From 7cd48b2b5ac927ad9072b0a795c28326cdbfb9ec Mon Sep 17 00:00:00 2001 From: lena-larionova Date: Thu, 18 Jun 2026 11:39:08 -0700 Subject: [PATCH 1/6] draft of changelog for 1.2 --- app/event-gateway/changelog.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/app/event-gateway/changelog.md b/app/event-gateway/changelog.md index 641ca4ebaa..9260be02af 100644 --- a/app/event-gateway/changelog.md +++ b/app/event-gateway/changelog.md @@ -14,6 +14,24 @@ tags: Changelog for supported {{site.event_gateway}} versions. +## 1.2.0 + +**Release date**: TBA + +### Features + +- **Topic aliases**: Virtual clusters can now expose backend Kafka topics under different client-facing names. +Clients see the alias while {{site.event_gateway_short}} transparently routes requests to the original backend topic. +This lets you rename topics for clients without changing client configuration, or provide multiple names for the same backend topic. + - [Virtual cluster reference: Topic aliases](/event-gateway/entities/virtual-cluster/#topic-aliases) + - [How-to: Configure topic aliases](/event-gateway/configure-topic-aliases/) +- **Encrypt Fields policy**: A new produce-phase policy that encrypts fields of schema-validated Kafka messages using AES-256-GCM before they reach the backend cluster. + - [Encrypt Fields policy reference](/event-gateway/policies/encrypt-fields/) +- **Decrypt Fields policy**: A new consume-phase policy that decrypts fields of Kafka messages that were previously encrypted using a referenced key. +Use together with the Encrypt Fields policy to enforce consistent encryption standards across clients. + - [Decrypt Fields policy reference](/event-gateway/policies/decrypt-fields/) + - [How-to: Encrypt and decrypt Kafka message fields](/event-gateway/encrypt-kafka-message-fields-with-event-gateway/) + ## 1.1.0 **Release date**: 2026/03/25 From e56402c3c9d54af07bea1b73f7a098c04e0454d5 Mon Sep 17 00:00:00 2001 
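Review bot: The "Encrypt Fields policy" entry names the cipher (AES-256-GCM) but says nothing about where the key comes from, while the "Decrypt Fields policy" entry right below it talks about "a referenced key"; align the two so a reader learns from the changelog that both policies operate on a referenced key object rather than an inline secret. The "**Release date**: TBA" placeholder also needs a real date before this section is published.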
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com> Date: Thu, 18 Jun 2026 11:44:58 -0700 Subject: [PATCH 2/6] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- app/event-gateway/changelog.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/event-gateway/changelog.md b/app/event-gateway/changelog.md index 9260be02af..d9bc4b62a8 100644 --- a/app/event-gateway/changelog.md +++ b/app/event-gateway/changelog.md 
@@ -25,10 +25,10 @@ Clients see the alias while {{site.event_gateway_short}} transparently routes re This lets you rename topics for clients without changing client configuration, or provide multiple names for the same backend topic. - [Virtual cluster reference: Topic aliases](/event-gateway/entities/virtual-cluster/#topic-aliases) - [How-to: Configure topic aliases](/event-gateway/configure-topic-aliases/) -- **Encrypt Fields policy**: A new produce-phase policy that encrypts fields of schema-validated Kafka messages using AES-256-GCM before they reach the backend cluster. +- **Encrypt Fields policy**: A new produce phase policy that encrypts fields of schema-validated Kafka messages using AES-256-GCM before they reach the backend cluster. - [Encrypt Fields policy reference](/event-gateway/policies/encrypt-fields/) -- **Decrypt Fields policy**: A new consume-phase policy that decrypts fields of Kafka messages that were previously encrypted using a referenced key. -Use together with the Encrypt Fields policy to enforce consistent encryption standards across clients. +- **Decrypt Fields policy**: A new consume phase policy that decrypts fields of Kafka messages that were previously encrypted using a referenced key. +Use it together with the Encrypt Fields policy to enforce consistent encryption standards across clients. - [Decrypt Fields policy reference](/event-gateway/policies/decrypt-fields/) - [How-to: Encrypt and decrypt Kafka message fields](/event-gateway/encrypt-kafka-message-fields-with-event-gateway/) From dd98b284b6928307563fd0501e92892d1e0603ff Mon Sep 17 00:00:00 2001 From: jxs Date: Thu, 25 Jun 2026 14:00:52 +0200 Subject: [PATCH 3/6] update changelog --- app/event-gateway/changelog.md | 50 +++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/app/event-gateway/changelog.md b/app/event-gateway/changelog.md index d9bc4b62a8..f57445537e 100644 --- a/app/event-gateway/changelog.md 
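Review bot: Dropping the hyphens turns "produce-phase policy" and "consume-phase policy" into noun strings ("produce phase policy"); the hyphenated form is the compound modifier and reads correctly, so I would keep it unless the site's Vale rules explicitly forbid it. The "Use it together with" wording change in the same hunk is fine.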
+++ b/app/event-gateway/changelog.md @@ -18,6 +18,16 @@ Changelog for supported {{site.event_gateway}} versions. **Release date**: TBA +### **Deprecations & Behavior Changes** + +- **Per-policy `*.attempts` metrics deprecated**: `kong.keg.kafka.decrypt.attempts`, `kong.keg.kafka.encrypt.attempts`, `kong.keg.kafka.kscheme.attempts`, and `kong.keg.kafka.schema.validation.attempts` are deprecated. Use the unified `kong.keg.kafka.policy.invocations` metric instead. +- **`kong/sverr-{part}` header deprecated**: The `schema_validation` policy's `kong/sverr-{part}` header is deprecated. Use `kong/policy-failure-{konnect_id}` instead, which carries the reason for the policy failure. +- **`kong.keg.konnect.analytics.bytes.sent` deprecated**: Replaced by `kong.keg.konnect.analytics.sent`, since the standard unit `By` belongs in metric metadata rather than the metric name. The replacement counter is emitted alongside the deprecated one during the migration window. +- **`kong.keg.result` now always reflects the real policy result**: Previously this label `kong.keg.kafka.policy.invocations` reported `success` even when a policy failed under the +`mark`, `skip`, or `passthrough` failure modes. These invocations now report `kong.keg.result=fail`. Use the `kong.keg.failure_mode` label if you want to ignore failures handled by those modes. +- **Missing fields in parsed-record CEL expressions are now absent rather than null**: Paths like `record.value.content[...]` that do not exist are no longer placed in the context map, +while explicit `null` values remain present. Use `'' in record.value.content` to check for a field before reading or comparing it. + ### Features - **Topic aliases**: Virtual clusters can now expose backend Kafka topics under different client-facing names. 
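Review bot: The `kong.keg.result` entry misidentifies what is label and what is metric: "Previously this label `kong.keg.kafka.policy.invocations` reported `success`" should read "Previously the `kong.keg.result` label on `kong.keg.kafka.policy.invocations` reported `success`". Because this is a behaviour change, it should also state the operational consequence plainly: any alert or dashboard keyed on `kong.keg.result=fail` will now also count failures handled by the `mark`, `skip`, and `passthrough` modes, and must filter on `kong.keg.failure_mode` if it is meant to fire only on blocked requests. Two smaller points: the CEL example `'' in record.value.content` has an empty string where the field name belongs, so use a visible placeholder such as `'field_name' in record.value.content`; and the three deprecation entries say the old metrics and header still exist "during the migration window" without saying which release removes them.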
@@ -31,6 +41,26 @@ This lets you rename topics for clients without changing client configuration, o Use it together with the Encrypt Fields policy to enforce consistent encryption standards across clients. - [Decrypt Fields policy reference](/event-gateway/policies/decrypt-fields/) - [How-to: Encrypt and decrypt Kafka message fields](/event-gateway/encrypt-kafka-message-fields-with-event-gateway/) +- **Kong Identity principal metadata**: After a client authenticates, the gateway can fetch the principal's metadata from Kong Identity and expose it as auth.principal.id +- **Schema metadata in the CEL context**: Schema metadata is now exposed in the parsed-record CEL context, enabling expressions that reason about a record's schema in addition to its contents. +- **Unified policy failure modes**: Failure-mode handling is now consistent across all policies, including a new `mark` mode and a `passthrough` action for schema validation, giving you predictable control over what happens when a policy fails. +- **Consumer group administration support**: ACL handling now supports consumer group heartbeat and describe operations, and consumer group names are rewritten consistently for namespaced virtual clusters. +- **Observability aligned with OpenTelemetry conventions**: Signals, labels, and metric names were aligned with conventions. Adds virtual cluster authentication observability, additional authentication metrics, and a `result` label on policy invocations. +- **Analytics: error codes and queue visibility**: Analytics events now carry the request error code (reporting the lowest/most significant code), and the analytics pipeline logs when its queue fills and drains. +- **`ca_bundle` no longer requires base64 encoding**: Backend cluster `ca_bundle` values can now be provided directly without base64 encoding. + +### Bug Fixes + +- **Consumer group admin APIs were broken**: Admin calls returned empty members and the API 69 request timed out. 
Consumer group handling was reworked and unsupported APIs removed. +- **Snappy records failed to decompress with an encryption policy applied**: The gateway now correctly decompresses Snappy-compressed records when an encryption policy is in effect. +- **`acl_mode` hot reload had no effect**: Switching the ACL mode at runtime is now applied without a restart. +- **Schema Registry cache poisoned on transient failures**: A transient Schema Registry error could be cached and served indefinitely. Retriable errors are now evicted from the cache instead of being persisted. +- **Secrets and static keys were logged**: Static keys and other secret material are no longer written to logs. +- **KScheme failures were logged once per record**: Noisy per-record logging was fixed, and KScheme panics are now caught instead of taking down request handling. +- **Principal metadata was logged**: The gateway no longer logs principal metadata or JWT claims. +- **Misleading errors when fetching a principal**: Invalid or failed principal fetches now return a clear, correct error. +- **Clearer logging when a client disconnects before authenticating**: Connections that close before or during authentication now produce accurate, actionable log messages. + ## 1.1.0 
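Review bot: The fixes "Secrets and static keys were logged" and "Principal metadata was logged" describe key material and JWT claims reaching the log stream, and a one-line "no longer written to logs" does not give operators enough to act on; each entry should name the affected versions and say what a deployment on those versions should do (treat logs written by them as containing secrets, restrict or purge them, and rotate the static keys that may have been logged). In the same hunk, "the API 69 request timed out" exposes a Kafka API key number that readers will not recognise; name the request type instead (ConsumerGroupDescribe, if that is the request meant). The "Kong Identity principal metadata" line is also missing code formatting around `auth.principal.id` and its closing period.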
@@ -43,23 +73,23 @@ See the [breaking changes entry for metrics naming](/event-gateway/breaking-chan - **Environment variable names changed**: Legacy Konnect bootstrap environment variables are no longer supported. The variables now have a `KONG_` prefix. The gateway now logs a clear message indicating which variables to migrate if old-style names are detected: ``` - KONNECT_REGION -> KONG_KONNECT_REGION - KONNECT_DOMAIN -> KONG_KONNECT_DOMAIN - KONNECT_GATEWAY_CLUSTER_ID -> KONG_KONNECT_GATEWAY_CLUSTER_ID - KONNECT_API_REQUEST_TIMEOUT -> KONG_KONNECT_API_REQUEST_TIMEOUT - KONNECT_INSECURE_SKIP_VERIFY -> KONG_KONNECT_INSECURE_SKIP_VERIFY - KONNECT_CLIENT_CERT -> KONG_KONNECT_CLIENT_CERT - KONNECT_CLIENT_CERT_PATH -> KONG_KONNECT_CLIENT_CERT_PATH - KONNECT_CLIENT_KEY -> KONG_KONNECT_CLIENT_KEY + KONNECT_REGION -> KONG_KONNECT_REGION + KONNECT_DOMAIN -> KONG_KONNECT_DOMAIN + KONNECT_GATEWAY_CLUSTER_ID -> KONG_KONNECT_GATEWAY_CLUSTER_ID + KONNECT_API_REQUEST_TIMEOUT -> KONG_KONNECT_API_REQUEST_TIMEOUT + KONNECT_INSECURE_SKIP_VERIFY -> KONG_KONNECT_INSECURE_SKIP_VERIFY + KONNECT_CLIENT_CERT -> KONG_KONNECT_CLIENT_CERT + KONNECT_CLIENT_CERT_PATH -> KONG_KONNECT_CLIENT_CERT_PATH + KONNECT_CLIENT_KEY -> KONG_KONNECT_CLIENT_KEY KONNECT_CLIENT_KEY_PATH -> KONG_KONNECT_CLIENT_KEY_PATH ``` - + See the [{{site.event_gateway_short}} configuration reference](/event-gateway/configuration/) for all environment variable options. ### Features - **Minimum runtime version**: Event gateway control planes can now be configured to enforce a minimum version on connecting nodes. Some features are gated behind this setting because they depend on support in the data plane node. -- **mTLS to backend Kafka clusters**: You can now configure mutual TLS authentication between the gateway and your backend Kafka clusters, enabling encrypted and authenticated connections to brokers. 
+- **mTLS to backend Kafka clusters**: You can now configure mutual TLS authentication between the gateway and your backend Kafka clusters, enabling encrypted and authenticated connections to brokers. - [How-to: Authenticate {{site.event_gateway}} connections to Kafka using mTLS](/event-gateway/configure-mtls-backend-cluster-auth/) - [Backend cluster reference](/event-gateway/entities/backend-cluster/) - **mTLS between clients and the gateway**: Clients can now authenticate to the gateway using TLS client certificates. Supports principal mapping to extract identity information from certificates for From 601ff6fbeb274f921226cc9025334d34624025c9 Mon Sep 17 00:00:00 2001 From: Joshua Schmid Date: Thu, 25 Jun 2026 15:38:51 +0200 Subject: [PATCH 4/6] Update changelog for version 1.2.0 --- app/event-gateway/changelog.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/app/event-gateway/changelog.md b/app/event-gateway/changelog.md index f57445537e..0dcabf5408 100644 --- a/app/event-gateway/changelog.md +++ b/app/event-gateway/changelog.md 
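Review bot: This hunk is whitespace-only (the eight `KONNECT_*` lines inside the fenced block are re-indented, plus a trailing-space change on the blank line and on the mTLS bullet), but the ninth line, `KONNECT_CLIENT_KEY_PATH -> KONG_KONNECT_CLIENT_KEY_PATH`, is left as unchanged context with its original indentation, so the rendered block ends up with one line indented differently from the rest. Either re-indent that line as well or drop the whitespace churn from a commit titled "update changelog".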
@@ -55,10 +55,6 @@ Use it together with the Encrypt Fields policy to enforce consistent encryption - **Snappy records failed to decompress with an encryption policy applied**: The gateway now correctly decompresses Snappy-compressed records when an encryption policy is in effect. - **`acl_mode` hot reload had no effect**: Switching the ACL mode at runtime is now applied without a restart. - **Schema Registry cache poisoned on transient failures**: A transient Schema Registry error could be cached and served indefinitely. Retriable errors are now evicted from the cache instead of being persisted. -- **Secrets and static keys were logged**: Static keys and other secret material are no longer written to logs. -- **KScheme failures were logged once per record**: Noisy per-record logging was fixed, and KScheme panics are now caught instead of taking down request handling. -- **Principal metadata was logged**: The gateway no longer logs principal metadata or JWT claims. -- **Misleading errors when fetching a principal**: Invalid or failed principal fetches now return a clear, correct error. - **Clearer logging when a client disconnects before authenticating**: Connections that close before or during authentication now produce accurate, actionable log messages. From 8736cbca09c23b6f1604be95d1e81b473cd4b356 Mon Sep 17 00:00:00 2001 From: Angel Date: Thu, 25 Jun 2026 12:30:04 -0400 Subject: [PATCH 5/6] vale --- .github/styles/base/Dictionary.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/styles/base/Dictionary.txt b/.github/styles/base/Dictionary.txt index ec56ab0427..027073516e 100644 --- a/.github/styles/base/Dictionary.txt +++ b/.github/styles/base/Dictionary.txt @@ -661,6 +661,7 @@ resourceVersion response_format resty Resync +Retriable retryOn reusability rockspec From 0ceffce79d086904dff64747a4c6031a848491e0 Mon Sep 17 00:00:00 2001 
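Review bot: This hunk deletes the four fix entries covering secrets and static keys in logs, KScheme per-record logging and panics, principal metadata and JWT claims in logs, and misleading principal-fetch errors, and the commit message "Update changelog for version 1.2.0" gives no reason. If those fixes did not ship in 1.2.0, say so in the commit message so nobody restores them; if they did ship, they are the entries operators most need to see and should stay, since the logging fixes are the only signal that earlier versions wrote key material and claims to logs.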
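Review bot: Adding `Retriable` to the Vale dictionary only serves the single "Retriable errors are now evicted" sentence in the changelog; the neighbouring `retryOn` entry suggests the codebase already uses the "retry" spelling, so check whether "retryable" is the established form before the dictionary ends up accepting both.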
From: Angel Date: Thu, 25 Jun 2026 12:38:24 -0400 Subject: [PATCH 6/6] style --- app/event-gateway/changelog.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/event-gateway/changelog.md b/app/event-gateway/changelog.md index 0dcabf5408..9589eec827 100644 --- a/app/event-gateway/changelog.md +++ b/app/event-gateway/changelog.md @@ -18,7 +18,7 @@ Changelog for supported {{site.event_gateway}} versions. **Release date**: TBA -### **Deprecations & Behavior Changes** +### Deprecations & Behavior Changes - **Per-policy `*.attempts` metrics deprecated**: `kong.keg.kafka.decrypt.attempts`, `kong.keg.kafka.encrypt.attempts`, `kong.keg.kafka.kscheme.attempts`, and `kong.keg.kafka.schema.validation.attempts` are deprecated. Use the unified `kong.keg.kafka.policy.invocations` metric instead. - **`kong/sverr-{part}` header deprecated**: The `schema_validation` policy's `kong/sverr-{part}` header is deprecated. Use `kong/policy-failure-{konnect_id}` instead, which carries the reason for the policy failure. 
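Review bot: Removing the bold markers from the `###` heading is right, since a heading should not carry inline emphasis. While touching it, confirm that "Deprecations & Behavior Changes" is the exact wording the 1.1.0 section uses for the same kind of list, because the generated anchor is derived from the heading text and a differing form breaks links such as the "breaking changes entry for metrics naming" reference visible in the 1.1.0 context.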
@@ -41,7 +41,7 @@ This lets you rename topics for clients without changing client configuration, o Use it together with the Encrypt Fields policy to enforce consistent encryption standards across clients. - [Decrypt Fields policy reference](/event-gateway/policies/decrypt-fields/) - [How-to: Encrypt and decrypt Kafka message fields](/event-gateway/encrypt-kafka-message-fields-with-event-gateway/) -- **Kong Identity principal metadata**: After a client authenticates, the gateway can fetch the principal's metadata from Kong Identity and expose it as auth.principal.id +- **Kong Identity principal metadata**: After a client authenticates, the gateway can fetch the principal's metadata from Kong Identity and expose it as `auth.principal.id`. - **Schema metadata in the CEL context**: Schema metadata is now exposed in the parsed-record CEL context, enabling expressions that reason about a record's schema in addition to its contents. - **Unified policy failure modes**: Failure-mode handling is now consistent across all policies, including a new `mark` mode and a `passthrough` action for schema validation, giving you predictable control over what happens when a policy fails. - **Consumer group administration support**: ACL handling now supports consumer group heartbeat and describe operations, and consumer group names are rewritten consistently for namespaced virtual clusters. 
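Review bot: The code formatting and period on `auth.principal.id` are good, but the sentence still says the gateway exposes the principal's metadata "as `auth.principal.id`", which names a single identifier while the bullet title promises "principal metadata"; clarify whether only the id is exposed or a metadata object under `auth.principal` of which `id` is one field, so readers writing CEL expressions know what to reference.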
@@ -49,7 +49,7 @@ Use it together with the Encrypt Fields policy to enforce consistent encryption - **Analytics: error codes and queue visibility**: Analytics events now carry the request error code (reporting the lowest/most significant code), and the analytics pipeline logs when its queue fills and drains. - **`ca_bundle` no longer requires base64 encoding**: Backend cluster `ca_bundle` values can now be provided directly without base64 encoding. -### Bug Fixes +### Fixes - **Consumer group admin APIs were broken**: Admin calls returned empty members and the API 69 request timed out. Consumer group handling was reworked and unsupported APIs removed. - **Snappy records failed to decompress with an encryption policy applied**: The gateway now correctly decompresses Snappy-compressed records when an encryption policy is in effect.
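Review bot: Renaming "Bug Fixes" to "Fixes" changes the heading anchor from `#bug-fixes` to `#fixes`; make sure the 1.1.0 and earlier sections use "Fixes" as well and that no page links to the old anchor, otherwise the rename trades one inconsistency for another.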