longer exists
• Fixed topic action menus showing destructive options to users with read-only permissions
• Improved performance of conduktor apply when applying an ApplicationInstance containing many resources

​

Security advisories v1.45.0

​

CVE-2026-22016 — Java API for XML Processing (JAXP) component

​

CVE-2026-34282 — Networking component

• Breaking changes
  • Removed Interceptors
  • Duplicate TLS domain names in the keystore
  • Default for GATEWAY_ACL_ENABLED changed when no network configuration is set
• New features
  • HAProxy Protocol support
  • Plan feature coverage
• Preview features
  • Topic views (new)
  • Topic ID support (new)
  • Multi-listener (updates)
• Deprecated features
  • Virtual SQL Topic Plugin
• Coming in v3.20.0
• Quality of life improvements
  • Simplified Docker image build
• Fixes
• Security advisories

​

Breaking changes v3.19.0

​

Removed Interceptors v3.19.0

• io.conduktor.gateway.interceptor.ProduceJsonataPlugin
• io.conduktor.gateway.interceptor.FetchJsonataPlugin
• io.conduktor.gateway.interceptor.FetchEncryptPlugin
• io.conduktor.gateway.interceptor.FetchEncryptSchemaBasedPlugin

​

Duplicate TLS domain names in the keystore v3.19.0

​

Default for GATEWAY_ACL_ENABLED changed when no network configuration is set v3.19.0

• GATEWAY_SECURITY_PROTOCOL
• GATEWAY_PORT_START
• GATEWAY_PORT_COUNT
• GATEWAY_BIND_HOST
• GATEWAY_ADVERTISED_HOST
• GATEWAY_ADVERTISED_SNI_PORT
• GATEWAY_ROUTING_MECHANISM
• GATEWAY_ADVERTISED_HOST_PREFIX
• GATEWAY_SNI_HOST_SEPARATOR
• GATEWAY_TENANT_IN_HOSTNAME

​

New features v3.19.0

​

HAProxy Protocol support v3.19.0

​

Plan feature coverage v3.19.0

​

Preview features v3.19.0

​

Topic views v3.19.0

​

Topic ID support v3.19.0

​

Multi-listener updates v3.19.0

• GATEWAY_ACL_ENABLED is now required, alongside GATEWAY_SECURITY_MODE. Set it to true or false (typically true for GATEWAY_MANAGED, false for KAFKA_MANAGED).
• Per-listener SSL client authentication: each listener can now have its own mTLS client authentication policy, set via GATEWAY_LISTENER_<NAME>_SSL_CLIENT_AUTH. The global GATEWAY_SSL_CLIENT_AUTH environment variable is ignored in multi-listener configuration.

​

Deprecated features v3.19.0

​

Virtual SQL Topic Plugin v3.19.0

​

Coming in v3.20.0

​

Quality of life improvements v3.19.0

​

Simplified Docker image build v3.19.0

​

Fixes v3.19.0

• The /metrics endpoint no longer issues blocking listTopics calls during scrapes, which could stall the HTTP event loop and cause health-check timeouts in constrained environments.

​

Security advisories v3.19.0

​

CVE-2026-22016 — Java API for XML Processing (JAXP) component

​

CVE-2026-34282 — Networking component

​

Fixes v1.44.1

• Fixed a bug where changing an ApplicationInstance resource’s ownership mode deleted ACLs for the ApplicationInstance’s service account. All customers using Self-service with limited ownership mode should upgrade to this patch release immediately.
• Fixed an authentication issue that caused auto-restart jobs to fail for Connectors created using specific authentication mechanisms.

• Breaking changes
  • Minimum Gateway version
• New and updated features
  • Self-service
  • Insights
• Quality of life improvements
• Fixes

​

Breaking changes v1.44.0

​

Minimum Gateway version v1.44.0

​

You’re impacted if

​

Do you have to do anything?

​

New and updated features v1.44.0

​

Self-service v1.44.0

​

Topic prefix support

​

Transactional ID resources

​

Insights v1.44.0

​

RBAC Aware

​

Focus and Filtering

​

Quality of life improvements v1.44.0

• Support for Confluent Platform proprietary topic configuration keys when creating topics through the UI and CLI for clusters configured with Confluent Platform as the provider.
• Optimized subject search to be more efficient.
• Added a Bytes as text toggle in topic message details to decode base64-encoded bytes fields as readable UTF-8 text.
• Platform teams can now configure a default number of partitions for topic creation, and custom URLs for the Support and Feedback links in Console. See UI settings properties for details.

​

Fixes v1.44.0

• Producing Protobuf messages no longer fails when schema references have path-like subject names (e.g., org/conduktor/test/schema.proto).
• CSV import now detects the topic’s schema format (Avro, JSON Schema, Protobuf) and pre-selects the matching serializer, instead of defaulting to String/JSON.
• Fixed consumer group lag being incorrectly reported as a negative value.
• Fixed consumer group indexing timeout on large clusters when multiple groups share the same topic-partition.
• Fixed an out-of-memory error when indexing clusters with 100K+ consumer group assignments while handling concurrent API requests.
• Fixed message reprocess issue when the payload is large.
• Fixed message reprocess issue when the payload contains NaN value.
• Fixed an issue with schema actions menu being hidden when the schema is in indexing state.
• Fixed scroll bar overlap in the Produce Message panel when all sections are expanded.
• Fixed LDAP authentication failing when group mappings are configured (regression in 1.43.0).
• Fixed Confluent Cloud metrics indexing failing when the telemetry API is accessed through an outbound proxy.
• Fixed Kafka Connect returning 400 errors when accessed through AWS load balancers due to HTTP/2 upgrade headers.
• Fixed message reprocessing failing for Avro messages with timestamp logical types.

• Breaking changes
  • License key required to start Gateway
  • External storage option removed from encryption Interceptors
• New features
  • Multiple listeners (preview)
  • Message integrity Interceptor
• Deprecated features
  • Gateway metrics
  • Large batch handling plugin
• Fixes

​

Breaking changes v3.18.0

​

License key required to start Gateway

​

Removed external storage option from encryption interceptor

• Interceptor configurations containing externalStorage: true will fail to load
• Messages encrypted with external storage mode cannot be decrypted after upgrading
• The GATEWAY_ENCRYPTION_CONFIGS_TOPIC environment variable is no longer used
• The _conduktor_gateway_encryption_configs Kafka topic is no longer managed by Gateway

• either downgrade to a version before 3.18.0, decrypt affected data and then re-encrypt using the default header-based storage before upgrading;
• or accept that previously encrypted data using the external storage will no longer be decryptable.

