- Use JDK HTTP client in the Kubernetes client instead of the OkHttp client
- Add support for Kafka 3.3.2
- Support loadBalancerClass attribute in service with type loadBalancer
- Support for automatically restarting failed Connect or Mirror Maker 2 connectors
- Redesign of Strimzi User Operator to improve its scalability
- Use Java 17 as the runtime for all containers and language level for all modules except
api
,crd-generator
,crd-annotations
, andtest
- Improved FIPS (Federal Information Processing Standards) support
- Upgrade Vert.x to 4.3.5
- Moved from using the Jaeger exporter to OTLP exporter by default
- Kafka Exporter support for
Recreate
deployment strategy ImageStream
validation for Kafka Connect builds on OpenShift- Support for configuring the metadata for the Role / RoleBinding of Entity Operator
- Add liveness and readiness probes specifically for nodes running in KRaft combined mode
- Upgrade HTTP bridge to latest 0.24.0 release
- The TLS passthrough feature of the Ingress-NGINX Controller for Kubernetes is not compatible with some new TLS features supported by Java 17 such as the session tickets extension.
If you use
type: ingress
listener with enabled mTLS authentication, we recommend you to test if your clients are affected or not. If needed, you can also disable the session ticket extension in the Kafka brokers in yourKafka
custom resource by setting thejdk.tls.server.enableSessionTicketExtension
Java system property tofalse
:For more details, see kubernetes/ingress-nginx#9540.apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka metadata: # ... spec: # ... kafka: jvmOptions: javaSystemProperties: - name: jdk.tls.server.enableSessionTicketExtension value: "false" # ...
- The
UseStrimziPodSet
feature gate will move to GA in Strimzi 0.35. Support for StatefulSets will be removed from Strimzi right after the 0.34 release. Please use the Strimzi 0.33 release to test StrimziPodSets in your environment and report any major or blocking issues before the StatefulSet support is removed. - The default length of any new SCRAM-SHA-512 passwords will be 32 characters instead of 12 characters used in the previous Strimzi versions.
Existing passwords will not be affected by this change until they are regenerated (for example because the user secret is deleted).
If you want to keep using the original password length, you can set it using the
STRIMZI_SCRAM_SHA_PASSWORD_LENGTH
environment variable in.spec.entityOperator.template.userOperatorContainer.env
in theKafka
custom resource or in theDeployment
of the standalone User Operator.userOperatorContainer: env: - name: STRIMZI_SCRAM_SHA_PASSWORD_LENGTH value: "12"
- In previous versions, the
ssl.secure.random.implementation
option in Kafka brokers was always set toSHA1PRNG
. From Strimzi 0.33 on, it is using the default SecureRandom implementation from the Java Runtime. If you want to keep usingSHA1PRNG
as your SecureRandom, you can configure it in.spec.kafka.config
in yourKafka
custom resource. - Support for JmxTrans in Strimzi is deprecated. It is currently planned to be removed in Strimzi 0.35.0.
- Support for
type: jaeger
tracing based on Jaeger clients and OpenTracing API was deprecated in the Strimzi 0.31 release. As the Jaeger clients are retired and the OpenTracing project is archived, we cannot guarantee their support for future versions. In Strimzi 0.32 and 0.33, we added support for OpenTelemetry tracing as a replacement. If possible, we will maintain the support fortype: jaeger
tracing until June 2023 and remove it afterwards. Please migrate to OpenTelemetry as soon as possible. - When OpenTelemetry is enabled for tracing, starting from this release, the operator configures the OTLP exporter instead of the Jaeger one by default.
The Jaeger exporter is even not included in the Kafka images anymore, so if you want to use it you have to add the binary by yourself.
The
OTEL_EXPORTER_OTLP_ENDPOINT
environment variable has to be used instead of theOTEL_EXPORTER_JAEGER_ENDPOINT
in order to specify the OTLP endpoint to send traces to. If you are using Jaeger as the backend system for tracing, you need to have 1.35 release at least which is the first one exposing an OTLP endpoint.
- Add support for Kafka 3.3.1 and remove support for Kafka 3.1.0, 3.1.1, and 3.1.2
- Update Open Policy Agent (OPA) Authorizer to 1.5.0
- Update KafkaConnector CR status so the 'NotReady' condition is added if the connector or any tasks are reporting a 'FAILED' state.
- Add auto-approval mechanism on KafkaRebalance resource when an optimization proposal is ready
- The
ControlPlaneListener
feature gate moves to GA - Add client rack-awareness support to Strimzi Bridge pods
- Add support for OpenTelemetry for distributed tracing
- Kafka Connect, Mirror Maker, Mirror Maker 2 and Strimzi Bridge can be configured to use OpenTelemetry
- Using Jaeger exporter by default for backward compatibility
- Updated JMX Exporter dependency to 0.17.2
- ZookeeperRoller considers unready pods
- Support multiple operations per ACLRule
- Upgrade Vert.x to 4.3.4
- Add
cluster-ip
listener. We can use it with a tcp port configuration in an ingress controller to expose kafka with an optional tls encryption and a single LoadBalancer. - Update Strimzi OAuth library to 0.11.0
-
From 0.32.0 on, Strimzi supports only Kubernetes version 1.19 and newer.
-
A connector or task failing triggers a 'NotReady' condition to be added to the KafkaConnector CR status. This is different from previous versions where the CR would report 'Ready' even if the connector or a task had failed.
