Overview
From Gateway 3.20.0, networking is configured per listener withGATEWAY_LISTENER_<NAME>_* variables. The global GATEWAY_PORT_*, GATEWAY_ADVERTISED_HOST, GATEWAY_ROUTING_MECHANISM and GATEWAY_SECURITY_PROTOCOL variables — the legacy network configuration — are deprecated and will be removed in Gateway 3.23.
This guide shows how to switch an existing deployment to listener configuration. For how the legacy mode behaves and the full deprecated variable reference, see Legacy network configuration.
Listener configuration removes the inference behavior of legacy network configuration — you set every relevant value explicitly.
Map legacy variables to listener variables
The legacy network variables internally create a single listener namedDEFAULT. Use this mapping as a reference:
| Legacy variable | Listener equivalent |
|---|---|
GATEWAY_BIND_HOST | GATEWAY_LISTENER_<NAME>_BIND_ADDRESS |
GATEWAY_ADVERTISED_HOST | GATEWAY_LISTENER_<NAME>_ADVERTISED_HOST |
GATEWAY_PORT_START and GATEWAY_PORT_COUNT | GATEWAY_LISTENER_<NAME>_PORTS |
GATEWAY_ADVERTISED_SNI_PORT | GATEWAY_LISTENER_<NAME>_PORTS (use advertised:local format) |
GATEWAY_ROUTING_MECHANISM | GATEWAY_LISTENER_<NAME>_ROUTING (host is now called sni) |
GATEWAY_SECURITY_PROTOCOL | GATEWAY_LISTENER_<NAME>_SECURITY_PROTOCOL |
GATEWAY_ADVERTISED_HOST_PREFIX and GATEWAY_SNI_HOST_SEPARATOR | GATEWAY_LISTENER_<NAME>_ADVERTISED_HOST_PATTERN and GATEWAY_LISTENER_<NAME>_BOOTSTRAP_HOST_PATTERN |
GATEWAY_SSL_CLIENT_AUTH | GATEWAY_LISTENER_<NAME>_SSL_CLIENT_AUTH |
GATEWAY_SECURITY_MODE, GATEWAY_ACL_ENABLED, GATEWAY_SSL_KEY_STORE_*, GATEWAY_SSL_TRUST_STORE_*, and all KAFKA_* connection variables. GATEWAY_SECURITY_MODE and GATEWAY_ACL_ENABLED are no longer inferred, though — see Behavior differences to plan for.
If your deployment still uses a
DELEGATED_SASL_PLAINTEXT or DELEGATED_SASL_SSL security protocol, migrate it first: the listener SECURITY_PROTOCOL only accepts PLAINTEXT, SSL, SASL_PLAINTEXT or SASL_SSL. Set GATEWAY_SECURITY_MODE=KAFKA_MANAGED and use the plain protocol (SASL_PLAINTEXT or SASL_SSL) on the listener. See Migrate security mode.Behavior differences to plan for
Three behaviors change when you migrate:-
Security mode and ACL flag have to be set explicitly. Listener configuration does not infer
GATEWAY_SECURITY_MODEorGATEWAY_ACL_ENABLEDfrom the backing Kafka cluster. Set both:GATEWAY_SECURITY_MODEtoGATEWAY_MANAGEDorKAFKA_MANAGED.GATEWAY_ACL_ENABLEDtotrueorfalse(typicallytrueforGATEWAY_MANAGEDandfalseforKAFKA_MANAGED).
-
SNI host patterns have changed. The default advertised host pattern is now
broker-{{physicalCluster}}-{{nodeId}}.{{advertisedHost}}. This differs from the previous default built fromGATEWAY_ADVERTISED_HOST_PREFIX(defaultbroker) andGATEWAY_SNI_HOST_SEPARATOR(default-). If your DNS records and TLS certificates match the old pattern, either update them or set the pattern explicitly to reproduce it: -
mTLS configuration is per listener. Set
GATEWAY_LISTENER_<NAME>_SSL_CLIENT_AUTHfor each listener (for example,GATEWAY_LISTENER_EXTERNAL_SSL_CLIENT_AUTH=REQUIRE). The globalGATEWAY_SSL_CLIENT_AUTHis ignored in listener configuration.
