Update Helm release strimzi-kafka-operator to v0.38.0

[renovate]

This PR contains the following updates:

Package	Update	Change
strimzi-kafka-operator (source)	minor	0.14.0 -> 0.38.0

---

Release Notes

strimzi/strimzi-kafka-operator (strimzi-kafka-operator)

v0.38.0

Compare Source

• Add support for Apache Kafka 3.6.0 and drop support for 3.4.0 and 3.4.1
• Sign containers using cosign
• Generate and publish Software Bill of Materials (SBOMs) of Strimzi containers
• Add support for stopping connectors according to Strimzi Proposal #​54
• Allow manual rolling of Kafka Connect and Kafka Mirror Maker 2 pods using the strimzi.io/manual-rolling-update annotation (supported only when StableConnectIdentities feature gate is enabled)
• Make sure brokers are empty before scaling them down
• Update Cruise Control to 2.5.128
• Add support for pausing reconciliations to the Unidirectional Topic Operator
• Allow running ZooKeeper and KRaft based Apache Kafka clusters in parallel when the +UseKRaft feature gate is enabled
• Add support for metrics to the Unidirectional Topic Operator
• Added the includeAcceptHeader option to OAuth client and listener authentication configuration and to keycloak authorization. If set to false it turns off sending of Accept header when communicating with OAuth / OIDC authorization server. This feature is enabled by the updated Strimzi Kafka OAuth library (0.14.0).
• Update HTTP bridge to latest 0.27.0 release

Changes, deprecations and removals

• The Kafka.KafkaStatus.ListenerStatus.type property has been deprecated for a long time, and now we do not use it anymore.
  The current plan is to completely remove this property in the next schema version.
  If needed, you can use the Kafka.KafkaStatus.ListenerStatus.name property, which has the same value.
• Added strimzi.io/kraft annotation to be applied on Kafka custom resource, together with the +UseKRaft feature gate enabled, to declare a ZooKeeper or KRaft based cluster.
  • if enabled the Kafka resource defines a KRaft-based cluster.
  • if disabled, missing or any other value, the operator handle the Kafka resource as a ZooKeeper-based cluster.
• The io.strimzi.kafka.EnvVarConfigProvider configuration provider is now deprecated and will be removed in Strimzi 0.42. Users should migrate to Kafka's implementation, org.apache.kafka.common.config.provider.EnvVarConfigProvider, which is a drop-in replacement.
  For example:

  config:

...

config.providers: env
config.providers.env.class: io.strimzi.kafka.EnvVarConfigProvider

...