-
The
ClusterRole
from file020-ClusterRole-strimzi-cluster-operator-role.yaml
was split into two separate roles:- The original
strimzi-cluster-operator-namespaced
ClusterRole
in the file020-ClusterRole-strimzi-cluster-operator-role.yaml
contains the rights related to the resources created based on some Strimzi custom resources. - The new
strimzi-cluster-operator-watched
ClusterRole
in the file023-ClusterRole-strimzi-cluster-operator-role.yaml
contains the rights required to watch and manage the Strimzi custom resources.
When deploying the Strimzi Cluster Operator as cluster-wide, the
strimzi-cluster-operator-watched
ClusterRole
needs to be always granted at the cluster level. But thestrimzi-cluster-operator-namespaced
ClusterRole
might be granted only for the namespaces where any custom resources are created. - The original
-
The
ControlPlaneListener
feature gate moves to GA. Direct upgrade from Strimzi 0.22 or earlier is not possible anymore. You have to upgrade first to one of the Strimzi versions between 0.22 and 0.32 before upgrading to Strimzi 0.32 or newer. Please follow the docs for more details. -
The
spec.authorization.acls[*].operation
field in theKafkaUser
resource has been deprecated in favour of the fieldspec.authorization.acls[*].operations
which allows to set multiple operations per ACLRule.
- Kafka 3.1.2 and 3.2.3 (fixes CVE-2022-34917)
- Make
sasl.server.max.receive.size
broker option user configurable - Documentation improvements
- Configuring number of operator replicas through the Strimzi Helm Chart
- Update Strimzi Kafka Bridge to 0.22.1
- Add support for Kafka 3.2.1
- Update Kaniko builder to 1.9.0 and Maven builder to 1.14
- Update Kafka Exporter to 1.6.0
- Pluggable Pod Security Profiles with built-in support for restricted Kubernetes Security Profile
- Add support for leader election and running multiple operator replicas (1 active leader replicas and one or more stand-by replicas)
- Update Strimzi Kafka Bridge to 0.22.0
- Add support for IPv6 addresses being used in Strimzi issued certificates
- Make it easier to wait for custom resource readiness when using the Strimzi api module
- Add StrimziPodSet reconciliation metrics
- Strimzi 0.31.0 (and any possible patch releases) is the last Strimzi version with support for Kubernetes 1.16, 1.17 and 1.18. From Strimzi 0.32.0 on, we will support only Kubernetes 1.19 and newer. The supported Kubernetes versions will be re-evaluated again in Q1/2023.
- The
type: jaeger
tracing support based on Jaeger clients and OpenTracing API is now deprecated. Because the Jaeger clients are retired and the OpenTracing project is archived, we cannot guarantee their support for future Kafka versions. In the future, we plan to replace it with a new tracing feature based on the OpenTelemetry project.
- Remove Kafka 3.0.0 and 3.0.1
- Add support for
simple
authorization and for the User Operator to the experimentalUseKRaft
feature gate (Note: Due to KAFKA-13909, broker restarts currently don't work when authorization is enabled.) - Add network capacity overrides for Cruise Control capacity config
- The
ServiceAccountPatching
feature gate moves to GA. It cannot be disabled anymore and will be permanently enabled. - The
UseStrimziPodSets
feature gate moves to beta stage. By default, StrimziPodSets are used instead of StatefulSets. If needed,UseStrimziPodSets
can be disabled in the feature gates configuration in the Cluster Operator. - Use better encryption and digest algorithms when creating the PKCS12 stores. For existing clusters, the certificates will not be updated during upgrade but only next time the PKCS12 store is created.
- Add CPU capacity overrides for Cruise Control capacity config
- Use CustomResource existing spec and status to fix Quarkus native build's serialization
- Update JMX Exporter to version 0.17.0
- Operator emits Kubernetes Events to explain why it restarted a Kafka broker
- Better configurability of the Kafka Admin client in the User Operator
- Update Strimzi Kafka Bridge to 0.21.6
- Add support for Apache Kafka 3.0.1, 3.1.1 and 3.2.0
- Increase the size of the
/tmp
volumes to 5Mi to allow unpacking of compression libraries - Use
/healthz
endpoint for Kafka Exporter health checks - Renew user certificates in User Operator only during maintenance windows
- Ensure Topic Operator using Kafka Streams state store can start up successfully
- Update Cruise Control to 2.5.89
- Remove TLS sidecar from Cruise Control pod. Cruise Control is now configured to not using ZooKeeper, so the TLS sidecar is not needed anymore.
- Allow Cruise Control topic names to be configured
- Add support for
spec.rack.topologyKey
property in Mirror Maker 2 to enable "fetch from the closest replica" feature. - Support for the s390x platform (The s390x support is currently considered as experimental. We are not aware of any issues, but the s390x build doesn't at this point undergo the same level of testing as the AMD64 container images.)
- Update Strimzi Kafka Bridge to 0.21.5
- Added rebalancing modes on the
KafkaRebalance
custom resourcefull
: this mode runs a full rebalance moving replicas across all the brokers in the cluster. This is the default one if not specified.add-brokers
: after scaling up the cluster, this mode is used to move replicas to the newly added brokers specified in the custom resource.remove-brokers
: this mode is used to move replicas off the brokers that are going to be removed, before scaling down the cluster.
- Experimental KRaft mode (ZooKeeper-less Kafka) which can be enabled using the
UseKRaft
feature gate. Important: Use it for development and testing only!
- Since the Cruise Control TLS sidecar has been removed, the related configuration options
.spec.cruiseControl.tlsSidecar
and.spec.cruiseControl.template.tlsSidecar
in the Kafka custom resource are now deprecated.
