> ## Documentation Index
> Fetch the complete documentation index at: https://docs.conduktor.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Release notes — Console, Gateway & CLI

> Conduktor release notes and changelog for Console, Gateway, and CLI. New features, bug fixes, breaking changes, and security advisories across supported versions.

<Note>
  * Get notified about new releases! Click the **RSS feed** button above.
  * [Try out](https://www.conduktor.io/get-started/) <Icon icon="up-right-from-square" /> the latest Conduktor version for free.
  * Have questions or feedback? [Get in touch](https://support.conduktor.io/hc/en-gb/requests/new) <Icon icon="up-right-from-square" />.
</Note>

<Update label="Console 1.46.1" description="2026-06-29" tags={["Console"]}>
  * [Fixes](#fixes-v1-46-1)
  * [Security advisories](#security-advisories-v1-46-1)

  <h2 id="fixes-v1-46-1">
    Fixes
  </h2>

  * Fixed a regression in group membership reconciliation during single sign-on (SSO) login that affected some SSO providers.
  * Improved performance of the ApplicationGroup API.
  * Improved transactionality and rollback behavior of the ApplicationGroup API.

  <h2 id="security-advisories-v1-46-1">
    Security advisories
  </h2>

  Console v1.46.1 is flagged by image scanners (Trivy, Grype) for [CVE-2026-54512](https://nvd.nist.gov/vuln/detail/CVE-2026-54512) and [CVE-2026-54513](https://nvd.nist.gov/vuln/detail/CVE-2026-54513) against `com.fasterxml.jackson.core:jackson-databind`. Both findings have no practical impact on Console.

  Console's own jackson-databind is already patched (2.21.4 and 3.2.0). The flagged 2.15.2 version comes from a copy of jackson-databind that is shaded and relocated inside a graph library Console uses internally to support stream lineage. Its classes are not on the classpath as `com.fasterxml.jackson.databind.*`, so the vulnerable code paths can't be reached from Console. The library uses its shaded copy for internal serialization, not for deserializing attacker-controlled input.

  We intend to address this finding in the next major Console release.
</Update>

<Update label="Console 1.46.0" description="2026-06-16" tags={["Console"]}>
  * [New and updated features](#new-and-updated-features-v1-46-0)
    * [Stream lineage](#stream-lineage-v1-46-0)
    * [Kafka Connect lifecycle and offsets](#kafka-connect-lifecycle-and-offsets-v1-46-0)
    * [Consumer group protocol reporting](#consumer-group-protocol-reporting-v1-46-0)
    * [Mask all fields in a data masking policy](#mask-all-fields-in-a-data-masking-policy-v1-46-0)
    * [Permission management](#permission-management-v1-46-0)
    * [Resource templates](#resource-templates-v1-46-0)
    * [Chargeback](#chargeback-v1-46-0)
    * [Public API changes](#public-api-changes-v1-46-0)
  * [Fixes](#fixes-v1-46-0)

  <h2 id="new-and-updated-features-v1-46-0">
    New and updated features
  </h2>

  <h3 id="stream-lineage-v1-46-0">
    Stream lineage
  </h3>

  [Stream lineage](/guide/conduktor-concepts/stream-lineage) gives you an interactive map of how data flows across your Kafka estate, with the topics, applications, and service accounts that produce or consume each stream rendered side by side. Use it to trace how a topic is being read and written across applications, identify which service accounts depend on a given topic, and investigate the downstream impact of a topic or application change.

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/conduktor/images/lineage-application-instances-graph.png" alt="Stream lineage application instance graph view" />

  The graph is derived from the Kafka ACLs granted to each service account — including the ACLs generated by Self-service `ApplicationInstance` and `ApplicationInstancePermission` resources — so it stays in sync with the model you've declared in Console. On Confluent Cloud and Confluent Platform clusters configured to use role bindings, the edges are populated from those role bindings instead.

  Stream lineage offers two ways to explore your platform:

  * **Application instance view** — see how Self-service applications connect through the topics they share, with a **Topics** toggle to either include the topics on the graph or collapse them into a compressed application-to-application view
  * **Service account view** — reason about access at the Kafka authorization layer, with each service account as a node and edges drawn straight from the ACLs that grant read or write access to a topic

  For clusters with more than 1,000 nodes, the full graph is truncated to stay responsive; use the per-instance and per-service-account drill-down views to focus on a sub-graph centered on the resource you care about, with a configurable hop count.

  See the [Stream lineage concept page](/guide/conduktor-concepts/stream-lineage) for the full walkthrough, including the performance impact and the `CDK_STREAM_LINEAGE_*` environment variables to tune the in-memory graph cache.

  <h3 id="kafka-connect-lifecycle-and-offsets-v1-46-0">
    Kafka Connect lifecycle and offsets
  </h3>

  * You can now stop a Kafka Connect connector. Stopping a connector releases its tasks and resources, unlike pausing, which keeps them assigned. Manage the new `STOPPED` state from the connector page or the public API.
  * The connector page has a new **Offsets** tab to view a connector's source and sink offsets. To edit or reset offsets, use the public API while the connector is stopped to control where it resumes from.
  * You can set the initial state of a connector when you create it. Set `initialState` to `RUNNING`, `PAUSED`, or `STOPPED` to deploy a connector without immediately starting it.

  <h3 id="consumer-group-protocol-reporting-v1-46-0">
    Consumer group protocol reporting
  </h3>

  Consumer group descriptions now report the group type and protocol (`CLASSIC` or `CONSUMER`) introduced by the next-generation consumer group protocol (KIP-848), so you can tell at a glance which clients have moved to the new protocol.

  <h3 id="mask-all-fields-in-a-data-masking-policy-v1-46-0">
    Mask all fields in a data masking policy
  </h3>

  [Data masking](/guide/conduktor-in-production/admin/data-masking) policies now have a **Mask all fields** toggle. When enabled, Console applies the policy's masking rule to every scalar value it finds in a message — at every nesting depth, including inside arrays — without you needing to enumerate field paths. Numbers are masked to `0` and booleans to `false` so message schemas stay valid; per-field policies that target specific paths still take precedence.

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/conduktor/images/data-policy-mask-all-fields.png" alt="Add a new policy dialog with Mask all fields enabled" />

  See [Mask all fields](/guide/conduktor-in-production/admin/data-masking#mask-all-fields) for conflict rules and how this interacts with other policies.

  <h3 id="permission-management-v1-46-0">
    Permission management
  </h3>

  * Topic owners can now be given access to view the ACLs on their owned topics without needing a cluster-wide permission. To view topic ACLs, a user has to be granted one of:

    * `clusterViewACL` on the related cluster (classic RBAC), which continues to cascade ACL viewing to every topic in the cluster, or
    * one of the Self-service application instance permissions `applicationInstancePermissionGrantAccess` or `applicationInstancePermissionProposeAccess`, assigned through an application group on the owning `ApplicationInstance`.

    Topic ownership alone doesn't grant ACL viewing — the permission has to be explicitly assigned through an application group.

  * Three new Kafka Connect permissions let you grant connector stop and offset operations independently of pause, resume, and restart: stop a connector, view offsets, and manage offsets. These default to off for existing custom roles, so existing permission grants are unchanged until you opt in.

  <h3 id="resource-templates-v1-46-0">
    Resource templates
  </h3>

  Platform teams can now define topic and connector templates that pre-fill the Console creation forms. Admins curate templates with the CLI — set a display name, an optional description, and the default partitions, replication factor, configuration and labels — and application teams pick one to start from a vetted setup instead of a blank form, adjusting the values before they submit. Templates can include `{{placeholder}}` values, such as a team name in a topic naming convention, that the user replaces during creation. Templates are suggestions, not rules: pair them with a [ResourcePolicy](/guide/reference/self-service-reference#resourcepolicy) to enforce the boundaries.

  See the [TopicTemplate](/guide/reference/self-service-reference#topictemplate) and [ConnectorTemplate](/guide/reference/self-service-reference#connectortemplate) reference for the YAML schema.

  <h3 id="chargeback-v1-46-0">
    Chargeback
  </h3>

  * Chargeback is now enabled by default. The `CDK_CHARGEBACKV2_ENABLED` environment variable defaults to `true`; set it to `false` to disable Chargeback.
  * Chargeback now attributes Kafka Connect costs. Set a default connector task hour cost per cluster, with optional per-connector-class overrides, then view Connect costs in the cluster, application, and label views and drill down into individual connectors.
  * Connectors that carry a Chargeback Label can now be grouped and filtered in the Chargeback label view.
  * The Chargeback CSV export now includes connector task hours and connect cost columns.
  * The Chargeback public API now exposes endpoints to manage cost rates and Chargeback Labels, and to export Chargeback data as CSV.

  <h3 id="public-api-changes-v1-46-0">
    Public API changes
  </h3>

  * The public API now exposes connector lifecycle operations: stop, pause, resume, restart, and offset management (view, edit, reset).
  * The public API now exposes consumer group operations: describe a group, view its members and topics, delete a group, and preview or reset offsets.
  * The Chargeback public API now exposes endpoints to manage cost rates and Chargeback Labels, and to export Chargeback data as CSV. See the [Chargeback section](#chargeback-v1-46-0) for the full set of related changes.

  <h2 id="quality-of-life-improvements-v1-46-0">
    Quality of life improvements
  </h2>

  * Export includes Kafka headers {/* REQ-92 */}

  <h2 id="fixes-v1-46-0">
    Fixes
  </h2>

  * Consumer offset retrieval no longer fails when some partition leaders are offline {/* CUS-948 */}
  * Consumer page date-time filters now display time in local time instead of UTC {/* CUS-264 */}
  * SSO test for Azure Entra ID shows explanation why group or email claims are missing {/* CUS-805 */}
  * Added `CORTEX_COMPACTOR_RETENTION_PERIOD` environment variable {/* CUS-972 */}
  * Support nested OIDC group claim {/* CUS-946 */}
</Update>

<Update label="Gateway 3.20.0" description="2026-06-16" tags={["Gateway"]}>
  * [Breaking changes](#breaking-changes-v3-20-0)
    * [Mixed network configuration](#mixed-network-configuration-v3-20-0)
    * [Internal Kafka client upgraded to 4.2](#internal-kafka-client-upgrade-v3-20-0)
  * [New and updated features](#new-and-updated-features-v3-20-0)
    * [New listener configuration GA](#new-listener-configuration-ga-v3-20-0)
    * [Topic views GA](#topic-views-ga-v3-20-0)
    * [Faster ACL authorization](#faster-acl-authorization-v3-20-0)
  * [Preview features](#preview-features-v3-20-0)
    * [Incremental fetch sessions](#incremental-fetch-sessions-v3-20-0)
  * [Deprecated features](#deprecated-features-v3-20-0)
    * [Legacy network configuration](#legacy-network-configuration-v3-20-0)
  * [Quality of life improvements](#quality-of-life-improvements-v3-20-0)
    * [Upgrade to JDK 25](#upgrade-to-jdk-25-v3-20-0)
    * [Automatic OAuth URL allow-list](#automatic-oauth-url-allow-list-v3-20-0)
  * [Fixes](#fixes-v3-20-0)
  * [Security advisories](#security-advisories-v3-20-0)

  <h2 id="breaking-changes-v3-20-0">
    Breaking changes
  </h2>

  <h3 id="mixed-network-configuration-v3-20-0">
    Mixed network configuration
  </h3>

  Gateway now refuses to start if you mix legacy network configuration variables with listener configuration variables. Previously, the legacy variables were silently ignored in that case. See [Migrate to listener configuration](/guide/tutorials/migrate-to-listener-configuration) for a side-by-side mapping and a worked example.

  <h3 id="internal-kafka-client-upgrade-v3-20-0">
    Internal Kafka client upgraded to 4.2
  </h3>

  Gateway now uses the Apache Kafka client 4.2 internally, upgraded from 3.9. This drops support for the oldest client protocol versions, so applications connecting to Gateway need a Kafka client of at least Apache Kafka 2.1 for the Java client, or the equivalent for other libraries (see [KIP-896](https://cwiki.apache.org/confluence/display/KAFKA/KIP-896%3A+Remove+old+client+protocol+API+versions+in+Kafka+4.0)). Only clients older than that are affected. It does not change the minimum Kafka broker version that Gateway supports. We expect low impact for most deployments.

  <Note>
    Gateway does not yet support the new Kafka 4 group protocols and now blocks them for every client, in both API blocking modes:

    * **Share groups (KIP-932)**, also known as Kafka queues.
    * **Streams groups (KIP-1071)**, the new Kafka Streams rebalance protocol.

    This is a behavior change. Previously, with ACLs disabled and `GATEWAY_FEATURE_FLAGS_BLOCK_UNSUPPORTED_APIS=false`, Gateway passed the KIP-932 share-group APIs through to the backing Kafka cluster. They're now always blocked. See [API blocking modes](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#api-blocking-modes).
  </Note>

  <h2 id="new-and-updated-features-v3-20-0">
    New and updated features
  </h2>

  <h3 id="new-listener-configuration-ga-v3-20-0">
    New listener configuration GA
  </h3>

  The new configuration format supporting multiple listeners with `GATEWAY_LISTENER_<NAME>_*` environment variables is now generally available. It graduates from preview to the recommended way to configure Gateway networking.

  The same configuration can define one or many listeners. Each listener has its own security protocol, routing strategy and network bindings, letting you expose Gateway through multiple endpoints (for example, internal `PLAINTEXT` and external `SASL_SSL`) when needed.

  With listener configuration, `GATEWAY_SECURITY_MODE` and `GATEWAY_ACL_ENABLED` have to be set explicitly — they're no longer inferred from the backing Kafka cluster.

  See [Configure Gateway listeners](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/listeners).

  <h3 id="topic-views-ga-v3-20-0">
    Topic views GA
  </h3>

  [Topic views](/guide/conduktor-concepts/logical-topics#topic-views) graduate from tech preview to general availability and are now enabled by default. They provide non-materialized, SQL-filtered views of physical Kafka topics.

  Building on the 3.19.0 preview, topic views now also support:

  * **Consumer `group.id` validation** to prevent the silent data loss that can occur when a consumer group is shared across views of the same backing topic. See [Set the consumer group ID](/guide/conduktor-concepts/logical-topics#set-the-consumer-group-id).
  * **Expanded SQL**: date and time comparisons, record metadata in the `SELECT` clause, and parse-time rejection of unsupported multi-value field paths. See [SQL transformation](/guide/conduktor-concepts/logical-topics#sql-transformation).
  * **`onError` enforced at fetch time**, including `FAIL_FETCH`. See [Error handling](/guide/conduktor-concepts/logical-topics#error-handling).

  <h3 id="faster-acl-authorization-v3-20-0">
    Faster ACL authorization
  </h3>

  ACL evaluation is now more efficient, especially on clusters with many ACLs. Authorization decisions are unchanged. {/* CUS-967 */}

  <h2 id="preview-features-v3-20-0">
    Preview features
  </h2>

  <h3 id="incremental-fetch-sessions-v3-20-0">
    Incremental fetch sessions
  </h3>

  Gateway can now support Apache Kafka incremental fetch sessions ([KIP-227](https://cwiki.apache.org/confluence/display/KAFKA/KIP-227%3A+Introduce+Incremental+FetchRequests+to+Increase+Partition+Scalability)) on the Fetch API, behind a feature flag. Incremental fetch sessions let a consumer send only the partitions that changed after it opens a session, which lowers Fetch request overhead for consumers that read from many partitions.

  Enable it with `GATEWAY_FEATURE_FLAGS_INCREMENTAL_FETCH_SESSIONS_ENABLED=true`. You can't combine it with topic ID support. See [incremental fetch sessions](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#incremental-fetch-sessions-preview) for setup and limitations.

  <h2 id="deprecated-features-v3-20-0">
    Deprecated features
  </h2>

  <h3 id="legacy-network-configuration-v3-20-0">
    Legacy network configuration
  </h3>

  Deprecated in: `v3.20.0`. Removal planned for `v3.23`.

  The global `GATEWAY_PORT_*`, `GATEWAY_ADVERTISED_HOST`, `GATEWAY_HOST`, `GATEWAY_ROUTING_MECHANISM`, `GATEWAY_BIND_HOST`, `GATEWAY_ADVERTISED_SNI_PORT`, `GATEWAY_ADVERTISED_HOST_PREFIX`, `GATEWAY_SNI_HOST_SEPARATOR` and `GATEWAY_SECURITY_PROTOCOL` environment variables are deprecated. New deployments should use [listener configuration](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/listeners).

  Existing deployments continue to work without changes, but Gateway now logs a deprecation warning at startup when it detects any of these variables, pointing to the migration guide.

