|
RC1 of Strimzi Operators 0.23.0
Jakub Scholz
Release Candidate 1 of Strimzi Operators 0.23.0 is now available for testing with a lot of changes and improvements. This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.23 is done! For more details about the CRD upgrades, see the documentation. The main changes since the 0.22 release include: * Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x * Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration * Add support for configuring finalizers for loadbalancer type listeners * Use dedicated Service Account for Kafka Connect Build on Kubernetes * Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead. * Migrate to CRD v1 (required by Kubernetes 1.22+) * Support for configuring custom Authorizer implementation * Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators) * Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency) * Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional * Support to configure a custom filter for parent CR's labels propagation into subresources * Allow disabling service links (environment variables describing Kubernetes services) in Pod template * Update Kaniko executor to 1.6.0 * Add support for separate control plane listener (disabled by default, available via the ControlPlaneListener feature gate) * Support for Dual Stack networking There are also several deprecations and removals. For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.23.0-rc1 Any feedback can be provided on the Strimzi mailing list, on the #strimzi Slack channel on CNCF Slack or as a GitHub issue. Thanks & Regards Jakub & Strimzi team
|
|
|
|
Re: Can I secure Prometheus/JMX monitoring Network Policies?
Jakub Scholz
Hi David, I'm afraid you are right - they cannot be secured through network policies right now. The built in Strimzi network policies open the ports up and you cannot close it anymore. And for Prometheus and JMX ports it is not configurable in any way. Feel free to open a GitHub enhancement issue for it if you want. Thanks & Regards Jakub
On Tue, May 4, 2021 at 5:38 PM David Lynn <david.james.lynn@...> wrote:
|
|
|
|
Can I secure Prometheus/JMX monitoring Network Policies?
David Lynn <david.james.lynn@...>
Hi, I am currently using strimzi with monitoring enabled. I am also using Network Policies to secure my cluster communication. I have found a method to secure my listeners to allow specific sources to be accessed: However Strimzi also creates network policies for the Prometheus/JMX ports, and I have been currently unable to see where I would specify the networkPolicyPeers required to restrict communication. I believe I cannot add these to the listeners, as described in this comment: Is there somewhere where I can add the Network Policy restrictions for port 9404 (Prometheus) and 9999 (JMX)? Thanks, David
|
|
|
|
Re: Does kafka-http bridge work with https?
Jakub Scholz
Hi, The Bridge does not support HTTPS directly. The expectation is that you would front it with some Ingress, Proxy or API Gateway which will be able to add you things such as HTTPS encryption, authentication etc. Thanks & Regards Jakub
On Mon, May 3, 2021 at 10:59 PM Hamza Aslam <hamza.aslam@...> wrote:
|
|
|
|
Does kafka-http bridge work with https?
Hamza Aslam <hamza.aslam@...>
Hi, I successfully used the kafka HTTP bridge to implement a realtime notification system and realized that it is not set up with HTTPS, Is there a way around that?
|
|
|
|
[ANNOUNCE] [RELEASE] Strimzi Kafka OAuth library 0.7.2 released
Jakub Scholz
Hi, Version 0.7.2 of the Strimzi Kafka OAuth library is now available: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.7.2. The main change since 0.7.1 is an improvement to OAuth over SASL-PLAIN: * Introduced 'no-client-credentials' mode with OAuth over PLAIN (#107) For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.7.2 milestone. Thanks to everyone who contributed to this release! Thanks & Regards Strimzi team
|
|
|
|
Re: Reg: Setting up strimzi kafka with own CA certs
Tom Bentley
FWIW I am in the process of rewriting the certificate handling to support more flexible CA hierarchies (and other things) for the "cluster CA" and "clients CA". It's still some way off a PR, but it would support having brokers trust a given root CA certificate (without access to the key), but issuing using an intermediate certificate, which sounds like what you want. Kind regards, Tom
On Thu, Apr 15, 2021 at 5:10 PM Jakub Scholz <jakub@...> wrote:
|
|
|
|
Re: Reg: Setting up strimzi kafka with own CA certs
Jakub Scholz
Strimzi needs to issue the certificates for the different components to secure them. That is why it needs a CA which can do that. If you use server certificate to issue new certs, properly written applications should reject it. If you want to use a server certificate, you should check the listener certificates, where you can provide only a server certificate and it will be used only for a given listener but not to secure replication etc.: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str Jakub
On Thu, Apr 15, 2021 at 3:00 PM Nag Raj <tsnagraj.08@...> wrote:
|
|
|
|
Reg: Setting up strimzi kafka with own CA certs
Nag Raj
Hi team, I was deploying strimzi kafka with own CA certs, my organization provides CA.crt, rootCA and intermediate CA. But in the strimzi documentation, to implement this scenario we need to have CA.Key as well which is not provided by my organization. Is there any way we can implement this use case without CA. Key. Thank you. Regards, Raj
|
|
|
|
Re: FW: Questions about setting up kafka-http bridge
Jakub Scholz
Hi Hamze, Thanks & Regards Jakub
On Tue, Apr 6, 2021 at 8:48 PM Hamza Aslam <hamza.aslam@...> wrote:
|
|
|
|
FW: Questions about setting up kafka-http bridge
Hamza Aslam <hamza.aslam@...>
I was able to start it up. My postman keeps giving me a 415 format not supported error how do we fix that?
