Skip to main content

Release date: 2025-03-21

Breaking changes

New backing topic required for Gateway

The Gateway KMS feature introduced in this release requires a new backing topic to store the keys.

When you upgrade to Gateway 3.7.0, a new topic _conduktor_gateway_encryption_keys will be created.

To change this default topic name, use the GATEWAY_ENCRYPTION_KEYS_TOPIC variable.

Find out more about environment variables.

Separator for super users

Super users in Gateway (specified in the GATEWAY_SUPER_USERS environment variable) are now separated by a semicolon ; instead of a comma ,.

This change is to allow super users identified with mTLS using their full DN form (CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown), and makes Gateway aligned with the Kafka configuration.

info

This change doesn't affect super users specified in virtual clusters, as they are specified using the YAML array.

Deprecating V1 APIs

V1 APIs are now deprecated in favor of the V2 APIs introduced in Gateway 3.3.0 in September 2024.
If you are using the Conduktor CLI to operate the Gateway, you are not impacted. Check the following link to understand which APIs are deprecated: Gateway API Doc. We plan to remove the V1 APIs from the Gateway in three releases time, in Gateway 3.10.0.
If you are using the V1 APIs, please migrate to the V2 APIs as soon as possible.
If you need support with this migration, please let us know.

Preview feature: introducing cost-effective Crypto Shredding with Gateway KMS

Preview functionality

This feature is currently in preview mode and will be available soon. We recommend that you don't use it in the production workloads.

This release introduces a preview feature that significantly reduces the cost and complexity of implementing crypto shredding at scale. The new 'gateway' KMS type allows you to manage granular encryption keys for individual users or records without the prohibitive costs of storing each key in AWS KMS (which costs approximately $1 per key).

With this feature, you can maintain regulatory compliance and honor user deletion requests more efficiently by:

  1. Storing only a single master key in your external KMS
  2. Securely managing thousands of individual encryption keys in Gateway's internal key store
  3. Deleting specific user keys when needed, rendering their data permanently inaccessible

This approach is particularly valuable for organizations that need to implement crypto shredding across large user bases or high-volume data sets, offering both substantial cost savings and improved performance compared to managing individual keys directly in AWS KMS.

crypto-shredding-concept

The keys stored by Gateway are all encrypted themselves via a configured master key externally held in your KMS - ensuring they remain secure and useless without access to the external KMS.

Find out how to configure the Gateway KMS.

Support for AWS Glue Schema Registry

This release extends the support in Gateway for schema registries to include AWS Glue schema registry. The default choice is Confluent like schema registries, and is backwards compatible with previous gateway configurations. For AWS Glue schema registry, different settings are required to connect, and this is covered in the plugin documentation.

Feature changes

  • Added support for . in the name of the Virtual Cluster APIs
  • More detailed errors unrelated to interceptor validation added

Bug fixes

  • Added aws-java-sdk-sts dependency to allow assume role profiles when using AWS KMS
  • Added jcl-over-slf4j dependency to see logs from AWS SDK