- Add support for Kafka 3.1.0; remove Kafka 2.8.0 and 2.8.1
- Add support for
StrimziPodSet
resources (disabled by default through theUseStrimziPodSets
feature gate) - Update Open Policy Agent authorizer to 1.4.0 and add support for enabling metrics
- Support custom authentication mechanisms in Kafka listeners
- Intra-broker disk balancing using Cruise Control
- Add connector context to the default logging configuration in Kafka Connect and Kafka Mirror Maker 2
- Added the option
createBootstrapService
in the Kafka Spec to disable the creation of the bootstrap service for the Load Balancer Type Listener. It will save the cost of one load balancer resource, specially in the public cloud. - Added the
connectTimeoutSeconds
andreadTimeoutSeconds
options to OAuth authentication configuration. The default connect and read timeouts are set to 60 seconds (previously there was no timeout). Also addedgroupsClaim
andgroupsClaimDelimiter
options in the listener configuration of Kafka Spec to allow extracting group information from JWT token at authentication time, and making it available to the custom authorizer. These features are enabled by the updated Strimzi Kafka OAuth library (0.10.0). - Add support for disabling the FIPS mode in OpenJDK
- Fix renewing your own CA certificates #5466
- Update Strimzi Kafka Bridge to 0.21.4
- Update Cruise Control to 2.5.82
- The Strimzi Identity Replication Policy (class
io.strimzi.kafka.connect.mirror.IdentityReplicationPolicy
) is now deprecated and will be removed in the future. Please update to Kafka's own Identity Replication Policy (classorg.apache.kafka.connect.mirror.IdentityReplicationPolicy
). - The
type
field inListenerStatus
has been deprecated and will be removed in the future. - The
disk
andcpuUtilization
fields in thespec.cruiseControl.capacity
section of the Kafka resource have been deprecated, are ignored, and will be removed in the future.
- Multi-arch container images with support for x86_64 / AMD64 and AArch64 / ARM64 platforms (The support AArch64 is currently considered as experimental. We are not aware of any issues, but the AArch64 build doesn't at this point undergo the same level of testing as the AMD64 container images.)
- Added the option to configure the Cluster Operator's Zookeeper admin client session timeout via an new env var:
STRIMZI_ZOOKEEPER_ADMIN_SESSION_TIMEOUT_MS
- The
ControlPlaneListener
andServiceAccountPatching
feature gates are now in the beta phase and are enabled by default. - Allow setting any extra environment variables for the Cluster Operator container through Helm using a new
extraEnvs
value. - Added SCRAM-SHA-256 authentication for Kafka clients
- Update OPA Authorizer to 1.3.0
- Update to Cruise Control version 2.5.79
- Update Log4j2 to 2.17.0
- The
ControlPlaneListener
feature gate is now enabled by default. When upgrading from Strimzi 0.22 or earlier, you have to disable theControlPlaneListener
feature gate when upgrading the cluster operator to make sure the Kafka cluster stays available during the upgrade. When downgrading to Strimzi 0.22 or earlier, you have to disable theControlPlaneListener
feature gate before downgrading the cluster operator to make sure the Kafka cluster stays available during the downgrade.
- Add support for Kafka 2.8.1 and 3.0.0; remove Kafka 2.7.0 and 2.7.1
- Update the Open Policy Agent Authorizer to version 1.1.0
- Expose JMX port on Zookeeper nodes via a headless service.
- Allow configuring labels and annotations for JMX authentication secrets
- Enable Cruise Control anomaly.detection configurations
- Add support for building connector images from the Maven coordinates
- Allow Kafka Connect Build artifacts to be downloaded from insecure servers (#5542)
- Add option to specify pull secret in Kafka Connect Build on OpenShift (#5631)
- Configurable authentication, authorization, and SSL for Cruise Control API
- Update to Cruise Control version 2.5.73
- Allow to configure
/tmp
volume size via Pod template. By default1Mi
is used.
- imageRepositoryOverride,imageRegistryOverride and imageTagOverride are now removed from values.yaml. defaultImageRepository, defaultImageRegistry and defaultImageTag values are introduced in helm charts which sets the default registry, repository and tags for the images. Now the registry, repository and tag for a single image can be configured as per the requirement.
- The OpenShift Templates were removed from the examples and are no longer supported (#5548)
- Kafka MirrorMaker 1 has been deprecated in Apache Kafka 3.0.0 and will be removed in Apache Kafka 4.0.0.
As a result, the
KafkaMirrorMaker
custom resource which is used to deploy Kafka MirrorMaker 1 has been deprecated in Strimzi as well. (#5617) TheKafkaMirrorMaker
resource will be removed from Strimzi when we adopt Apache Kafka 4.0.0. As a replacement, use theKafkaMirrorMaker2
custom resource with theIdentityReplicationPolicy
.