From: Hamza Aslam <hamza.aslam@...>
Sent: Tuesday, April 6, 2021 11:18 AM To: cncf-strimzi-dev@... Subject: Questions about setting up kafka-http bridge
Hi
I am trying to set up the kafka-http bridge so I can read from and write to a topic. I had the kafka-connect running which I halted and ran the bridge but the get requests say that the server isn’t up even though I ran the bridge and it did not give me any errors and looks like its running. On github it says to edit the applications file but I don’t think anything needs to be changed or updated there. What am I missing. The documentation on the website doesn’t have step by step instructions which I am afraid I will need
Kind regards Hamza
|
|
|
|
Questions about setting up kafka-http bridge
Hamza Aslam <hamza.aslam@...>
Hi
I am trying to set up the kafka-http bridge so I can read from and write to a topic. I had the kafka-connect running which I halted and ran the bridge but the get requests say that the server isn’t up even though I ran the bridge and it did not give me any errors and looks like its running. On github it says to edit the applications file but I don’t think anything needs to be changed or updated there. What am I missing. The documentation on the website doesn’t have step by step instructions which I am afraid I will need
Kind regards Hamza
|
|
|
|
[ANNOUNCE] [RELEASE] Strimzi Kafka Operators 0.22.1 released
Jakub Scholz
Strimzi Operators 0.22.1 which addresses the known issues from 0.22.0 release is now available: * Do not use ownerReference for Entity Operator role in separate watched namespace (#4588) * Minor documentation and system test improvements For more details, see the 0.22.1 release on GitHub. See the 0.22.0 release for information about CRD upgrades, deprecations and removals. Thanks to everyone who contributed to this release!
|
|
|
|
[ANNOUNCE] [RELEASE] Strimzi Kafka Operators 0.22.0 released
Jakub Scholz
Strimzi Operators 0.22.0 has been released with a lot of changes and improvements. This release introduces new API version `v1beta2` to all Strimzi custom resources. This is a preparation for migration to `apiextensions/v1` which is needed because Kubernetes 1.22 will remove support for `apiextensions/v1beta1`. Migration to `v1beta2` needs to be completed for all Strimzi CRDs and CRs after the upgrade to 0.22 is done and before upgrading to Strimzi 0.23 which will support only Strimzi `v1beta2` APIs and `apiextensions/v1` CRDs. For more details about the CRD upgrades, see the documentation: https://strimzi.io/docs/operators/0.22.0/deploying.html#assembly-upgrade-resources-str The main changes since the 0.21 release include: * Add `v1beta2` version for all resources. `v1beta2` removes all deprecated fields. * Add annotations that enable the operator to restart Kafka Connect connectors or tasks. The annotations can be applied to the KafkaConnector and the KafkaMirrorMaker2 custom resources. * Add additional configuration options for the Kaniko executor used by the Kafka Connect Build on Kubernetes * Add support for JMX options configuration of all Kafka Connect (KC, KC2SI, MM2) * Update Strimzi Kafka OAuth to version 0.7 and add support for new features: * OAuth authentication over SASL PLAIN mechanism * Checking token audience * Validating tokens using JSONPath filter queries to perform custom checks * Fix Cruise Control crash loop when updating container configurations * Configure external logging `ConfigMap` name and key. * Add support for configuring labels and annotations in ClusterRoleBindings created as part of Kafka and Kafka Connect clusters * Add support for Ingress v1 in Kubernetes 1.19 and newer * Add support for Kafka 2.6.1 * List topics used by a Kafka Connect connector in the `.status` section of the `KafkaConnector` custom resource * Bump Cruise Control to v2.5.37 for Kafka 2.7 support. Note this new version of Cruise Control uses `Log4j 2` and is supported by dynamic logging configuration (where logging properties are defined in a ConfigMap). However, existing `Log4j` configurations must be updated to `Log4j 2` configurations. * Support pausing reconciliation of CR with annotation `strimzi.io/pause-reconciliation` There are also several deprecations and removals and one known issue. For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.22.0 Thanks to everyone who contributed to this release!