1. Remove the externalStorage field from your Interceptor configurations.
2. Optionally delete the orphaned _conduktor_gateway_encryption_configs topic. Find out more about encryption configuration.

​

New features v3.18.0

• Multiple listeners (preview)
• Message integrity Interceptor

​

Multiple listeners (preview)

GATEWAY_SECURITY_MODE=GATEWAY_MANAGED

# External listener - encrypted with authentication
GATEWAY_LISTENER_EXTERNAL_SECURITY_PROTOCOL=SASL_SSL
GATEWAY_LISTENER_EXTERNAL_ROUTING=sni
GATEWAY_LISTENER_EXTERNAL_PORTS=9092
GATEWAY_LISTENER_EXTERNAL_ADVERTISED_HOST_PATTERN=broker-{{physicalCluster}}-{{nodeId}}.kafka.example.com

# Internal listener - plaintext for internal services
GATEWAY_LISTENER_INTERNAL_SECURITY_PROTOCOL=PLAINTEXT
GATEWAY_LISTENER_INTERNAL_ROUTING=port
GATEWAY_LISTENER_INTERNAL_PORTS=19092-19095
GATEWAY_LISTENER_INTERNAL_ADVERTISED_HOST=gateway.internal

​

Message integrity Interceptor

​

Deprecated features v3.18.0

​

Gateway metrics deprecated in v3.18.0

• gateway_upstream_connections_downstream

​

Does this affect me?

• remove all references to the metric.
• replace them with gateway_active_connections_vcluster to monitor active connections per Virtual Cluster.

​

Large batch handling plugin

• io.conduktor.gateway.interceptor.LargeBatchHandlingPlugin

​

Fixes v3.18.0

• Improved the masking of secrets across the codebase in case they are ever serialized in logs in the future.
• Fixed the OpenAPI specification, so UpsertResult enum values are correctly defined as strings, not empty object types.
• Added a timeout to await() operations during shutdown to prevent the process from hanging indefinitely.
• Changed the readiness probe to fail during shutdown to prevent the pod from receiving traffic.
• Fixed an issue where TLS connections mid-handshake were not closed properly during shutdown.
• Fixed an issue where the Vault connection intermittently reported an invalid token error.
• Large message Interceptor: added disableChecksums option in S3 config for S3-compatible storage (MinIO, NetApp ONTAP). When set to true, the SDK uses a checksum format that these backends accept. Otherwise, the uploads can fail because the default checksum is not accepted. Find out more about configuring S3.
• Fixed a bug in the ReadOnlyTopic safeguard policy THROTTLE action.
• Improved performance of Gateway when field-level encryption is configured by doing encryption work on separate thread pool.
• Improved performance of field-level encryption by processing partitions in parallel.
• Fixed default Docker healthcheck (e.g. Docker Compose environments).
• Optimized the keep alive re-auth of Fortanix KMS connections with a dynamic refresh mechanism and use of the refresh() API call.
• Gateway’s Vert.x-based admin API server now explicitly disables HTTP/2 cleartext upgrades on the admin API listener and responds over HTTP/1.1

​

Fixes v1.43.3

• Fixed an issue where navigation failed when Console was configured with a custom base path.
• Fixed an issue where logging output was too verbose.
• Updated the base image to include upstream patches for CVE-2026-24308 and CVE-2026-29062.

​

Fixes v1.43.2

• Reduced memory usage and improved performance of the Consumer Group Indexer task.
• Fixed an issue where the “Create Connector” button was not displayed for users with permission to create connectors.

​

Fixes v3.17.2

• Disabled topic ID support to resolve a known issue. This will be re-enabled in a future release once the issue is resolved.

​

Fixes v1.43.1

• Reduced the risk of sensitive information appearing in logs when Console is configured to log at DEBUG level.
• Fixed an issue where some identity pools in the service account UI failed to retrieve identity pool information correctly.

• Conduktor Scale:
  • Community Edition
• Quality of life improvements
• Fixes
• Upcoming changes: deprecation notice for Self-service topic policies

​

Conduktor Scale

​

Community Edition

​

Quality of life improvements v1.43.0

• Added support for Boolean, Short, Int and UUID format types when producing and consuming topic messages.
• Kafka Connect UI now enforces RBAC permissions and hides actions the user is not permitted to perform.
• Moved the MCP navigation link to the Settings page to reduce the number of items in the main menu.
• Added support for managing Kafka Connect connector resource policies in the UI.
• Improved the Topic consume page to return more explicit errors and to include a retry option.
• Added a new Kafka.ConsumerGroup.Create event type that tracks consumer group creation events in the audit log.
• Added a public API endpoint to manage Kafka Connect connectors’ auto-restart.

​

Fixes v1.43.0

• The Request access button in the Topic Catalog is now disabled when the user doesn’t own any applications.
• After deleting a cluster, the deletion dialog now closes and cluster list is refreshed.
• Alert history now shows correct time ranges for 1D/7D/30D views and accurate tooltip dates spanning midnight.
• The Reset Offset and Add Partitions drawers now stay open as expected on Firefox ESR.
• The CDK_DATAPOLICY_DISABLEKEYMASKING setting now correctly disables key masking in data policies.
• Exporting large topic messages (over 100 KB) now includes the full message content instead of empty values.
• Connector auto-restart settings are no longer unexpectedly disabled when connectors are temporarily unavailable.

​

Upcoming deprecation notice v1.43.0

​

Fixes v3.17.1

• Fixed a bug where consumer group names and transaction IDs containing colons caused an error in the Virtual Cluster passthrough mode.
• Fixed DescribeGroups returning incorrect groupInstanceId in the multi-tenant mode.

• Conduktor Scale:
  • Chargeback without Gateway
  • Insights filtering and sorting
  • Cluster-wide resource policies
• Quality of life improvements
• Fixes

​

Conduktor Scale

​

Chargeback without Gateway

​

Insights filtering and sorting

• Global filtering - filter all Insights data by label or topic type (internal, streams, user). Click any label in a table to apply it as a filter.
• Sorting and searching - tables in risk analysis, VIP topics and governance sections now support column sorting and search.
• Topic classification - topic type labels are now shown alongside custom labels for easier identification.
• Filtered exports - when filters are applied, exported CSV files include a -filtered suffix and contain only the filtered data.