  When you're ready to migrate, see [Migrate to listener configuration](/guide/tutorials/migrate-to-listener-configuration) for a side-by-side mapping and a worked example.

  <h2 id="quality-of-life-improvements-v3-20-0">
    Quality of life improvements
  </h2>

  <h3 id="upgrade-to-jdk-25-v3-20-0">
    Upgrade to JDK 25
  </h3>

  Conduktor Gateway now runs on **JDK 25**, replacing JDK 21. Both are long-term support (LTS) releases. This is a runtime and toolchain change only — Gateway features and configuration are unchanged — and it is low impact for most deployments. The runtime base image moves from `eclipse-temurin:21-jdk` to `eclipse-temurin:25-jdk`.

  If you build your own image `FROM` the Gateway image, or set custom JVM options, verify any custom `JAVA_OPTS` against the [JVM options removed or obsoleted across JDK 22–25](https://www.oracle.com/java/technologies/javase/25-relnote-issues.html): an unrecognized flag prevents the JVM from starting.

  <h3 id="automatic-oauth-url-allow-list-v3-20-0">
    Automatic OAuth URL allow-list
  </h3>

  The Kafka 4 client library adds a security control: the `org.apache.kafka.sasl.oauthbearer.allowed.urls` system property. The OAuth or OpenID Connect (OIDC) client only calls a URL that's on this allow-list and refuses any URL that isn't. Now that Gateway's internal Kafka client is on 4.2, this property applies to Gateway too.

  Gateway sets the property automatically at startup from the OAuth URLs you already configure: the downstream JSON Web Key Set (JWKS) endpoint and any upstream token endpoints. OAuth authentication continues to work after the upgrade with no extra JVM argument.

  To control the allow-list yourself, for example to add or restrict URLs, you can still set the property manually, which overrides the value Gateway derives.

  <h2 id="fixes-v3-20-0">
    Fixes
  </h2>

  * Include async-profiler to help investigating performance issue {/* TEC-13 */}
  * Secret env vars whose values start with a YAML-special character (such as `[`) no longer cause Gateway to fail at startup. Affected vars: `GATEWAY_SSL_KEY_STORE_PASSWORD`, `GATEWAY_SSL_KEY_PASSWORD`, `GATEWAY_SSL_TRUST_STORE_PASSWORD`, `GATEWAY_HTTPS_KEY_STORE_PASSWORD`, `GATEWAY_HTTPS_TRUST_STORE_PASSWORD`, `GATEWAY_CONFLUENT_CLOUD_API_SECRET`, `GATEWAY_USER_POOL_SECRET_KEY`. {/* CUS-974 */}
  * Fix process hang when startup or shutdown fails {/* CUS-963 */}
  * Prevent reprocessing of deleted interceptor configuration on startup {/* CUS-933 */}

  <h2 id="security-advisories-v3-20-0">
    Security advisories
  </h2>

  Gateway v3.20.0 is affected by [CVE-2026-45799](https://github.com/advisories/GHSA-7xpr-hc2w-34m9). We will address it in a future release once our upstream dependencies allow.
</Update>

<Update label="Console 1.44.2" description="2026-06-04" tags={["Console"]}>
  ## Fixes v1.44.2

  * Fixed erroneous "subject not found" errors appearing in the topic record detail view when the subject exists.

  ## CVEs in conduktor-console-cortex

  Three CVEs are flagged as high severity in the Cortex container image:

  * CVE-2026-34040
  * CVE-2026-41567
  * CVE-2026-42306

  These CVEs are fixed in later versions of the Cortex container image, but the fixes can't be backported to the version shipped with Console 1.44.2. We've investigated their impact and confirmed that none of them are exploitable in the current Cortex container image. All three CVEs relate to Docker and affect parts of the binary that Cortex doesn't expose.

  ### CVE-2026-34040

  This exploit involves an AuthZ plugin bypass in the Docker daemon HTTP API middleware. Cortex doesn't embed or run dockerd, so it isn't affected.

  ### CVE-2026-41567 and CVE-2026-42306

  Both CVEs relate to the `docker cp` command and its implementation in dockerd. Cortex doesn't embed or run dockerd, so it isn't affected.
</Update>

<Update label="Gateway 3.19.1" description="2026-05-15" tags={["Gateway"]}>
  * [New features](#new-features-v3-19-1)
    * [Gateway Community Edition](#passthrough-gateway-plan-v3-19-1)
  * [Security advisories](#security-advisories-v3-19-1)

  <h2 id="new-features-v3-19-1">
    New features
  </h2>

  <h3 id="passthrough-gateway-plan-v3-19-1">
    Gateway Community Edition
  </h3>

  Conduktor Gateway introduces a new edition: **Gateway Community Edition** — a Kafka-managed passthrough proxy with no Gateway-managed features. Standard Conduktor Gateway licenses are unaffected by this release.

  [See Gateway Community Edition](/guide/conduktor-in-production/manage-licenses/gateway-community-edition) for included capabilities, excluded features, customer-visible restrictions, and how to obtain a license.

  <h2 id="security-advisories-v3-19-1">
    Security advisories
  </h2>

  This release resolves [CVE-2026-22016](https://nvd.nist.gov/vuln/detail/CVE-2026-22016) (Java API for XML Processing) and [CVE-2026-34282](https://nvd.nist.gov/vuln/detail/CVE-2026-34282) (Networking), both [flagged in Gateway v3.19.0](/guide/release-notes#security-advisories-v3-19-0).
</Update>

<Update label="Console 1.45.1" description="2026-05-14" tags={["Console"]}>
  * [Fixes](#fixes-v1-45-1)
  * [Security advisories](#security-advisories-v1-45-1)

  <h2 id="fixes-v1-45-1">
    Fixes
  </h2>

  * Fixed an issue where Chargeback did not attribute costs to applications managed through Self-service in the service accounts panel.
  * Fixed a Chargeback issue where costs could be assigned to the wrong day for users in non-UTC timezones.

  <h2 id="security-advisories-v1-45-1">
    Security advisories
  </h2>

  * Updated the JDK 21 base image to include upstream patches for [CVE-2026-34282](https://nvd.nist.gov/vuln/detail/CVE-2026-34282).
  * Updated the bundled Netty dependency to address recently disclosed CVEs.
</Update>

<Update label="Console 1.45.0" description="2026-05-05" tags={["Console"]}>
  * [Breaking changes](#breaking-changes-v1-45-0)
    * [Self-service owner group permissions](#self-service-owner-group-permissions-v1-45-0)
    * [Conduktor Console Cortex upgrade](#conduktor-console-cortex-upgrade-v1-45-0)
  * [New and updated features](#new-and-updated-features-v1-45-0)
    * [Self-service](#self-service-v1-45-0)
    * [Unified Chargeback](#unified-chargeback-v1-45-0)
    * [AWS Glue schema IaC](#aws-glue-schema-iac-v1-45-0)
    * [Subject ACLs for Schema Registry Proxy](#subject-acls-for-schema-registry-proxy-v1-45-0)
    * [Confluent Platform role bindings](#confluent-platform-role-bindings-v1-45-0)
  * [Fixes](#fixes-v1-45-0)
  * [Security advisories](#security-advisories-v1-45-0)

  <h2 id="breaking-changes-v1-45-0">
    Breaking changes
  </h2>

  <h3 id="self-service-owner-group-permissions-v1-45-0">
    Self-service owner group permissions
  </h3>

  Starting with Console 1.45.0, application owner groups no longer have implicit permissions to create API keys, request or grant access, or manage resources at the application instance level. Owner groups can now **only create ApplicationGroups**.

  All previous owner group permissions have to be explicitly assigned through ApplicationGroups using the new `instancePermissions` field.

  #### You're impacted if

  You rely on application owner group members to:

  * Create or delete application instance API keys
  * Request access to other teams' topics through the Topic Catalog
  * Grant or approve access requests to your application's topics
  * Manage service accounts for the application instance

  #### Do you have to do anything?

  **In most cases, no.** On upgrade to Console 1.45.0, an automatic migration creates a mirror ApplicationGroup for each existing application owner group. This mirror group is assigned all instance permissions (`applicationInstancePermissionRequestAccess`, `applicationInstancePermissionGrantAccess`, `applicationInstancePermissionProposeAccess`, `applicationInstanceApiKeyManage`, `serviceAccountManage`) so that existing users keep their current access.

  The mirror group is labeled for identification with the following conventions:

  * the name is the same as the application name with `-owners` suffix (e.g. the application `my-app` will have a mirror group named `my-app-owners`)
  * the description starts with `[Default Owner]`
    You can review and adjust these groups after upgrade to restrict specific permissions to specific teams.

  If you manage Self-service resources through GitOps, update your ApplicationGroup YAML definitions to include the new `instancePermissions` field where needed. See the [Self-service resource reference](/guide/reference/self-service-reference#applicationgroup) for the updated schema.

  <Note>
    The automatic migration only applies to applications that exist at upgrade time. For new applications created after upgrading, the platform team or application owner has to create an ApplicationGroup with the appropriate `instancePermissions` as a first step, otherwise the team will not be able to request or grant access, create API keys, or manage service accounts.
  </Note>

  <h3 id="conduktor-console-cortex-upgrade-v1-45-0">
    Conduktor Console Cortex upgrade
  </h3>

  Console 1.45.0 upgrades the bundled Cortex image from 1.18 to 1.21, which includes an upgrade from Prometheus 2.54 to 3.8. This is a **one-way upgrade** — you cannot roll back to the previous image once data has been written by the new one.

  <Warning>
    Back up your TSDB volume or object storage bucket before upgrading. The new Prometheus 3.x storage format is not readable by the previous image (Prometheus 2.54). Without a backup, rollback requires accepting data loss for the period since the upgrade.
  </Warning>

  #### You're impacted if

  All deployments running Conduktor Console Cortex are impacted.

  #### Pre-upgrade checklist

  1. **Back up TSDB storage.** Snapshot your TSDB volume or object storage bucket. This is mandatory — there is no in-place downgrade path.
  2. **Review custom Grafana dashboards.** The provided Conduktor Grafana dashboard works without changes, but custom dashboards may need updates due to the PromQL and label changes listed below.

  #### PromQL and query behavior changes

  These changes can silently alter query results in custom dashboards, recording rules and alerts:

  | Change                                                                  | Impact                                                                                                           | Action                                                                                              |
  | ----------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |
  | `.` in regular expressions now matches newline characters               | Patterns like `.*` match strings that include `\n`                                                               | Replace `.` with `[^\n]` in regex patterns where newline matching is not intended                   |
  | Range selectors are now left-open, right-closed                         | Subqueries like `foo[1m:1m]` may return one point instead of two, causing `rate` or `increase` to return no data | Widen the range window in affected subqueries                                                       |
  | `le` and `quantile` label values are normalized to float representation | `le="1"` becomes `le="1.0"`                                                                                      | Update alerts, recording rules and dashboards that reference whole-number `le` or `quantile` values |
  | `holt_winters` renamed to `double_exponential_smoothing`                | The old name still works inside Cortex, but external Prometheus instances querying Cortex won't recognize it     | Use `double_exponential_smoothing` in new queries                                                   |

  #### Scraping and ingestion changes

  * Targets that don't return a valid `Content-Type` header now fail the scrape instead of falling back to the Prometheus text format. If you see scrape failures after upgrading, set `fallback_scrape_protocol` in your scrape configuration.
  * UTF-8 metric and label names are now accepted by default. To keep strict pre-upgrade behavior, set `metric_name_validation_scheme: legacy`.
  * Prometheus 3 no longer supports Alertmanager's v1 API. If your Alertmanager configuration uses `api_version: v1`, update to v2 (requires Alertmanager 0.16.0 or later).

  #### Configuration flag changes

  The following feature flags have been removed and are now default behavior. Passing them with `--enable-feature` produces a warning but has no effect:

  `promql-at-modifier`, `promql-negative-offset`, `new-service-discovery-manager`, `expand-external-labels`, `no-default-scrape-port`, `agent`, `remote-write-receiver`, `auto-gomemlimit`, `auto-gomaxprocs`

  Of these, `no-default-scrape-port` may change metric label values — targets like `https://example.com/metrics` no longer have `:443` appended.

  Other flag changes:

  * `remote_write` `enable_http2` now defaults to `false`. If you depend on HTTP/2 multiplexing for remote write, opt in explicitly.
  * The log format changed from `go-kit/log` to `slog`. Anything parsing Cortex logs (for example, Loki recording rules or log-based alerts) needs adjustment.

  #### Cortex-specific changes

  * The bucket index is now enabled by default. Disabling it (`-blocks-storage.bucket-store.bucket-index.enabled=false`) is not recommended for production.
  * Ruler API and Alertmanager API flags have graduated from experimental (for example, `-experimental.ruler.enable-api` is now `-ruler.enable-api`). The old flags still work but are deprecated.
  * The `-distributor.otlp.enable-type-and-unit-labels` flag is deprecated and replaced by `-distributor.enable-type-and-unit-labels`. Update your configuration if you use OTLP ingestion.

  #### Disk usage on Kubernetes

  In Cortex 1.21, the compactor and cleanup jobs run in parallel rather than sequentially. On large Consoles with significant metric volume, this can cause peak local disk usage to grow enough to fill the pod's ephemeral storage and trigger eviction.

  For Kubernetes deployments running large workloads, we recommend attaching a persistent volume to the Cortex pod instead of relying on ephemeral storage, so the compactor has headroom to run alongside cleanup. See [Store platform data into a persistent volume](https://github.com/conduktor/conduktor-public-charts/tree/main/charts/console#store-platform-data-into-a-persistent-volume) in our Helm chart docs for configuration details.

  <h2 id="new-and-updated-features-v1-45-0">
    New and updated features
  </h2>

  <h3 id="self-service-v1-45-0">
    Self-service
  </h3>

  #### Granular instance permissions for ApplicationGroups

  ApplicationGroups now support a new `instancePermissions` field, separate from the existing resource-level `permissions` field. This lets platform teams delegate application-instance-level actions to specific groups rather than granting them implicitly to all owner group members.

  | Permission                                   | Description                                                                                                                                 |
  | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
  | `applicationInstancePermissionRequestAccess` | Request access to other teams' topics through the Topic Catalog                                                                             |
  | `applicationInstancePermissionGrantAccess`   | Approve or grant access requests to owned topics                                                                                            |
  | `applicationInstancePermissionProposeAccess` | Propose access via GitOps — view incoming access requests and copy the CLI snippet, without being able to approve them directly from the UI |
  | `applicationInstanceApiKeyManage`            | Create and delete application instance API keys                                                                                             |
  | `serviceAccountManage`                       | Manage service accounts for the application instance                                                                                        |

  ```yaml theme={null} theme={null}
  instancePermissions:
    - appInstance: clickstream-app-dev
      permissions: ["applicationInstancePermissionRequestAccess", "applicationInstancePermissionGrantAccess", "applicationInstanceApiKeyManage"]
  ```

  See the [Self-service resource reference](/guide/reference/self-service-reference#instance-permissions-reference) for full details.

  #### Service account management delegation

  The new `serviceAccountManage` instance permission allows platform teams to delegate service account management to specific ApplicationGroups. Previously, service account management was only available to owner group members.

  #### UI updates for ApplicationGroup members

  The Console UI now checks ApplicationGroup instance permissions when determining access to Self-service actions. ApplicationGroup members with the `applicationInstancePermissionRequestAccess` permission can request topic access, and members with `applicationInstancePermissionGrantAccess` can approve or grant requests directly from the **Topic Catalog** and **Application Catalog** pages.

  #### Enforce restrictions on ApplicationGroups with a ResourcePolicy

  After the migration, application teams own their ApplicationGroups and choose which `permissions` and `instancePermissions` to assign. Platform teams can keep guardrails on what teams are allowed to grant themselves with a `ResourcePolicy` of `targetKind: ApplicationGroup`, linked through `spec.policyRef`.