becomes
```yaml
config:
### ...
  config.providers: env
  config.providers.env.class: org.apache.kafka.common.config.provider.EnvVarConfigProvider
### ...

v0.37.0

Compare Source

• The StableConnectIdentites feature gate moves to beta stage.
  By default, StrimziPodSets are used for Kafka Connect and Kafka Mirror Maker 2.
  If needed, StableConnectIdentites can be disabled in the feature gates configuration in the Cluster Operator.
• Support for the ppc64le platform
• Added version fields to the Kafka custom resource status to track install and upgrade state
• Support for infinite auto-restarts of Kafka Connect and Kafka Mirror Maker 2 connectors

Changes, deprecations and removals

• Removed support for OpenTracing:
  • The tracing.type: jaeger configuration, in KafkaConnect, KafkaMirrorMaker, KafkaMirrorMaker2 and KafkaBridge resources, is not supported anymore.
  • The OpenTelemetry based tracing is the only available by using tracing.type: opentelemetry.
• The default behavior of the Kafka Connect connector auto-restart has changed.
  When the auto-restart feature is enabled in KafkaConnector or KafkaMirrorMaker2 custom resources, it will now continue to restart the connectors indefinitely rather than stopping after 7 restarts, as previously.
  If you want to use the original behaviour, use the .spec.autoRestart.maxRestarts option to configure the maximum number of restarts.
  For example:

  apiVersion: kafka.strimzi.io/v1beta2
  kind: KafkaConnector
  metadata:
    labels:
      strimzi.io/cluster: my-connect
    name: echo-sink-connector
  spec:

...

autoRestart:
  enabled: true
  maxRestarts: 7

...

* **The automatic configuration of Cruise Control CPU capacity has been changed in this release**:
* There are three ways to configure Cruise Control CPU capacity values:
  * `.spec.cruiseControl.brokerCapacity` (for all brokers)
  * `.spec.cruiseControl.brokerCapacity.overrides` (per broker)
  * Kafka resource requests and limits (for all brokers).
* The precedence of which Cruise Control CPU capacity configuration is used has been changed.
* In previous Strimzi versions, the Kafka resource limit (if set) took precedence, regardless if any other CPU configurations were set.
  * For example:
    * (1) Kafka resource limits
    * (2) `.spec.cruiseControl.brokerCapacity.overrides`
    * (3) `.spec.cruiseControl.brokerCapacity`
* This previous behavior was identified as a bug and was fixed in this Strimzi release.
* Going forward, the brokerCapacity overrides per broker take top precedence, then general brokerCapacity configuration, and then the Kafka resource requests, then the Kafka resource limits.
  * For example:
    * (1) `.spec.cruiseControl.brokerCapacity.overrides`
    * (2) `.spec.cruiseControl.brokerCapacity`
    * (3) Kafka resource requests
    * (4) Kafka resource limits
  * When none of Cruise Control CPU capacity configurations mentioned above are configured, CPU capacity will be set to `1`.
as any _override_ value configured in the `.spec.cruiseControl` section of the `Kafka` custom resource.

v0.36.1

Compare Source

• Add support for Apache Kafka 3.5.1

v0.36.0

Compare Source

• Add support for Apache Kafka 3.4.1 and 3.5.0, and remove support for 3.3.1 and 3.3.2
• Enable SCRAM-SHA authentication in KRaft mode (supported in Apache Kafka 3.5.0 and newer)
• Add support for insecure flag in Maven artifacts in Kafka Connect Build
• Update Kafka Exporter to 1.7.0
• Improve Kafka rolling update to avoid rolling broker in log recovery
• Added support for Kafka Exporter topic exclude and consumer group exclude parameters
• Update Kaniko container builder to 1.12.1
• Add support for Kafka node pools according to Strimzi Proposal #​50
• Add support for Unidirectional Topic Operator according to Strimzi Proposal #​51
• Update OpenTelemetry 1.19.0
• Fixed ordering of JVM performance options #​8579
• Log a warning when a KafkaTopic has no spec #​8465
• Updated Strimzi OAuth library to 0.13.0 with better support for KRaft

Changes, deprecations and removals

• From Strimzi 0.36.0 on, we support only Kubernetes 1.21 and newer.
  Kubernetes 1.19 and 1.20 are not supported anymore.
• Enabling the UseKRaft feature gate is now possible only together with the KafkaNodePools feature gate.
  To deploy a Kafka cluster in the KRaft mode, you have to use the KafkaNodePool resources.
• The Helm Chart repository at https://strimzi.io/charts/ is now deprecated.
  Please use the Helm Chart OCI artifacts from our Helm Chart OCI repository instead.
• Option customClaimCheck of 'oauth' authentication which relies on JsonPath changed the handling of equal comparison against null as the behaviour was buggy and is now fixed in the updated version of JsonPath library OAuth #​196

v0.35.1

Compare Source

Main changes since 0.35.0

Bug Fixes

• Update Fabric8 Kubernetes Client to 6.7.0

Upgrading from Strimzi 0.35.0

See the documentation for upgrade instructions.

Upgrading from Strimzi 0.22 or earlier

Direct upgrade from Strimzi 0.22 or earlier is not supported anymore! You have to upgrade first to one of the previous versions of Strimzi. You will also need to convert the CRD resources. For more details, see the documentation.

Container images

The following container images are part of this release:

Name	Image
Operators	quay.io/strimzi/operator@sha256:06a94a3021cf028ccc1a49271f35f79216029e344536e664f196c1725ff2c663
Apache Kafka 3.3.1	quay.io/strimzi/kafka@sha256:4de4874a7b722ad813f4dcc58acf509527bca0609999b81e70d81e3b38534d9d
Apache Kafka 3.3.2	quay.io/strimzi/kafka@sha256:0d910e7138cb49e1cd8cd84cef88bce35698b93ddd683a3398f1d485a3162693
Apache Kafka 3.4.0	quay.io/strimzi/kafka@sha256:54c6b25b31f51ef401c1b6e2a1b27432911e819bf3e502e05186f01be3f798e5
Strimzi Bridge	quay.io/strimzi/kafka-bridge@sha256:d6be183e492f8f88157ab9fe0af53950df8b6711a8a8c33da465de6064f6f86e
Kaniko executor	quay.io/strimzi/kaniko-executor@sha256:39778b90c2b2afc30261e4ad5135805e1a10a2b60e2e53108fb9f80487f1208a
Maven Builder	quay.io/strimzi/maven-builder@sha256:88a79eff3b3a386880a630658964b7754caed9e99dd6e645a4c0d23d0fdb47ee

v0.35.0

Compare Source

• Redesigned the Cluster and User Operator configuration to make it more efficient and flexible
• Allow multiple imagePullSecrets in the Strimzi Helm chart
• Remove support for JMX Trans
• Move feature gate UseStrimziPodSets to GA and remove support for StatefulSets
• Add flag to load Grafana dashboards from Helm Chart

Changes, deprecations and removals

• Strimzi 0.35.0 (and any possible patch releases) is the last Strimzi version with support for Kubernetes 1.19 and 1.20.
  From Strimzi 0.36.0 on, we will support only Kubernetes 1.21 and newer.
• Support for JMX Trans has been removed in Strimzi 0.35.0.
  If you have JMX Trans enabled in your Kafka custom resource in the .spec.jmxTrans section, you should remove it.
  If you upgrade to Strimzi 0.35.0 or newer with JMX Trans deployed / enabled in the Kafka custom resource, Strimzi will be automatically deleted after the upgrade.
• The feature gate UseStrimziPodSets has graduated to GA and cannot be disabled anymore.
  The StatefulSet template properties in the Kafka custom resource in .spec.zookeeper.template.statefulSet and .spec.kafka.template.statefulSet are deprecated and will be ignored.
  You should remove them from your custom resources.

v0.34.0

Compare Source

• Add support for Kafka 3.4.0 and remove support for Kafka 3.2.x
• Stable Pod identities for Kafka Connect and MirrorMaker 2 (Feature Gate StableConnectIdentities)
• Use JDK HTTP client in the Kubernetes client instead of the OkHttp client
• Add truststore configuration for HTTPS connections to OPA server
• Add image digest support in Helm chart
• Added the httpRetries and httpRetryPauseMs options to OAuth authentication configuration. They are set to 0 by default - no retries, no backoff between retries. Also added analogous httpRetries option in the keycloak authorization configuration. These features are enabled by the updated Strimzi Kafka OAuth library (0.12.0).

v0.33.2

Compare Source

Main changes since 0.33.1

⚠️ Important: Strimzi 0.33.2 supports only Kubernetes 1.19 and newer! Kubernetes versions 1.16, 1.17 and 1.18 are not supported anymore since Strimzi 0.32.

⚠️ Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!

Bug Fixes

• Support for Kafka 3.4.0 which fixes CVE-2023-25194
• Fix RBAC files in standalone User Operator installation files

v0.33.1

Compare Source

Main changes since 0.33.0

⚠️ Important: Strimzi 0.33.1 supports only Kubernetes 1.19 and newer! Kubernetes versions 1.16, 1.17 and 1.18 are not supported anymore since Strimzi 0.32.

⚠️ Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!

Bug Fixes

• Remove the Lease resource from installation files

v0.33.0

Compare Source

• Add support for Kafka 3.3.2
• Support loadBalancerClass attribute in service with type loadBalancer
• Support for automatically restarting failed Connect or Mirror Maker 2 connectors
• Redesign of Strimzi User Operator to improve its scalability
• Use Java 17 as the runtime for all containers and language level for all modules except api, crd-generator, crd-annotations, and test
• Improved FIPS (Federal Information Processing Standards) support
• Upgrade Vert.x to 4.3.5
• Moved from using the Jaeger exporter to OTLP exporter by default
• Kafka Exporter support for Recreate deployment strategy
• ImageStream validation for Kafka Connect builds on OpenShift
• Support for configuring the metadata for the Role / RoleBinding of Entity Operator
• Add liveness and readiness probes specifically for nodes running in KRaft combined mode
• Upgrade HTTP bridge to latest 0.24.0 release

Known issues

• The TLS passthrough feature of the Ingress-NGINX Controller for Kubernetes is not compatible with some new TLS features supported by Java 17 such as the session tickets extension.
  If you use type: ingress listener with enabled mTLS authentication, we recommend you to test if your clients are affected or not.
  If needed, you can also disable the session ticket extension in the Kafka brokers in your Kafka custom resource by setting the jdk.tls.server.enableSessionTicketExtension Java system property to false:

  apiVersion: kafka.strimzi.io/v1beta2
  kind: Kafka
  metadata:

...

spec:

...

kafka:
  jvmOptions:
    javaSystemProperties:
      - name: jdk.tls.server.enableSessionTicketExtension
        value: "false"

...

For more details, see [kubernetes/ingress-nginx#9540](https://togithub.com/kubernetes/ingress-nginx/issues/9540).
##### Changes, deprecations and removals

* The `UseStrimziPodSet` feature gate will move to GA in Strimzi 0.35.
Support for StatefulSets will be removed from Strimzi right after the 0.34 release.
Please use the Strimzi 0.33 release to test StrimziPodSets in your environment and report any major or blocking issues before the StatefulSet support is removed.
* The default length of any new SCRAM-SHA-512 passwords will be 32 characters instead of 12 characters used in the previous Strimzi versions.
Existing passwords will not be affected by this change until they are regenerated (for example because the user secret is deleted).
If you want to keep using the original password length, you can set it using the `STRIMZI_SCRAM_SHA_PASSWORD_LENGTH` environment variable in `.spec.entityOperator.template.userOperatorContainer.env` in the `Kafka` custom resource or in the `Deployment` of the standalone User Operator.
```yaml
userOperatorContainer:
  env:
    - name: STRIMZI_SCRAM_SHA_PASSWORD_LENGTH
      value: "12"

