
RC1 of Strimzi Operators 0.24.0

Jakub Scholz
 

Release Candidate 1 of Strimzi Operators 0.24.0 is now available for testing with a lot of changes and improvements. 

Important: This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. If upgrading from Strimzi 0.22, migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.24 is done! If upgrading from a Strimzi version earlier than 0.22, you need to first install the CRDs from Strimzi 0.22 and complete the migration to v1beta2 for all Strimzi CRDs and CRs before the upgrade to 0.24 is done! For more details about the CRD upgrades, see the documentation.

The main changes since the 0.23 release include:
* Add support for Kubernetes Configuration Provider for Apache Kafka
* Use Red Hat UBI8 base image
* Add support for Kafka 2.7.1 and remove support for 2.6.0, 2.6.1, and 2.6.2
* Support for patching of service accounts and configuring their labels and annotations.
* Added support for configuring cluster-operator's worker thread pool size
* Add Kafka Quotas plugin with produce, consume, and storage quotas
* Support pausing reconciliation of KafkaTopic CRs
* Update cruise control to 2.5.55
* Update Strimzi Kafka Bridge to 0.20.0
* Selectively changing the verbosity of logging for individual CRs
* Added support for `controller_mutation_rate` quota
* Use newer version of Kafka Exporter with different bugfixes 

There are also several deprecations and removals. For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.24.0-rc1

Any feedback can be provided on the Strimzi mailing list, on the #strimzi Slack channel on CNCF Slack or as a GitHub issue.

Thanks & Regards
Strimzi team


[ANNOUNCE] [RELEASE] Strimzi Kafka Bridge 0.20.1 and OAuth library 0.8.1 released

Jakub Scholz
 

Strimzi Kafka Bridge 0.20.1 and Strimzi Kafka OAuth library 0.8.1 have been released. Both versions contain updated dependencies. For more details, go to https://github.com/strimzi/strimzi-kafka-bridge/releases/tag/0.20.1 and https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.8.1

Thanks to everyone who contributed to these releases!

Thanks & Regards
Strimzi team


[ANNOUNCE] [RELEASE] Strimzi Kafka Bridge 0.20.0 released

Jakub Scholz
 

Strimzi Kafka Bridge 0.20.0 has been released and is now available: https://github.com/strimzi/strimzi-kafka-bridge/releases/tag/0.20.0. It will also be used in the next release of Strimzi operators.

The main changes since 0.19.0 are:
* Updated dependencies
* Added a new Admin Client feature to get begin/end offsets for topic partitions
* Move from Docker Hub to Quay.io as our container registry
* Use Red Hat UBI8 as the base image

Thanks to everyone who contributed to this release!

Thanks & Regards
Strimzi team


RC1 of Strimzi Kafka Bridge 0.20.0

Jakub Scholz
 

Release Candidate 1 of the Strimzi Kafka Bridge 0.20.0 is now available for testing: https://github.com/strimzi/strimzi-kafka-bridge/releases/tag/0.20.0-rc1

The main changes since 0.19.0 are:
* Updated dependencies
* Added a new Admin Client feature to get begin/end offsets for topic partitions
* Move from Docker Hub to Quay.io as our container registry
* Use Red Hat UBI8 as the base image

Any feedback can be provided on the mailing list, on Slack or as a GitHub issue.

Thanks & Regards
Strimzi team


[ANNOUNCE] [RELEASE] Strimzi Kafka OAuth library 0.8.0 released

Jakub Scholz
 

Strimzi Kafka OAuth library version 0.8.0 has been released and is now available: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.8.0

The main changes since 0.7.x are:
* Replaced keycloak-core library with nimbus-jose-jwt
* Option `oauth.audience` has been added to client and server configuration
* Pass the configured `oauth.scope` option on the Kafka broker as `scope` when performing clientId + secret authentication on the broker
* Support for PEM certificates

For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.8.0 milestone.

Thanks to everyone who contributed to this release!

Thanks & Regards
Strimzi team


RC2 of Strimzi Kafka OAuth library 0.8.0

Jakub Scholz
 

Release Candidate 2 of the 0.8.0 version of the Strimzi Kafka OAuth library is now available for testing: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.8.0-rc2. Compared to RC1, it fixes Maven dependency issues with Jackson Databind and Json Path.

To test it, you can use the staging Maven repository:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1104</url>
    </repository>
  </repositories>


For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.8.0 milestone.

Any feedback can be provided on the mailing list, on Slack or as a GitHub issue.