  For example, to enforce **GitOps-only approval**, restrict ApplicationGroups to a read-only resource permission set and to safe instance permissions — any write operation (`topicDelete`, `topicEditConfig`, `applicationInstancePermissionGrantAccess`, `serviceAccountManage`) then has to go through the CLI:

  ```yaml theme={null} theme={null}
  ---
  apiVersion: self-serve/v1
  kind: ResourcePolicy
  metadata:
    name: applicationgroup-gitops-only
  spec:
    targetKind: ApplicationGroup
    description: Restrict ApplicationGroups to read-only resource permissions and GitOps-only access approval
    rules:
      - condition: spec.permissions.all(p, p.permissions.all(x, x in ["topicViewConfig", "consumerGroupView", "subjectView", "kafkaConnectorStatus"]))
        errorMessage: resource permissions are limited to topicViewConfig, consumerGroupView, subjectView and kafkaConnectorStatus. Permissions like topicDelete and topicEditConfig have to go through the CLI
      - condition: '!has(spec.instancePermissions) || spec.instancePermissions.all(p, p.permissions.all(x, x in ["applicationInstancePermissionRequestAccess", "applicationInstancePermissionProposeAccess", "applicationInstanceApiKeyManage"]))'
        errorMessage: applicationInstancePermissionGrantAccess and serviceAccountManage are not allowed. Use applicationInstancePermissionProposeAccess and approve access via GitOps
      - condition: size(metadata.members) == 0
        errorMessage: spec.members not allowed. Use external group mapping instead
  ```

  Once linked, members of any ApplicationGroup created under that application are limited to the permissions the policy allows. See [Restricting ApplicationGroup permissions](/guide/reference/self-service-reference#restricting-applicationgroup-permissions) for the full example, including a sample ApplicationGroup that passes validation.

  <h3 id="unified-chargeback-v1-45-0">
    Unified Chargeback
  </h3>

  Chargeback now measures four cost axes — **storage**, **partitions**, **ingress** and **egress** — across vanilla Kafka, Confluent Cloud and Gateway clusters from a single page:

  * **Three views**: group costs by Cluster, Application (with drill-down into application instances) or by the values of a configured label key
  * **Drill-downs**: every row can be expanded to show the topics and service accounts that contributed to its cost
  * **Chargeback Labels**: administrators select which label keys are eligible for grouping (for example, `team`, `cost-center`, `env`)
  * **Settings drawer**: cost rates and Chargeback Labels are managed from a single drawer behind the cog icon, replacing the previous gear flow
  * **CSV export**: the **Export** dropdown downloads the current view honoring the active filters, view, period and search

  Capabilities depend on the cluster type. Confluent Cloud and Gateway clusters expose throughput; Gateway is the only source for per-topic service account breakdowns.

  [Use Chargeback](/guide/use-cases/chargeback) · [Configure Chargeback](/guide/tutorials/configure-chargeback) · [Chargeback concepts](/guide/conduktor-concepts/chargeback)

  <h3 id="aws-glue-schema-iac-v1-45-0">
    AWS Glue schema IaC
  </h3>

  Application teams can now manage their Glue schema resources lifecycle through IaC with the addition of the [GlueSchema](/guide/reference/kafka-reference#glueschema) object.

  ```yaml theme={null} theme={null}
  ---
  apiVersion: kafka/v2
  kind: GlueSchema
  metadata:
    cluster: shadow-it
    name: myPrefix.topic-value
  spec:
    schema: |
      {
        "type": "long"
      }
    format: AVRO
    compatibility: BACKWARD
  ```

  <h3 id="confluent-platform-role-bindings-v1-45-0">
    Confluent Platform role bindings
  </h3>

  Console now supports Confluent Platform Role-Based Access Control (RBAC) role bindings for Self-service. To enable role bindings, go to the Confluent Platform cluster's provider settings and turn on the role bindings flag.

  Once enabled, applying a Self-service resource creates Confluent Platform role bindings for the service account instead of Kafka ACLs. Role bindings are also visible in the service account UI for Confluent Platform clusters that have the flag enabled.

  See the [Self-service resource reference](/guide/reference/self-service-reference#applicationinstance) for the role bindings created for each resource type, and the [Confluent Platform RBAC migration tutorial](/guide/tutorials/migrate-confluent-platform-rbac) for step-by-step setup.

  <h3 id="subject-acls-for-schema-registry-proxy-v1-45-0">
    Subject ACLs for Schema Registry Proxy
  </h3>

  Subject ACLs can now be created on [application-managed service accounts](/guide/reference/self-service-reference#application-managed-service-account) to control access to specific subjects via the Schema Registry Proxy. This isn't available on standard ServiceAccount resources, and only takes effect when the service account's application instance is on a cluster whose Schema Registry is fronted by a Schema Registry Proxy.

  This provides more granular access control for teams using the Schema Registry Proxy to manage their schemas.

  <Note>
    Schema Registry Proxy is a preview feature — reach out to your solutions architect for more information.
  </Note>

  ```yaml theme={null} theme={null}
  ---
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    cluster: shadow-it
    name: clickstream-sa
  spec:
    authorization:
      type: KAFKA_ACL
      acls:
        # Read and write on the click.event-stream.avro topic
        - type: TOPIC
          name: 'click.event-stream.avro'
          patternType: LITERAL
          operations:
            - Write
            - Read
    schemaRegistryAuthorization:
      acls:
        # Read and Write on the click.event-stream.avro schemas
        - name: 'click.event-stream.avro-'
          patternType: PREFIXED
          operations:
            - Read
            - Write
  ```

  See the [ServiceAccount resource reference](/guide/reference/kafka-reference#serviceaccount) for details on how to create subject ACLs.

  <h2 id="fixes-v1-45-0">
    Fixes
  </h2>

  * Added PersonalApiKey audit log type to differentiate from AdminApiKey {/* CUS-915 */}
  * Fixed an error when parsing the Create Connector API response in Kafka Connect 4.2.0+ {/* CUS-925 */}
  * Added a detailed cause to deserialization error messages when consuming records {/* CUS-928 */}
  * Fixed a spurious "Subject not found" popup on the record detail view for topics using a Confluent Schema Registry, when deserialization had already succeeded {/* CUS-920 */}
  * Fixed Schema Registry Proxy not syncing subject ACLs to the `_conduktor_srp_commands` command topic {/* CUS-909 */}
  * Fixed the Schema Registry selection on a cluster reverting to "none" after saving {/* CUS-909 */}
  * Fixed the Kafka Connect UI becoming inaccessible when any connector returned a null version in its status response {/* CUS-934 */}
  * Fixed the `list_interceptors` Model Context Protocol (MCP) tool failing when called using a personal access token {/* CUS-926 */}
  * Fixed the **Resource Access** tab showing a blank page for teams with KsqlDB or Connector permissions referencing a cluster that no longer exists {/* CUS-936 */}
  * Fixed topic action menus showing destructive options to users with read-only permissions {/* CUS-906 */}
  * Improved performance of `conduktor apply` when applying an `ApplicationInstance` containing many resources {/* CUS-937 */}

  <h2 id="security-advisories-v1-45-0">
    Security advisories
  </h2>

  ### CVE-2026-22016 — Java API for XML Processing (JAXP) component

  The Eclipse Temurin JDK 21 base image contains [CVE-2026-22016](https://nvd.nist.gov/vuln/detail/CVE-2026-22016), a vulnerability in the Java API for XML Processing (JAXP) component of Oracle Java SE. Exploitation requires the application to use JAXP APIs to process untrusted XML data. Conduktor products do not process XML through JAXP, so the vulnerability is not exploitable in our deployments.

  ### CVE-2026-34282 — Networking component

  The Eclipse Temurin JDK 21 base image contains [CVE-2026-34282](https://nvd.nist.gov/vuln/detail/CVE-2026-34282), a vulnerability in the Networking component of Oracle Java SE, allowing a denial of service attack. We will issue patched versions of our products once a fix is available upstream.
</Update>

<Update label="Gateway 3.19.0" description="2026-05-05" tags={["Gateway"]}>
  * [Breaking changes](#breaking-changes-v3-19-0)
    * [Removed Interceptors](#removed-interceptors-v3-19-0)
    * [Duplicate TLS domain names in the keystore](#duplicate-tls-domain-names-in-the-keystore-v3-19-0)
    * [Default for `GATEWAY_ACL_ENABLED` changed when no network configuration is set](#default-for-gateway_acl_enabled-changed-when-no-network-configuration-is-set-v3-19-0)
  * [New features](#new-features-v3-19-0)
    * [HAProxy Protocol support](#haproxy-protocol-support-v3-19-0)
    * [Plan feature coverage](#plan-feature-coverage-v3-19-0)
  * [Preview features](#preview-features-v3-19-0)
    * [Topic views (new)](#topic-views-v3-19-0)
    * [Topic ID support (new)](#topic-id-support-v3-19-0)
    * [Multi-listener (updates)](#multi-listener-updates-v3-19-0)
  * [Deprecated features](#deprecated-features-v3-19-0)
    * [Virtual SQL Topic Plugin](#virtual-sql-topic-plugin-v3-19-0)
  * [Coming in v3.20.0](#coming-in-v3-20-0)
  * [Quality of life improvements](#quality-of-life-improvements-v3-19-0)
    * [Faster bulk Interceptor apply](#faster-bulk-interceptor-apply-v3-19-0)
    * [Simplified Docker image build](#simplified-docker-image-build-v3-19-0)
  * [Fixes](#fixes-v3-19-0)
  * [Security advisories](#security-advisories-v3-19-0)

  <h2 id="breaking-changes-v3-19-0">
    Breaking changes
  </h2>

  <h3 id="removed-interceptors-v3-19-0">
    Removed Interceptors
  </h3>

  The following Interceptors were deprecated in [v3.16.0](/guide/release-notes#deprecated-features-v3-16-0) and have been removed in this release:

  Affected Interceptors:

  * `io.conduktor.gateway.interceptor.ProduceJsonataPlugin`
  * `io.conduktor.gateway.interceptor.FetchJsonataPlugin`
  * `io.conduktor.gateway.interceptor.FetchEncryptPlugin`
  * `io.conduktor.gateway.interceptor.FetchEncryptSchemaBasedPlugin`

  Any existing configurations using these plugins will fail to load after upgrading to v3.19.0. See [removed Interceptors](/guide/reference/removed-interceptors) for the original documentation.

  <h3 id="duplicate-tls-domain-names-in-the-keystore-v3-19-0">
    Duplicate TLS domain names in the keystore
  </h3>

  If the Gateway keystore had two or more private key entries whose certificates mapped to the same hostname (overlapping Subject Alternative Name (SAN) or Common Name (CN)), earlier versions kept one entry and ignored the other without reporting an error. From this release, Gateway **rejects** that configuration and fails to load TLS contexts. The error identifies the conflicting domain. Remove the duplicate key entry or give each entry distinct SANs or CNs so each hostname maps to one certificate.

  <h3 id="default-for-gateway_acl_enabled-changed-when-no-network-configuration-is-set-v3-19-0">
    Default for `GATEWAY_ACL_ENABLED` changed when no network configuration is set
  </h3>

  Without any networking configuration (see details below), `GATEWAY_ACL_ENABLED` now defaults to `false` regardless of the security mode inferred from the backing Kafka.
  This change is part of the new multi-listener configuration zero-config mode, which enables a quick way for developers to get started with Gateway without needing to set up a full network configuration.
  In this zero-config mode, Gateway assumes that ACLs are not needed and disables them by default for simplicity.

  Setting any of the following environment variables will keep the previous default behavior of `GATEWAY_ACL_ENABLED` (`true` for `GATEWAY_MANAGED`, `false` for `KAFKA_MANAGED`), ensuring no breaking changes for most production deployments:

  * `GATEWAY_SECURITY_PROTOCOL`
  * `GATEWAY_PORT_START`
  * `GATEWAY_PORT_COUNT`
  * `GATEWAY_BIND_HOST`
  * `GATEWAY_ADVERTISED_HOST`
  * `GATEWAY_ADVERTISED_SNI_PORT`
  * `GATEWAY_ROUTING_MECHANISM`
  * `GATEWAY_ADVERTISED_HOST_PREFIX`
  * `GATEWAY_SNI_HOST_SEPARATOR`
  * `GATEWAY_TENANT_IN_HOSTNAME`

  <h2 id="new-features-v3-19-0">
    New features
  </h2>

  <h3 id="haproxy-protocol-support-v3-19-0">
    HAProxy Protocol support
  </h3>

  Gateway now supports [HAProxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) if enabled by setting `GATEWAY_FEATURE_FLAGS_HAPROXY_PROTOCOL` to `true`.

  This allows it to know the original client IP address (that was replaced by the external load balancer's own IP address) and then use it in audit logs and error logs. Load balancers like HA Proxy or Nginx supports this protocol.

  [See the complete explanation about HAProxy Protocol](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/load-balancing#capturing-the-client-ip-address).

  <h3 id="plan-feature-coverage-v3-19-0">
    Plan feature coverage
  </h3>

  From v3.19.0, Gateway enforces that the features used by newly configured Interceptors are included in your license. The Admin API returns `403 Forbidden` when you create or update an Interceptor requiring a feature your license doesn't include, and the response identifies the feature.

  <h2 id="preview-features-v3-19-0">
    Preview features
  </h2>

  <h3 id="topic-views-v3-19-0">
    Topic views
  </h3>

  Topic views provide non-materialized views of physical Kafka topics, similar to database views. They apply transformations to records as they're consumed, without modifying the underlying data. In this tech preview, topic views support SQL-based filtering and projection on schema-less JSON. Topic views are an iteration on the SQL Topic Plugin, which is now deprecated.

  SQL `WHERE` clauses can filter on record keys, headers, partition, offset and timestamp

  [See the complete guide to topic views](/guide/conduktor-concepts/logical-topics#topic-views).

  <h3 id="topic-id-support-v3-19-0">
    Topic ID support
  </h3>

  The Gateway now supports topic-ID based Kafka protocol handling.

  Initial coverage is limited to the Fetch API. Previously, ApiVersions negotiation advertised Fetch up to v12 to force topic-name fetches; with this feature enabled, clients can negotiate Fetch v13 or higher.
  Additional APIs will land behind the same flag in upcoming releases.

  Opt in by setting feature flag via environment variable:

  `${GATEWAY_FEATURE_FLAGS_TOPIC_ID_SUPPORT=true}.`

  As this is a preview feature, we recommend enabling it only in non production environments.

  <h3 id="multi-listener-updates-v3-19-0">
    Multi-listener updates
  </h3>

  This release changes the behavior of the [multi-listener configuration (preview)](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/multiple-listeners):

  * **`GATEWAY_ACL_ENABLED` is now required**, alongside `GATEWAY_SECURITY_MODE`. Set it to `true` or `false` (typically `true` for `GATEWAY_MANAGED`, `false` for `KAFKA_MANAGED`).
  * **Per-listener SSL client authentication**: each listener can now have its own mTLS client authentication policy, set via `GATEWAY_LISTENER_<NAME>_SSL_CLIENT_AUTH`. The global `GATEWAY_SSL_CLIENT_AUTH` environment variable is ignored in multi-listener configuration.

  See [Configure multiple listeners](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/multiple-listeners) for details.

  <h2 id="deprecated-features-v3-19-0">
    Deprecated features
  </h2>

  <h3 id="virtual-sql-topic-plugin-v3-19-0">
    Virtual SQL Topic Plugin
  </h3>

  Deprecated in: `v3.19.0`
  Planned removal: `v3.22.0`
  Full plugin name: `io.conduktor.gateway.interceptor.VirtualSqlTopicPlugin`

  <Info>
    [Topic views](/guide/conduktor-concepts/logical-topics#topic-views) **(tech preview)** provide an SQL transformation option which will provide all of the functionality of the SQL Topic Plugin.
  </Info>

  ## Coming in v3.20.0

  **Internal Kafka client upgrade.** Gateway v3.20.0 will upgrade the internal Apache Kafka client from version 3.9 to version 4.0 or later. The upgrade drops support for early versions of some Kafka protocol API keys, but does not change the minimum Kafka broker version that Gateway supports. The change is expected to have low impact for most deployments.

  <h2 id="quality-of-life-improvements-v3-19-0">
    Quality of life improvements
  </h2>

  <h3 id="faster-bulk-interceptor-apply-v3-19-0">
    Faster bulk Interceptor apply
  </h3>

  Bulk Interceptor configuration updates through **`conduktor apply`** and the **Admin API** are **up to 10x faster with lower CPU use** than on **v3.18.x** when you apply many Interceptors in sequence. {/* CUS-902 */}

  <h3 id="simplified-docker-image-build-v3-19-0">
    Simplified Docker image build
  </h3>

  The Gateway Docker image is now built from a single `Dockerfile`, replacing the previous three-stage Maven/Jib pipeline. The runtime entrypoint and HEALTHCHECK behavior are unchanged.

  If you extend the Gateway image in your own Dockerfile (for example, `FROM conduktor/conduktor-gateway:3.18`), verify your custom build against 3.19.0, as the internal image layer structure differs from previous releases.