​

Cluster wide resource policies

​

New resource policies page

​

Quality of life improvements v1.42.0

• Added support for optional basic auth for the metric scraping endpoints (/api/monitoring/metrics and /monitoring/metrics/). To configure, use CDK_MONITORING_BASICAUTH_EMAIL and CDK_MONITORING_BASICAUTH_PASSWORD. Find out more.
• Sensitive information such as passwords, tokens, keys and secrets are now redacted in audit logs.
• Made a number of visual improvements to the topic consume message drawer
• Added support for environment variables in webhook alert configurations, allowing secrets to be injected securely using {{env.*}} syntax (for environment variables prefixed with CDK_WEBHOOK_, with the prefix stripped).
• Added basic authentication support for outbound Prometheus/Cortex/Mimir queries via the monitoring.prometheus-auth configuration.
• Added a new consumer value format SchemaRegistry to prevent a poison pill when the first record(s) are not in the expected format.
• Refactored topic indexing to reduce memory consumption and remove hard-coded timeout for retrieving offsets.
• Refactored consumer group indexing to reduce the number of queries to the database.
• Cluster selection menu moved to the top of the page for better user experience.

​

Fixes v1.42.0

• Fixed Reset Topics functionality for some Kafka Connect servers where topics weren’t being correctly refreshed.
• Fixed a bug where identity providers for Confluent Cloud weren’t displaying all known identity providers in the Service Accounts UI.
• Fixed override of CDK_GLOBAL_JAVA_OPTS environment variable that was not working as expected.
• Fixed an error that occurred when Confluent CLI applied new subject with --dry-run.
• Fixed the group v2 API to include ksqlDB permissions in the response.
• Fixed performance regression on the group v2 API
• Exporting large topic messages no longer results in empty values for truncated data.
• Improved login performance for LDAP users with many groups.
• Changed the topic list implementation to query the database instead of kafka, allowing a much faster response.
• The logical connector ID is now displayed for Confluent Cloud managed connectors.
• Fixed ksqlDB custom headers not being applied, which prevented combining mTLS authentication with Basic Auth headers.
• Fixed AWS Glue schema ID display in consumed messages - UUID-based schema IDs are now handled correctly without causing errors.
• Added configuration of PKCE method for better support of OIDC providers.

• New features
  • Support for tokenization and Vault Transform Secrets Engine
  • Customize low level network configuration
• Deprecated features:
  • Filtering topics with CEL
• Fixes
• Quality of life improvements

​

New features

​

Support for Vault Transform Secrets Engine

• tokenization: sensitive data is replaced with tokens that are deterministically generated when the same key is used, while also storing the original values securely in HashiCorp Vault’s transform secrets engine.
• format-preserving encryption: data is still encrypted but the format and length of the original field data is preserved.

​

Low level network configuration

​

Deprecated features v3.17.0

​

Filtering topics with CEL

​

Fixes v3.17.0

• If Confluent Cloud Principal Resolver is configured, the Confluent Cloud API Secret is now masked.
• Fixed a bug causing duplicate broker connections and incorrect client disconnections.
• Fixed FindCoordinator to preserve all Kafka error codes instead of incorrectly converting them to COORDINATOR_NOT_AVAILABLE, ensuring clients receive accurate error information from Kafka.
• Fixed Fetch v16 response handling to prevent invalid MessageSetSize errors

​

Quality of life improvements v3.17.0

• General improvements to log messages for better readability and clarity.
• Adjusted log level for better operational visibility.

• Breaking changes
• Conduktor Scale:
  • MCP server
  • Chargeback without Gateway
  • Configurable context path
  • Key masking in data policies
• Conduktor Shield
• Conduktor Trust
• Quality of life improvements
• Fixes

​

Breaking changes v1.41.0

​

Conduktor Scale

​

MCP server

​

Chargeback without Gateway

• track costs based on storage consumption (byte-hours) and partition counts (partition-hours) per topic,
• view costs aggregated by day or month, with percentage attribution showing each cluster’s contribution to total spend,
• set cost rates per cluster for both storage and partitions,
• see overall costs, storage-only costs, or partition-only costs.

​

Configurable context path

​

Key masking in data policies can be disabled

​

Conduktor Trust

​

Quality of life improvements v1.41.0

• Refactored topic and consumer group indexing tasks to reduce load on Kafka clusters and improve CPU and memory usage. Timeouts may need to be adjusted to align with the updated duration of these indexing tasks.
• Added usage data to help admins track Console usage and monitor license utilization. Admins can view active users, see Self-service applications and instances, access requests, view total Partner Zones and shared topics across three time periods: last 30 days, current month and the last 12 months. This feature includes a monthly trends graph and CSV export for offline analysis. Historical data builds up over time as Console collects usage metrics. Find out more about usage data.
• The consumer group offset lag graph previously displayed the max offset lag value, but has been adjusted to display the sum value to correspond with its alerting behaviour.

​

Fixes v1.41.0

• Resolved IO exceptions that were happening for customers with long-running queries.
• Improved performance of Insights data collection by 2-3x through various optimizations, reducing resource usage and speeding up metrics gathering.
• Adjusted default Insights refresh frequency from 5 minutes to 15 minutes, freeing up system resources.
• ksqlDB server configuration now accepts the authorization HTTP header, allowing you to use both SSL and basic authentication.
• Added configuration option to disable data masking on record keys, allowing you to see and filter by keys that are not structured data.
• Self-service RBAC operations now happen in a single transaction, preventing incomplete object creation when deploying via CI/CD.
• Conduktor CLI dry-run mode now correctly reports NotChanged when there are no actual changes to Self-service application resources.

• Breaking changes:
  • Metric ‘gateway_license_remaining_days’ is now a positive number
• New features:
  • New v2 APIs for clusters
  • Added support for Fortanix KMS
• Deprecated features:
  • Fetch encryption Interceptors
  • JSONata transformer Interceptors
  • The GATEWAY_INTERCEPTOR_CONFIG_LOCATION environment variable
  • Delegated security modes
• Fixes

​

Breaking changes

​

The metric gateway_license_remaining_days is now a positive number

​

New features

​

New v2 APIs for clusters

​

Support for Fortanix KMS

​

Deprecated features v3.16.0

​

Fetch encryption Interceptors

• io.conduktor.gateway.interceptor.FetchEncryptPlugin
• io.conduktor.gateway.interceptor.FetchEncryptSchemaBasedPlugin

​

JSONata transformer Interceptors

• io.conduktor.gateway.interceptor.FetchJsonataPlugin
• io.conduktor.gateway.interceptor.ProduceJsonataPlugin

​

The GATEWAY_INTERCEPTOR_CONFIG_LOCATION environment variable

​

Delegated security modes

​

Fixes v3.16.0

• The metric gateway_license_remaining_days is now a positive number when there is time remaining on the license, instead of negative.
• Gateway now preserves upstream Kafka errors in metadata responses instead of unconditionally overwriting them with unknown topic errors, allowing clients to see the actual error from Kafka.
• Data masking now gracefully skips records with full payload encryption headers, preventing errors when both Interceptors are applied to the same topic. This applies when using header-based encryption storage (externalStorage: false which is the default).