- Move from Scala 2.12 to Scala 2.13. (#5192)
- Open Policy Agent authorizer updated to a new version supporting Scala 2.13. See the Changes, deprecations and removals sections for more details. (#5192)
- Allow a custom password to be set for SCRAM-SHA-512 users by referencing a secret in the
KafkaUser
resource - Add support for EnvVar Configuration Provider for Apache Kafka
- Add support for
tls-external
authentication to User Operator to allow management of ACLs and Quotas for TLS users with user certificates generated externally (#5249) - Support for disabling the automatic generation of network policies by the Cluster Operator. Set the Cluster Operator's
STRIMZI_NETWORK_POLICY_GENERATION
environment variable tofalse
to disable network policies. (#5258) - Update User Operator to use Admin API for managing SCRAM-SHA-512 users
- Configure fixed size limit for
emptyDir
volumes used for temporary files (#5340) - Update Strimzi Kafka Bridge to 0.20.2
- The
KafkaConnectS2I
resource has been removed and is no longer supported by the operator. Please use the migration guide to migrate yourKafkaConnectS2I
deployments toKafkaConnect
Build instead. - The Open Policy Agent authorizer has been updated to a new version that supports Scala 2.13. The new release introduces a new format of the input data sent to the Open Policy Agent server. For more information about the new format and how to migrate from the old version, see the OPA Kafka plugin v1.0.0 release notes.
- User Operator now uses Kafka Admin API to manage SCRAM-SHA-512 credentials.
All operations done by the User Operator now use Kafka Admin API and connect directly to Kafka instead of ZooKeeper.
As a result, the environment variables
STRIMZI_ZOOKEEPER_CONNECT
andSTRIMZI_ZOOKEEPER_SESSION_TIMEOUT_MS
were removed from the User Operator configuration. - All
emptyDir
volumes used by Strimzi for temporary files have now configured a fixed size limit. - Annotate Cluster Operator resource metrics with a namespace label
- Add support for Kubernetes Configuration Provider for Apache Kafka
- Use Red Hat UBI8 base image
- Add support for Kafka 2.7.1 and remove support for 2.6.0, 2.6.1, and 2.6.2
- Support for patching of service accounts and configuring their labels and annotations. The feature is disabled by default and enabled using the new
ServiceAccountPatching
feature gate. - Added support for configuring cluster-operator's worker thread pool size that is used for various sync and async tasks
- Add Kafka Quotas plugin with produce, consume, and storage quotas
- Support pausing reconciliation of KafkaTopic CR with annotation
strimzi.io/pause-reconciliation
- Update cruise control to 2.5.57
- Update to Strimzi Kafka Bridge to 0.20.0
- Support for broker load information added to the rebalance optimization proposal. Information on the load difference, before and after a rebalance is stored in a ConfigMap
- Add support for selectively changing the verbosity of logging for individual CRs, using markers.
- Added support for `controller_mutation_rate' quota. Creation/Deletion of topics and creation of partitions can be configured through this.
- Use newer version of Kafka Exporter with different bugfixes
- The deprecated
KafkaConnectS2I
custom resource will be removed after the 0.24.0 release. Please use the migration guide to migrate yourKafkaConnectS2I
deployments toKafkaConnect
Build instead. - The fields
topicsBlacklistPattern
andgroupsBlacklistPattern
in theKafkaMirrorMaker2
resource are deprecated and will be removed in the future. They are replaced by new fieldstopicsExcludePattern
andgroupsExcludePattern
. - The field
whitelist
in theKafkaMirrorMaker
resource is deprecated and will be removed in the future. It is replaced with a new fieldinclude
. bind-utils
removed from containers to improve security posture.- Kafka Connect Build now uses hashes to name downloaded artifact files. Previously, it was using the last segment of the download URL.
If your artifact requires a specific name, you can use the new
type: other
artifact and itsfileName
field. - The option
enableECDSA
of Kafka CRauthentication
of typeoauth
has been deprecated and is ignored. ECDSA token signature support is now always enabled without the need for Strimzi Cluster Operator installing the BouncyCastle JCE crypto provider. BouncyCastle library is no longer packaged with Strimzi Kafka images.
- Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x
- Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration
- Add support for configuring finalizers for
loadbalancer
type listeners - Use dedicated Service Account for Kafka Connect Build on Kubernetes
- Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead.
- Migrate to CRD v1 (required by Kubernetes 1.22+)
- Support for configuring custom Authorizer implementation
- Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators)
- Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency)
- Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional
- Support to configure a custom filter for parent CR's labels propagation into subresources
- Allow disabling service links (environment variables describing Kubernetes services) in Pod template
- Update Kaniko executor to 1.6.0
- Add support for separate control plane listener (disabled by default, available via the
ControlPlaneListener
feature gate) - Support for Dual Stack networking
- Strimzi API versions
v1alpha1
andv1beta1
were removed from all Strimzi custom resources apart fromKafkaTopic
andKafkaUser
(usev1beta2
versions instead) - The following annotations have been removed and cannot be used anymore:
cluster.operator.strimzi.io/delete-claim
(used internally only - replaced bystrimzi.io/delete-claim
)operator.strimzi.io/generation
(used internally only - replaced bystrimzi.io/generation
)operator.strimzi.io/delete-pod-and-pvc
(usestrimzi.io/delete-pod-and-pvc
instead)operator.strimzi.io/manual-rolling-update
(usestrimzi.io/manual-rolling-update
instead)
- When the
class
field is configured in theconfiguration
section of an Ingress-type listener, Strimzi will not automatically set the deprecatedkubernetes.io/ingress.class
annotation anymore. In case you still need this annotation, you can set it manually in the listener configuration using theannotations
field or in the.spec.kafka.template
section. - The
.spec.kafkaExporter.template.service
section in theKafka
custom resource has been deprecated and will be removed in the next API version (the service itself was removed several releases ago).
- Add
v1beta2
version for all resources.v1beta2
removes all deprecated fields. - Add annotations that enable the operator to restart Kafka Connect connectors or tasks. The annotations can be applied to the KafkaConnector and the KafkaMirrorMaker2 custom resources.