• In previous versions, the ssl.secure.random.implementation option in Kafka brokers was always set to SHA1PRNG.
  From Strimzi 0.33 on, it is using the default SecureRandom implementation from the Java Runtime.
  If you want to keep using SHA1PRNG as your SecureRandom, you can configure it in .spec.kafka.config in your Kafka custom resource.
• Support for JmxTrans in Strimzi is deprecated.
  It is currently planned to be removed in Strimzi 0.35.0.
• Support for type: jaeger tracing based on Jaeger clients and OpenTracing API was deprecated in the Strimzi 0.31 release.
  As the Jaeger clients are retired and the OpenTracing project is archived, we cannot guarantee their support for future versions.
  In Strimzi 0.32 and 0.33, we added support for OpenTelemetry tracing as a replacement.
  If possible, we will maintain the support for type: jaeger tracing until June 2023 and remove it afterwards.
  Please migrate to OpenTelemetry as soon as possible.
• When OpenTelemetry is enabled for tracing, starting from this release, the operator configures the OTLP exporter instead of the Jaeger one by default.
  The Jaeger exporter is even not included in the Kafka images anymore, so if you want to use it you have to add the binary by yourself.
  The OTEL_EXPORTER_OTLP_ENDPOINT environment variable has to be used instead of the OTEL_EXPORTER_JAEGER_ENDPOINT in order to specify the OTLP endpoint to send traces to.
  If you are using Jaeger as the backend system for tracing, you need to have 1.35 release at least which is the first one exposing an OTLP endpoint.

v0.32.0

Compare Source

• Add support for Kafka 3.3.1 and remove support for Kafka 3.1.0, 3.1.1, and 3.1.2
• Update Open Policy Agent (OPA) Authorizer to 1.5.0
• Update KafkaConnector CR status so the 'NotReady' condition is added if the connector or any tasks are reporting a 'FAILED' state.
• Add auto-approval mechanism on KafkaRebalance resource when an optimization proposal is ready
• The ControlPlaneListener feature gate moves to GA
• Add client rack-awareness support to Strimzi Bridge pods
• Add support for OpenTelemetry for distributed tracing
  • Kafka Connect, Mirror Maker, Mirror Maker 2 and Strimzi Bridge can be configured to use OpenTelemetry
  • Using Jaeger exporter by default for backward compatibility
• Updated JMX Exporter dependency to 0.17.2
• ZookeeperRoller considers unready pods
• Support multiple operations per ACLRule
• Upgrade Vert.x to 4.3.4
• Add cluster-ip listener. We can use it with a tcp port configuration in an ingress controller to expose kafka with an optional tls encryption and a single LoadBalancer.
• Update Strimzi OAuth library to 0.11.0

