
Outage in Kong

Konnect Control Plane Default Changes due to 3.14 Release and Secure by Default

Resolved Major
April 08, 2026 - Started 4 days ago - Lasted about 5 hours
Official incident page

Incident Report

Summary AI Generated

Kong's 3.14 release introduced "secure by default" changes that caused plugin configuration defaults for ssl_verify and hide_credentials to flip from false to true, breaking existing configurations for customers using deck sync without explicitly defining these values. This affected numerous plugins including authentication, AI, logging, and proxy plugins, causing unexpected behavior changes when configurations were updated. Kong resolved the incident by rolling back to the original default values after 5.3 hours.

Components affected
Kong Konnect Cloud

Latest Updates ( sorted recent to last )
RESOLVED 4 days ago - at 04/08/2026 09:33PM

We have completed the rollback to the original default values. Customers applying their configurations without explicitly defining ssl_verify and hide_credentials will default to `false` again.

IDENTIFIED 4 days ago - at 04/08/2026 04:20PM

The issue has been identified and a fix is being implemented.

INVESTIGATING 4 days ago - at 04/08/2026 04:20PM

With the release of 3.14 and changes to default security settings for Kong’s secure by default initiatives, Konnect customers running dataplanes less than 3.14 and updating certain plugins without providing overrides to the new defaults began experiencing the following issues:


Konnect would begin reporting that a default had been overridden that did not apply to the connected dataplane. This is a warning that Konnect gives when the configuration on Konnect control plane appears to have user-defined changes that do not apply to the dataplane version the customer is using. This message is provided to avoid a user configuring properties on a plugin that their dataplane would not utilize, to make it clear to users why a new field isn’t taking effect.  Since our defaults changed, this caused the reporting in some cases to see this as an ‘override’ if the configuration didn’t match the new default, causing the message.  This had no impact on dataplane configurations or behavior, but it was a confusing message, and we have removed it.



The second and more impactful issue is the updating of default values in 3.14. After the 3.14 release, some fields like ssl_verify and hide_credentials in various entities started defaulting to true instead of false. This is causing customers who run a deck sync without these fields defined to see their config values change from false to true, which is an issue. Konnect is working on rolling back to the old default values. Once the default values are restored on the API, the next time the config is updated without the default values, the previous values will be applied.

Plugins using ssl_verify:
ace
acme
ai-aws-guardrail
ai-azure-content-safety
ai-llm-as-judge
ai-proxy-advanced
ai-rag-injector
ai-rate-limiting-advanced
ai-request-transformer
ai-response-transformer
ai-semantic-cache
ai-semantic-prompt-guard
ai-semantic-response-guard
aws-lambda
azure-functions
basic-auth
confluent
confluent-consume
datakit
forward-proxy
graphql-proxy-cache-advanced
graphql-rate-limiting-advanced
header-cert-auth
http-log
jwt-signer
kafka-consume
kafka-log
kafka-upstream
ldap-auth
ldap-auth-advanced
mtls-auth
opa
openid-connect
proxy-cache-advanced
rate-limiting
rate-limiting-advanced
request-callout
response-ratelimiting
saml
service-protection
tcp-log
upstream-oauth

Plugins using hide_credentials:
Key-auth
Key-auth-enc
Basic-auth
Hmac-auth
ldap-auth
Oauth2
Oauth2-introspection
vault-auth (EE)
ldap-auth-advanced (EE)