- Add additional configuration options for the Kaniko executor used by the Kafka Connect Build on Kubernetes
- Add support for JMX options configuration of all Kafka Connect (KC, KC2SI, MM2)
- Update Strimzi Kafka OAuth to version 0.7 and add support for new features:
- OAuth authentication over SASL PLAIN mechanism
- Checking token audience
- Validating tokens using JSONPath filter queries to perform custom checks
- Fix Cruise Control crash loop when updating container configurations
- Configure external logging
ConfigMap
name and key. - Add support for configuring labels and annotations in ClusterRoleBindings created as part of Kafka and Kafka Connect clusters
- Add support for Ingress v1 in Kubernetes 1.19 and newer
- Add support for Kafka 2.6.1
- List topics used by a Kafka Connect connector in the
.status
section of theKafkaConnector
custom resource - Bump Cruise Control to v2.5.37 for Kafka 2.7 support. Note this new version of Cruise Control uses
Log4j 2
and is supported by dynamic logging configuration (where logging properties are defined in a ConfigMap). However, existingLog4j
configurations must be updated toLog4j 2
configurations. - Support pausing reconciliation of CR with annotation
strimzi.io/pause-reconciliation
- In the past, when no Ingress class was specified in the Ingress-type listener in the Kafka custom resource, the
kubernetes.io/ingress.class
annotation was automatically set tonginx
. Because of the support for the new IngressClass resource and the newingressClassName
field in the Ingress resource, the default value will not be set anymore. Please use theclass
field in.spec.kafka.listeners[].configuration
to specify the class name. - The
KafkaConnectS2I
custom resource is deprecated and will be removed in the future. You can use the newKafkaConnect
build feature instead. - Removed support for Helm2 charts as that version is now unsupported. There is no longer the need for separate
helm2
andhelm3
binaries, onlyhelm
(version 3) is required. - The following annotations are deprecated for a long time and will be removed in 0.23.0:
cluster.operator.strimzi.io/delete-claim
(used internally only - replaced bystrimzi.io/delete-claim
)operator.strimzi.io/generation
(used internally only - replaced bystrimzi.io/generation
)operator.strimzi.io/delete-pod-and-pvc
(usestrimzi.io/delete-pod-and-pvc
instead)operator.strimzi.io/manual-rolling-update
(usestrimzi.io/manual-rolling-update
instead)
- External logging configuration has changed.
spec.logging.name
is deprecated. Moved tospec.logging.valueFrom.configMapKeyRef.name
. Key in theConfigMap
is configurable viaspec.logging.valueFrom.configMapKeyRef.key
.- from
logging: type: external name: my-config-map
- to
logging: type: external valueFrom: configMapKeyRef: name: my-config-map key: my-key
- Existing Cruise Control logging configurations must be updated from
Log4j
syntax toLog4j 2
syntax.- For existing inline configurations, replace the
cruisecontrol.root.logger
property withrootLogger.level
. - For existing external configurations, replace the existing configuration with a new configuration file named
log4j2.properties
usinglog4j 2
syntax.
- For existing inline configurations, replace the
- Add support for declarative management of connector plugins in Kafka Connect CR
- Add
inter.broker.protocol.version
to the default configuration in example YAMLs - Add support for
secretPrefix
property for User Operator to prefix all secret names created from KafkaUser resource. - Allow configuring labels and annotations for Cluster CA certificate secrets
- Add the JAAS configuration string in the sasl.jaas.config property to the generated secrets for KafkaUser with SCRAM-SHA-512 authentication.
- Strimzi
test-container
has been renamed tostrimzi-test-container
to make the name more clear - Updated the CPU usage metric in the Kafka, ZooKeeper and Cruise Control dashboards to include the CPU kernel time (other than the current user time)
- Allow disabling ownerReference on CA secrets
- Make it possible to run Strimzi operators and operands with read-only root filesystem
- Move from Docker Hub to Quay.io as our container registry
- Add possibility to configure DeploymentStrategy for Kafka Connect, Kafka Mirror Maker (1 and 2), and Kafka Bridge
- Support passing metrics configuration as an external ConfigMap
- Enable CORS configuration for Cruise Control
- Add support for rolling individual Kafka or ZooKeeper pods through the Cluster Operator using an annotation
- Add support for Topology Spread Constraints in Pod templates
- Make Kafka
cluster-id
(KIP-78) available on Kafka CRD status - Add support for Kafka 2.7.0
- The
metrics
field in the Strimzi custom resources has been deprecated and will be removed in the future. For configuring metrics, use the newmetricsConfig
field and pass the configuration via ConfigMap.
Note: This is the last version of Strimzi that will support Kubernetes 1.11 and higher. Future versions will drop support for Kubernetes 1.11-1.15 and support only Kubernetes 1.16 and higher.
- Add support for Kafka 2.5.1 and 2.6.0. Remove support for 2.4.0 and 2.4.1
- Remove TLS sidecars from Kafka pods => Kafka now uses native TLS to connect to ZooKeeper
- Updated to Cruise Control 2.5.11, which adds Kafka 2.6.0 support and fixes a previous issue with CPU utilization statistics for containers. As a result, the CpuCapacityGoal has now been enabled.