Changes, deprecations and removals

• From 0.32.0 on, Strimzi supports only Kubernetes version 1.19 and newer.
• A connector or task failing triggers a 'NotReady' condition to be added to the KafkaConnector CR status. This is different from previous versions where the CR would report 'Ready' even if the connector or a task had failed.
• The ClusterRole from file 020-ClusterRole-strimzi-cluster-operator-role.yaml was split into two separate roles:
  • The original strimzi-cluster-operator-namespaced ClusterRole in the file 020-ClusterRole-strimzi-cluster-operator-role.yaml contains the rights related to the resources created based on some Strimzi custom resources.
  • The new strimzi-cluster-operator-watched ClusterRole in the file 023-ClusterRole-strimzi-cluster-operator-role.yaml contains the rights required to watch and manage the Strimzi custom resources.
    When deploying the Strimzi Cluster Operator as cluster-wide, the strimzi-cluster-operator-watched ClusterRole needs to be always granted at the cluster level.
    But the strimzi-cluster-operator-namespaced ClusterRole might be granted only for the namespaces where any custom resources are created.
• The ControlPlaneListener feature gate moves to GA.
  Direct upgrade from Strimzi 0.22 or earlier is not possible anymore.
  You have to upgrade first to one of the Strimzi versions between 0.22 and 0.32 before upgrading to Strimzi 0.32 or newer.
  Please follow the docs for more details.
• The spec.authorization.acls[*].operation field in the KafkaUser resource has been deprecated in favour of the field
  spec.authorization.acls[*].operations which allows to set multiple operations per ACLRule.

v0.31.1

Compare Source

• Kafka 3.1.2 and 3.2.3 (fixes CVE-2022-34917)
• Make sasl.server.max.receive.size broker option user configurable
• Documentation improvements
• Configuring number of operator replicas through the Strimzi Helm Chart
• Update Strimzi Kafka Bridge to 0.22.1

v0.31.0

Compare Source

• Add support for Kafka 3.2.1
• Update Kaniko builder to 1.9.0 and Maven builder to 1.14
• Update Kafka Exporter to 1.6.0
• Pluggable Pod Security Profiles with built-in support for restricted Kubernetes Security Profile
• Add support for leader election and running multiple operator replicas (1 active leader replicas and one or more stand-by replicas)
• Update Strimzi Kafka Bridge to 0.22.0
• Add support for IPv6 addresses being used in Strimzi issued certificates
• Make it easier to wait for custom resource readiness when using the Strimzi api module
• Add StrimziPodSet reconciliation metrics

Deprecations and removals

• Strimzi 0.31.0 (and any possible patch releases) is the last Strimzi version with support for Kubernetes 1.16, 1.17 and 1.18.
  From Strimzi 0.32.0 on, we will support only Kubernetes 1.19 and newer.
  The supported Kubernetes versions will be re-evaluated again in Q1/2023.
• The type: jaeger tracing support based on Jaeger clients and OpenTracing API is now deprecated.
  Because the Jaeger clients are retired and the OpenTracing project is archived, we cannot guarantee their support for future Kafka versions.
  In the future, we plan to replace it with a new tracing feature based on the OpenTelemetry project.

v0.30.0

Compare Source

• Remove Kafka 3.0.0 and 3.0.1
• Add support for simple authorization and for the User Operator to the experimental UseKRaft feature gate
  (Note: Due to KAFKA-13909, broker restarts currently don't work when authorization is enabled.)
• Add network capacity overrides for Cruise Control capacity config
• The ServiceAccountPatching feature gate moves to GA.
  It cannot be disabled anymore and will be permanently enabled.
• The UseStrimziPodSets feature gate moves to beta stage.
  By default, StrimziPodSets are used instead of StatefulSets.
  If needed, UseStrimziPodSets can be disabled in the feature gates configuration in the Cluster Operator.
• Use better encryption and digest algorithms when creating the PKCS12 stores.
  For existing clusters, the certificates will not be updated during upgrade but only next time the PKCS12 store is created.
• Add CPU capacity overrides for Cruise Control capacity config
• Use CustomResource existing spec and status to fix Quarkus native build's serialization
• Update JMX Exporter to version 0.17.0
• Operator emits Kubernetes Events to explain why it restarted a Kafka broker
• Better configurability of the Kafka Admin client in the User Operator
• Update Strimzi Kafka Bridge to 0.21.6

v0.29.0

Compare Source

• Add support for Apache Kafka 3.0.1, 3.1.1 and 3.2.0
• Increase the size of the /tmp volumes to 5Mi to allow unpacking of compression libraries
• Use /healthz endpoint for Kafka Exporter health checks
• Renew user certificates in User Operator only during maintenance windows
• Ensure Topic Operator using Kafka Streams state store can start up successfully
• Update Cruise Control to 2.5.89
• Remove TLS sidecar from Cruise Control pod. Cruise Control is now configured to not using ZooKeeper, so the TLS sidecar is not needed anymore.
• Allow Cruise Control topic names to be configured
• Add support for spec.rack.topologyKey property in Mirror Maker 2 to enable "fetch from the closest replica" feature.
• Support for the s390x platform
  (The s390x support is currently considered as experimental. We are not aware of any issues, but the s390x build doesn't at this point undergo the same level of testing as the AMD64 container images.)
• Update Strimzi Kafka Bridge to 0.21.5
• Added rebalancing modes on the KafkaRebalance custom resource
  • full: this mode runs a full rebalance moving replicas across all the brokers in the cluster. This is the default one if not specified.
  • add-brokers: after scaling up the cluster, this mode is used to move replicas to the newly added brokers specified in the custom resource.
  • remove-brokers: this mode is used to move replicas off the brokers that are going to be removed, before scaling down the cluster.
• Experimental KRaft mode (ZooKeeper-less Kafka) which can be enabled using the UseKRaft feature gate.
  Important: Use it for development and testing only!