  <h2 id="fixes-v3-19-0">
    Fixes
  </h2>

  * The `/metrics` endpoint no longer issues blocking `listTopics` calls during scrapes, which could stall the HTTP event loop and cause health-check timeouts in constrained environments. {/* CUS-940 */}

  <h2 id="security-advisories-v3-19-0">
    Security advisories
  </h2>

  ### CVE-2026-22016 — Java API for XML Processing (JAXP) component

  The Eclipse Temurin JDK 21 base image contains [CVE-2026-22016](https://nvd.nist.gov/vuln/detail/CVE-2026-22016), a vulnerability in the Java API for XML Processing (JAXP) component of Oracle Java SE. Exploitation requires the application to use JAXP APIs to process untrusted XML data. Conduktor products do not process XML through JAXP, so the vulnerability is not exploitable in our deployments.

  ### CVE-2026-34282 — Networking component

  The Eclipse Temurin JDK 21 base image contains [CVE-2026-34282](https://nvd.nist.gov/vuln/detail/CVE-2026-34282), a vulnerability in the Networking component of Oracle Java SE, allowing a denial of service attack. We will issue patched versions of our products once a fix is available upstream.
</Update>

<Update label="Console 1.44.1" description="2026-03-26" tags={["Console"]}>
  ## Fixes v1.44.1

  * Fixed a bug where changing an ApplicationInstance resource's ownership mode deleted ACLs for the ApplicationInstance's service account. All customers using Self-service with limited ownership mode should upgrade to this patch release immediately.
  * Fixed an authentication issue that caused auto-restart jobs to fail for Connectors created using specific authentication mechanisms.
</Update>

<Update label="Console 1.44.0" description="2026-03-18" tags={["Console"]}>
  * [Breaking changes](#breaking-changes-v1-44-0)
    * [Minimum Gateway version](#minimum-gateway-version-v1-44-0)
  * [New and updated features](#new-and-updated-features-v1-44-0)
    * [Self-service](#self-service-v1-44-0)
    * [Insights](#insights-v1-44-0)
  * [Quality of life improvements](#quality-of-life-improvements-v1-44-0)
  * [Fixes](#fixes-v1-44-0)

  ## Breaking changes v1.44.0

  ### Minimum Gateway version v1.44.0

  Console 1.44.0 has migrated from Gateway v1 APIs to v2 APIs. This requires **Gateway 3.12.0 or later**.

  #### You're impacted if

  You are running a Gateway version older than 3.12.0 alongside Console.

  #### Do you have to do anything?

  Upgrade Gateway to 3.12.0 or later before upgrading to Console 1.44.0.

  Gateway v1 API support will be removed in an upcoming Gateway release. Console versions prior to 1.44.0 will not be compatible with that Gateway release - upgrade Console first.

  ## New and updated features v1.44.0

  ### Self-service v1.44.0

  #### Topic prefix support

  Self-service now supports requesting and granting access to topic prefixes through the Console UI. This feature enables teams to manage permissions for multiple topics that share a common prefix, streamlining access management for applications that work with groups of related topics.

  To use this feature, navigate to **Application Catalog** > **Application** > select the **Application Instance** you want to request access from > **Ownership** section of the Application Instance. From there, you can request access to topic prefixes in addition to individual topics.

  #### Transactional ID resources

  Self-service now supports TRANSACTIONAL\_ID resources for ApplicationInstances and application-managed service accounts, enabling teams to manage transactional IDs as part of their application resources.

  TRANSACTIONAL\_ID resources support the standard ACL operations (Write and Describe). For Confluent Cloud clusters with role bindings enabled, DeveloperRead and DeveloperWrite role bindings are automatically created.

  This enhancement allows applications using transactional Kafka producers to provision and manage their transactional IDs through Self-service. [See the Self-service reference documentation](/guide/reference/self-service-reference) for configuration examples.

  ### Insights v1.44.0

  #### RBAC Aware

  Insights are now available for all teams using Console. Access is based on the RBAC setup, a user can see insights for the topics where they have permission to view or edit the topic configuration.

  #### Focus and Filtering

  To provide a more focussed experience when viewing Insights the views have been expanded out into dedicated pages for risks, costs and VIP topics. Across all of these areas the ability to filter the information shown has also been extended, with each view now being filterable by topic name patterns and by the Self-service application owning the resources.

  These changes allow specific areas of interest of ownership to be analysed, while still providing a high level overview of system health.

  ## Quality of life improvements v1.44.0

  * Support for Confluent Platform proprietary topic configuration keys when creating topics through the UI and CLI for clusters configured with Confluent Platform as the provider.
  * Optimized subject search to be more efficient. {/* CUS-899 */}
  * Added a **Bytes as text** toggle in topic message details to decode base64-encoded bytes fields as readable UTF-8 text. {/* CUS-881 */}
  * Platform teams can now configure a default number of partitions for topic creation, and custom URLs for the **Support** and **Feedback** links in Console. See [UI settings properties](/guide/conduktor-in-production/deploy-artifacts/deploy-console/environment-variables#ui-settings-properties) for details. {/* PROD-55 */}

  ## Fixes v1.44.0

  * Producing Protobuf messages no longer fails when schema references have path-like subject names (e.g., `org/conduktor/test/schema.proto`). {/* CUS-827 */}
  * CSV import now detects the topic's schema format (Avro, JSON Schema, Protobuf) and pre-selects the matching serializer, instead of defaulting to String/JSON. {/* CUS-643 */}
  * Fixed consumer group lag being incorrectly reported as a negative value. {/* CUS-900 */}
  * Fixed consumer group indexing timeout on large clusters when multiple groups share the same topic-partition. {/* CUS-888 */}
  * Fixed an out-of-memory error when indexing clusters with 100K+ consumer group assignments while handling concurrent API requests. {/* CUS-889 */}
  * Fixed message reprocess issue when the payload is large. {/* CUS-667 */}
  * Fixed message reprocess issue when the payload contains NaN value. {/* CUS-491 */}
  * Fixed an issue with schema actions menu being hidden when the schema is in indexing state. {/* CUS-598 */}
  * Fixed scroll bar overlap in the Produce Message panel when all sections are expanded. {/* CUS-742 */}
  * Fixed LDAP authentication failing when group mappings are configured (regression in 1.43.0). {/* CUS-904 */}
  * Fixed Confluent Cloud metrics indexing failing when the telemetry API is accessed through an outbound proxy. {/* CUS-893 */}
  * Fixed Kafka Connect returning 400 errors when accessed through AWS load balancers due to HTTP/2 upgrade headers. {/* CUS-887 */}
  * Fixed message reprocessing failing for Avro messages with timestamp logical types. {/* CUS-702 */}
</Update>

<Update label="Gateway 3.18.0" description="2026-03-18" tags={["Gateway"]}>
  * [Breaking changes](#breaking-changes-v3-18-0)
    * [License key required to start Gateway](#license-key-required-to-start-gateway)
    * [External storage option removed from encryption Interceptors](#removed-external-storage-option-from-encryption-interceptor)
  * [New features](#new-features-v3-18-0)
    * [Multiple listeners (preview)](#multiple-listeners-preview)
    * [Message integrity Interceptor](#message-integrity-interceptor)
  * [Deprecated features](#deprecated-features-v3-18-0)
    * [Gateway metrics](#gateway-metrics-deprecated-in-v3-18-0)
    * [Large batch handling plugin](#large-batch-handling-plugin)
  * [Fixes](#fixes-v3-18-0)

  ## Breaking changes v3.18.0

  ### License key required to start Gateway

  From v3.18.0, Gateway will only start if a valid license is provided. If you're already using a license, no changes are required.

  If you'd like to trial Gateway, [contact us](https://www.conduktor.io/contact).

  Once you've migrated to Gateway v3.18.0, you can remove the license topic `_conduktor_gateway_license` or `_conduktor_${GATEWAY_CLUSTER_ID}_license` from your Kafka cluster.

  ### Removed external storage option from encryption interceptor

  The deprecated `externalStorage` configuration parameter has been removed from encryption Interceptors (`EncryptPlugin`, `FetchEncryptPlugin`, `EncryptSchemaBasedPlugin`, `FetchEncryptSchemaBasedPlugin`).

  **Impact:**

  * Interceptor configurations containing `externalStorage: true` will fail to load
  * Messages encrypted with external storage mode cannot be decrypted after upgrading
  * The `GATEWAY_ENCRYPTION_CONFIGS_TOPIC` environment variable is no longer used
  * The `_conduktor_gateway_encryption_configs` Kafka topic is no longer managed by Gateway

  **Does it affect me?**
  Yes, if you're using `externalStorage: true`.

  **If you haven't migrated yet**
  Messages encrypted with external storage mode can't be decrypted after upgrading to v3.18.0.

  You should:

  * either downgrade to a version before 3.18.0, decrypt affected data and then re-encrypt using the default header-based storage before upgrading;
  * or accept that previously encrypted data using the external storage will no longer be decryptable.

  **After migrating or if you have no data to recover:**

  1. Remove the `externalStorage` field from your Interceptor configurations.
  2. Optionally delete the orphaned `_conduktor_gateway_encryption_configs` topic.
     [Find out more about encryption configuration](/guide/reference/data-security#encryption-configuration).

  ## New features v3.18.0

  * [Multiple listeners (preview)](#multiple-listeners-preview)
  * [Message integrity Interceptor](#message-integrity-interceptor)

  ### Multiple listeners (preview)

  Gateway now supports multiple listeners, allowing you to expose different network endpoints with independent security protocols, routing strategies and network bindings.
  This is a preview feature and is subject to change.

  Configure listeners using the new `GATEWAY_LISTENER_<NAME>_*` environment variables:

  ```bash theme={null} theme={null}
  GATEWAY_SECURITY_MODE=GATEWAY_MANAGED

  # External listener - encrypted with authentication
  GATEWAY_LISTENER_EXTERNAL_SECURITY_PROTOCOL=SASL_SSL
  GATEWAY_LISTENER_EXTERNAL_ROUTING=sni
  GATEWAY_LISTENER_EXTERNAL_PORTS=9092
  GATEWAY_LISTENER_EXTERNAL_ADVERTISED_HOST_PATTERN=broker-{{physicalCluster}}-{{nodeId}}.kafka.example.com

  # Internal listener - plaintext for internal services
  GATEWAY_LISTENER_INTERNAL_SECURITY_PROTOCOL=PLAINTEXT
  GATEWAY_LISTENER_INTERNAL_ROUTING=port
  GATEWAY_LISTENER_INTERNAL_PORTS=19092-19095
  GATEWAY_LISTENER_INTERNAL_ADVERTISED_HOST=gateway.internal
  ```

  [See the complete guide to configure listeners](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/multiple-listeners).

  ### Message integrity Interceptor

  The message integrity Interceptor lets you sign Kafka records on produce and verify them on fetch so consumers can detect if a record was modified after it was produced. Two plugins work together: **ProduceIntegrityPolicyPlugin** (signs with HMAC-SHA256 via Tink) and **FetchIntegrityPolicyPlugin** (verifies and drops or allows records by policy). Signing keys are stored in HashiCorp Vault KV v2 and cached locally; credentials are taken from the Interceptor config (including `${VAR}` placeholders).

  See [Data security](/guide/reference/data-security#message-integrity-interceptor) for configuration, Vault auth types, and key setup.

  ## Deprecated features v3.18.0

  ### Gateway metrics deprecated in v3.18.0

  The following three metrics are being deprecated in v3.18.0 and we plan to remove them completely in v3.21.0:

  * `gateway_upstream_connections_downstream`

  #### Does this affect me?

  Yes, if you're using this metric. Check your Grafana dashboards and alerting rules for references to it.

  If you have any:

  * remove all references to the metric.
  * replace them with `gateway_active_connections_vcluster` to monitor active connections per Virtual Cluster.

  ### Large batch handling plugin

  Deprecated in: `v3.18.0`
  Planned removal: `v3.21.0`
  Affected Interceptors:

  * `io.conduktor.gateway.interceptor.LargeBatchHandlingPlugin`

  ## Fixes v3.18.0

  * Improved the masking of secrets across the codebase in case they are ever serialized in logs in the future.
  * Fixed the OpenAPI specification, so `UpsertResult` enum values are correctly defined as strings, not empty object types. {/* CUS-879 */}
  * Added a timeout to `await()` operations during shutdown to prevent the process from hanging indefinitely. {/* CUS-901 */}
  * Changed the readiness probe to fail during shutdown to prevent the pod from receiving traffic. {/* CUS-901 */}
  * Fixed an issue where TLS connections mid-handshake were not closed properly during shutdown. {/* CUS-898 */}
  * Fixed an issue where the Vault connection intermittently reported an `invalid token` error. {/* CUS-897 */}
  * Large message Interceptor: added **disableChecksums** option in S3 config for S3-compatible storage (MinIO, NetApp ONTAP). When set to **true**, the SDK uses a checksum format that these backends accept. Otherwise, the uploads can fail because the default checksum is not accepted. [Find out more about configuring S3](/guide/use-cases/manage-large-messages#amazon-s3). {/* CUS-876 */}
  * Fixed a bug in the ReadOnlyTopic safeguard policy THROTTLE action.
  * Improved performance of Gateway when field-level encryption is configured by doing encryption work on separate thread pool.
  * Improved performance of field-level encryption by processing partitions in parallel.
  * Fixed default Docker healthcheck (e.g. Docker Compose environments).
  * Optimized the keep alive re-auth of Fortanix KMS connections with a dynamic refresh mechanism and use of the `refresh()` API call. {/* CUS-885 */}
  * Gateway's Vert.x-based admin API server now explicitly disables HTTP/2 cleartext upgrades on the admin API listener and responds over HTTP/1.1
</Update>

<Update label="Console 1.43.3" description="2026-03-11" tags={["Console"]}>
  ## Fixes v1.43.3

  * Fixed an issue where navigation failed when Console was configured with a custom base path.
  * Fixed an issue where logging output was too verbose.
  * Updated the base image to include upstream patches for CVE-2026-24308 and CVE-2026-29062.
</Update>

<Update label="Console 1.43.2" description="2026-02-27" tags={["Console"]}>
  ## Fixes v1.43.2

  * Reduced memory usage and improved performance of the Consumer Group Indexer task.
  * Fixed an issue where the "Create Connector" button was not displayed for users with permission to create connectors.
</Update>

<Update label="Gateway 3.17.2" description="2026-02-19" tags={["Gateway"]}>
  ## Fixes v3.17.2

  * Disabled topic ID support to resolve a known issue. This will be re-enabled in a future release once the issue is resolved.
</Update>

<Update label="Console 1.43.1" description="2026-02-16" tags={["Console"]}>
  ## Fixes v1.43.1

  * Reduced the risk of sensitive information appearing in logs when Console is configured to log at DEBUG level.
  * Fixed an issue where some identity pools in the service account UI failed to retrieve identity pool information correctly.
</Update>

<Update label="Console 1.43.0" description="2026-02-11" tags={["Console"]}>
  * Conduktor Scale:
    * [Community Edition](#community-edition)
  * [Quality of life improvements](#quality-of-life-improvements-v1-43-0)
  * [Fixes](#fixes-v1-43-0)
  * [Upcoming changes: deprecation notice for Self-service topic policies](#upcoming-deprecation-notice-v1-43-0)

  ## Conduktor Scale

  ### Community Edition

  We've overhauled our free license. If you're currently using it, the changes will only be applied when you upgrade to Console v1.43.0.

  [Find out more about the Community Edition](/guide/conduktor-in-production/manage-licenses/community-edition).

  ## Quality of life improvements v1.43.0

  * Added support for Boolean, Short, Int and UUID format types when producing and consuming topic messages.
  * Kafka Connect UI now enforces RBAC permissions and hides actions the user is not permitted to perform.
  * Moved the MCP navigation link to the **Settings** page to reduce the number of items in the main menu.
  * Added support for managing Kafka Connect connector resource policies in the UI.
  * Improved the Topic consume page to return more explicit errors and to include a retry option.
  * Added a new `Kafka.ConsumerGroup.Create` event type that tracks consumer group creation events in the audit log.
  * Added a public API endpoint to manage Kafka Connect connectors' auto-restart.

  ## Fixes v1.43.0

  * The **Request access** button in the Topic Catalog is now disabled when the user doesn't own any applications.
  * After deleting a cluster, the deletion dialog now closes and cluster list is refreshed.
  * Alert history now shows correct time ranges for 1D/7D/30D views and accurate tooltip dates spanning midnight.
  * The Reset Offset and Add Partitions drawers now stay open as expected on Firefox ESR.
  * The `CDK_DATAPOLICY_DISABLEKEYMASKING` setting now correctly disables key masking in data policies.
  * Exporting large topic messages (over 100 KB) now includes the full message content instead of empty values.
  * Connector auto-restart settings are no longer unexpectedly disabled when connectors are temporarily unavailable.