- Cruise Control metrics integration:
- Enable metrics JMX exporter configuration in the
cruiseControl
property of the Kafka custom resource - New Grafana dashboard for the Cruise Control metrics
- Enable metrics JMX exporter configuration in the
- Configure Cluster Operator logging using ConfigMap instead of environment variable and support dynamic changes
- Switch to use the
AclAuthorizer
class for thesimple
Kafka authorization type.AclAuthorizer
contains new features such as the ability to control the amount of authorization logs in the broker logs. - Support dynamically changeable logging configuration of Kafka Connect and Kafka Connect S2I
- Support dynamically changeable logging configuration of Kafka brokers
- Support dynamically changeable logging configuration of Kafka MirrorMaker2
- Add support for
client.rack
property for Kafka Connect to usefetch from closest replica
feature. - Refactored operators Grafana dashboard
- Fixed bug on maximum reconcile time graph
- Removed the avarage reconcile time graph
- Rearranged graphs
- Make
listeners
configurable as an array and add support for more different listeners in single cluster - Add support for configuring
hostAliases
in Pod templates - Add new resource state metric in the operators for reflecting the reconcile result on a specific resource
- Add improvements for
oauth
authentication, andkeycloak
authorization:- Support for re-authentication was added, which also enforces access token lifespan on the Kafka client session
- Permission changes through Keycloak Authorization Services are now detected by Kafka Brokers
The .spec.kafka.listeners
section of the Kafka CRD has been redesigned to allow configuring more different listeners.
The old listeners
object which allowed only configuration of oneplain
, one tls
, and one external
listener is now deprecated and will be removed in the future.
It is replaced with an array allowing configuration of multiple different listeners:
listeners:
- name: local
port: 9092
type: internal
tls: true
- name: external1
port: 9093
type: loadbalancer
tls: true
- name: external2
port: 9094
type: nodeport
tls: true
This change includes some other changes:
- The
tls
field is now required. - The former
overrides
section is now merged with theconfiguration
section. - The
dnsAnnotations
field has been renamed toannotations
since we found out it has wider use. - Configuration of
loadBalancerSourceRanges
andexternalTrafficPolicy
has been moved into listener configuration. Its use in thetemplate
section is now deprecated. - For
type: internal
listeners, you can now use the flaguseServiceDnsDomain
to define whether they should use the fully qualified DNS names including the cluster service suffix (usually.cluster.local
). This option defaults to false. - All listeners now support configuring the advertised hostname and port.
preferredAddressType
has been removed topreferredNodePortAddressType
.
To convert the old format into the new format with backwards compatibility, you should use following names and types:
- For the old
plain
listener, use the nameplain
, port9092
and typeinternal
. - For the old
tls
listener, use the nametls
, port9093
and typeinternal
. - For the old
external
listener, use the nameexternal
, port9094
.
For example the following old configuration:
listeners:
plain:
# ...
tls:
# ...
external:
type: loadbalancer
# ...
Will look like this in the new format:
listeners:
- name: plain
port: 9092
type: internal
tls: false
- name: tls
port: 9093
type: internal
tls: true
- name: external
port: 9094
type: loadbalancer
tls: true
The PodMonitor
resource is now used instead of the ServiceMonitor
for scraping metrics from Kafka, ZooKeeper, Kafka Connect and so on.
For this reason, we have removed the monitoring port tcp-prometheus
(9404) on all the services where it is declared (Kafka bootstrap, ZooKeeper client and so on).
It was already deprecated in the previous 0.19.0 release.
Together with it we have also removed the Prometheus annotations from the services. If you want to add them, you can use the templates.
See here https://strimzi.io/docs/operators/master/using.html#assembly-customizing-kubernetes-resources-str for more details about templates usage.
Finally, the Kafka Exporter service was has been removed because it was used just for the monitoring port.
Since the Kafka TLS sidecar has been removed, the related configuration options in the Kafka custom resource are now deprecated:
.spec.kafka.tlsSidecar
.spec.kafka.template.tlsSidecar
- Add support for authorization using Open Policy Agent
- Add support for scale subresource to make scaling of following resources easier:
- KafkaConnect
- KafkaConnectS2I
- KafkaBridge
- KafkaMirrorMaker
- KafkaMirrorMaker2
- KafkaConnector
- Remove deprecated
Kafka.spec.topicOperator
classes and deployment logic - Use Java 11 as the Java runtime
- Removed the need to manually create Cruise Control metrics topics if topic auto creation is disabled.
- Migration to Helm 3
- Refactored the format of the
KafkaRebalance
resource's status. The state of the rebalance is now displayed in the associatedCondition
'stype
field rather than thestatus
field. This was done so that the information would display correctly in various Kubernetes tools. - Added performance tuning options to the
KafkaRebalance
CR and the ability to define a regular expression that will exclude matching topics from a rebalance optimization proposal. - Use Strimzi Kafka Bridge 0.18.0
- Make it possible to configure labels and annotations for secrets created by the User Operator
- Strimzi Kafka Bridge metrics integration:
- enable/disable metrics in the KafkaBridge custom resource
- new Grafana dashboard for the bridge metrics
- Support dynamically changeable logging in the Entity Operator and Kafka Bridge
- Extended the Grafana example dashboard for Kafka Connect to provide more relevant information
The Helm v2 support will end soon. Bug fixing should stop on August 13th 2020 and security fixes on November 13th. See https://helm.sh/blog/covid-19-extending-helm-v2-bug-fixes/ for more details.
In sync with that, the Helm v2 chart of Strimzi Cluster Operator is now deprecated and will be removed in the future as Helm v2 support ends. Since Strimzi 0.19.0, we have a new chart for Helm v3 which can be used instead.
In Strimzi 0.12.0, the v1alpha1
versions of the following resources have been deprecated and replaced by v1beta1
:
Kafka
KafkaConnect
KafkaConnectS2I
KafkaMirrorMaker
KafkaTopic
KafkaUser
In the next release, the v1alpha1
versions of these resources will be removed.