Changes, deprecations and removals

• Since the Cruise Control TLS sidecar has been removed, the related configuration options .spec.cruiseControl.tlsSidecar and .spec.cruiseControl.template.tlsSidecar in the Kafka custom resource are now deprecated.

v0.28.0

Compare Source

• Add support for Kafka 3.1.0; remove Kafka 2.8.0 and 2.8.1
• Add support for StrimziPodSet resources (disabled by default through the UseStrimziPodSets feature gate)
• Update Open Policy Agent authorizer to 1.4.0 and add support for enabling metrics
• Support custom authentication mechanisms in Kafka listeners
• Intra-broker disk balancing using Cruise Control
• Add connector context to the default logging configuration in Kafka Connect and Kafka Mirror Maker 2
• Added the option createBootstrapService in the Kafka Spec to disable the creation of the bootstrap service for the Load Balancer Type Listener. It will save the cost of one load balancer resource, specially in the public cloud.
• Added the connectTimeoutSeconds and readTimeoutSeconds options to OAuth authentication configuration. The default connect and read timeouts are set to 60 seconds (previously there was no timeout). Also added groupsClaim and groupsClaimDelimiter options in the listener configuration of Kafka Spec to allow extracting group information from JWT token at authentication time, and making it available to the custom authorizer. These features are enabled by the updated Strimzi Kafka OAuth library (0.10.0).
• Add support for disabling the FIPS mode in OpenJDK
• Fix renewing your own CA certificates #​5466
• Update Strimzi Kafka Bridge to 0.21.4
• Update Cruise Control to 2.5.82

Changes, deprecations and removals

• The Strimzi Identity Replication Policy (class io.strimzi.kafka.connect.mirror.IdentityReplicationPolicy) is now deprecated and will be removed in the future.
  Please update to Kafka's own Identity Replication Policy (class org.apache.kafka.connect.mirror.IdentityReplicationPolicy).
• The type field in ListenerStatus has been deprecated and will be removed in the future.
• The disk and cpuUtilization fields in the spec.cruiseControl.capacity section of the Kafka resource have been deprecated, are ignored, and will be removed in the future.

v0.27.1

Compare Source

Main changes since 0.27.0

• Fix Helm Chart issue when configuring additional environment variables
• Update Log4j2 to 2.17.1
• Update Fabric8 Kubernetes Client to 5.10.2

All changes can be found under the 0.27.1 milestone.

Upgrading from previous Strimzi versions

See the documentation for upgrade instructions.

Upgrading from Strimzi 0.22 or earlier

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. If upgrading from Strimzi 0.22, migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.27 is done! If upgrading from Strimzi version earlier than 0.22, you need to first install the CRDs from Strimzi 0.22 and complete the migration to v1beta2 for all Strimzi CRDs and CRs before the upgrade to 0.27 is done!

For more details about the CRD upgrades, see the documentation.

v0.27.0

Compare Source

• Multi-arch container images with support for x86_64 / AMD64 and AArch64 / ARM64 platforms
  (The support AArch64 is currently considered as experimental. We are not aware of any issues, but the AArch64 build doesn't at this point undergo the same level of testing as the AMD64 container images.)
• Added the option to configure the Cluster Operator's Zookeeper admin client session timeout via an new env var: STRIMZI_ZOOKEEPER_ADMIN_SESSION_TIMEOUT_MS
• The ControlPlaneListener and ServiceAccountPatching feature gates are now in the beta phase and are enabled by default.
• Allow setting any extra environment variables for the Cluster Operator container through Helm using a new extraEnvs value.
• Added SCRAM-SHA-256 authentication for Kafka clients
• Update OPA Authorizer to 1.3.0
• Update to Cruise Control version 2.5.79
• Update Log4j2 to 2.17.0

Changes, deprecations and removals

• The ControlPlaneListener feature gate is now enabled by default.
  When upgrading from Strimzi 0.22 or earlier, you have to disable the ControlPlaneListener feature gate when upgrading the cluster operator to make sure the Kafka cluster stays available during the upgrade.
  When downgrading to Strimzi 0.22 or earlier, you have to disable the ControlPlaneListener feature gate before downgrading the cluster operator to make sure the Kafka cluster stays available during the downgrade.

v0.26.1

Compare Source

Main changes since 0.26.0

• Updated Log4j2 to 2.15.0 to mitigate CVE-2021-44228
  • In the Strimzi operators and init containers
  • In Cruise Control
  • In the Kafka Bridge
• Documentation improvements

v0.26.0

Compare Source

• Add support for Kafka 2.8.1 and 3.0.0; remove Kafka 2.7.0 and 2.7.1
• Update the Open Policy Agent Authorizer to version 1.1.0
• Expose JMX port on Zookeeper nodes via a headless service.
• Allow configuring labels and annotations for JMX authentication secrets
• Enable Cruise Control anomaly.detection configurations
• Add support for building connector images from the Maven coordinates
• Allow Kafka Connect Build artifacts to be downloaded from insecure servers (#​5542)
• Add option to specify pull secret in Kafka Connect Build on OpenShift (#​5631)
• Configurable authentication, authorization, and SSL for Cruise Control API
• Update to Cruise Control version 2.5.73
• Allow to configure /tmp volume size via Pod template. By default 1Mi is used.

