Skip to main content

Release date: 2025-02-12

Features

Kafka Cluster connection management

This release includes a set of enhancements to how Gateway manages connectivity to a Kafka Cluster. This provides greater stability and flexibility for how Gateway can be configured with the Kafka Clusters it's connected to, and is a precursor change for future product releases.

Encryption improvements

Encryption Secret Id Mustache Templates

The encryption now allows multiple mustache substitutions in a key secret Id configuration. Previously, only a single substitution was supported. E.g. This is now allowed:

"keySecretId": "vault-kms://my-vault:8200/transit/keys/{{record.key}}-{{record.header.someHeader}}"

Decryption failure modes

This release adds a new optional configuration to the decryption plugin to allow different modes of handling errors. There are two supported modes:

  • errorPolicy: "return_encrypted" Previous - if there's an error during decryption, then the encrypted data is returned.
  • errorPolicy: "fail_fetch" New - if there's an error during decryption, then the fetch that was reading the data is failed and the client will receive an error.

In both cases, we have enhanced the logging, so issues during decryption are more fully reported.

Schema Registry access improvements

Read only Schema Registry access

Some of our Gateway plugins will deserialize and re-serialize messages in order to perform their functions. A side effect of this is that the serializer code would unnecessarily require write access to the Schema Registry. While there was no situation where Gateway would actually cause any updated or additional schema to appear, - we've altered the Schema Registry access to be read only. This avoids having to unnecessarily assign write permission for our Gateway Schema Registry connections if you're using ACLs on your Schema Registry.

Plugin validation of Schema Registry access

All Gateway plugins which access the Schema Registry will now validate that the configuration for the Schema Registry is correct when it's added or updated in Gateway. Previously, this behavior was inconsistent and a few of our plugins would only detect incorrect configurations when they processed a message rather than when they were setup.

Quality of life improvements

  • Added a new CLI command conduktor run generateServiceAccountToken to generate the JWT for local service accounts. Update your CLI to version 0.4.0 or higher.

Fixes

  • Fix: CreateTopicPolicy and AlterTopicPolicy overrides. There were some edge cases where the desired overrides from the plugin config would not be applied. These plugins now behave consistently in all situations.
  • Improvement: Removed some verbose logs and updated logging to be clearer. A general set of improvements has been made to Gateway logging, making some errors clearer and reducing repetition.