• Conduktor Exchange:
  • Breaking changes - Partner Zone PENDING status
• Conduktor Scale:
  • SSO login
  • Enhanced login and onboarding experience
  • Added size information for Confluent Cloud topics
• Quality of life improvements
• Fixes

​

Breaking changes - Partner Zone PENDING status

• PENDING_CREATE on initial creation
• PENDING_UPDATE on subsequent updates

​

Conduktor Scale

​

SSO login

​

Enhanced login and onboarding experience

​

Topic size information for Confluent Cloud topics

​

Quality of life improvements v1.40.0

• Improved Insights dashboard user experience with enhanced usability and navigation.
• CSV export of Insights data now supports zip compression for easier file management.
• Labels filter dropdown now supports search functionality for easier label selection.
• Improved navigation in Topic Catalog with clickable links to the application, instance, and owner group.
• Added database.options and kafka_sql.database.options configuration to pass any valid JDBC or Hikari options, as an alternative to database.url and kafka_sql.database.url, respectively. Find out more about Console database properties.
• We have added the new metric console_license_remaining_days which can be used to monitor the remaining days on your console license.
  • Check out the metrics reference for a full list of available metrics.

​

Fixes v1.40.0

• The connector form didn’t update when switching connector type during creation. This has now been resolved.
• Duplicate operationId values in the OpenAPI specification prevented code generation with openapi-generator-cli. The specification has been corrected.
• The Group API returned an error when KsqlDB permission was added. This error has been resolved.
• After upgrading to 1.38, users with permissions on all clusters lost menu visibility of brokers and service accounts entries. This visibility issue has been resolved.
• Creating topics sometimes showed misleading error messages when redirecting before indexing completed. These messages are now accurate.
• Metrics didn’t display in large clusters due to timeout errors when fetching topic offsets. This timeout issue has been resolved.
• Database indexing failed after PostgreSQL restarts. Connection resilience has been improved with the new database.options configuration.
• Resolved migration issue that could affect customers using more than one subject naming strategy when upgrading from 1.38 to 1.39

• Breaking changes
  • Block admin operation APIs
  • Deprecating v1 APIs
  • The externalStorage option in encryption Interceptors is deprecated
• Fixes
• Quality of life improvements

​

Breaking changes v3.15.0

​

Block admin operation APIs

• Before upgrading, review your applications and scripts to identify any code using these APIs through Gateway.
• After upgrading:
  • Monitor your logs for errors related to: ALTER_REPLICA_LOG_DIRS, ELECT_LEADERS, ALTER_PARTITION_REASSIGNMENTS, LIST_PARTITION_REASSIGNMENTS, ALTER_PARTITION, ALLOCATE_PRODUCER_IDS, CREATE_DELEGATION_TOKEN, RENEW_DELEGATION_TOKEN, EXPIRE_DELEGATION_TOKEN, DESCRIBE_DELEGATION_TOKEN, DESCRIBE_USER_SCRAM_CREDENTIALS, ALTER_USER_SCRAM_CREDENTIALS, DESCRIBE_CLIENT_QUOTAS, ALTER_CLIENT_QUOTAS, UPDATE_FEATURES
  • Check Gateway error responses indicating blocked API calls

• Update your applications and workflows to perform admin operations with direct cluster access instead of through Gateway

​

Deprecating v1 APIs

​

The externalStorage option in encryption interceptors is deprecated

​

Fixes v3.15.0

• Fixed issue where multiple encryption interceptors could not be applied to the same topic, now allowing priority-based selection.
• Fixed NullPointerException during Gateway startup when interceptor version constraints specify only min or max values.
• Updated TopicRequiredSchemaIdPolicyPlugin to allow tombstone records (NULL values) in compacted topics, while still requiring schema IDs for non-null records.

​

Quality of life improvements v3.15.0

• When ACL is enabled in GATEWAY_MANAGED security mode, authorization failure will contain additional information in the message like these:

• Conduktor Scale:
  • Insights
  • Collection of product metrics
• Conduktor Exchange:
  • Partner Zone traffic analytics tab
• Conduktor Trust:
  • Data quality observability
• Fixes
• Known issues v1.39.0

​

Conduktor Scale

​

Insights

• proactively identify configuration issues,
• optimize storage costs,
• track governance metrics,
• monitor business-critical topics and more.

​

Collection of product metrics

​

Data quality observability

​

Conduktor Exchange

​

Partner Zone traffic analytics tab

​

Fixes v1.39.0

• Added support for SSL connections without authentication when configuring Kafka clusters
• Fixed http 500 error when forcing a consumer group rebalance
• Fixed an issue where application instance permissions were being created despite API request validation failures
• Fixed duplicate operation IDs in OpenAPI specification which caused errors when using OpenAPI code generation tooling
• Fixed error preventing the user from changing schema compatibility or deleting schemas with forward slashes in their names

​

Known issue v1.39.0

​

New feature v3.14.0

​

Fix v3.14.0

• Conduktor Scale:
  • Application instance access
  • Topic catalog access
  • Grant access to a topic
  • Remove or revoke access request
  • Confluent Cloud role binding support for Self-service
  • Migrate topic policies
  • Support for external monitoring solutions
• Conduktor Exchange:
  • Partner Zone enhancements
• Conduktor Trust:
  • Validate your Rule against sample messages
  • Custom data quality Rule violation messages
  • Edit attached Rules from the Policy details page
• Quality of life improvements
• Fixes

​

Conduktor Scale

​

Application instance access

• All topics this application instance has access to, with the ability to remove this access if you are a member of the owner group for the application.
• All topics this application instance has granted access to, with the ability to revoke this access if you are a member of the owner group for the application.

​

Topic catalog access

• You can remove access for your own applications.
• If you’re a member of the application owner group of this topic, you can revoke access for other applications.

​

Grant access to a topic

​

Remove or revoke access request

• Application owners: can revoke access using Revoke access in the request details drawer
• Access requesters: can remove their own access with Remove access in the request details drawer

​

Confluent Cloud role binding support for Self-service

​

Migrate topic policies

• If a topic policy is migrated and the new resource policy is then deleted, the topic policy can’t be migrated a second time.
• If a topic policy is migrated and then deleted, then a new topic policy is created with same name as the old one, but the ‘new’ policy can’t be migrated.
• If a topic policy is migrated and then updated, it can’t be migrated again.
• When you migrate topic policies, all the application instances referring to those policies will have both the newly migrated resource and the old topic policies. The topic policies will be removed automatically when this feature is deprecated in a future release.