Changes, deprecations and removals

• imageRepositoryOverride,imageRegistryOverride and imageTagOverride are now removed from values.yaml. defaultImageRepository, defaultImageRegistry and defaultImageTag values are introduced in helm charts which sets the default registry, repository and tags for the images. Now the registry, repository and tag for a single image can be configured as per the requirement.
• The OpenShift Templates were removed from the examples and are no longer supported (#​5548)
• Kafka MirrorMaker 1 has been deprecated in Apache Kafka 3.0.0 and will be removed in Apache Kafka 4.0.0.
  As a result, the KafkaMirrorMaker custom resource which is used to deploy Kafka MirrorMaker 1 has been deprecated in Strimzi as well. (#​5617)
  The KafkaMirrorMaker resource will be removed from Strimzi when we adopt Apache Kafka 4.0.0.
  As a replacement, use the KafkaMirrorMaker2 custom resource with the IdentityReplicationPolicy.

v0.25.0

Compare Source

• Move from Scala 2.12 to Scala 2.13. (#​5192)
• Open Policy Agent authorizer updated to a new version supporting Scala 2.13. See the Changes, deprecations and removals sections for more details. (#​5192)
• Allow a custom password to be set for SCRAM-SHA-512 users by referencing a secret in the KafkaUser resource
• Add support for EnvVar Configuration Provider for Apache Kafka
• Add support for tls-external authentication to User Operator to allow management of ACLs and Quotas for TLS users with user certificates generated externally (#​5249)
• Support for disabling the automatic generation of network policies by the Cluster Operator. Set the Cluster Operator's STRIMZI_NETWORK_POLICY_GENERATION environment variable to false to disable network policies. (#​5258)
• Update User Operator to use Admin API for managing SCRAM-SHA-512 users
• Configure fixed size limit for emptyDir volumes used for temporary files (#​5340)
• Update Strimzi Kafka Bridge to 0.20.2

Changes, deprecations and removals

• The KafkaConnectS2I resource has been removed and is no longer supported by the operator.
  Please use the migration guide to migrate your KafkaConnectS2I deployments to KafkaConnect Build instead.
• The Open Policy Agent authorizer has been updated to a new version that supports Scala 2.13.
  The new release introduces a new format of the input data sent to the Open Policy Agent server.
  For more information about the new format and how to migrate from the old version, see the OPA Kafka plugin v1.0.0 release notes.
• User Operator now uses Kafka Admin API to manage SCRAM-SHA-512 credentials.
  All operations done by the User Operator now use Kafka Admin API and connect directly to Kafka instead of ZooKeeper.
  As a result, the environment variables STRIMZI_ZOOKEEPER_CONNECT and STRIMZI_ZOOKEEPER_SESSION_TIMEOUT_MS were removed from the User Operator configuration.
• All emptyDir volumes used by Strimzi for temporary files have now configured a fixed size limit.
• Annotate Cluster Operator resource metrics with a namespace label

v0.24.0

Compare Source

• Add support for Kubernetes Configuration Provider for Apache Kafka
• Use Red Hat UBI8 base image
• Add support for Kafka 2.7.1 and remove support for 2.6.0, 2.6.1, and 2.6.2
• Support for patching of service accounts and configuring their labels and annotations. The feature is disabled by default and enabled using the new ServiceAccountPatching feature gate.
• Added support for configuring cluster-operator's worker thread pool size that is used for various sync and async tasks
• Add Kafka Quotas plugin with produce, consume, and storage quotas
• Support pausing reconciliation of KafkaTopic CR with annotation strimzi.io/pause-reconciliation
• Update cruise control to 2.5.57
• Update to Strimzi Kafka Bridge to 0.20.0
• Support for broker load information added to the rebalance optimization proposal. Information on the load difference, before and after a rebalance is stored in a ConfigMap
• Add support for selectively changing the verbosity of logging for individual CRs, using markers.
• Added support for `controller_mutation_rate' quota. Creation/Deletion of topics and creation of partitions can be configured through this.
• Use newer version of Kafka Exporter with different bugfixes

Changes, deprecations and removals

• The deprecated KafkaConnectS2I custom resource will be removed after the 0.24.0 release.
  Please use the migration guide to migrate your KafkaConnectS2I deployments to KafkaConnect Build instead.
• The fields topicsBlacklistPattern and groupsBlacklistPattern in the KafkaMirrorMaker2 resource are deprecated and will be removed in the future.
  They are replaced by new fields topicsExcludePattern and groupsExcludePattern.
• The field whitelist in the KafkaMirrorMaker resource is deprecated and will be removed in the future.
  It is replaced with a new field include.
• bind-utils removed from containers to improve security posture.
• Kafka Connect Build now uses hashes to name downloaded artifact files. Previously, it was using the last segment of the download URL.
  If your artifact requires a specific name, you can use the new type: other artifact and its fileName field.
• The option enableECDSA of Kafka CR authentication of type oauth has been deprecated and is ignored.
  ECDSA token signature support is now always enabled without the need for Strimzi Cluster Operator installing the BouncyCastle JCE crypto provider.
  BouncyCastle library is no longer packaged with Strimzi Kafka images.

v0.23.0

Compare Source

• Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x
• Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration
• Add support for configuring finalizers for loadbalancer type listeners
• Use dedicated Service Account for Kafka Connect Build on Kubernetes
• Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead.
• Migrate to CRD v1 (required by Kubernetes 1.22+)
• Support for configuring custom Authorizer implementation
• Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators)
• Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency)
• Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional
• Support to configure a custom filter for parent CR's labels propagation into subresources
• Allow disabling service links (environment variables describing Kubernetes services) in Pod template
• Update Kaniko executor to 1.6.0
• Add support for separate control plane listener (disabled by default, available via the ControlPlaneListener feature gate)
• Support for Dual Stack networking