Please follow the guide for upgrading the resources: https://strimzi.io/docs/operators/latest/full/deploying.html#assembly-upgrade-resources-str.
The pod_name
and container_name
labels provided on the cadvisor metrics are now just pod
and container
starting from Kubernetes 1.16.
We removed the old ones from the Prometheus scraping configuration/alerts and on the Kafka and ZooKeeper dashboard as well.
It means that the charts related to memory and CPU usage are not going to work on Kuvbernetes version previous 1.14.
For more information on what is changed: strimzi#3312
The PodMonitor
resource is now used instead of the ServiceMonitor
for scraping metrics from Kafka, ZooKeeper, Kafka Connect and so on.
For this reason, we are deprecating the monitoring port tcp-prometheus
(9404) on all the services where it is declared (Kafka bootstrap, ZooKeeper client and so on).
This port will be removed in the next release.
Together with it we will also remove the Prometheus annotation from the service.
Because of the new Cluster Operator dynamic logging configuration via PR#3328 we are going to remove the STRIMZI_LOG_LEVEL
environment variable from the Cluster Operator deployment YAML file in the 0.20.0 release.
- Add possibility to set Java System Properties for User Operator and Topic Operator via
Kafka
CR. - Make it possible to configure PodManagementPolicy for StatefulSets
- Update build system to use
yq
version 3 (https://github.com/mikefarah/yq) - Add more metrics to Cluster and User Operators
- New Grafana dashboard for Operator monitoring
- Allow
ssl.cipher.suites
,ssl.protocol
andssl.enabled.protocols
to be configurable for Kafka and the different components supported by Strimzi - Add support for user configurable SecurityContext for each Strimzi container
- Allow standalone User Operator to modify status on KafkaUser
- Add support for Kafka 2.4.1
- Add support for Kafka 2.5.0
- Remove TLS sidecars from ZooKeeper pods, using native ZooKeeper TLS support instead
- Add metrics for Topic Operator
- Use Strimzi Kafka Bridge 0.16.0
- Add support for CORS in the HTTP Kafka Bridge
- Pass HTTP Proxy configuration from operator to operands
- Add Cruise Control support, KafkaRebalance resource and rebalance operator
- Add possibility to set Java System Properties via CR yaml
- Add support for Mirror Maker 2.0
- Add Jmxtrans deployment
- Add public keys of TLS listeners to the status section of the Kafka CR
- Add support for using a Kafka authorizer backed by Keycloak Authorization Services
- Add support for Kafka 2.4.0 and upgrade from Zookeeper 3.4.x to 3.5.x
- Drop support for Kafka 2.2.1 and 2.3.0
- Add KafkaConnector resource and connector operator
- Let user choose which node address will be used as advertised host (
ExternalDNS
,ExternalIP
,InternalDNS
,InternalIP
orHostname
) - Add support for tini
- When not explicitly configured by the user in
jvmOptions
,-Xmx
option is calculated from memory requests rather than from memory limits - Expose JMX port on Kafka brokers via an internal service
- Add support for
externalTrafficPolicy
andloadBalancerSourceRanges
properties on loadbalancer and nodeport type services - Add support for user quotas
- Add support for Istio protocol selection in service port names
Note: Strimzi is essentially adding atcp-
prefix to the port names in Kafka services and headless services.
(e.g clientstls -> tcp-clientstls) - Add service discovery labels and annotations
- Add possibility to specify custom server certificates to TLS based listeners
- Drop support for Kafka 2.1.0, 2.1.1, and 2.2.0
- Add support for Kafka 2.3.1
- Improved Kafka rolling update
- Improve Kafka Exporter Grafana dashboard
- Add sizeLimit option to ephemeral storage (#1505)
- Add
schedulerName
topodTemplate
(#2114) - Allow overriding the auto-detected Kubernetes version
- Garbage Collection (GC) logging disabled by default
- Providing PKCS12 truststore and password in the cluster and clients CA certificates Secrets
- Providing PKCS12 keystore and password in the TLS based KafkaUser related Secret
- Add support for configuring Ingress class (#1716)
- Add support for setting custom environment variables in all containers
- Add liveness and readiness checks to Mirror Maker
- Allow configuring loadBalancerIP for LoadBalancer type services
- Allow setting labels and annotations for Persistent Volume Claims
- Add support for Jaeger tracing in Kafka Mirror Maker and Kafka Connect
- Add support for deploying Kafka Exporter
- Add initial support for OAuth authentication
- Allow users to manually configure ACL rules (for example, using
kafka-acls.sh
) for special Kafka users*
andANONYMOUS
without them being deleted by the User Operator - Add support for configuring a Priority Class name for Pods deployed by Strimzi
- Add support for Kafka 2.3.0
- Add support for Kafka User resource status
- Add support for Kafka Connect resource status
- Add support for Kafka Connect S2I resource status
- Add support for Kafka Bridge resource status
- Add support for Kafka Mirror Maker resource status
- Add support for DNS annotations to
nodeport
type external listeners
- Drop support for Kubernetes 1.9 and 1.10 and OpenShift 3.9 and 3.10. Versions supported since Strimzi 0.12.0 are Kubernetes 1.11 and higher and OpenShift 3.11 and higher. This was required because the CRD versioning and CRD subresources support.