​

Support for external monitoring solutions

​

Conduktor Exchange

​

Partner Zone enhancements

• Partner Zones now support specifying a custom Virtual Cluster name with vclusterName when using the API or CLI. This provides better control over naming conventions and simplifies migration from existing Virtual Clusters.
• You can now download CA certificates associated with a Partner Zone from the Console UI. This makes sharing certificates with your partners much easier. Find out how to download certificates.

​

Conduktor Trust

​

Validate your Rule against sample messages

​

Custom data quality Rule violation messages

​

Edit attached Rules from the Policy details page

​

Quality of life improvements v1.38.0

• Added an option to pin clusters - your frequently used ones can now be pinned to the top of the list
• Improved keyboard navigation for faster cluster switching and enhanced accessibility
• For admins, added the ability to easily jump to the configuration page for any cluster

​

Fixes v1.38.0

• Fixed an issue where closing the templates drawer in the topic consume view would prevent the user from interacting with the rest of the page.
• Fixed searching within groups to allow filtering on “contains” instead of “starts with” for improved search experience.
• Fixed SSO configuration to support configurable email claims for special identity types.
• Fixed connector creation modal to show validation warnings instead of blocking creation, allowing you to proceed with caution (matching CLI behavior).
• Fixed access control vulnerabilities preventing low-privileged users from accessing and modifying data masking policies.
• Fixed ‘Last active’ sorting in group members list to properly handle users who have never been active.
• Fixed SQL indexed topics page to stay on the correct tab when refreshing instead of redirecting to a different URL.
• Fixed duplicate topic subscription requests for already approved subscriptions in the Self-service catalog.
• Fixed record view to show header keys in their original casing instead of uppercase.
• Fixed topic template duplication functionality that was failing silently.
• Fixed cluster creation validation to prevent duplicate technical IDs with better user experience.
• Fixed data policies display layout to properly wrap field badges and prevent overlap.
• Fixed CEL expression evaluation in resource policies to handle missing spec.configs correctly.

• New features
  • Enhanced audit logging for authorization failures
  • Block unsupported APIs with Gateway
  • New encryption error policy
• Quality of life improvement
• Fixes

​

New features v3.13.0

​

Enhanced audit logging for authorization failures

• An audit log event is now generated for authorization failures (when ACL permissions deny an operation on a resource). Find out more about the authorization failure events.
• Improved error message verbosity with enableDetailedErrorLogging property in GCP KMS exception handling. Find out more about the GCP KMS configuration.

​

Block unsupported APIs with Gateway

​

New encryption error policy

​

Quality of life improvement v3.13.0

​

Fixes v3.13.0

• Fixed the principal resolver failure to resolve the Confluent Cloud service account from an API Key.
• Added round-robin Gateway endpoint allocation to prevent all traffic from being directed to the same Gateway node. Find out more about Gateway internal load balancing.
• Improved customer experience for Vault KMS configuration by removing a confusing version field. The encryption Interceptor uses Vault Transit engine which only supports version 1 (hardcoded), but the configuration incorrectly exposed it as configurable. This change removes the misleading field from configuration examples while maintaining backward compatibility.
• Fixed the error when connecting with super user and Virtual Cluster(s) is mandatory.
• Fixed Fetch Policy Interceptor isolation level configuration to accept lowercase values, matching Kafka standards.
• Fixed Confluent Cloud principal resolver to handle API keys for both service accounts and user accounts.
• Fixed Azure OAuth authentication method priority to respect explicit configuration over environment variables.
• Relaxed name validation in service-account v2 API to support dots, equals signs, and commas.

​

New feature

​

Support restriction of TLS protocols and cipher suites

​

Fixes v1.37.1

• Fixed an issue where resource policies were not applied when editing application groups from the UI.
• Fixed an issue where members from external groups were not synchronized if an application group without permissions existed.

• Breaking changes
  • Gateway 3.12 dependency
  • Email address storage
  • Prometheus configuration overrides
• Conduktor Scale:
  • Application groups management
  • Application Instance resources
  • Subject strategies support
  • External group management improvements
• Conduktor Exchange:
  • Partner Zone out of preview
  • Partner Zone multi-cluster support
  • Partner Zone breaking changes
• Conduktor Trust:
  • Regex library
  • Mark action
  • JSON schema rule type
• Quality of life improvements
• Fixes

​

Breaking changes v1.37.0

​

Gateway 3.12 dependency

​

Email address storage

​

Prometheus configuration overrides

​

Conduktor Scale

​

Application groups management

​

Application Instance resources

​

Subject strategies support

​

External group management improvements

​

Conduktor Exchange

​

Partner Zone out of preview

​

Partner Zone multi-cluster support

​

Partner Zone breaking changes

​

Conduktor Trust

​

Regex library

​

Mark action

​

JSON schema rule type

​

Quality of life improvements v1.37.0

​

Fixes v1.37.0

• Fixed production rate metrics getting stuck at high values when producer rates drop instantly to zero, which was causing artificially inflated metrics in systems with bursty production patterns.
• Errors preventing users from logging in are now prominently displayed on the login page.
• To prevent disclosure of password length in configuration forms, password fields are now consistently obfuscated regardless of the length of the actual password.
• Secrets in AWS Glue and other cluster configuration forms are no longer shown in clear text.
• Fixed error logs appearing when SQL features are not enabled, reducing unnecessary log noise.
• Fixed onboarding page checkbox labels not being clickable, improving user experience during account setup.
• Schema registry naming strategies now include namespace in generated subject names.
• Fixed issue where topic navigation tab was missing from main menu for certain user roles despite having proper permissions.
• Self-service configuration now correctly handles multiple Kafka Connect clusters connected to a single application instance.
• Duplicate users can no longer be created using the same email username but in different casing.
• In the metadata of the records, the schema names are no longer truncated.
• Add error messages on Connector failure, helping troubleshooting.
• Fixed topic policies not being visible in application instances after upgrading from version 1.35 to 1.36.
• Fixed a ‘404 group does not exist’ error incorrectly showing up when upgrading from version 1.35 to 1.36.
• Deleting the Kafka Connect cluster now deletes the associated permissions, solving the permission errors on user and group GET operations.
• Improved groups API performance, preventing timeouts for big organizations with thousands of users and groups.
• Improved indexer performance, preventing timeouts for big organizations with thousands of consumer groups.
• JVM metrics renamed in the Console and the Grafana dashboard, based on Prometheus changes.