  ## Upcoming deprecation notice v1.43.0

  Self-service topic policies will be deprecated in Console v1.46.0. We recommend that you **convert all your existing topic policies to resource policies** as soon as possible. The resource policies have feature parity with the legacy topic policies.

  Use the Console UI to do this easily: go to **Settings** > **Policies migration**.
</Update>

<Update label="Gateway 3.17.1" description="2026-02-10" tags={["Gateway"]}>
  <Warning>
    **Do not upgrade to Gateway 3.17.1.** This version contains a known issue related to topic ID support. We recommend staying on your current version and upgrading directly to Gateway 3.17.2 when it becomes available.
  </Warning>

  ## Fixes v3.17.1

  * Fixed a bug where consumer group names and transaction IDs containing colons caused an error in the Virtual Cluster passthrough mode.
  * Fixed `DescribeGroups` returning incorrect *groupInstanceId* in the multi-tenant mode.
</Update>

<Update label="Console 1.42.0" description="2026-01-29" tags={["Console"]}>
  * Conduktor Scale:
    * [Chargeback without Gateway](#chargeback-without-gateway)
    * [Insights filtering and sorting](#insights-filtering-and-sorting)
    * [Cluster-wide resource policies](#cluster-wide-resource-policies)
  * [Quality of life improvements](#quality-of-life-improvements-v1-42-0)
  * [Fixes](#fixes-v1-42-0)

  ## Conduktor Scale

  ### Chargeback without Gateway

  This Console version introduces new Chargeback capabilities that do not require Gateway. Metrics and costs can be viewed by application, application instance and topic.

  [Find out more about Chargeback without Gateway](/guide/use-cases/chargeback-without-gateway).

  ### Insights filtering and sorting

  The Insights dashboard now offers enhanced filtering, sorting and search capabilities:

  * **Global filtering** - filter all Insights data by label or topic type (internal, streams, user). Click any label in a table to apply it as a filter.
  * **Sorting and searching** - tables in risk analysis, VIP topics and governance sections now support column sorting and search.
  * **Topic classification** - topic type labels are now shown alongside custom labels for easier identification.
  * **Filtered exports** - when filters are applied, exported CSV files include a **-filtered** suffix and contain only the filtered data.

  [Find out more about Insights filtering](/guide/insights#filter-data).

  ### Cluster wide resource policies

  Platform teams can now enforce resource policies at the cluster level, ensuring that all your Kafka resources follow the best practices across the entire platform.

  With cluster-wide policies, you can set standards across all the resources for replication factor, minimum in-sync replicas, schema restrictions and much more, without having to specify them individually for each application.

  #### New resource policies page

  The new **Resource policies** page replaces the **Topic Policies** page and provides a centralized view of all the policies with enhanced filtering and navigation.

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/conduktor/images/changelog/platform/v42/resource-policies-page.png" alt="Resource Policies Page" />

  View policies defined at any level: cluster, application or application instance and see what resources they've been applied to.

  To create or edit a resource policy, use the [Conduktor CLI](/guide/conduktor-in-production/automate/cli-automation).

  ## Quality of life improvements v1.42.0

  * Added support for optional basic auth for the metric scraping endpoints (`/api/monitoring/metrics` and `/monitoring/metrics/`). To configure, use `CDK_MONITORING_BASICAUTH_EMAIL` and `CDK_MONITORING_BASICAUTH_PASSWORD`. [Find out more](/guide/conduktor-in-production/deploy-artifacts/deploy-external-monitoring#basic-auth-for-metrics-scraping).
  * Sensitive information such as passwords, tokens, keys and secrets are now redacted in audit logs.
  * Made a number of visual improvements to the topic consume message drawer
  * Added support for [environment variables in webhook alert configurations](/guide/monitor-brokers-apps/alerts#using-environment-variables-in-webhooks), allowing secrets to be injected securely using `{{env.*}}` syntax (for environment variables prefixed with `CDK_WEBHOOK_`, with the prefix stripped).
  * Added [basic authentication support](/guide/conduktor-in-production/deploy-artifacts/deploy-console/environment-variables#monitoring-properties) for outbound Prometheus/Cortex/Mimir queries via the `monitoring.prometheus-auth` configuration.
  * Added a new consumer value format `SchemaRegistry` to prevent a poison pill when the first record(s) are not in the expected format.
  * Refactored topic indexing to reduce memory consumption and remove hard-coded timeout for retrieving offsets.
  * Refactored consumer group indexing to reduce the number of queries to the database.
  * Cluster selection menu moved to the top of the page for better user experience.

  ## Fixes v1.42.0

  * Fixed Reset Topics functionality for some Kafka Connect servers where topics weren't being correctly refreshed.
  * Fixed a bug where identity providers for Confluent Cloud weren't displaying all known identity providers in the Service Accounts UI.
  * Fixed override of `CDK_GLOBAL_JAVA_OPTS` environment variable that was not working as expected.
  * Fixed an error that occurred when Confluent CLI applied new subject with `--dry-run`.
  * Fixed the group v2 API to include ksqlDB permissions in the response.
  * Fixed performance regression on the group v2 API
  * Exporting large topic messages no longer results in empty values for truncated data.
  * Improved login performance for LDAP users with many groups.
  * Changed the topic list implementation to query the database instead of kafka, allowing a much faster response.
  * The logical connector ID is now displayed for Confluent Cloud managed connectors.
  * Fixed ksqlDB custom headers not being applied, which prevented combining mTLS authentication with Basic Auth headers.
  * Fixed AWS Glue schema ID display in consumed messages - UUID-based schema IDs are now handled correctly without causing errors.
  * Added configuration of PKCE method for better support of OIDC providers.
</Update>

<Update label="Gateway 3.17.0" description="2026-01-29" tags={["Gateway"]}>
  <Warning>
    **Do not upgrade to Gateway 3.17.0.** This version contains a known issue related to topic ID support. We recommend staying on your current version and upgrading directly to Gateway 3.17.2 when it becomes available.
  </Warning>

  * New features
    * [Support for tokenization and Vault Transform Secrets Engine](#support-for-vault-transform-secrets-engine)
    * [Customize low level network configuration](#low-level-network-configuration)
  * Deprecated features:
    * [Filtering topics with CEL](#filtering-topics-with-cel)
  * [Fixes](#fixes-v3-17-0)
  * [Quality of life improvements](#quality-of-life-improvements-v3-17-0)

  ## New features

  ### Support for Vault Transform Secrets Engine

  Gateway's encryption/decryption Interceptors now support the Vault [Transform Secrets Engine](https://developer.hashicorp.com/vault/docs/secrets/transform) in addition to the default [Transit Secrets Engine](https://developer.hashicorp.com/vault/docs/secrets/transit).

  This means that Gateway now provides an alternative method for protecting sensitive data in Kafka messages: **tokenization** and **format-preserving encryption**:

  * tokenization: sensitive data is replaced with tokens that are deterministically generated when the same key is used, while also storing the original values securely in HashiCorp Vault's transform secrets engine.
  * format-preserving encryption: data is still encrypted but the format and length of the original field data is preserved.

  To configure this, use the existing encryption Interceptors (`EncryptPlugin`, `DecryptPlugin`, etc.).

  Simply specify a `vault-transform://` prefix in your `keySecretId` (e.g. `vault-transform://my-role`).

  [Find out more about Vault KMS configuration](/guide/reference/data-security#vault-kms).

  ### Low level network configuration

  Added the ability to customize some of the [low level network configuration](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#low-level-network-configuration).

  ## Deprecated features v3.17.0

  ### Filtering topics with CEL

  Deprecated in: `v3.17.0`
  Planned removal: `v3.20.0`
  Full plugin name: - `io.conduktor.gateway.interceptor.CelTopicPlugin`

  <Info>
    [Topic views](/guide/conduktor-concepts/logical-topics#topic-views) **(tech preview)** provide an will provide a CEL transformation option in a future release which will provide all of the functionality of the CEL Topic Plugin.
  </Info>

  ## Fixes v3.17.0

  * If [Confluent Cloud Principal Resolver](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#principal-resolver) is configured, the Confluent Cloud API Secret is now masked.
  * Fixed a bug causing duplicate broker connections and incorrect client disconnections.
  * Fixed FindCoordinator to preserve all Kafka error codes instead of incorrectly converting them to `COORDINATOR_NOT_AVAILABLE`, ensuring clients receive accurate error information from Kafka.
  * Fixed Fetch v16 response handling to prevent invalid MessageSetSize errors

  ## Quality of life improvements v3.17.0

  * General improvements to log messages for better readability and clarity.
  * Adjusted log level for better operational visibility.
</Update>

<Update label="Console 1.41.0" description="2025-12-12" tags={["Console"]}>
  * [Breaking changes](#breaking-changes-v1-41-0)
  * Conduktor Scale:
    * [MCP server](#mcp-server)
    * [Chargeback without Gateway](#chargeback-without-gateway)
    * [Configurable context path](#configurable-context-path)
    * [Key masking in data policies](#key-masking-in-data-policies-can-be-disabled)
  * [Conduktor Shield](#conduktor-shield)
  * [Conduktor Trust](#conduktor-trust)
  * [Quality of life improvements](#quality-of-life-improvements-v1-41-0)
  * [Fixes](#fixes-v1-41-0)

  ## Breaking changes v1.41.0

  If you currently use Chargeback, please note that we have folded this into a broader Chargeback feature, including costs based on topic storage and partitions.
  To continue to use the existing feature you will need to set an environment variable, documented [here](/guide/tutorials/configure-chargeback-with-gateway#prerequisites).

  This will also enable the [new Chargeback functionality](#chargeback-without-gateway) that does not depend upon Gateway.

  ## Conduktor Scale

  ### MCP server

  <Check>
    **Preview functionality:** This is currently a preview feature and is subject to change as we continue working on it.
  </Check>

  Console now provides a set of MCP tools for exploring and analyzing your Kafka clusters with an AI assistant. These tools cover access to information on clusters, topics, schemas and consumer groups - as well as access to the new [Insights feature](/guide/insights).

  [Find out more about Console MCP](/guide/conduktor-in-production/automate/mcp).

  ### Chargeback without Gateway

  This Console version introduces Chargeback for storage and partitions which allows tracking of byte and partition usage across clusters.

  It works directly with Console's metadata indexer - there's no need to set up or maintain Gateway.

  You can:

  * track costs based on storage consumption (byte-hours) and partition counts (partition-hours) per topic,
  * view costs aggregated by day or month, with percentage attribution showing each cluster's contribution to total spend,
  * set cost rates per cluster for both storage and partitions,
  * see overall costs, storage-only costs, or partition-only costs.

  [Use Chargeback without Gateway](/guide/use-cases/chargeback-without-gateway).

  ### Configurable context path

  Console now supports context path configuration for deployments such as `https://company.com/conduktor`. This is especially useful for restricted Kubernetes environments with ingress controllers. [Find out how to deploy with a context path](/guide/conduktor-in-production/deploy-artifacts/deploy-console/kubernetes#deploy-console-with-a-context-path).

  ### Key masking in data policies can be disabled

  Data masking policies for keys that are not JSON or schema-based can be disabled.

  [Find out about data policy properties](/guide/conduktor-in-production/deploy-artifacts/deploy-console/environment-variables#data-policy-properties).

  ## Conduktor Trust

  Added onboarding banners to the Rules and Policies pages to help users get started with data quality.

  The banners will disappear as soon as you create your first Rule or Policy.

  [Find out about data quality](/guide/conduktor-concepts/data-quality-policies).

  ## Quality of life improvements v1.41.0

  * Refactored topic and consumer group indexing tasks to reduce load on Kafka clusters and improve CPU and memory usage. Timeouts may need to be adjusted to align with the updated duration of these indexing tasks.
  * Added usage data to help admins track Console usage and monitor license utilization. Admins can view active users, see Self-service applications and instances, access requests, view total Partner Zones and shared topics across three time periods: last 30 days, current month and the last 12 months. This feature includes a monthly trends graph and CSV export for offline analysis. Historical data builds up over time as Console collects usage metrics.
    [Find out more about usage data](/guide/conduktor-in-production/manage-licenses/console#track-console-usage).
  * The consumer group offset lag graph previously displayed the *max* offset lag value, but has been adjusted to display the *sum* value to correspond with its alerting behaviour.

  ### Fixes v1.41.0

  * Resolved IO exceptions that were happening for customers with long-running queries.
  * Improved performance of Insights data collection by 2-3x through various optimizations, reducing resource usage and speeding up metrics gathering.
  * Adjusted default Insights refresh frequency from 5 minutes to 15 minutes, freeing up system resources.
  * ksqlDB server configuration now accepts the authorization HTTP header, allowing you to use both SSL and basic authentication.
  * Added configuration option to disable data masking on record keys, allowing you to see and filter by keys that are not structured data.
  * Self-service RBAC operations now happen in a single transaction, preventing incomplete object creation when deploying via CI/CD.
  * Conduktor CLI dry-run mode now correctly reports `NotChanged` when there are no actual changes to Self-service application resources.
</Update>

<Update label="Gateway 3.16.0" description="2025-12-12" tags={["Gateway"]}>
  * Breaking changes:
    * [Metric 'gateway\_license\_remaining\_days' is now a positive number](#the-metric-gateway-license-remaining-days-is-now-a-positive-number)
  * New features:
    * [New v2 APIs for clusters](#new-v2-apis-for-clusters)
    * [Added support for Fortanix KMS](#support-for-fortanix-kms)
  * Deprecated features:
    * [Fetch encryption Interceptors](#fetch-encryption-interceptors)
    * [JSONata transformer Interceptors](#jjsonata-transformer-interceptors)
    * [The GATEWAY\_INTERCEPTOR\_CONFIG\_LOCATION environment variable](#the-gateway-interceptor-config-location-environment-variable)
    * [Delegated security modes](#delegated-security-modes)
  * [Fixes](#fixes-v3-16-0)

  ## Breaking changes

  ### The metric `gateway_license_remaining_days` is now a positive number

  If you have set up any alerts on the metric `gateway_license_remaining_days` in your own monitoring stack, please check them prior to this release.
  The metric was incorrectly reporting a negative number when time remained on the license, and this has now been corrected.

  ## New features

  ### New v2 APIs for clusters

  The v2 API now supports cluster switching operations and retrieving physical cluster connection configurations.

  A new endpoint `v2/cluster-switching/check` is available to check which physical cluster is currently active (main or failover).

  [Check out the Gateway v2 API reference for more details](https://developers.conduktor.io/?product=gateway\&version=3.16.0\&gatewayApiVersion=v2).

  ### Support for Fortanix KMS

  Gateway now supports field-level and full payload encryption/decryption using Fortanix Data Security Manager (DSM) as the Key Management Service (KMS). This integration enables secure encryption of Kafka messages with keys managed by Fortanix. [Find out how to configure Fortanix KMS](/guide/reference/data-security#fortanix-kms).

  ## Deprecated features v3.16.0

  ### Fetch encryption Interceptors

  Deprecated in: `v3.16.0`
  Planned removal: `v3.19.0`
  Affected Interceptors:

  * `io.conduktor.gateway.interceptor.FetchEncryptPlugin`
  * `io.conduktor.gateway.interceptor.FetchEncryptSchemaBasedPlugin`

  These Interceptors provided encryption of data during fetch/consume operations, even though data stored in Kafka was not encrypted.

  We recommend creating [data masking policies](/guide/conduktor-in-production/admin/data-masking) instead.

  ### JSONata transformer Interceptors

  Deprecated in: `v3.16.0`
  Planned removal: `v3.19.0`
  Affected Interceptors:

  * `io.conduktor.gateway.interceptor.FetchJsonataPlugin`
  * `io.conduktor.gateway.interceptor.ProduceJsonataPlugin`

  These Interceptors allowed transformation of message data using JSONata expressions on both produce and fetch operations.

  ### The GATEWAY\_INTERCEPTOR\_CONFIG\_LOCATION environment variable

  Deprecated in: `v3.16.0`
  Planned removal: `v3.19.0`

  This variable allowed users to configure global Interceptors by pointing to a configuration file location.

  We recommend using Gitops tooling instead.

  ### Delegated security modes

  Deprecated in: `v3.10.0`
  Planned removal: `v3.19.0`

  We'll remove support for delegated security modes in v3.19.0. Currently, we support backwards compatibility for configurations using `DELEGATED_XXX` environment variables.

  If you're still using these, you should migrate to the `GATEWAY_SECURITY_MODE`. [Check out the migration guide](/guide/tutorials/migrate-gateway-security).

