Conduktor Gateway on Kubernetes — Helm deployment

We recommend deploying Conduktor Gateway on Kubernetes using the official Helm chart for the best experience and supportability. Kubernetes keeps stateless services like Gateway highly available with built-in routing, scaling and self-healing.

Local example

We recommend running the local-stack example from our Conduktor Reference Architecture repository. This stack creates a production-like local deployment of the entire Conduktor Platform using k3d as a local Kubernetes cluster. It includes:

Component	Required for Gateway?	Details
Conduktor Gateway	Yes	Deployed with security mode `GATEWAY_MANAGED` and SNI routing.
Kafka	Yes	Required by both Gateway and Console.
Conduktor Console	No	UI and API for managing Kafka resources.
PostgreSQL	No	Stores Console state. Required for Console
Conduktor Cortex	No	Metrics collection for Console.
Schema Registry	No	Schema management for Gateway and Console.
HashiCorp Vault	No	Secret storage for Gateway encryption features.
MinIO S3	No	S3-compatible storage for metrics.
Prometheus and Grafana	No	Monitoring dashboards for Gateway and Console.

Gateway will only start if a valid license is provided (version 3.18+). If you’d like to evaluate Gateway, contact us.

Helm values

Inspect the helm values for Gateway. The sensitive configurations are provided by reference to a Kubernetes Secret.

In production, manage secrets with a dedicated secret manager. Don’t store them unencrypted in a git repository.

Preserving client IP address

By default, the Kubernetes load balancer changes the client IP address to its own. If you need Gateway to log the actual client IP address, add externalTrafficPolicy to the Gateway Helm chart:

service:
  external:
    extraSpecs:
      externalTrafficPolicy: Local

This is needed if you need to identify a client that failed to connect during handshake. For example in this log message:

[WARN ] [ProxyChannelInitializer:109] - TLS handshake failed [fecd5b8b]: SslHandshakeCompletionEvent(java.nio.channels.ClosedChannelException) on source IP address /172.16.160.44:59321

Next steps

Configure environment variables to tune Gateway for your environment
Inspect the full Helm values.yaml
Set up Interceptors to apply policies to your traffic
Configure client connections to connect your Kafka clients through Gateway
Hands-on tutorial: Deploy Conduktor Gateway with Kubernetes and Host-based Routing with walkthrough video

Chart dependencies

All charts in this repository depend on bitnami-common .

Compatibility matrix

This compatibility matrix is a resource to help you find which versions of Conduktor Gateway work on which version of our Conduktor Gateway Helm chart.

We recommend you use the version of Gateway that comes pre-configured with the Helm chart. You can adjust the version in your values property according to the supported Gateway version, if required. Breaking changes column only lists a breaking change in the Helm chart. See Conduktor release notes to determine whether there are breaking changes within the artifacts.

Helm chart compatibility

Breaking changes: 🟡 - breaks additional services / small behavior changes (e.g. Grafana dashboard changes) 🔴 - breaks overall deployment of the product (e.g. renaming variables in .values, major product releases)

Chart version	Supported Gateway version	Breaking changes
conduktor-gateway-3.18.0	3.18.0, 3.17.2, 3.17.1, 3.17.0, 3.16.0, 3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.17.2	3.17.2, 3.17.1, 3.17.0, 3.16.0, 3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.17.1	3.17.1, 3.17.0, 3.16.0, 3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.17.0	3.17.0, 3.16.0, 3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.16.1	3.16.0, 3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.16.0	3.16.0, 3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.15.0	3.15.0, 3.14.0, 3.13.0, 3.12.0
conduktor-gateway-3.14.0	3.14.0, 3.13.0 3.12.0
conduktor-gateway-3.13.0	3.13.0, 3.12.0	🟡 Added podAntiAffinity default preset
conduktor-gateway-3.12.1	3.12.0	🔴 Updated startupProbe, livenessProbe, readynessProbe endpoints
conduktor-gateway-3.12.0	3.12.0, 3.11.0, 3.10.0, 3.9.2, 3.9.1, 3.9.0, 3.8.1, 3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.11.0	3.11.0, 3.10.0, 3.9.2, 3.9.1, 3.9.0, 3.8.1, 3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.10.0	3.10.0, 3.9.2, 3.9.1, 3.9.0, 3.8.1, 3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0	🔴 The default value of the environment variable `GATEWAY_ACL_ENABLED` has been switched to `true` 🔴 Deprecated `DELEGATED_SASL_PLAINTEXT` and `DELEGATED_SASL_SSL` security protocols (they remain supported for backward compatibility) Find out more from release notes.
conduktor-gateway-3.9.1	3.9.0, 3.8.1, 3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.9.0	3.9.0, 3.8.1, 3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0	🔴 When using PLAIN tokens, Gateway service accounts are now always required 🔴 When using PLAIN tokens, Gateway JWT signing key must always be set
conduktor-gateway-3.8.1	3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.8.0	3.8.0, 3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.7.1	3.7.1, 3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.7.0	3.7.0, 3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0	🟡 Updated Grafana template 🟡 Removed dependency on in-built Kafka cluster . Now the chart checks that the `KAFKA_BOOTSTRAP_SERVERS` environment variable is set in `gateway.extraSecretEnvVars` or `gateway.env` before deploying the chart.
conduktor-gateway-3.6.1	3.6.1, 3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.6.0	3.6.0, 3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.5.0	3.5.0, 3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.4.1	3.4.1, 3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.4.0	3.4.0, 3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0	🔴 Changed service account creation behavior 🟡 Updated Grafana template
conduktor-gateway-3.3.1	3.3.1, 3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.3.0	3.3.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.2.2	3.2.2, 3.2.1, 3.2.0, 3.1.1, 3.1.0	🟡 Updated Grafana template
conduktor-gateway-3.2.1	3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.2.0	3.2.1, 3.2.0, 3.1.1, 3.1.0
conduktor-gateway-3.1.1	3.1.1, 3.1.0
conduktor-gateway-3.1.0	3.1.1, 3.1.0	🟡 Updated Grafana template
conduktor-gateway-3.0.1	3.0.1, 3.0.0
conduktor-gateway-3.0.0	3.0.0	🔴 Major product update

Conduktor in production

Deploy Console

Deploy Schema Registry Proxy

Deploy Gateway

Initial setup

Conduktor Gateway on Kubernetes — Helm deployment

Local example

Helm values

Preserving client IP address

Next steps

Chart dependencies

Compatibility matrix

Helm chart compatibility

Conduktor in production

Deploy Console

Deploy Schema Registry Proxy

Deploy Gateway

Initial setup

​Local example

​Helm values

​Preserving client IP address

​Next steps

​Chart dependencies

​Compatibility matrix

​Helm chart compatibility

Local example

Helm values

Preserving client IP address

Next steps

Chart dependencies

Compatibility matrix

Helm chart compatibility