• Breaking changes
  • New APIs for health and versions
  • Rename of the Virtual Cluster Id
• New features
  • New GATEWAY_AUDIT_LOG_EVENT_TYPES environment variable
  • Enhanced crypto shredding behavior for decryption
  • Client throttling for encryption and decryption
• Fixes

​

Breaking changes v3.12.0

​

New APIs for health and versions

​

Rename of Virtual Cluster Id

​

New features v3.12.0

​

New environment variable

​

Enhanced crypto shredding behavior for decryption

​

Client throttling for encryption and decryption

• New throttleTimeMs configuration: Set throttleTimeMs to control how long clients will be throttled when encryption/decryption fails (in milliseconds, default: 0)
• Automatic system protection: When encryption or decryption fails, Gateway can automatically throttle the problematic client for the specified duration, preventing system overload
• Configurable behavior: You can enable and adjust throttling based on your system’s needs and error tolerance

​

Fixes v3.12.0

• KUBERNETES Vault authentication now gets the JWT from the default Vault location (/var/run/secrets/kubernetes.io/serviceaccount/token). You can configure this location using path (VAULT_KUBERNETES_PATH). The jwt configuration key is no longer needed. See Kubernetes authentication under Vault authentication types.
• Enriched the REST_API audit log events with the request body, which was previously not captured.
• Resolved GATEWAY_TOPIC_STORE_KCACHE_REPLICATION_FACTOR configuration to properly default to the Kafka cluster’s default replication factor settings.
• Supported Protobuf schemas for SchemaPayloadValidationPolicyPlugin.
• Updated the SSL handshake failure logging to include client IP addresses (which were previously missing from error logs), helping you identify applications that are affected by certificate issues.

​

Improvements v1.36.2

• Added support for SMTPS servers in email alerting to allow TLS-enabled SMTP servers, as well as the previously available option for StartTLS.

​

Fixes v1.36.2

• Fixed an issue where the Console UI would prevent Debezium connector creation when required metadata was missing, even though the CLI would allow creation successfully.
• Fixed a permissions bug where users who were members of multiple ApplicationGroups would only inherit permissions from one group instead of receiving the combined permissions from all their groups. This was causing users to have incomplete access rights.
• Updated the base image to include upstream patches for CVE-2025-30749, CVE-2025-50059, and CVE-2025-50106 affecting Oracle Java SE and GraalVM.

​

Fixes v1.36.1

• Fixed an issue where the default produce header used a problematic naming format (app.name) that could cause compatibility issues with certain connectors
• Resolved the known issue from 1.36.0 where Self-service resource policies attached to Self-service application instances would display validation errors on the details page in Console

• Use REST to set Virtual Cluster ACLs
• Auto-create topics

​

New features v3.11.0

​

Set Virtual Cluster ACLs directly using REST

1. create a Virtual Cluster with a Kafka super user defined, then
2. as the Kafka super user, individually create ACLs using the Kafka admin API.

​

Auto-create topics

• Kafka property integration: leverages the Kafka property auto.create.topics.enable when the feature is enabled.
• Concentrated topics limitation: when this feature is enabled, topics that would normally be concentrated will be created as physical topics instead.
• ACL authorization: implements proper access control for auto-create topics:
  • permission requirements: requires CREATE permission on either the topic or the cluster.
  • security: ensures access control while maintaining flexibility for different permission models.

• Conduktor Scale:
  • New alert destination: email
  • Configurable Webhook body
  • Redesigned Application Catalog and Application details pages
  • Labels for Consumer groups
  • More information on tasks with errors
• Conduktor Exchange:
  • Breaking changes - Partner Zones support for mTLS
• Quality of life improvements
• Fixes
• Known issue

​

Conduktor Scale

​

New alert destination: email

​

Configurable Webhook body

​

Redesigned Application Catalog and Application details pages in Console

• displays a list of the application instances with labels and stats.
• includes an editor for modifying the application description.
• shows the application groups list with the owner group pinned.

• header section displays stats and labels, with the ability to manage labels.
• contains multiple tabs: Details, External access, Alerts, and API keys.
• within the Details tab, information is divided into two sections: ownership and resource policies.

​

Labels for Consumer groups

• The consumer groups list now shows labels and allows filtering by them.
• Topic lists within both the consumer groups and member details pages now support label-based filtering.
• In the topic details view for consumer groups, labels are visible and can be added, edited, or deleted.

​

More information on tasks with errors

• a warning icon will be shown next to the item in the list view and
• an error returned from the Confluent Cloud API will be displayed.

​

Conduktor Exchange

​

Breaking changes - Partner Zones support for mTLS

​

Quality of life improvements v1.36.0

• Users will now be redirected to the page they were on when they logged in again after session expiry.
• Improved navigation between Partner Zones in the list view when using keyboard.
• Improved configurability of circuit breaker behavior for indexed tasks. Each indexed task now includes configurable sequentialFailureThreshold and blockingDuration parameters, giving administrators fine-grained control over when indexing operations pause due to failures and how long they remain paused before attempting recovery. This provides predictable recovery behavior and prevents extended indexing outages that previously required Console restarts to resolve. Learn more about circuit breaker configuration.

​

Fixes v1.36.0

• Partner Zones are now created instantly, instead of waiting for the next reconciliation loop to pass. Other updates will continue to sync in line with the reconciliation loop.
• Fixed an error that occurred when no partitions were selected in the topic consume view. You will now see a warning that no messages will be shown, if partitions filter is set to none.
• The JSON view of a message in a topic now correctly displays negative numbers and numbers in scientific notation.
• Kafka Connect clusters are no longer visible to users who don’t have the permission on any of their connectors.
• Error messages are now more informative when attempting to create a service account on a resource for which the caller lacks permission.
• Resolved a case sensitivity issue with email addresses in the application group payload that caused mismatch in the RBAC configuration.

​

Known issue v1.36.0

​

Fixes v1.35.2

• Improved performance of a database migration to ensure completion within the startup probe time limit
• Fixed a database deadlock issue caused by the indexer

​

Fixes v1.35.1

• Fixed an issue with creating Kafka Connect alerts through the UI
• Improved lag exporter performances

​

Fixes

• Fixed an issue introduced in v0.6.0, where intermittent failure on some apply runs where kind ordering would not be respected. In some scenarios the parent resource is not made before the child (e.g. ApplicationInstances being created before Applications) and the run would fail, this could be fixed by attempting a retry.
• Fixed an issue introduced in v0.6.0 where failed runs would not return an exit code, leading to silent failures in CI actions.

