Kong Event Gateway changelog

Changelog for supported Kong Event Gateway versions.

1.2.0

Release date: 2026/06/29

Deprecations & Behavior Changes

  • Per-policy *.attempts metrics deprecated: kong.keg.kafka.decrypt.attempts, kong.keg.kafka.encrypt.attempts, kong.keg.kafka.kscheme.attempts, and kong.keg.kafka.schema.validation.attempts are deprecated. Use the unified kong.keg.kafka.policy.invocations metric instead.
  • kong/sverr-{part} header deprecated: The schema_validation policy’s kong/sverr-{part} header is deprecated. Use kong/policy-failure-{konnect_id} instead, which carries the reason for the policy failure.
  • kong.keg.konnect.analytics.bytes.sent deprecated: Replaced by kong.keg.konnect.analytics.sent, since the standard unit By belongs in metric metadata rather than the metric name. The replacement counter is emitted alongside the deprecated one during the migration window.
  • kong.keg.result now always reflects the real policy result: Previously this label kong.keg.kafka.policy.invocations reported success even when a policy failed under the mark, skip, or passthrough failure modes. These invocations now report kong.keg.result=fail. Use the kong.keg.failure_mode label if you want to ignore failures handled by those modes.
  • Missing fields in parsed-record CEL expressions are now absent rather than null: Paths like record.value.content[...] that do not exist are no longer placed in the context map, while explicit null values remain present. Use '<path>' in record.value.content to check for a field before reading or comparing it.

Features

  • Topic aliases: Virtual clusters can now expose backend Kafka topics under different client-facing names. Clients see the alias while Event Gateway transparently routes requests to the original backend topic. This lets you rename topics for clients without changing client configuration, or provide multiple names for the same backend topic.
  • Encrypt Fields policy: A new produce phase policy that encrypts fields of schema-validated Kafka messages using AES-256-GCM before they reach the backend cluster.
  • Decrypt Fields policy: A new consume phase policy that decrypts fields of Kafka messages that were previously encrypted using a referenced key. Use it together with the Encrypt Fields policy to enforce consistent encryption standards across clients.
  • Kong Identity principal metadata: After a client authenticates, the gateway can fetch the principal’s metadata from Kong Identity and expose it as auth.principal.id.
  • Schema metadata in the CEL context: Schema metadata is now exposed in the parsed-record CEL context, enabling expressions that reason about a record’s schema in addition to its contents.
  • Unified policy failure modes: Failure-mode handling is now consistent across all policies, including a new mark mode and a passthrough action for schema validation, giving you predictable control over what happens when a policy fails.
  • Consumer group administration support: ACL handling now supports consumer group heartbeat and describe operations, and consumer group names are rewritten consistently for namespaced virtual clusters.
  • Observability aligned with OpenTelemetry conventions: Signals, labels, and metric names were aligned with conventions. Adds virtual cluster authentication observability, additional authentication metrics, and a result label on policy invocations.
  • Analytics: error codes and queue visibility: Analytics events now carry the request error code (reporting the lowest/most significant code), and the analytics pipeline logs when its queue fills and drains.
  • ca_bundle no longer requires base64 encoding: Backend cluster ca_bundle values can now be provided directly without base64 encoding.

Fixes

  • Consumer group admin APIs were broken: Admin calls returned empty members and the API 69 request timed out. Consumer group handling was reworked and unsupported APIs removed.
  • Snappy records failed to decompress with an encryption policy applied: The gateway now correctly decompresses Snappy-compressed records when an encryption policy is in effect.
  • acl_mode hot reload had no effect: Switching the ACL mode at runtime is now applied without a restart.
  • Schema Registry cache poisoned on transient failures: A transient Schema Registry error could be cached and served indefinitely. Retriable errors are now evicted from the cache instead of being persisted.
  • Clearer logging when a client disconnects before authenticating: Connections that close before or during authentication now produce accurate, actionable log messages.

1.1.1

Release date: 2026/06/16

Fixes

  • Updated vulnerable dependencies and container base images: Refreshed the runtime distroless base (patched OpenSSL/glibc) and removed the legacy rustls/rustls-webpki stack, clearing the outstanding advisories.
  • Bumped aws-lc-sys / aws-lc-rs: Pulled in the fixed AWS-LC bindings (RUSTSEC-2026-0044, -0048).
  • Namespacing: consumer group rewrite: Corrects how consumer group identifiers are rewritten when proxying, so group operations resolve to the right backend.
  • ACLs: drop unsupported APIs: Removes Kafka APIs that aren’t supported under ACL handling, avoiding incorrect authorization behavior.
  • Snappy decompression under encryption policies: In some rare cases, raw (non-xerial-framed) Snappy records caused the gateway to fail with a snappy: corrupt input error when an encryption policy was applied on the produce chain and the producer’s compression was set to Snappy.