  ## Fixes v3.16.0

  * The metric `gateway_license_remaining_days` is now a positive number when there is time remaining on the license, instead of negative.
  * Gateway now preserves upstream Kafka errors in metadata responses instead of unconditionally overwriting them with unknown topic errors, allowing clients to see the actual error from Kafka.
  * Data masking now gracefully skips records with full payload encryption headers, preventing errors when both Interceptors are applied to the same topic. This applies when using header-based encryption storage (`externalStorage: false` which is the default).
</Update>

<Update label="Console 1.40.0" description="2025-11-17" tags={["Console"]}>
  * Conduktor Exchange:
    * [Breaking changes - Partner Zone PENDING status](#breaking-changes---partner-zone-pending-status)
  * Conduktor Scale:
    * [SSO login](#sso-login)
    * [Enhanced login and onboarding experience](#enhanced-login-and-onboarding-experience)
    * [Added size information for Confluent Cloud topics](#topic-size-information-for-confluent-cloud-topics)
  * [Quality of life improvements](#quality-of-life-improvements-v1-40-0)
  * [Fixes](#fixes-v1-40-0)

  ## Breaking changes - Partner Zone PENDING status

  The `PENDING` status has been replaced with:

  * `PENDING_CREATE` on initial creation
  * `PENDING_UPDATE` on subsequent updates

  No action is required - existing Partner Zones will be automatically migrated to `PENDING_UPDATE`.

  The Partner Zone status appears only in the API responses and will not have impact on usage of the CLI.

  ## Conduktor Scale

  ### SSO login

  Console now supports browser-based Single Sign-On (SSO) with external JWT tokens. Once users are authenticated to their organization's Identity Provider, they are also automatically logged in to Console.

  This feature supports organizations that require centralized authentication management and provides a seamless single sign-on experience across applications.

  [Find out more about configuring browser-based SSO with external JWT tokens](/guide/conduktor-in-production/admin/user-access/delegated-jwt-authentication#browser-based-sso-with-external-jwt).

  ### Enhanced login and onboarding experience

  The login and onboarding experience has been redesigned with a modern, streamlined interface. The updated design improves visual consistency, enhances usability, and provides a more intuitive user experience for both new and returning users.

  ### Topic size information for Confluent Cloud topics

  We now support showing Confluent Cloud topic sizes (storage in bytes) throughout the product.

  To enable visibility of topic storage information for Confluent Cloud clusters, you have to configure the Confluent Cloud provider and [add a Confluent Cloud API key with the MetricsViewer role](/guide/manage-kafka/kafka-resources/service-accounts-acls#confluent-cloud).

  ## Quality of life improvements v1.40.0

  * Improved Insights dashboard user experience with enhanced usability and navigation.
  * CSV export of Insights data now supports zip compression for easier file management.
  * Labels filter dropdown now supports search functionality for easier label selection.
  * Improved navigation in Topic Catalog with clickable links to the application, instance, and owner group.
  * Added `database.options` and `kafka_sql.database.options` configuration to pass any valid JDBC or Hikari options, as an alternative to `database.url` and `kafka_sql.database.url`, respectively. [Find out more about Console database properties](/guide/conduktor-in-production/deploy-artifacts/deploy-console/environment-variables#database-properties).
  * We have added the new metric `console_license_remaining_days` which can be used to monitor the remaining days on your console license.
    * [Check out the metrics reference for a full list of available metrics.](/guide/reference/metric-reference)

  ## Fixes v1.40.0

  * The connector form didn't update when switching connector type during creation. This has now been resolved.
  * Duplicate operationId values in the OpenAPI specification prevented code generation with openapi-generator-cli. The specification has been corrected.
  * The Group API returned an error when KsqlDB permission was added. This error has been resolved.
  * After upgrading to 1.38, users with permissions on all clusters lost menu visibility of brokers and service accounts entries. This visibility issue has been resolved.
  * Creating topics sometimes showed misleading error messages when redirecting before indexing completed. These messages are now accurate.
  * Metrics didn't display in large clusters due to timeout errors when fetching topic offsets. This timeout issue has been resolved.
  * Database indexing failed after PostgreSQL restarts. Connection resilience has been improved with the new `database.options` configuration.
  * Resolved migration issue that could affect customers using more than one subject naming strategy when upgrading from 1.38 to 1.39
</Update>

<Update label="Gateway 3.15.0" description="2025-11-17" tags={["Gateway"]}>
  * [Breaking changes](#breaking-changes-v3-15-0)
    * [Block admin operation APIs](#block-admin-operation-apis)
    * [Deprecating v1 APIs](#deprecating-v1-apis)
    * [The externalStorage option in encryption Interceptors is deprecated](#the-externalstorage-option-in-encryption-interceptors-is-deprecated)
  * [Fixes](#fixes-v3-15-0)
  * [Quality of life improvements](#quality-of-life-improvements-v3-15-0)

  ## Breaking changes v3.15.0

  ### Block admin operation APIs

  This release blocks 15 low-level admin operation APIs that should be executed directly on the underlying Kafka cluster rather than through Gateway. These APIs have been reclassified from passthrough-supported to stability-blocked.

  **Why this change?**
  The low-level admin operations do not align with Gateway's security controls and must be performed through direct cluster access.

  **How to know if you're impacted:**

  * Before upgrading, review your applications and scripts to identify any code using these APIs through Gateway.
  * After upgrading:
    * Monitor your logs for errors related to: `ALTER_REPLICA_LOG_DIRS`, `ELECT_LEADERS`, `ALTER_PARTITION_REASSIGNMENTS`, `LIST_PARTITION_REASSIGNMENTS`, `ALTER_PARTITION`, `ALLOCATE_PRODUCER_IDS`, `CREATE_DELEGATION_TOKEN`, `RENEW_DELEGATION_TOKEN`, `EXPIRE_DELEGATION_TOKEN`, `DESCRIBE_DELEGATION_TOKEN`, `DESCRIBE_USER_SCRAM_CREDENTIALS`, `ALTER_USER_SCRAM_CREDENTIALS`, `DESCRIBE_CLIENT_QUOTAS`, `ALTER_CLIENT_QUOTAS`, `UPDATE_FEATURES`
    * Check Gateway error responses indicating blocked API calls

  **What to do if you're impacted:**

  * Update your applications and workflows to perform admin operations with direct cluster access instead of through Gateway

  [See the full list of blocked APIs and migration guidance](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#api-blocking-modes).

  ### Deprecating v1 APIs

  v1 APIs are now deprecated in favor of the v2 APIs introduced in Gateway 3.3.0 in September 2024.

  If you're using the Conduktor CLI to operate Gateway, you are not impacted.

  [Check out the Gateway API reference to see which APIs are affected](https://developers.conduktor.io/?product=gateway\&version=3.14.0\&gatewayApiVersion=v1).

  **All the v1 APIs will be **no longer available** from Gateway v3.18.0**.

  If you're using the v1 APIs, please migrate to the v2 APIs as soon as possible. [Get in touch if you need support with this migration](https://support.conduktor.io/hc/en-gb/requests/new?ticket_form_id=17438363566609).

  ### The externalStorage option in encryption interceptors is deprecated

  The `externalStorage` configuration parameter in encryption Interceptors (`EncryptPlugin`, `FetchEncryptPlugin`, `EncryptSchemaBasedPlugin`, `FetchEncryptSchemaBasedPlugin`) is now deprecated and will be removed in Gateway 3.18.0.

  This parameter controls whether encryption settings are stored in message headers (`false`, default) or in a separate topic (`true`).

  **Action required:** If you're currently using `externalStorage: true`, you should plan to migrate to the default behavior (storing encryption settings in message headers) before upgrading to Gateway 3.18.0. [Find out more about encryption configuration](/guide/reference/data-security#encryption-configuration).

  ## Fixes v3.15.0

  * Fixed issue where multiple encryption interceptors could not be applied to the same topic, now allowing priority-based selection.
  * Fixed NullPointerException during Gateway startup when interceptor version constraints specify only min or max values.
  * Updated `TopicRequiredSchemaIdPolicyPlugin` to allow tombstone records (NULL values) in compacted topics, while still requiring schema IDs for non-null records.

  ### Quality of life improvements v3.15.0

  * When ACL is enabled in `GATEWAY_MANAGED` security mode, authorization failure will contain additional information in the message like these:

  | **Kafka error**                       | **Example message**                                                                                                                      |
  | :------------------------------------ | :--------------------------------------------------------------------------------------------------------------------------------------- |
  | Topic authorization failure           | `"Topic authorization failed (in Gateway) for [Topic: someTopic, Tenant: someTenant, User: someUser, Host: someHost]"`                   |
  | Group authorization failure           | `"Group authorization failed (in Gateway) for [Group: someGroup, Tenant: someTenant, User: someUser, Host: someHost]"`                   |
  | TransactionalId authorization failure | `"TransactionalId authorization failed (in Gateway) for [TransactionalId: someKey, Tenant: someTenant, User: someUser, Host: someHost]"` |
  | Cluster authorization failure         | `"Cluster authorization failed (in Gateway) for [Tenant: someTenant, User: someUser, Host: someHost]"`                                   |
</Update>

<Update label="Console 1.39.0" description="2025-10-27" tags={["Console"]}>
  * Conduktor Scale:
    * [Insights](#insights)
    * [Collection of product metrics](#collection-of-product-metrics)
  * Conduktor Exchange:
    * [Partner Zone traffic analytics tab](#partner-zone-traffic-analytics-tab)
  * Conduktor Trust:
    * [Data quality observability](#data-quality-observability)
  * [Fixes](#fixes-v1-39-0)
  * [Known issues v1.39.0](#known-issues-v1-39-0)

  ## Conduktor Scale

  ### Insights

  The brand new **Insights** dashboard in Console provides a comprehensive analysis of your Kafka infrastructure, helping platform teams to:

  * proactively identify configuration issues,
  * optimize storage costs,
  * track governance metrics,
  * monitor business-critical topics and more.

  To access the dashboard, click **Insights** on the left menu. [Find out more about what metrics we provide and how to interpret them](/guide/insights).

  ### Collection of product metrics

  The global property, `enable_product_metrics`, with the corresponding environment variable `CDK_ENABLE_PRODUCT_METRICS` has been updated so that it is only configurable with an enterprise license. Without an enterprise license this property will always
  default to `true` meaning product metrics will *always* be collected by Conduktor.

  ### Data quality observability

  Data quality observability enables teams to understand data quality patterns **across their entire Kafka environment** before making decisions.

  Data quality Policies can now be configured for non-Gateway topics using the **observe** action to gather metrics on messages that fail data quality Rules.

  [Find out more about data quality observability with Conduktor](/guide/use-cases/observe-data-quality).

  ## Conduktor Exchange

  ### Partner Zone traffic analytics tab

  You can now show traffic analytics for a Partner Zone using the new **Traffic** tab on the Partner Zone list page. The analytics will only be displayed for Gateway clusters that have the observability Interceptor enabled.

  The new tab includes a chart and a table for each Partner Zone for data egress, ingress and all traffic with the option to export this data as a CSV file.

  To enable Partner Zone analytics, existing observability Interceptors with a non-global scope (where the vcluster scope is set to `passthrough`) will have to be deleted and re-created *with a global scope*.

  [Find out about how to configure Partner Zone traffic analytics in Console](/guide/tutorials/configure-partner-zone-traffic-analytics).

  ## Fixes v1.39.0

  * Added support for SSL connections without authentication when configuring Kafka clusters
  * Fixed http 500 error when forcing a consumer group rebalance
  * Fixed an issue where application instance permissions were being created despite API request validation failures
  * Fixed duplicate operation IDs in OpenAPI specification which caused errors when using OpenAPI code generation tooling
  * Fixed error preventing the user from changing schema compatibility or deleting schemas with forward slashes in their names

  ## Known issue v1.39.0

  If you're using more than one subject naming strategy, migrating to v1.39.0 might fail.

  If you see an error message similar to `Migration of schema "cdk_admin" to version "184 - add unique index to topic analytics" failed!`, skip this release and upgrade directly to 1.40 or later.
</Update>

<Update label="Gateway 3.14.0" description="2025-10-27" tags={["Gateway"]}>
  ## New feature v3.14.0

  Added SSL configuration for Vault KMS with support for trust store (TLS) and key store (mTLS). [Find out more about Vault KMS](/guide/reference/data-security#vault-kms).

  ## Fix v3.14.0

  Added configuration options for TLS cipher suites and protocols to allow customization of SSL/TLS security settings.
</Update>

<Update label="Gateway 3.12.1" description="2025-10-10" tags={["Gateway"]}>
  ## New feature

  ### Support restriction of TLS protocols and cipher suites

  Introduced optional environment variables to allow for restriction of which TLS protocols and cipher suites the Gateway server offers during the TLS handshake. [Find out more](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#ssl-authentication).
</Update>

<Update label="Console 1.38.0" description="2025-10-01" tags={["Console"]}>
  * Conduktor Scale:
    * [Application instance access](#application-instance-access)
    * [Topic catalog access](#topic-catalog-access)
    * [Grant access to a topic](#grant-access-to-a-topic)
    * [Remove or revoke access request](#remove-or-revoke-access-request)
    * [Confluent Cloud role binding support for Self-service](#confluent-cloud-role-binding-support-for-self-service)
    * [Migrate topic policies](#migrate-topic-policies)
    * [Support for external monitoring solutions](#support-for-external-monitoring-solutions)
  * Conduktor Exchange:
    * [Partner Zone enhancements](#partner-zone-enhancements)
  * Conduktor Trust:
    * [Validate your Rule against sample messages](#validate-your-rule-against-sample-messages)
    * [Custom data quality Rule violation messages](#custom-data-quality-rule-violation-messages)
    * [Edit attached Rules from the Policy details page](#edit-attached-rules-from-the-policy-details-page)
  * [Quality of life improvements](#quality-of-life-improvements-v1-38-0)
  * [Fixes](#fixes-v1-38-0)

  ## Conduktor Scale

  ### Application instance access

  The new **Access** tab provides a detailed view of:

  * All topics this application instance has access to, with the ability to remove this access if you are a member of the owner group for the application.
  * All topics this application instance has granted access to, with the ability to revoke this access if you are a member of the owner group for the application.

  <Note> The GitOps approved icon will not appear for CLI-created application instance permissions in the **Outgoing** access section.</Note>

  ### Topic catalog access

  Displays all applications and application instances with access to this topic:

  * You can remove access for your own applications.
  * If you're a member of the application owner group of this topic, you can revoke access for other applications.

  ### Grant access to a topic

  Access to a topic can now be granted from the topic details page.

  ### Remove or revoke access request

  The access request modal now supports removing or revoking access for approved requests based on user role:

  * **Application owners**: can revoke access using **Revoke access** in the request details drawer
  * **Access requesters**: can remove their own access with **Remove access** in the request details drawer

  ### Confluent Cloud role binding support for Self-service

  You can now manage service accounts through Confluent Cloud RBAC role-bindings. This provides the added benefit of provisioning permissions for the *subject* resources via schema registry RBAC role bindings.

  For example, a topic request that seeks `write` access to another ApplicationInstance's topic will result in the associated application instance's service account receiving a `DeveloperWrite` and `DeveloperRead` role binding.

  [Find out how to migrate RBAC role bindings to Confluent Cloud](/guide/tutorials/migrate-confluent-cloud-rbac).

  ### Migrate topic policies

  Topic policies will be deprecated in an upcoming release.  Please use resource policies with a `targetKind` of `Topic` instead.

  You can migrate the existing topic policies using the Console UI. Go to **Settings** > **Policies migration** and click **Migrate Policies** to migrate the topic policies to resource policies.

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/conduktor/images/changelog/platform/v38/topic-policies-migration.png" alt="Topic Policies Migration" />

  Topic policies won't be removed until support for them is fully deprecated.

  A topic policy can only be migrated once and the following limitations apply:

  * If a topic policy is migrated and the new resource policy is then deleted, the topic policy can't be migrated a second time.
  * If a topic policy is migrated and then deleted, then a new topic policy is created with same name as the old one, but the 'new' policy can't be migrated.
  * If a topic policy is migrated and then updated, it can't be migrated again.
  * When you migrate topic policies, all the application instances referring to those policies will have both the newly migrated resource and the old topic policies. The topic policies will be removed automatically when this feature is deprecated in a future release.

  ### Support for external monitoring solutions

  Console now supports the configuration of external monitoring solutions, including Cortex, Mimir and Prometheus.

  These can be used instead of the default `conduktor-console-cortex` image.

  [Multi-tenancy is also supported](/guide/conduktor-in-production/deploy-artifacts/deploy-external-monitoring).