​

Changes

​

New feature v3.10.0

​

New GATEWAY_SECURITY_MODE environment variable

• deprecates the DELEGATED_SASL_PLAINTEXT and DELEGATED_SASL_SSL security protocols (though they remain supported for backward compatibility)
• enables ACLs by default when managing security on the Gateway, by changing the default behaviour of the GATEWAY_ACL_ENABLED environment variable. ACL behavior is now derived from the security mode
• is backwards compatible, supporting existing configurations while encouraging the new approach

• Conduktor Scale:
  • Resource policies now covers Subject and ApplicationGroup
  • Revamped Application Catalog
  • Topic-level consumer group lag alerts
• Quality of life improvements
• Fixes

​

Conduktor Scale

​

Resource policies now covers Subject and ApplicationGroup

• Restricting application teams to only using Avro or enforce a specific compatibility mode, such as FORWARD_TRANSITIVE.
• Preventing application teams from adding members to application groups directly, directing them to use the external group mapping instead.
• Limiting the actions that can be performed in the UI by locking certain permissions.

---
apiVersion: self-service/v1
kind: ResourcePolicy
metadata:
  name: 'applicationgroup-restrictions'
  labels:
    business-unit: delivery
spec:
  targetKind: ApplicationGroup
  description: Enfore External Group Mapping and prevent TopicDelete permission in ApplicationGroup
  rules:
    - condition: size(metadata.members) == 0
      errorMessage: spec.members not allowed. Use external group mapping instead
    - condition: '!spec.permissions.exists(p, p.permissions.exists(x, x == "TopicDelete"))'
      errorMessage: TopicDelete permission is not allowed. Topic must only be deleted via CLI

---
apiVersion: self-service/v1
kind: ResourcePolicy
metadata:
  name: 'subject-format-and-compatibility-policy'
  labels:
    business-unit: delivery
spec:
  targetKind: Subject
  description: Enforces allowed schema formats and compatibility level for subjects
  rules:
    - condition: spec.format in ["AVRO", "PROTOBUF"]
      errorMessage: Only AVRO or PROTOBUF formats are allowed
    - condition: spec.compatibility == "FORWARD_TRANSITIVE"
      errorMessage: compatibility mode must be FORWARD_TRANSITIVE

# Application
---
apiVersion: self-service/v1
kind: Application
metadata:
  name: 'clickstream-app'
spec:
  title: 'Clickstream App'
  description: 'FreeForm text, probably multiline markdown'
  owner: 'groupA' # technical-id of the Conduktor Console Group
  policyRef:
    - 'applicationgroup-restrictions'

​

Revamped Application Catalog

​

Topic-level consumer group lag alerts

​

Quality of life improvements v1.35.0

• Added new fields to the onboarding page.
• CRUD operations for the labels added in the consumer group details page.
• Leading and trailing white spaces will now be printed as ”⎵” for display purposes and to provide more clarity to user. A tooltip will additionally be added to let users know when this is happening and to give them the “raw” value if they need it. The actual value will not be changed, this is just a visual helper.
• Improve container security context configuration on Conduktor Console and Cortex containers that allow to :
  • run with different UID and GID than default 10001:0
  • run unprivileged with all linux capabilities dropped

​

Fixes v1.35.0

• Fixed an issue where changing the cluster did not clear the search filter in consumer groups and topic pages.
• Fixed an issue where navigating to a schema registry with a name containing non-escaped characters such as / would redirect to the home page.
• Fixed an issue where the equality filter on JSON number fields wasn’t working correctly against large numbers in the topic consume view.
• The JSON view of a message in a topic no longer coerces large number fields to a string.
• Fixed an issue where the full message was not displayed correctly in the tooltip when hovering over it in the topic consume view table.
• Fixed an issue where the UI didn’t redirect to the correct cluster when switching Console instances.
• Fixed the logo in the onboarding page dark mode.
• The screenshot showing users how to find the project name and service name in Aiven Cloud is displayed correctly again.
• Fixed an error that would occur when no partitions were selected in Topics page filters.
• Fixed a bug that would cause service accounts with white spaces to not be accessible correctly.
• Cleanup data volume on start to ensure that old data is not re-used when using persistent volume between restarts.

​

Fixes v3.9.2

​

Fixes v1.34.3

• Improved support of Kafka Connect from Confluent Cloud (more connector statuses supported, better error messages, fixed list of topics).
• Improved caching strategy of the RBAC model resulting in faster UI and API.
• Fixed dependencies vulnerable to CVE-2025-48734

​

Fixes v1.34.2

• Improved memory efficiency when consuming messages from Kafka
• Added support of audit log events related to the ApplicationInstancePermissionRequest and ResourcePolicy resources

​

Fixes v1.34.1

• Fixed an issue with selecting groups and Slack channels when creating alerts
• Fixed an issue with the license plan page for licenses containing the Trust product

• Breaking changes
  • Gateway service accounts are now always required when using PLAIN tokens
  • Local service account token signing key is now mandatory
• New features
  • Enhanced Confluent Cloud authentication with service account mapping
  • Dynamic header injection from record payloads
• Fix
  • HashiCorp Vault token refresh resilience

​

Breaking changes v3.9.0

​

1. Gateway service accounts are now always required, when using PLAIN tokens

​

You’re impacted if

• your Gateway was not previously configured with the environment variable GATEWAY_USER_POOL_SERVICE_ACCOUNT_REQUIRED=true
• and your clients are connecting using PLAIN tokens without having a corresponding local service account already created.

​

Do you have to do anything?

• You must create any missing local service accounts that your tokens rely on.
• You can do this using the following command, adjusting your admin API credentials, host and name as appropriate

curl -X PUT -u admin:conduktor http://localhost:8888/gateway/v2/service-account \
        -H 'accept: application/json' \
        -d '{"kind": "GatewayServiceAccount", "apiVersion": "gateway/v2", "metadata": { "name": "admin", "vCluster": "passthrough"  }, "spec": { "type": "LOCAL" }}' 

​

Why did we make this change?

​

2. Local service account token signing key is now mandatory

​

You’re impacted if:

• your Gateway security protocol (for the client connection to Gateway) is SASL_SSL or SASL_PLAINTEXT
• and GATEWAY_USER_POOL_SECRET_KEY wasn’t already set

​

Do you have to do anything?

• Yes. Set GATEWAY_USER_POOL_SECRET_KEY. We recommend using the following command line to generate the hash:

openssl rand -base64 32

​

Why did we make this change?