- Added support for Kafka 2.2.0 and 2.1.1, dropped support for Kafka 2.0.0 and 2.0.1
- Persistent storage improvements
- Add resizing of persistent volumes
- Allow to specify different storage class for every broker
- Adding and removing volumes in Jbod Storage
- Custom Resources improvements
- New CRD version
v1beta1
. See documentation for more information about upgrading fromv1alpha1
tov1beta1
. - Log at the warn level when a custom resource uses deprecated or unknown properties
- Add initial support for the
status
sub-resource in theKafka
custom resource
- New CRD version
- Add support for Strimzi Kafka Bridge for HTTP protocol
- Reduce the number of container images needed to run Strimzi to just two:
kafka
andoperator
. - Add support for unprivileged users to install the operator with Helm
- Support experimental off-cluster access using Kubernetes Nginx Ingress
- Add ability to configure Image Pull Secrets for all pods in Cluster Operator
- Support for SASL PLAIN mechanism in Kafka Connect and Mirror Maker (for use with non-Strimzi Kafka cluster)
- Add support for JBOD storage for Kafka brokers
- Allow users to configure the default ImagePullPolicy
- Add Prometheus alerting
- Resources for alert manager deployment and configuration
- Alerting rules with alert examples from Kafka and Zookeeper metrics
- Enrich configuration options for off cluster access
- Support for watching all namespaces
- Operator Lifecycle Manager integration
- Support for Kafka 2.1.0
- Support for Kafka upgrades
- Add healthchecks to TLS sidecars
- Add support for new fields in the Pod template: terminationGracePeriod, securityContext and imagePullSecrets
- Rename annotations to use the
strimzi.io
domain consistently (The old annotations are deprecated, but still functional):cluster.operator.strimzi.io/delete-claim
→strimzi.io/delete-claim
operator.strimzi.io/manual-rolling-update
→strimzi.io/manual-rolling-update
operator.strimzi.io/delete-pod-and-pvc
→strimzi.io/delete-pod-and-pvc
operator.strimzi.io/generation
→strimzi.io/generation
- Add support for mounting Secrets and Config Maps into Kafka Connect and Kafka Connect S2I
- Add support for NetworkPolicy peers in listener configurations
- Make sure the TLS sidecar pods shutdown only after the main container
- Add support for Pod Disruption Budgets
- Add possibility to label and annotate different resources (#1039)
- Add support for TransactionalID in KafkaUser resource
- Update to Kafka 2.0.1
- Add maintenance time windows support for allowing CA certificates renewal rolling update started only in specific times (#1117)
- Add support for upgrading between Kafka versions (#1103). This removes support for
STRIMZI_DEFAULT_KAFKA_IMAGE
environment variable in the Cluster Operator, replacing it withSTRIMZI_KAFKA_IMAGES
.
- Run images under group 0 to avoid storage issues
- Fix certificate renewal issues
- Support for unencrypted connections on LoadBalancers and NodePorts.
- Better support for TLS hostname verification for external connections
- Certificate renewal / expiration
- Mirror Maker operator
- Triggering rolling update / pod deletion manually
- Exposing Kafka to the outside using:
- OpenShift Routes
- LoadBalancers
- NodePorts
- Use less wide RBAC permissions (
ClusterRoleBindings
where converted toRoleBindings
where possible) - Support for SASL authentication using the SCRAM-SHA-512 mechanism added to Kafka Connect and Kafka Connect with S2I support
- Network policies for managing access to Zookeeper ports and Kafka replication ports
- Use OwnerReference and Kubernetes garbage collection feature to delete resources and to track the ownership
- Helm chart for Strimzi Cluster Operator
- Topic Operator moving to Custom Resources instead of Config Maps
- Make it possible to enabled and disable:
- Listeners
- Authorization
- Authentication
- Configure Kafka super users (
super.users
field in Kafka configuration) - User Operator
- Managing users and their ACL rights
- Added new Entity Operator for deploying:
- User Operator
- Topic Operator
- Deploying the Topic Operator outside of the new Entity Operator is now deprecated
- Kafka 2.0.0
- Kafka Connect:
- Added TLS support for connecting to the Kafka cluster
- Added TLS client authentication when connecting to the Kafka cluster
- The Cluster Operator now manages RBAC resource for managed resources:
ServiceAccount
andClusterRoleBindings
for Kafka podsServiceAccount
andRoleBindings
for the Topic Operator pods
- Renaming of Kubernetes services (Backwards incompatible!)
- Kubernetes services for Kafka, Kafka Connect and Zookeeper have been renamed to better correspond to their purpose
xxx-kafka
->xxx-kafka-bootstrap
xxx-kafka-headless
->xxx-kafka-brokers
xxx-zookeeper
->xxx-zookeeper-client
xxx-zookeeper-headless
->xxx-zookeeper-nodes
xxx-connect
->xxx-connect-api
- Cluster Operator moving to Custom Resources instead of Config Maps
- TLS support has been added to Kafka, Zookeeper and Topic Operator. The following channels are now encrypted:
- Zookeeper cluster communication
- Kafka cluster commbunication
- Communication between Kafka and Zookeeper
- Communication between Topic Operator and Kafka / Zookeeper
- Logging configuration for Kafka, Kafka Connect and Zookeeper
- Add support for Pod Affinity and Anti-Affinity
- Add support for Tolerations
- Configuring different JVM options
- Support for broker rack in Kafka
- Better configurability of Kafka, Kafka Connect, Zookeeper
- Support for Kubernetes request and limits
- Support for JVM memory configuration of all components
- Controllers renamed to operators
- Improved log verbosity of Cluster Operator
- Update to Kafka 1.1.0