Changes, deprecations and removals

• Strimzi API versions v1alpha1 and v1beta1 were removed from all Strimzi custom resources apart from KafkaTopic and KafkaUser (use v1beta2 versions instead)
• The following annotations have been removed and cannot be used anymore:
  • cluster.operator.strimzi.io/delete-claim (used internally only - replaced by strimzi.io/delete-claim)
  • operator.strimzi.io/generation (used internally only - replaced by strimzi.io/generation)
  • operator.strimzi.io/delete-pod-and-pvc (use strimzi.io/delete-pod-and-pvc instead)
  • operator.strimzi.io/manual-rolling-update (use strimzi.io/manual-rolling-update instead)
• When the class field is configured in the configuration section of an Ingress-type listener, Strimzi will not automatically set the deprecated kubernetes.io/ingress.class annotation anymore. In case you still need this annotation, you can set it manually in the listener configuration using the annotations field or in the .spec.kafka.template section.
• The .spec.kafkaExporter.template.service section in the Kafka custom resource has been deprecated and will be removed in the next API version (the service itself was removed several releases ago).

v0.22.1

Compare Source

Main changes since 0.22.0

• Do not use ownerReference for EO role in separate watched namespace (#​4588)
• Minor documentation and system test improvements

See the 0.22.0 release for information about CRD upgrades, deprecations and removals.

Upgrading from Strimzi 0.21.x and 0.22.0

See the documentation for upgrade instructions.

v0.22.0

Compare Source

• Add v1beta2 version for all resources. v1beta2 removes all deprecated fields.
• Add annotations that enable the operator to restart Kafka Connect connectors or tasks. The annotations can be applied to the KafkaConnector and the KafkaMirrorMaker2 custom resources.
• Add additional configuration options for the Kaniko executor used by the Kafka Connect Build on Kubernetes
• Add support for JMX options configuration of all Kafka Connect (KC, KC2SI, MM2)
• Update Strimzi Kafka OAuth to version 0.7 and add support for new features:
  • OAuth authentication over SASL PLAIN mechanism
  • Checking token audience
  • Validating tokens using JSONPath filter queries to perform custom checks
• Fix Cruise Control crash loop when updating container configurations
• Configure external logging ConfigMap name and key.
• Add support for configuring labels and annotations in ClusterRoleBindings created as part of Kafka and Kafka Connect clusters
• Add support for Ingress v1 in Kubernetes 1.19 and newer
• Add support for Kafka 2.6.1
• List topics used by a Kafka Connect connector in the .status section of the KafkaConnector custom resource
• Bump Cruise Control to v2.5.37 for Kafka 2.7 support. Note this new version of Cruise Control uses Log4j 2 and is supported by dynamic logging configuration (where logging properties are defined in a ConfigMap). However, existing Log4j configurations must be updated to Log4j 2 configurations.
• Support pausing reconciliation of CR with annotation strimzi.io/pause-reconciliation

Changes, deprecations and removals

• In the past, when no Ingress class was specified in the Ingress-type listener in the Kafka custom resource, the
  kubernetes.io/ingress.class annotation was automatically set to nginx. Because of the support for the new
  IngressClass resource and the new ingressClassName field in the Ingress resource, the default value will not be set
  anymore. Please use the class field in .spec.kafka.listeners[].configuration to specify the class name.

• The KafkaConnectS2I custom resource is deprecated and will be removed in the future. You can use the new KafkaConnect build feature instead.

• Removed support for Helm2 charts as that version is now unsupported. There is no longer the need for separate helm2 and helm3 binaries, only helm (version 3) is required.

• The following annotations are deprecated for a long time and will be removed in 0.23.0:

  • cluster.operator.strimzi.io/delete-claim (used internally only - replaced by strimzi.io/delete-claim)
  • operator.strimzi.io/generation (used internally only - replaced by strimzi.io/generation)
  • operator.strimzi.io/delete-pod-and-pvc (use strimzi.io/delete-pod-and-pvc instead)
  • operator.strimzi.io/manual-rolling-update (use strimzi.io/manual-rolling-update instead)

• External logging configuration has changed. spec.logging.name is deprecated. Moved to spec.logging.valueFrom.configMapKeyRef.name. Key in the ConfigMap is configurable via spec.logging.valueFrom.configMapKeyRef.key.

  • from

  logging:
    type: external
    name: my-config-map
  

  • to

  logging:
    type: external
    valueFrom:
      configMapKeyRef:
        name: my-config-map
        key: my-key
  

• Existing Cruise Control logging configurations must be updated from Log4j syntax to Log4j 2 syntax.

  • For existing inline configurations, replace the cruisecontrol.root.logger property with rootLogger.level.
  • For existing external configurations, replace the existing configuration with a new configuration file named log4j2.properties using log4j 2 syntax.

v0.21.1

Compare Source

Main changes since 0.21.0

This patch release contains two bug-fixes:

• Fix broken links in the OAuth documentation (#​4265)
• Fix the network-policies handling when metrics config from CM is used (#​4261)

Upgrading from Strimzi 0.20.x and 0.21.0

See the documentation for upgrade instructions.

v0.21.0

Compare Source

• Add support for declarative management of connector plugins in Kafka Connect CR
• Add inter.broker.protocol.version to the default configuration in example YAMLs
• Add support for secretPrefix property for User Operator to prefix all secret names created from KafkaUser resource.
• Allow configuring labels and annotations for Cluster CA certificate secrets
• Add the JAAS configuration string in the sasl.jaas.config property to the generated secrets for KafkaUser with SCRAM-SHA-512 authentication.
• Strimzi test-container has been renamed to strimzi-test-container to make the name more clear
• Updated the CPU usage metric in the Kafka, ZooKeeper and Cruise Control dashboards to include the CPU kernel time (other than the current user time)
• Allow disabling ownerReference on CA secrets
• Make it possible to run Strimzi operators and operands with read-only root filesystem
• Move from Docker Hub to Quay.io as our container registry
• Add possibility to configure DeploymentStrategy for Kafka Connect, Kafka Mirror Maker (1 and 2), and Kafka Bridge
• Support passing metrics configuration as an external ConfigMap
• Enable CORS configuration for Cruise Control
• Add support for rolling individual Kafka or ZooKeeper pods through the Cluster Operator using an annotation
• Add support for Topology Spread Constraints in Pod templates
• Make Kafka cluster-id (KIP-78) available on Kafka CRD status
• Add support for Kafka 2.7.0