1.1.0

Release date: 2026/03/25

Breaking Changes

  • Observability stack migrated to OpenTelemetry: All metrics, traces, and logs now use OpenTelemetry-native naming. Prometheus is still enabled by default but metric names, attribute keys, and duration units (all now in seconds) have changed. If you have dashboards or alerts based on previous metric names, you will need to update them. See the breaking changes entry for metrics naming for more details.
  • Environment variable names changed: Legacy Konnect bootstrap environment variables are no longer supported. The variables now have a KONG_ prefix. The gateway now logs a clear message indicating which variables to migrate if old-style names are detected:

      KONNECT_REGION -> KONG_KONNECT_REGION
      KONNECT_DOMAIN -> KONG_KONNECT_DOMAIN
      KONNECT_GATEWAY_CLUSTER_ID -> KONG_KONNECT_GATEWAY_CLUSTER_ID
      KONNECT_API_REQUEST_TIMEOUT -> KONG_KONNECT_API_REQUEST_TIMEOUT
      KONNECT_INSECURE_SKIP_VERIFY -> KONG_KONNECT_INSECURE_SKIP_VERIFY
      KONNECT_CLIENT_CERT -> KONG_KONNECT_CLIENT_CERT
      KONNECT_CLIENT_CERT_PATH -> KONG_KONNECT_CLIENT_CERT_PATH
      KONNECT_CLIENT_KEY -> KONG_KONNECT_CLIENT_KEY
      KONNECT_CLIENT_KEY_PATH -> KONG_KONNECT_CLIENT_KEY_PATH

    See the Event Gateway configuration reference for all environment variable options.

Features

  • Minimum runtime version: Event gateway control planes can now be configured to enforce a minimum version on connecting nodes. Some features are gated behind this setting because they depend on support in the data plane node.
  • mTLS to backend Kafka clusters: You can now configure mutual TLS authentication between the gateway and your backend Kafka clusters, enabling encrypted and authenticated connections to brokers.
  • mTLS between clients and the gateway: Clients can now authenticate to the gateway using TLS client certificates. Supports principal mapping to extract identity information from certificates for use in authorization policies.
  • JWT claims in ACL expressions: OAuth/JWT claims are now available in the authentication context and can be used in resource_names expressions on ACL rules, enabling dynamic, claim-based access control per topic.
  • Improved policy failure observability: Policy evaluation errors (CEL, schema validation, encryption) now emit detailed metrics and logs with sampling, making it easier to diagnose why requests are being rejected without overwhelming your logging pipeline.
  • Header modification policy: A new policy execution model is now available for header modification policies, providing a more flexible and extensible approach to transforming Kafka request and response headers.
  • Backend clusters sharing SNI suffix: Multiple backend clusters can now share a common SNI suffix, simplifying TLS configuration when clusters are behind a shared domain.
  • Analytics for record count and message size: Analytics events now include the number of records and byte sizes, giving you more granular visibility into traffic patterns in the Konnect analytics dashboard.
  • Long polling for control plane configuration: The gateway now supports long polling when fetching configuration from the Konnect control plane, reducing latency for configuration updates.
  • Enhanced validate subcommand: The validate CLI command now performs more thorough validation of your configuration, catching additional issues before startup.
  • Configuration change observability: Changes to the gateway’s configuration (from the control plane or bootstrap) are now logged with details about what changed, making it easier to audit and debug configuration drift.

Fixes

  • Expressions using the in operator failed to parse: ACL expressions containing the in keyword were incorrectly parsed by a regex-based parser. Switched to AST-based parsing to handle all valid expression syntax.
  • Cryptic validation errors when environment variables resolved to empty strings: Setting an env var reference (e.g., for SASL credentials) to an empty value produced an unhelpful error like virtual_clusters.demo[1].auth.password: length is lower than 1. Empty values are now caught at resolution time with a clear error message.
  • Analytics payloads were double-compressed: Analytics data sent to Konnect was being compressed twice, causing the backend to fail to decode it. Also fixed the healthcheck ping interval (was 5s, now uses the configured value).
  • ACL default policy had no name in observability data: Metrics and logs for the built-in default ACL policy were missing a policy name, making it difficult to distinguish from other policies in dashboards. Default policies now use the __internal prefix.
  • Principal information missing for unauthenticated requests: When running without authentication, the auth.type and auth.principal.name context values were not set, which could cause downstream policies or analytics to behave unexpectedly.
  • Traces showed a misleading gap before authentication: Request traces appeared to show a large delay before authentication started, but this was caused by the trace span starting before the full request was received. Traces now begin after the request is fully read.

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!