Worked example
The migration depends on your routing mechanism. Pick the tab that matches yourGATEWAY_ROUTING_MECHANISM.
These examples name the listener DEFAULT to mirror the listener that legacy mode creates internally, which keeps the mapping one-to-one. The name is a label you choose — use any name that fits your setup (for example, INTERNAL or EXTERNAL) and apply it consistently across that listener’s GATEWAY_LISTENER_<NAME>_* variables.
- Port routing
- SNI routing
This legacy network configuration:Becomes:What changed:
GATEWAY_PORT_START=9092withGATEWAY_PORT_COUNT=6maps to the port range9092-9097.GATEWAY_MIN_BROKERIDis unchanged — it still maps ports to broker IDs in order under listener configuration.
Verify the migration
Restart Gateway and check the startup logs. Confirm that:- The legacy deprecation warning (
Legacy environment variables detected (GATEWAY_PORT_START, etc.)) no longer appears. If it does, a legacy variable is still set — Gateway refuses to start when legacy variables and an explicit listener configuration are both present, so unset every legacy variable it names. - The
Computed configurationblock lists each listener you defined, with the ports, advertised host, routing and security protocol you intended.
DEFAULT listener (this output is from Gateway 3.20.0 and may change in later versions):
-L) to confirm the metadata response advertises the expected hostnames and ports.
Kubernetes (Helm chart)
The Conduktor Gateway Helm chart manages listener environment variables for you. From chart version 3.21.0, multi-listener mode is the default — the chart translatesgateway.listeners.* values into GATEWAY_LISTENER_<NAME>_* env vars automatically.
The chart creates two listeners — INTERNAL (cluster traffic) and EXTERNAL (client traffic, enabled via service.external.enable: true) — each with its own ports, security protocol and routing mode.
Upgrade from a chart version before 3.21.0
Previous chart versions usedgateway.portRange (which generated GATEWAY_PORT_START and GATEWAY_PORT_COUNT). On upgrade you have two options:
Option A — Preserve legacy behavior temporarily
Add gateway.portRange.enable: true to keep the old single-listener mode while you plan the migration:
gateway.portRange with gateway.listeners. The migration depends on your routing mode.
- Port routing
- SNI routing
Helm values to listener variable mapping
The chart translates thesevalues.yaml paths into the listener env vars from the mapping table above:
| Helm value | Generated env var |
|---|---|
gateway.securityMode | GATEWAY_SECURITY_MODE |
gateway.aclEnabled | GATEWAY_ACL_ENABLED |
gateway.listeners.<name>.securityProtocol | GATEWAY_LISTENER_<NAME>_SECURITY_PROTOCOL |
gateway.listeners.<name>.routing | GATEWAY_LISTENER_<NAME>_ROUTING |
gateway.listeners.<name>.ports | GATEWAY_LISTENER_<NAME>_PORTS |
gateway.listeners.<name>.advertisedHost | GATEWAY_LISTENER_<NAME>_ADVERTISED_HOST |
gateway.listeners.<name>.advertisedHostPattern | GATEWAY_LISTENER_<NAME>_ADVERTISED_HOST_PATTERN |
gateway.listeners.<name>.bootstrapHostPattern | GATEWAY_LISTENER_<NAME>_BOOTSTRAP_HOST_PATTERN |
gateway.listeners.<name>.sslClientAuth | GATEWAY_LISTENER_<NAME>_SSL_CLIENT_AUTH |
<name> is internal or external in values, mapped to INTERNAL or EXTERNAL in the env var.
Verify the Helm upgrade
Preview the manifest changes before applying:Computed configuration block lists your expected listeners.
Clean up
After confirming the new config works, remove these legacy keys fromgateway.env in your values file:
GATEWAY_SECURITY_PROTOCOLGATEWAY_ROUTING_MECHANISMGATEWAY_ADVERTISED_HOSTGATEWAY_ADVERTISED_HOST_PREFIXGATEWAY_SNI_HOST_SEPARATORGATEWAY_ADVERTISED_SNI_PORT
gateway.portRange entirely.
Related resources
- Legacy network configuration — how the deprecated mode behaves and the full variable reference
- Configure Gateway listeners
- Configure Gateway listener security
- Migrate security mode (v3.10–3.19) — migrate from the deprecated
DELEGATED_*security protocols