Release date: 2025-04-09
Breaking changes
New backing topic required for Gateway
An upcoming data quality feature requires a new backing topic in Gateway.
When you upgrade to Gateway 3.8.0, a new topic _conduktor_gateway_data_quality_violation will be created.
To change this default topic name, use the GATEWAY_DATA_QUALITY_TOPIC environment variable. Find out more about environment variables.
Deprecating v1 APIs
The v1 APIs are now deprecated in favor of v2, introduced in Gateway v3.3.0 in September 2024.
If you're using the Conduktor CLI to operate Gateway, you're not impacted. Find out which Gateway APIs are affected.
We plan to remove the v1 APIs from Gateway in two releases (Gateway 3.10.0). If you're using the v1 APIs, migrate to the v2 APIs as soon as possible. Get in touch for support with the migration.
Conduktor Shield
General availability: cost-effective Crypto Shredding with Gateway KMS
This release includes general availability of the Gateway native Crypto Shredding feature for Conduktor Shield customers. The 'gateway' KMS type on encryption/decryption interceptors allows you to manage granular encryption keys for individual users/records without the prohibitive costs of storing each key in AWS KMS (which costs approximately $1 per key).
Any messages encrypted with the 'gateway' KMS type in Gateway v3.7.0 can't be decrypted in v3.8.0. Find out how to re-configure the Gateway KMS.
Changes since v3.7.0:
- When multiple Gateway nodes are simultaneously processing data with the same secret Id for the first time, it's now possible for multiple Gateway keys to be stored per secret Id. Crypto Shredding requires every one of these keys to be deleted. To do so, the key store topic needs to be fully consumed and all of the keys associated with the required secret Id determined. Each will have a separate UUID. Find out more.
- To efficiently re-use Gateway KMS keys for secret Ids, a new configuration option maxKeys has been added to config/kmsConfig/gateway/. It should be set to a number larger than the expected number of secret Ids.
- The masterKeyId in config/kmsConfig/gateway/ is now validated and can't use template variables.
New features
Support for delegated authentication using OAUTHBEARER
When using the OAUTHBEARER authentication mechanism, you can now use GATEWAY_SECURITY_PROTOCOL=DELEGATED_SASL_xxx. By default, Gateway will use the sub claim as the principal name. You can override this by setting the GATEWAY_OAUTH_SUB_CLAIM_NAME environment variable to the claim you want to use as the principal name.
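An added example (not Conduktor's code) for checking, before writing ACLs, which principal name a client's token would produce under the rule described above. It decodes the token payload without verifying the signature, for inspection only; the sample token, its claim values, and the choice to reject a missing or non-string claim are assumptions of this example, not documented Gateway behaviour.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def expected_principal(token: str, env: dict) -> str:
    """Model of the documented rule: `sub`, unless GATEWAY_OAUTH_SUB_CLAIM_NAME names another claim."""
    claim = env.get("GATEWAY_OAUTH_SUB_CLAIM_NAME") or "sub"
    value = jwt_claims(token).get(claim)
    # Assumption of this example: a principal must be a single non-empty string.
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"claim {claim!r} is missing or not a non-empty string")
    return value


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: claim names and values are illustrative only.
SAMPLE_TOKEN = make_token(
    {"sub": "0oa1example", "client_id": "orders-service", "groups": ["team-a"]}
)

if __name__ == "__main__":
    for env in ({}, {"GATEWAY_OAUTH_SUB_CLAIM_NAME": "client_id"},
                {"GATEWAY_OAUTH_SUB_CLAIM_NAME": "groups"}):
        try:
            print(env, "->", expected_principal(SAMPLE_TOKEN, env))
        except ValueError as exc:
            print(env, "-> unusable:", exc)
```

Run it against a real token from your identity provider to confirm that the claim you select is present, is a single string, and is unique per client before you bind ACLs to it.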
Support for Confluent Cloud Identity Pool
If you're using OAuth support on Confluent Cloud, you can also set the GATEWAY_OAUTH_USE_CC_POOL_ID environment variable to true to use the identity pool ID as the principal name.
Support for delegated authentication using AWS_MSK_IAM
When using the AWS_MSK_IAM authentication mechanism, you can now use GATEWAY_SECURITY_PROTOCOL=DELEGATED_SASL_xxx. By default, Gateway will use the AWS access key ID as the principal name.