|
|
|
|
RC1 of Strimzi Operators 0.22.0
Jakub Scholz
Release Candidate 1 of Strimzi Operators 0.22.0 is now available for testing with a lot of changes and improvements. This release introduces new API version `v1beta2` to all Strimzi custom resources. This is a preparation for migration to `apiextensions/v1` which is needed because Kubernetes 1.22 will remove support for `apiextensions/v1beta1`. Migration to `v1beta2` needs to be completed for all Strimzi CRDs and CRs after the upgrade to 0.22 is done and before upgrading to Strimzi 0.23 which will support only Strimzi `v1beta2` APIs and `apiextensions/v1` CRDs. For more details about the CRD upgrades, see the documentation: https://strimzi.io/docs/operators/master/deploying.html#assembly-upgrade-resources-str The main changes since the 0.21 release include: * Add `v1beta2` version for all resources. `v1beta2` removes all deprecated fields. * Add annotations that enable the operator to restart Kafka Connect connectors or tasks. The annotations can be applied to the KafkaConnector and the KafkaMirrorMaker2 custom resources. * Add additional configuration options for the Kaniko executor used by the Kafka Connect Build on Kubernetes * Add support for JMX options configuration of all Kafka Connect (KC, KC2SI, MM2) * Update Strimzi Kafka OAuth to version 0.7 and add support for new features: * OAuth authentication over SASL PLAIN mechanism * Checking token audience * Validating tokens using JSONPath filter queries to perform custom checks * Fix Cruise Control crash loop when updating container configurations * Configure external logging `ConfigMap` name and key. * Add support for configuring labels and annotations in ClusterRoleBindings created as part of Kafka and Kafka Connect clusters * Add support for Ingress v1 in Kubernetes 1.19 and newer * Add support for Kafka 2.6.1 * List topics used by a Kafka Connect connector in the `.status` section of the `KafkaConnector` custom resource * Bump Cruise Control to v2.5.37 for Kafka 2.7 support. Note this new version of Cruise Control uses `Log4j 2` and is supported by dynamic logging configuration (where logging properties are defined in a ConfigMap). However, existing `Log4j` configurations must be updated to `Log4j 2` configurations. * Support pausing reconciliation of CR with annotation `strimzi.io/pause-reconciliation` There are also several deprecations and removals. For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.22.0-rc1 Any feedback can be provided on the Strimzi mailing list, on the #strimzi Slack channel on CNCF Slack or as a GitHub issue. Thanks & Regards Jakub & Strimzi team
|
|
|
|
[ANNOUNCE] [RELEASE] Strimzi Kafka OAuth library 0.7.1 released
Jakub Scholz
Hi, Version 0.7.1 of the Strimzi Kafka OAuth library is now available: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.7.1. The main changes since 0.7.0 are two bugfixes: * Fixed OAuth over PLAIN intermittent failures (#95) * Fix NPE in Keycloak Authorizer (#97) For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.7.1 milestone. Thanks to everyone who contributed to this release! Thanks & Regards Strimzi team
|
|
|
|
[ANNOUNCE] [RELEASE] Strimzi Kafka OAuth library 0.7.0 released
Jakub Scholz
Hi, Version 0.7.0 of the Strimzi Kafka OAuth library is now available: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.7.0. The main changes since 0.6.x are: * OAuth authentication over SASL PLAIN * Checking `audience` of the JWT token in the server part of the OAuth library * Custom claim checking For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.7.0 milestone. Thanks to everyone who contributed to this release! Thanks & Regards Strimzi team
|
|
|
|
RC2 of Strimzi Kafka OAuth library 0.7.0
Jakub Scholz
Hi, Release Candidate 2 of the 0.7.0 version of the Strimzi Kafka OAuth library is now available for testing: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.7.0-rc2. Compared to RC1, it adds the custom claim checking feature and test improvements. The main changes since 0.6.x are: * OAuth authentication over SASL PLAIN * Checking `audience` of the JWT token in the server part of the OAuth library * Custom claim checking To test it, you can use the staging Maven repository: <repositories> <repository> <id>staging</id> <url>https://oss.sonatype.org/content/repositories/iostrimzi-1090</url> </repository> </repositories> For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.7.0 milestone. Any feedback can be provided on the mailing list, on Slack or as a GitHub issue. Thanks & Regards Jakub
|
|
|
|
[ANNOUNCE] [RELEASE] Strimzi Kafka Operators 0.21.1 released
Jakub Scholz
Shortly after releasing 0.21.0 we discovered two bugs affecting it. That is why we now released Strimzi Operators 0.21.1 with the following bug-fixes: * Fix broken links in the OAuth documentation (#4265) * Fix the network-policies handling when metrics config from CM is used (#4261) For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.21.1 Thanks & Regards Strimzi team
|
|
|
|
Re: [ANNOUNCE] [RELEASE] Strimzi Kafka Operators 0.21.0 released
Jakub Scholz
We found a bug in the new feature for configuring metrics from ConfigMap instead of directly in the custom resource. When used, it in some cases does not properly configure the network policies for the port 9404 used for the metrics. As a workaround, either keep using the old configuration or create manually an additional network policy with your custom name for the port 9404. This bug will be fixed in 0.21.1. Thanks & Regards Jakub
|
|
|