Deprecations and removals

• The metrics field in the Strimzi custom resources has been deprecated and will be removed in the future. For configuring metrics, use the new metricsConfig field and pass the configuration via ConfigMap.

v0.20.1

Compare Source

Main changes since 0.20.0

This patch release contains several bug-fixes:

• Silent error from missing CRB RBAC in Kafka Connect when not needed (#​4019)
• Fine-tune the Kafka Exporter health checks (#​3885)
• Correct connect configuration comparison (#​3987)
• Avoid changing custom resource status because of HashSet ordering (#​4069)
• Fix the client rack-awareness in Kafka Connect (#​3903)
• Connect default logging not expanded (#​4057)
• Topic operator improvements (#​3982)
• Do not use ownerReference in UO and TO bindings into a different namespace (#​4080)
• Remove owner references from ClusterRoleBindings (#​4077)
• Topic Operator metrics (#​3883)

v0.20.0

Compare Source

Note: This is the last version of Strimzi that will support Kubernetes 1.11 and higher. Future versions will drop support for Kubernetes 1.11-1.15 and support only Kubernetes 1.16 and higher.

• Add support for Kafka 2.5.1 and 2.6.0. Remove support for 2.4.0 and 2.4.1
• Remove TLS sidecars from Kafka pods => Kafka now uses native TLS to connect to ZooKeeper
• Updated to Cruise Control 2.5.11, which adds Kafka 2.6.0 support and fixes a previous issue with CPU utilization statistics for containers. As a result, the CpuCapacityGoal has now been enabled.
• Cruise Control metrics integration:
  • Enable metrics JMX exporter configuration in the cruiseControl property of the Kafka custom resource
  • New Grafana dashboard for the Cruise Control metrics
• Configure Cluster Operator logging using ConfigMap instead of environment variable and support dynamic changes
• Switch to use the AclAuthorizer class for the simple Kafka authorization type. AclAuthorizer contains new features such as the ability to control the amount of authorization logs in the broker logs.
• Support dynamically changeable logging configuration of Kafka Connect and Kafka Connect S2I
• Support dynamically changeable logging configuration of Kafka brokers
• Support dynamically changeable logging configuration of Kafka MirrorMaker2
• Add support for client.rack property for Kafka Connect to use fetch from closest replica feature.
• Refactored operators Grafana dashboard
  • Fixed bug on maximum reconcile time graph
  • Removed the avarage reconcile time graph
  • Rearranged graphs
• Make listeners configurable as an array and add support for more different listeners in single cluster
• Add support for configuring hostAliases in Pod templates
• Add new resource state metric in the operators for reflecting the reconcile result on a specific resource
• Add improvements for oauth authentication, and keycloak authorization:
  • Support for re-authentication was added, which also enforces access token lifespan on the Kafka client session
  • Permission changes through Keycloak Authorization Services are now detected by Kafka Brokers

Deprecations and removals

Redesign of the .spec.kafka.listeners section

The .spec.kafka.listeners section of the Kafka CRD has been redesigned to allow configuring more different listeners.
The old listeners object which allowed only configuration of oneplain, one tls, and one external listener is now deprecated and will be removed in the future.
It is replaced with an array allowing configuration of multiple different listeners:

listeners:
  - name: local
    port: 9092
    type: internal
    tls: true
  - name: external1
    port: 9093
    type: loadbalancer
    tls: true
  - name: external2
    port: 9094
    type: nodeport
    tls: true

This change includes some other changes:

• The tls field is now required.
• The former overrides section is now merged with the configuration section.
• The dnsAnnotations field has been renamed to annotations since we found out it has wider use.
• Configuration of loadBalancerSourceRanges and externalTrafficPolicy has been moved into listener configuration. Its use in the template section is now deprecated.
• For type: internal listeners, you can now use the flag useServiceDnsDomain to define whether they should use the fully qualified DNS names including the cluster service suffix (usually .cluster.local). This option defaults to false.
• All listeners now support configuring the advertised hostname and port.
• preferredAddressType has been removed to preferredNodePortAddressType.

To convert the old format into the new format with backwards compatibility, you should use following names and types:

• For the old plain listener, use the name plain, port 9092 and type internal.
• For the old tls listener, use the name tls, port 9093 and type internal.
• For the old external listener, use the name external, port 9094.

For example the following old configuration:

listeners:
  plain:

### ...
  tls: 

### ...
  external:
    type: loadbalancer 

### ...

Will look like this in the new format:

listeners:
  - name: plain
    port: 9092
    type: internal
    tls: false
  - name: tls
    port: 9093
    type: internal
    tls: true
  - name: external
    port: 9094
    type: loadbalancer
    tls: true

Removal of monitoring port on Kafka and ZooKeeper related services

The PodMonitor resource is now used instead of the ServiceMonitor for scraping metrics from Kafka, ZooKeeper, Kafka Connect and so on.
For this reason, we have removed the monitoring port tcp-prometheus (9404) on all the services where it is declared (Kafka bootstrap, ZooKeeper client and so

---

Configuration

📅 Schedule: Branch creation - "before 6am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[rra]

We will be replacing this cluster rather than upgrading this here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.38.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.