Confluent Private Cloud Gateway Release Notes

This topic summarizes the technical details of the Confluent Private Cloud Gateway releases.

Confluent Private Cloud Gateway 1.3.0 Release Notes

This release introduces the following new features, enhancements, and bug fixes:

New features

Centralized governance enforcement with Confluent Gateway (Early Access)

Confluent Private Cloud Gateway now validates messages and enforces data contracts centrally with Confluent Schema Registry, ensuring only compliant records reach your Kafka clusters. Enforcing policies at Confluent Gateway reduces the data-cleansing burden on downstream consumers.

  • Four enforcement policy types: Configure independent enforcement policies for record keys and values across four distinct policy types: Schema ID enforcement, deep schema validation, field-level encryption, and full payload encryption for records that use Apache Avro®, JSON Schema, or Protobuf.

  • Per-topic overrides: Apply specific enforcement policies to individual topics to accommodate varying workload requirements.

To learn how to configure and use this feature, see Enforce Data Governance Centrally with Confluent Gateway.

Note

During the Early Access period, this feature supports Docker-based deployments only. Configuration schemas, including property names, enforcement levels, and YAML structure, are subject to change before General Availability (GA) and might not be backward compatible.

Enhancements

OAuth-to-OAuth authentication swapping support

Confluent Gateway now supports SASL/OAUTHBEARER as a client authentication mechanism for authentication swapping. This enables OAuth-to-OAuth swapping between two different identity providers for secure client access.

For more information, see Authentication swapping.

CyberArk Conjur secret store support

Confluent Private Cloud Gateway now supports CyberArk Conjur as a secret store provider.

For more information about configuring CyberArk Conjur, see CyberArk Conjur Secret Store.

Fencing filter processing order change

Confluent Gateway now processes fencing filter requests before the authentication swap filter, so that clients receive a BROKER_NOT_AVAILABLE error immediately when a request is fenced. This change in the processing order speeds up troubleshooting and provides clearer visibility into the route status. For more information, see Fencing filter.

Note

This update changes the processing sequence only and does not alter any core functional behavior of Confluent Gateway.

Bug fixes

SCRAM-to-NONE authentication

Confluent Gateway now correctly resolves the configured secret store when swapping from SASL/SCRAM client authentication to NONE cluster authentication. For more information, see Configure authentication swapping mode.

Confluent Private Cloud Gateway 1.2.0 Release Notes

This release introduces the following new features and improvements:

  • SASL/SCRAM authentication for secure client-to-Confluent Gateway communication. For more information, see Authentication for Gateway.

  • NONE authentication method for:

    • Disabling client-to-Confluent Gateway or Confluent Gateway-to-cluster authentication.

    • Supporting authentication swapping between NONE and SASL mechanisms.

    For more information, see Configure authentication swapping mode.

  • Fencing filter to control and restrict client access based on specific criteria. For more information, see Fencing filter.

  • librdkafka client support for versions 2.0.0 through 2.13.0.

Confluent Private Cloud Gateway 1.1.0 Release Notes

This release introduces license management for Confluent Private Cloud Gateway (Confluent Gateway).

Confluent Gateway now supports two license modes:

  • Trial mode (default) - No license required, and Confluent Gateway starts automatically in the trial mode.

  • Enterprise mode for Confluent Gateway - A valid Confluent Private Cloud license is required to have access to the full functionality of Confluent Gateway.

To learn about license details and configuration, see Configure License using Docker or Configure License using Confluent for Kubernetes.

Confluent Private Cloud Gateway 1.0.0 Release Notes

Confluent Private Cloud Gateway (Confluent Gateway), part of the core Confluent offering Confluent Private Cloud, is an enterprise-grade, stateless, self-managed, on-premises solution. It is Kafka protocol-aware and helps decouple your client applications from the underlying streaming infrastructure.

Major features and highlights

Confluent Gateway is a Kafka protocol-aware proxy positioned between clients and clusters for stateless routing. The first release of Confluent Gateway offers the following features:

  • Enables operational governance and seamless migrations (blue-green upgrades, disaster recovery switch-overs) without client modifications.

  • Facilitates secure external partner access with public endpoints for private Kafka clusters exposure, authentication swapping, and advanced traffic controls.

  • Supports customizable routing and streaming domains.

  • Supports multiple combinations of authentication swapping with secure credential storage and retrieval.

Resources and examples