  ## Conduktor Exchange

  ### Partner Zone enhancements

  * Partner Zones now support specifying a custom Virtual Cluster name with `vclusterName` when using the API or CLI. This provides better control over naming conventions and simplifies migration from existing Virtual Clusters.
  * You can now download CA certificates associated with a Partner Zone from the Console UI. This makes sharing certificates with your partners much easier. [Find out how to download certificates](/guide/use-cases/third-party-data#download-ca-certificates).

  ## Conduktor Trust

  ### Validate your Rule against sample messages

  Added the ability to test data quality Rules with sample data before creation. [Find out more about testing Rules before creation](/guide/use-cases/enforce-data-quality#test-rules-before-creation).

  ### Custom data quality Rule violation messages

  You can now define a custom message that replaces the default `[RULE_NAME] did not pass` when a Rule is violated. [Find out how to set the custom message during Rule creation](/guide/use-cases/enforce-data-quality#create-a-rule).

  ### Edit attached Rules from the Policy details page

  Added the ability to modify which Rules are attached to a Policy directly from the Policy details page. [Find out more about editing attached Rules](/guide/use-cases/enforce-data-quality#manage-a-policy).

  ## Quality of life improvements  v1.38.0

  We've completely redesigned the main cluster selector, introducing a number of usability improvements:

  * Added an option to pin clusters - your frequently used ones can now be pinned to the top of the list
  * Improved keyboard navigation for faster cluster switching and enhanced accessibility
  * For admins, added the ability to easily jump to the configuration page for any cluster

  You can now add custom labels to any cluster for better organization and categorization on large
  cluster environments. Easily filter clusters by labels in both the cluster selector and the cluster settings page.

  You can now search for an application in the Application filter dropdown on the Topic Catalog page.
  You can also search for a cluster in the cluster filter dropdown on the Topic Catalog page.

  ## Fixes v1.38.0

  * Fixed an issue where closing the templates drawer in the topic consume view would prevent the user from interacting with the rest of the page.
  * Fixed searching within groups to allow filtering on "contains" instead of "starts with" for improved search experience.
  * Fixed SSO configuration to support configurable email claims for special identity types.
  * Fixed connector creation modal to show validation warnings instead of blocking creation, allowing you to proceed with caution (matching CLI behavior).
  * Fixed access control vulnerabilities preventing low-privileged users from accessing and modifying data masking policies.
  * Fixed 'Last active' sorting in group members list to properly handle users who have never been active.
  * Fixed SQL indexed topics page to stay on the correct tab when refreshing instead of redirecting to a different URL.
  * Fixed duplicate topic subscription requests for already approved subscriptions in the Self-service catalog.
  * Fixed record view to show header keys in their original casing instead of uppercase.
  * Fixed topic template duplication functionality that was failing silently.
  * Fixed cluster creation validation to prevent duplicate technical IDs with better user experience.
  * Fixed data policies display layout to properly wrap field badges and prevent overlap.
  * Fixed CEL expression evaluation in resource policies to handle missing spec.configs correctly.
</Update>

<Update label="Gateway 3.13.0" description="2025-10-01" tags={["Gateway"]}>
  * [New features](#new-features-v3-13-0)
    * [Enhanced audit logging for authorization failures](#enhanced-audit-logging-for-authorization-failures)
    * [Block unsupported APIs with Gateway](#block-unsupported-apis-with-gateway)
    * [New encryption error policy](#new-encryption-error-policy)
  * [Quality of life improvement](#quality-of-life-improvement-v3-13-0)
  * [Fixes](#fixes-v3-13-0)

  ## New features v3.13.0

  ### Enhanced audit logging for authorization failures

  * An audit log event is now generated for authorization failures (when ACL permissions deny an operation on a resource). [Find out more about the authorization failure events](/guide/conduktor-in-production/admin/audit-logs#authorization-failure-event).
  * Improved error message verbosity with `enableDetailedErrorLogging` property in GCP KMS exception handling. [Find out more about the GCP KMS configuration](/guide/reference/interceptor-reference#google-cloud-platform-kms).

  ### Block unsupported APIs with Gateway

  This release introduces the `GATEWAY_FEATURE_FLAGS_BLOCK_UNSUPPORTED_APIS` environment variable which gives you control over how Gateway handles Kafka APIs that aren't explicitly supported.

  [See the full configuration details and usage modes](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#api-blocking-modes).

  ### New encryption error policy

  Added `errorPolicy` configuration to encryption Interceptors that allows skipping already encrypted messages.

  The default behavior maintains current functionality (an exception is thrown). To allow skipping, add this new option to your configuration.

  [See configuration details in the Interceptor Reference](/guide/reference/interceptor-reference#encryption-error-policy).

  ## Quality of life improvement v3.13.0

  Added blacklist configuration support to the topic policy. [Check out more about the CreateTopicPolicyPlugin](/guide/use-cases/apply-traffic-control-policies/#create-topic-policy).

  ## Fixes v3.13.0

  * Fixed the principal resolver failure to resolve the Confluent Cloud service account from an API Key.
  * Added round-robin Gateway endpoint allocation to prevent all traffic from being directed to the same Gateway node. [Find out more about Gateway internal load balancing](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/load-balancing#internal-load-balancing).
  * Improved customer experience for Vault KMS configuration by removing a confusing version field. The encryption Interceptor uses Vault Transit engine which only supports version 1 (hardcoded), but the configuration incorrectly exposed it as configurable. This change removes the misleading field from configuration examples while maintaining backward compatibility.
  * Fixed the error when connecting with super user and Virtual Cluster(s) is mandatory.
  * Fixed Fetch Policy Interceptor isolation level configuration to accept lowercase values, matching Kafka standards.
  * Fixed Confluent Cloud principal resolver to handle API keys for both service accounts and user accounts.
  * Fixed Azure OAuth authentication method priority to respect explicit configuration over environment variables.
  * Relaxed name validation in service-account v2 API to support dots, equals signs, and commas.
</Update>

<Update label="Console 1.37.1" description="2025-09-18" tags={["Console"]}>
  ## Fixes v1.37.1

  * Fixed an issue where resource policies were not applied when editing application groups from the UI.
  * Fixed an issue where members from external groups were not synchronized if an application group without permissions existed.
</Update>

<Update label="Console 1.37.0" description="2025-08-21" tags={["Console"]}>
  * [Breaking changes](#breaking-changes-v1-37-0)
    * [Gateway 3.12 dependency](#gateway-3.12-dependency)
    * [Email address storage](#email-address-storage)
    * [Prometheus configuration overrides](#prometheus-configuration-overrides)
  * Conduktor Scale:
    * [Application groups management](#application-groups-management)
    * [Application Instance resources](#application-instance-resources)
    * [Subject strategies support](#subject-strategies-support)
    * [External group management improvements](#external-group-management-improvements)
  * Conduktor Exchange:
    * [Partner Zone out of preview](#partner-zone-out-of-preview)
    * [Partner Zone multi-cluster support](#partner-zone-multi-cluster-support)
    * [Partner Zone breaking changes](#partner-zone-breaking-changes)
  * Conduktor Trust:
    * [Regex library](#regex-library)
    * [Mark action](#mark-action)
    * [JSON schema rule type](#json-schema-rule-type)
  * [Quality of life improvements](#quality-of-life-improvements-v1-37-0)
  * [Fixes](#fixes-v1-37-0)

  ## Breaking changes v1.37.0

  ### Gateway 3.12 dependency

  Starting from Console 1.37, Conduktor Trust [Mark action](#mark-action) and Conduktor Exchange [Partner Zone](#partner-zone-breaking-changes) functionality will require Gateway 3.12 or later.

  ### Email address storage

  In this release, we've made a change to how we store user email addresses in Console. All emails are now stored in lowercase to ensure consistency and prevent issues with SSO or RBAC.

  <Warning>
    We **strongly recommend** that you back up your Console database before upgrading to this version.

    If two users have the same email address but with different casing, the migration will fail. In this case, we recommend that you resolve the conflict by either deleting one of the users or changing their email address before upgrading.
  </Warning>

  ### Prometheus configuration overrides

  Before Console v1.37.0, Prometheus configuration was overridden using the **replace** strategy. Since **v1.37.0** it's changed to the **patch** (YAML merging) strategy.

  Prometheus configuration can be **patched** by mounting a YAML file to path `/opt/override-configs/prometheus.yaml`. To set an alternative path, use the `PROMETHEUS_OVERRIDE_CONFIG_FILE` environment variable.

  ## Conduktor Scale

  ### Application groups management

  New application group management in Self-service provides full lifecycle management through improved UI workflows.

  The **Members** tab offers an enhanced interface for managing group membership, making it easier for teams to control access and visibility. The **Resource access** tab enables granular control over topic, consumer group, subject, and connector permissions for precise access management. Application groups can also map to external groups like Console user groups for streamlined access management.

  ### Application Instance resources

  Application instances now feature comprehensive resource management capabilities. The new **Resources** tab provides a detailed view of all the resources associated with application instances, giving teams better visibility into their resource usage and dependencies.

  ### Subject strategies support

  Support for **Confluent subject strategies** has been added to the produce page for topics. This enhancement gives users more control over how schemas are referenced when producing messages, providing flexibility in schema organization and naming conventions.

  ### External group management improvements

  The **External groups UI** has been enhanced for mapping external authentication groups, making it easier for administrators to configure and maintain user access patterns.

  Both the Console user groups and application groups now support **external group regex** functionality, enabling dynamic group assignment based on external authentication patterns. This allows organizations to automatically map users from identity providers to appropriate application groups, based on configurable regex patterns.

  ## Conduktor Exchange

  ### Partner Zone out of preview

  Partner Zones are now generally available and out of preview. This means that all features are fully supported, production-ready, and can be used in production environments.

  ### Partner Zone multi-cluster support

  Console now supports creating Partner Zones against a multi-clustered Gateway configuration. This allows for a Partner Zone to be created against any of the configured Kafka clusters behind Gateway (previously, a Gateway was required per Kafka cluster for a Partner Zone).

  [Check out the tutorial on creating Partner Zones with multi-cluster Gateway](/guide/tutorials/partner-zone-multi-cluster), as well as the [Console resources for Partner Zones](/guide/reference/console-reference#partner-zones).

  ### Partner Zone breaking changes

  With the multi-cluster support in Gateway 3.12, all existing Partner Zones created prior to this version of Console are incompatible and cannot be migrated or updated to support the new capability. Hence, existing Partner Zones will stop functioning after the upgrade if not recreated.

  <Warning>
    **Action required:**

    * Delete all existing Partner Zones before upgrading
    * Upgrade Console and Gateway to the latest version
    * Recreate all Partner Zones with the same configuration
  </Warning>

  ## Conduktor Trust

  ### Regex library

  Added an option to **Show regex library** when creating a new rule in Console. This provides a list of pre-built regex examples that can be used to speed up rule creation.

  ### Mark action

  You can now toggle the **Mark action** on data quality Policies. When enabled, messages that violate the rule(s) are tagged with a special header.

  [Check out the Mark action use case.](/guide/use-cases/enforce-data-quality#mark-action)

  ### JSON schema rule type

  You can now create JSON schema rules to validate message structure and content.

  [Check out the JSON schema use case.](/guide/use-cases/enforce-data-quality#json-schema-rule)

  ## Quality of life improvements v1.37.0

  You can now fine-tune Cortex and Prometheus retention with the new environment variables. We've also updated the default values to reduce disk usage.

  You can **patch** (instead of replacing) the YAML configuration. [Find out more about overriding the configuration with YAML](/guide/conduktor-in-production/deploy-artifacts/deploy-cortex#overriding-with-yaml).

  The Self-service experience has been improved with **updated terminology** for managing access requests.

  Ambiguous and inconsistent references to various terminology such as 'subscriptions', 'subscribing', 'access requests', 'sharing', 'requests', have been standardized throughout the application, placing emphasis on a single unified concept of **access request**.

  You can now view the Resource Policies in the Application details page, and the Consumer Group ownerships in the Application instance details page.

  The Trust Rules and Policies pages are now hidden for users without [Trust](https://conduktor.io/trust) in their license.

  ## Fixes v1.37.0

  * Fixed production rate metrics getting stuck at high values when producer rates drop instantly to zero, which was causing artificially inflated metrics in systems with bursty production patterns.
  * Errors preventing users from logging in are now prominently displayed on the login page.
  * To prevent disclosure of password length in configuration forms, password fields are now consistently obfuscated regardless of the length of the actual password.
  * Secrets in AWS Glue and other cluster configuration forms are no longer shown in clear text.
  * Fixed error logs appearing when SQL features are not enabled, reducing unnecessary log noise.
  * Fixed onboarding page checkbox labels not being clickable, improving user experience during account setup.
  * Schema registry naming strategies now include namespace in generated subject names.
  * Fixed issue where topic navigation tab was missing from main menu for certain user roles despite having proper permissions.
  * Self-service configuration now correctly handles multiple Kafka Connect clusters connected to a single application instance.
  * Duplicate users can no longer be created using the same email username but in different casing.
  * In the metadata of the records, the schema names are no longer truncated.
  * Add error messages on Connector failure, helping troubleshooting.
  * Fixed topic policies not being visible in application instances after upgrading from version 1.35 to 1.36.
  * Fixed a '404 group does not exist' error incorrectly showing up when upgrading from version 1.35 to 1.36.
  * Deleting the Kafka Connect cluster now deletes the associated permissions, solving the permission errors on user and group GET operations.
  * Improved groups API performance, preventing timeouts for big organizations with thousands of users and groups.
  * Improved indexer performance, preventing timeouts for big organizations with thousands of consumer groups.
  * JVM metrics renamed in the Console and the Grafana dashboard, based on [Prometheus changes](https://prometheus.github.io/client_java/migration/simpleclient/#jvm-metrics).
</Update>

<Update label="Gateway 3.12.0" description="2025-08-20" tags={["Gateway"]}>
  * [Breaking changes](#breaking-changes-v3-12-0)
    * [New APIs for health and versions](#new-apis-for-health-and-versions)
    * [Rename of the Virtual Cluster Id](#rename-of-virtual-cluster-id)
  * [New features](#new-features-v3-12-0)
    * [New `GATEWAY_AUDIT_LOG_EVENT_TYPES` environment variable](#new-environment-variable)
    * [Enhanced crypto shredding behavior for decryption](#enhanced-crypto-shredding-behavior-for-decryption)
    * [Client throttling for encryption and decryption](#client-throttling-for-encryption-and-decryption)
  * [Fixes](#fixes-v3-12-0)

  ## Breaking changes v3.12.0

  ### New APIs for health and versions

  To improve the reliability and monitoring of the Gateway service, we've introduced new API endpoints for health checks and version information.

  These changes align our service with Kubernetes health check standards and will provide a more robust way to monitor Gateway's status.

  [Find out more from the monitoring reference](/guide/conduktor-in-production/monitor#liveness-endpoint).

  <Warning>
    The old */health* API is now deprecated but it will continue to function.

    Please update your configuration to use the new liveness and readiness probe endpoints.
  </Warning>

  ### Rename of Virtual Cluster Id

  When a Kafka client requests the cluster Id of a Virtual Cluster through Gateway, the returned cluster Id will be different - it will be renamed.

  Previously, the returned cluster Id was the native Kafka cluster Id of the Virtual Cluster's physical cluster.

  The new cluster Id that's returned will be be in the form of: `{virtual-cluster-name}@{physical-cluster-id}`.

  ## New features v3.12.0

  ### New environment variable

  This release introduces the `GATEWAY_AUDIT_LOG_EVENT_TYPES` environment variable which controls the types of events recorded in the audit log.

  It provides flexibility to enable/disable specific event types, such as `CONNECTION`.

  [See the full list and explanations of the event types](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/environment-variables#audit).

  This change is backwards compatible, as the default value is `ALL` (which means that all event types are logged by default).

  ### Enhanced crypto shredding behavior for decryption

  The decryption Interceptor now includes improved error handling behavior specifically for crypto shredding scenarios.

  A new `crypto_shred_safe_fail_fetch` error policy has been introduced. It returns encrypted data when decryption fails due to missing encryption keys, but throws exceptions for other types of decryption failures (e.g., authentication errors). This ensures that crypto-shredded data remains protected while still failing fast for other issues that require attention.

  ### Client throttling for encryption and decryption

  Gateway now supports client throttling when encryption or decryption operations fail, helping to protect your system from being overwhelmed during error conditions.