​

New features v3.9.0

​

Enhanced Confluent Cloud authentication with service account mapping

• Improved Interceptor targeting: Interceptors can now target service accounts directly
• Enhanced Chargeback capabilities: Usage tracking by service account instead of API key
• Elimination of manual mappings: Removes the need for administrators to maintain user mappings

​

Dynamic header Injection from record payloads

• the entire record key or value and inject it as a header
• specific fields from record keys or values and inject them as headers

{
  "config": {
    "topic": "topic.*",
    "headers": {
      "X-CLIENT_IP": "{{userIp}} testing",
      "X-USER-ID": "{{record.key.id}}",
      "X-USER-EMAIL": "{{record.value.email}}"
    },
    "overrideIfExists": true
  }
}

• Extracting values from JSON, AVRO, PROTOBUF serialized records
• Accessing record fields using dot notation
• Referencing the entire key or value payload
• Using mustache syntax for dynamic header values

​

Fix v3.9.0

​

HashiCorp Vault token refresh resilience

• continue scheduling token refreshes at the regular intervals
• automatically recover once Vault becomes available again

• Conduktor Scale:
  • Kafka Connect policies
• Subscribe to application topics
• Conduktor Exchange:
  • Extended authentication mechanisms for Partner Zones
• Quality of life improvements
• Fixes
• Known issue

​

Conduktor Scale

​

Kafka Connect policies

---
apiVersion: self-service/v1
kind: ResourcePolicy
metadata:
  name: "limit-max-tasks"
spec:
  targetKind: Connector
  description: "Limit max tasks to 1"
  rules:
    - condition: spec.configs["tasks.max"] == "1"
      errorMessage: Connector tasks.max must be set to 1

​

Subscribe to application topics

​

Conduktor Exchange

​

Extended authentication mechanisms for Partner Zones

kind: PartnerZone
metadata:
  name: external-partner-zone
spec:
  cluster: partner1
  displayName: External Partner Zone
  url: https://partner1.com
  # serviceAccount: johndoe # <-- Previously, spec.serviceAccount
  authenticationMode: # New schema. spec.authenticationMode.serviceAccount , and, spec.authenticationMode.type of PLAIN or OAUTHBEARER
        serviceAccount: partner-external-partner
        type: PLAIN
  topics:
    - name: topic-a
      backingTopic: kafka-topic-a
      permission: WRITE

​

Quality of life improvements v1.34.0

• Added selectors for key and value formats on the single Kafka message page, enabling the use of custom deserializers.
• You can now see clusters referenced by each alert in the Settings > Alerts page.

​

Fixes v1.34.0

• To avoid timeouts when indexing consumer groups, added a new configuration variable to limit the number of consumer groups requested per describe query.
• Fixed an issue where in Topic Consume page, JQ filters against big numbers loses precision in Safari.
• Fixed an issue where messages with big number fields lose precision when being copied over to be reprocessed in the Topic Produce page.
• Fixed an issue where only the first 1,000 schemas were indexed
• Fixed an issue where opening a message with more than 1MB of data would freeze the UI because of the table view. It now defaults to the JSON view.
• Fixed an issue impacting Kafka Connect sink connectors where providing consumer override values as configuration would lead to a validation failure.
• Fixed an issue where deleted clusters were still present in the RBAC system, causing issues on the CLI api.
• Kafka config on huge numbers is now displayed correctly in the UI.
• Fixed an issue with Partition on topic details was not sorted correctly.
• Fixed an issue where lag wasn’t correctly calculated after a topic was deleted and recreated with the same name.
• The list of consumer groups in the topic details page using RBAC is now correctly displayed.

​

Known issue v1.34.0

​

Change

• The -o flags are now visible at the get root command level, making output options more discoverable.

​

Fix

• Fixed an issue where alerts could not be deleted via the CLI when using the metadata group. Find out more.

​

Changes

• Included Gateway resources in get all
• Added cause to ApiError responses
• Fixed apply template comment in YAML file
• Added option to edit and apply immediately to template command
• Standardized flag descriptions

​

Fix

• Fixed verbose mode in single client configuration

​

Changes

• Environment variable references can now be passed to Gateway or Console, allowing you to store references to secret variables used by the host within your configuration.
• Partner Zones are now available, allowing you to securely share your streaming Kafka data with external partners without the need to replicate the data.
• More informative error responses in certain situations
• Console API schema updated
• Added run
• Schema code reorg
• Ops 630 pass external environment variable reference
• Introduced dev mode for hidden command
• Panic replaced with graceful exit
• Included Partner Zones Gateway API changes

​

Fixes

• buildAlias duplication fixed
• Fixed ServiceAccount check when defining commands
• Release Action fixed
• Various doc fixes
• Fixed duplicate printout statements

​

Changes

• Added support of query params for parent
• Added template

​

Fix

• Fixed the issue when deleting virtual clusters does nothing

​

Changes

• Updated default kind for 1.30
• Added basic auth for Gateway API support

​

Fix

• Fixed default vCluster set to null for delete interceptors

​

Change

• Updated Console schema with latest version

​

Fix

• Changed ordering between groups and service accounts in Gateway entities

​

Changes

• Added handling of environment variables for YAML
• Added description for token CMD
• Updated README.md
• Added run sql
• Updated with latest Gateway API changes
• Added all

​

Fixes

• Fixed release version check
• Fixed version bump in Homebrew PRs
• Fixed releases prefix to prevent errors

​

Changes

• Added support for -o json and -o name on get
• Updated to latest Gateway API
• Added support for Gateway API v2
• Clarified version with a v

​

Fixes

• Fixed the release tag
• Fixed missing key retrieval from environment

​

Changes

• Made /api not mandatory when setting base URL
• Updated offline schema for future
• Added support for description from file in topic resources
• Added support for delete -f
• Improved client interface
• Improved CLI API for terraform provider POC
• Added a command to create token
• Added a login command

​

Fix

• Fixed auto login in client

​

Changes

• Started with v to solve issue with go package
• Use resource priority from default catalog if catalog doesn’t have any
• Added resource priority
• Keep order from API response
• Updated offline kind

​

Changes

• Expended Subject schemaFile on apply

​

Fixes

• Fixed an issue on apiVersion where apiVersion is put at the end

​

Breaking changes

• CDK_TOKEN is now CDK_API_KEY

• automation update brew formula

• improved docs

​

Features

• Added CA cert
• This release is only compatible with Console 1.23 or above

​

Fixes

• Fixed an issue with insecure

​

Features

• This release is only compatible with Console 1.23 or above
• Made CTL work with complex path
• Set CDK-CLIENT header to improve analytics

​

Fixes

• Fix for adding prefix X- to custom header

​

Features

• Add uniform CLI help commands/flags descriptions
• Use alpine as base Docker image with custom user
• Added support for multiple failing apply to get a detailed summary

​

Features

• Support for get, apply (upsert) and delete commands for the following Conduktor Console resources:
  • Application
  • ApplicationInstance
  • ApplicationInstancePermission
• Support for --dry-run on apply and delete
• Support completion that generates the autocompletion script for the specified shell
• Support for proxy auth using certificate and key
• Support ignore untrusted certificates environment variable
• Configurable environment variables