  * **New throttleTimeMs configuration**: Set `throttleTimeMs` to control how long clients will be throttled when encryption/decryption fails (in milliseconds, default: 0)
  * **Automatic system protection**: When encryption or decryption fails, Gateway can automatically throttle the problematic client for the specified duration, preventing system overload
  * **Configurable behavior**: You can enable and adjust throttling based on your system's needs and error tolerance

  [Find out more about client throttling](/guide/reference/data-security#client-throttling).

  ## Fixes v3.12.0

  * `KUBERNETES` Vault authentication now gets the JWT from the default Vault location (`/var/run/secrets/kubernetes.io/serviceaccount/token`). You can configure this location using `path` (`VAULT_KUBERNETES_PATH`). The `jwt` configuration key is no longer needed. [See **Kubernetes authentication** under Vault authentication types](/guide/reference/interceptor-reference#vault-kms).

  * Enriched the `REST_API` audit log events with the request body, which was previously not captured.

  * Resolved `GATEWAY_TOPIC_STORE_KCACHE_REPLICATION_FACTOR` configuration to properly default to the Kafka cluster's default replication factor settings.

  * Supported Protobuf schemas for `SchemaPayloadValidationPolicyPlugin`.

  * Updated the SSL handshake failure logging to include client IP addresses (which were previously missing from error logs), helping you identify applications that are affected by certificate issues.
</Update>

<Update label="Console 1.36.2" description="2025-08-05" tags={["Console"]}>
  ## Improvements v1.36.2

  * Added support for SMTPS servers in email alerting to allow TLS-enabled SMTP servers, as well as the previously available option for StartTLS.

  ## Fixes v1.36.2

  * Fixed an issue where the Console UI would prevent Debezium connector creation when required metadata was missing, even though the CLI would allow creation successfully.
  * Fixed a permissions bug where users who were members of multiple ApplicationGroups would only inherit permissions from one group instead of receiving the combined permissions from all their groups. This was causing users to have incomplete access rights.
  * Updated the base image to include upstream patches for CVE-2025-30749, CVE-2025-50059, and CVE-2025-50106 affecting Oracle Java SE and GraalVM.
</Update>

<Update label="Console 1.36.1" description="2025-07-21" tags={["Console"]}>
  ## Fixes v1.36.1

  * Fixed an issue where the default produce header used a problematic naming format (app.name) that could cause compatibility issues with certain connectors
  * Resolved the known issue from 1.36.0 where Self-service resource policies attached to Self-service application instances would display validation errors on the details page in Console
</Update>

<Update label="Gateway 3.11.0" description="2025-07-18" tags={["Gateway"]}>
  [New features](#new-features-v3-11-0)

  * [Use REST to set Virtual Cluster ACLs](#set-virtual-cluster-acls-directly-using-rest)
  * [Auto-create topics](#auto-create-topics)

  ## New features v3.11.0

  ### Set Virtual Cluster ACLs directly using REST

  Gateway now supports managing the ACLs for Virtual Clusters directly using the REST API. (This is a backwards compatible change.)

  Previously, the only way to set ACLs on a Virtual Cluster was to:

  1. create a Virtual Cluster with a Kafka super user defined, then
  2. as the Kafka super user, individually create ACLs using the Kafka admin API.

  By allowing nearly any Kafka ACL setup to be configured using a single call to the Virtual Cluster REST endpoint (some cluster ACLs are restricted), the overall complexity is greatly simplified for most use cases.

  We'll continue to support setting ACLs directly using the Kafka admin API as a super user, since this change won't be useful in all scenarios and use cases.

  [Find out more about the new ACLs features in the Virtual Cluster resource reference](/guide/reference/gateway-reference#acls-configurable-via-rest).

  ### Auto-create topics

  You can now create topics automatically when producing or consuming through Gateway. To enable/disable this, we've added a new `GATEWAY_AUTO_CREATE_TOPICS_ENABLED` environment variable (default: `false`).

  * **Kafka property integration**: leverages the Kafka property `auto.create.topics.enable` when the feature is enabled.
  * **Concentrated topics limitation**: when this feature is enabled, topics that would normally be concentrated will be created as physical topics instead.
  * **ACL authorization**: implements proper access control for auto-create topics:
    * **permission requirements**: requires `CREATE` permission on either the topic or the cluster.
    * **security**: ensures access control while maintaining flexibility for different permission models.

  [Find out more about configuring Gateway to accept client connections](/guide/conduktor-in-production/deploy-artifacts/deploy-gateway/listener-security) and [auto-create topics authorization](/guide/tutorials/manage-gateway-service-accounts#auto-create-topic-authorization).
</Update>

<Update label="Console 1.36.0" description="2025-07-18" tags={["Console"]}>
  * Conduktor Scale:
    * [New alert destination: email](#new-alert-destination-email)
    * [Configurable Webhook body](#configurable-webhook-body)
    * [Redesigned Application Catalog and Application details pages](#redesigned-application-catalog-and-application-details-pages-in-console)
    * [Labels for Consumer groups](#labels-for-consumer-groups)
    * [More information on tasks with errors](#more-information-on-tasks-with-errors)
  * Conduktor Exchange:
    * [Breaking changes - Partner Zones support for mTLS](#breaking-changes---partner-zones-support-for-mtls)
  * [Quality of life improvements](#quality-of-life-improvements-v1-36-0)
  * [Fixes](#fixes-v1-36-0)
  * [Known issue](#known-issue-v1-36-0)

  ## Conduktor Scale

  ### New alert destination: email

  You can now set emails as alert destinations. Set up your SMTP server with TLS encryption and authentication to enable secure email delivery directly to your inbox.

  Create customized email alerts with custom subjects and body content per alert. Dynamic variables like `{{clusterName}}` and `{{threshold}}` can be embedded using handlebars syntax for context-aware notifications that provide meaningful alert details.

  [Find out how to configure email integration](/guide/monitor-brokers-apps/alerts#email-integration).

  ### Configurable Webhook body

  Webhook alert destinations now support full payload customization. In addition to existing header customizations, you can now secure your webhooks with **basic auth** or **bearer token** authentication and customize the body of the webhook payload to be sent when an alert is triggered.

  Like email alerts, webhook bodies support dynamic variable insertion using handlebars syntax, allowing you to create context-aware webhook payloads tailored to your specific monitoring needs.

  ### Redesigned Application Catalog and Application details pages in Console

  Application details page:

  * displays a list of the application instances with labels and stats.
  * includes an editor for modifying the application description.
  * shows the application groups list with the owner group pinned.

  Application instance page:

  * header section displays stats and labels, with the ability to manage labels.
  * contains multiple tabs: Details, External access, Alerts, and API keys.
  * within the Details tab, information is divided into two sections: ownership and resource policies.

  ### Labels for Consumer groups

  Labels are now shown across various consumer groups views, along with new filtering capabilities:

  * The consumer groups list now shows labels and allows filtering by them.
  * Topic lists within both the consumer groups and member details pages now support label-based filtering.
  * In the topic details view for consumer groups, labels are visible and can be added, edited, or deleted.

  ### More information on tasks with errors

  A connector that's in the `RUNNING` state can also return errors that are only visible within the Confluent Cloud UI. When a connector is in this state:

  * a warning icon will be shown next to the item in the list view and
  * an error returned from the Confluent Cloud API will be displayed.

  ## Conduktor Exchange

  ### Breaking changes - Partner Zones support for mTLS

  With support for mTLS connections, Partner Zones now have breaking changes: all **existing Partner Zones have to be re-created** (even if not using mTLS).

  Partners can now connect their clients to your Partner Zone using mTLS.

  This is an additional option of `MTLS` for the `spec.authenticationMode.type`.

  [Find out more about prerequisites for creating Partner Zones](/guide/conduktor-concepts/partner-zones#prerequisites).

  ### Quality of life improvements v1.36.0

  * Users will now be redirected to the page they were on when they logged in again after session expiry.
  * Improved navigation between Partner Zones in the list view when using keyboard.
  * Improved configurability of circuit breaker behavior for indexed tasks. Each indexed task now includes configurable `sequentialFailureThreshold` and `blockingDuration` parameters, giving administrators fine-grained control over when indexing operations pause due to failures and how long they remain paused before attempting recovery. This provides predictable recovery behavior and prevents extended indexing outages that previously required Console restarts to resolve. [Learn more about circuit breaker configuration](/guide/conduktor-concepts/indexing#circuit-breaker-configuration).

  ## Fixes v1.36.0

  * Partner Zones are now created instantly, instead of waiting for the next reconciliation loop to pass. Other updates will continue to sync in line with the reconciliation loop.
  * Fixed an error that occurred when no partitions were selected in the topic consume view. You will now see a warning that no messages will be shown, if partitions filter is set to none.
  * The JSON view of a message in a topic now correctly displays negative numbers and numbers in scientific notation.
  * Kafka Connect clusters are no longer visible to users who don't have the permission on any of their connectors.
  * Error messages are now more informative when attempting to create a service account on a resource for which the caller lacks permission.
  * Resolved a case sensitivity issue with email addresses in the application group payload that caused mismatch in the RBAC configuration.

  ## Known issue v1.36.0

  If a Self-service resource policy is attached to a Self-service application instance, the details page for it may display a validation error in Console.
</Update>

<Update label="Conduktor CLI 0.6.1" description="2025-06-24" tags={["CLI"]}>
  ## Fixes

  * Fixed an issue introduced in `v0.6.0`, where intermittent failure on some apply runs where kind ordering would not be respected. In some scenarios the parent resource is not made before the child (e.g.  ApplicationInstances being created before Applications) and the run would fail, this could be fixed by attempting a retry.
  * Fixed an issue introduced in `v0.6.0` where failed runs would not return an exit code, leading to silent failures in CI actions.

  [Find out more](https://github.com/conduktor/ctl/releases/tag/v0.6.1).
</Update>

<Update label="Conduktor CLI 0.6.0" description="2025-06-23" tags={["CLI"]}>
  ## Changes

  <Note> This release introduced a couple of bugs that were fixed in **CLI v0.6.1**, please use that version instead of v0.6.0. </Note>

  Significant performance improvements when applying a large number of resources. To control the maximum number of concurrent resource `apply` operations, use the `--parallelism` flag.

  The flag accepts `integer` values between 1 and 100. If a value outside this range is provided, the command will show an error and exit. [Find out more](https://github.com/conduktor/ctl/releases/tag/v0.6.0).
</Update>

<Update label="Conduktor CLI 0.5.1" description="2025-05-14" tags={["CLI"]}>
  ## Change

  * The -o flags are now visible at the get root command level, making output options more discoverable.

  ## Fix

  * Fixed an issue where alerts could not be deleted via the CLI when using the metadata group.
    [Find out more](https://github.com/conduktor/ctl/releases/tag/v0.5.1).
</Update>

<Update label="Conduktor CLI 0.5.0" description="2025-03-10" tags={["CLI"]}>
  ## Changes

  * Included Gateway resources in `get all`
  * Added cause to ApiError responses
  * Fixed apply template comment in YAML file
  * Added option to edit and apply immediately to template command
  * Standardized flag descriptions

  ## Fix

  * Fixed verbose mode in single client configuration

  [Find out more](https://github.com/conduktor/ctl/releases/tag/v0.5.0).
</Update>

<Update label="Conduktor CLI 0.4.0" description="2025-02-07" tags={["CLI"]}>
  ## Changes

  * Environment variable references can now be passed to Gateway or Console, allowing you to store references to secret variables used by the host within your configuration.
  * Partner Zones are now available, allowing you to securely share your streaming Kafka data with external partners without the need to replicate the data.
  * More informative error responses in certain situations
  * Console API schema updated
  * Added `run`
  * Schema code reorg
  * Ops 630 pass external environment variable reference
  * Introduced dev mode for hidden command
  * Panic replaced with graceful exit
  * Included Partner Zones Gateway API changes

  ## Fixes

  * buildAlias duplication fixed
  * Fixed ServiceAccount check when defining commands
  * Release Action fixed
  * Various doc fixes
  * Fixed duplicate printout statements

  [Find out more](https://github.com/conduktor/ctl/releases/tag/v0.4.0).
</Update>

<Update label="Conduktor CLI 0.3.4" description="2025-01-10" tags={["CLI"]}>
  ## Changes

  * Added support of query params for parent
  * Added `template`

  ## Fix

  * Fixed the issue when deleting virtual clusters does nothing
</Update>

<Update label="Conduktor CLI 0.3.3" description="2024-12-16" tags={["CLI"]}>
  ## Changes

  * Updated default kind for 1.30
  * Added basic auth for Gateway API support

  ## Fix

  * Fixed default vCluster set to null for delete interceptors
</Update>

<Update label="Conduktor CLI 0.3.2" description="2024-11-25" tags={["CLI"]}>
  ## Change

  * Updated Console schema with latest version

  ## Fix

  * Changed ordering between groups and service accounts in Gateway entities
</Update>

<Update label="Conduktor CLI 0.3.1" description="2024-10-14" tags={["CLI"]}>
  ## Changes

  * Added handling of environment variables for YAML
  * Added description for token CMD
  * Updated README.md
  * Added `run sql`
  * Updated with latest Gateway API changes
  * Added `all`

  ## Fixes

  * Fixed release version check
  * Fixed version bump in Homebrew PRs
  * Fixed releases prefix to prevent errors
</Update>

<Update label="Conduktor CLI 0.3.0" description="2024-09-17" tags={["CLI"]}>
  ## Changes

  * Added support for `-o json` and `-o name` on `get`
  * Updated to latest Gateway API
  * Added support for Gateway API v2
  * Clarified version with a `v`

  ## Fixes

  * Fixed the release tag
  * Fixed missing key retrieval from environment

  [Find out more](https://github.com/conduktor/ctl/releases/tag/v0.3.0).
</Update>

<Update label="Conduktor CLI 0.2.7" description="2024-07-22" tags={["CLI"]}>
  ## Changes

  * Made `/api` not mandatory when setting base URL
  * Updated offline schema for future
  * Added support for description from file in topic resources
  * Added support for  `delete -f`
  * Improved client interface
  * Improved CLI API for terraform provider POC
  * Added a command to create token
  * Added a login command

  ## Fix

  * Fixed auto login in client
</Update>

<Update label="Conduktor CLI 0.2.6" description="2024-06-25" tags={["CLI"]}>
  ## Changes

  * Started with v to solve issue with go package
  * Use resource priority from default catalog if catalog doesn't have any
  * Added resource priority
  * Keep order from API response
  * Updated offline kind
</Update>

<Update label="Conduktor CLI 0.2.5" description="2024-06-18" tags={["CLI"]}>
  ## Changes

  * Expended *Subject schemaFile* on `apply`

  ## Fixes

  * Fixed an issue on apiVersion where apiVersion is put at the end
</Update>

<Update label="Conduktor CLI 0.2.4" description="2024-05-02" tags={["CLI"]}>
  ## Breaking changes

  * CDK\_TOKEN is now CDK\_API\_KEY

  This also includes **Conduktor CLI v 0.2.3** wih a fix for

  * automation update brew formula

  This also includes **Conduktor CLI v 0.2.2** wih a fix for

  * improved docs
</Update>

<Update label="Conduktor CLI 0.2.1" description="2024-04-29" tags={["CLI"]}>
  ## Features

  * Added CA cert
  * This release is **only compatible with Console 1.23 or above**

  ## Fixes

  * Fixed an issue with insecure
</Update>

<Update label="Conduktor CLI 0.2.0" description="2024-04-22" tags={["CLI"]}>
  ## Features

  * This release is **only compatible with Console 1.23 or above**
  * Made CTL work with complex path
  * Set CDK-CLIENT header to improve analytics

  ## Fixes

  * Fix for adding `prefix X-` to custom header

  [Find out more](https://github.com/conduktor/ctl/releases/tag/0.2.0/).
</Update>

<Update label="Conduktor CLI 0.1.1" description="2024-04-15" tags={["CLI"]}>
  ## Features

  * Add uniform CLI help commands/flags descriptions
  * Use alpine as base Docker image with custom user
  * Added support for multiple failing apply to get a detailed summary
</Update>

<Update label="Conduktor CLI 0.1.0" description="2024-03-26" tags={["CLI"]}>
  Conduktor CLI allows you to perform operations directly from your command line or a CI/CD pipeline to a Conduktor Console instance.

  ## Features

  * Support for `get`, `apply` (upsert) and `delete` commands for the following Conduktor Console resources:
    * Application
    * ApplicationInstance
    * ApplicationInstancePermission
  * Support for `--dry-run` on `apply` and `delete`
  * Support `completion` that generates the autocompletion script for the specified shell
  * Support for proxy auth using certificate and key
  * Support `ignore` untrusted certificates environment variable
  * Configurable environment variables

  [Find out more](https://github.com/conduktor/ctl/releases/tag/0.1.0/).
</Update>