Thanks & Regards
Strimzi team


RC1 of Strimzi Kafka OAuth library 0.8.0

Jakub Scholz
 

Release Candidate 1 of the 0.8.0 version of the Strimzi Kafka OAuth library is now available for testing: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.8.0-rc1. Compared to RC1, it adds the custom claim checking feature and test improvements.

The main changes since 0.7.x are:
* Replaced keycloak-core library with nimbus-jose-jwt
* Option `oauth.audience` has been added to client and server configuration
* Pass the configured `oauth.scope` option on the Kafka broker as `scope` when performing clientId + secret authentication on the broker
* Support for PEM certificates

To test it, you can use the staging Maven repository:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1103</url>
    </repository>
  </repositories>


For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.8.0 milestone.

Any feedback can be provided on the mailing list, on Slack or as a GitHub issue.

Thanks & Regards
Strimzi team


[ANNOUNCE] [RELEASE] Kubernetes Configuration Provider for Apache Kafka 0.1.0

Jakub Scholz
 

We have released the initial 0.1.0 version of our Kubernetes Configuration Provider for Apache Kafka. It can be used in Kafka clients or server components to load configuration data from Kubernetes Secrets or Config Maps. It is available in Maven repositories or as a download on our GitHub. And from Strimzi 0.24 it will also be included in our container images.

For more details, go to https://github.com/strimzi/kafka-kubernetes-config-provider

Thanks & Regards
Strimzi


[ANNOUNCE] [RELEASE] Strimzi Kafka Operators 0.23.0 released

Jakub Scholz
 

Strimzi 0.23.0 has been released and is now available for use. 

IMPORTANT: This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.23 is done! For more details about the CRD upgrades, see the documentation.

The main changes since the 0.22 release include:
* Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x
* Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration
* Add support for configuring finalizers for loadbalancer type listeners
* Use dedicated Service Account for Kafka Connect Build on Kubernetes
* Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead.
* Migrate to CRD v1 (required by Kubernetes 1.22+)
* Support for configuring custom Authorizer implementation
* Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators)
* Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency)
* Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional
* Support to configure a custom filter for parent CR's labels propagation into subresources
* Allow disabling service links (environment variables describing Kubernetes services) in Pod template
* Update Kaniko executor to 1.6.0
* Add support for separate control plane listener (disabled by default, available via the ControlPlaneListener feature gate)
* Support for Dual Stack networking

There are also several deprecations and removals. For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.23.0

Thanks to everyone who contributed to this release!

Thanks & Regards
Jakub


Re: Yaml or Json file including all Strimzi objects and options?

Jakub Scholz
 

Hi Anthony,

I answered this already yesterday on the user mailing list. 

I do not think we have any files like that. It often doesn't make sense to use all the different options or it is even impossible. So we do not maintain any such files. The documentation has the API reference where you can find all the options: https://strimzi.io/docs/operators/latest/using.html#schema_properties 

You should also be able to find the OpenAPI schema in the CRDs.

Thanks & Regards
Jakub 

On Mon, May 10, 2021 at 11:59 PM Anthony Percy <anthcp@...> wrote:
Looking for a Yaml or Json file that includes all Strimzi objects and options?
Or a json schema etc??
Looking to build python class objects from said file...

regards

anthony


Yaml or Json file including all Strimzi objects and options?

Anthony Percy
 

Looking for a Yaml or Json file that includes all Strimzi objects and options?
Or a json schema etc??
Looking to build python class objects from said file...

regards

anthony


RC1 of Strimzi Operators 0.23.0

Jakub Scholz
 

Release Candidate 1 of Strimzi Operators 0.23.0 is now available for testing with a lot of changes and improvements. 

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.23 is done! For more details about the CRD upgrades, see the documentation.

The main changes since the 0.22 release include:
* Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x
* Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration
* Add support for configuring finalizers for loadbalancer type listeners
* Use dedicated Service Account for Kafka Connect Build on Kubernetes
* Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead.
* Migrate to CRD v1 (required by Kubernetes 1.22+)
* Support for configuring custom Authorizer implementation
* Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators)
* Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency)
* Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional
* Support to configure a custom filter for parent CR's labels propagation into subresources
* Allow disabling service links (environment variables describing Kubernetes services) in Pod template
* Update Kaniko executor to 1.6.0
* Add support for separate control plane listener (disabled by default, available via the ControlPlaneListener feature gate)
* Support for Dual Stack networking

There are also several deprecations and removals. For more details and installation files, go to https://github.com/strimzi/strimzi-kafka-operator/releases/tag/0.23.0-rc1

Any feedback can be provided on the Strimzi mailing list, on the #strimzi Slack channel on CNCF Slack or as a GitHub issue.

Thanks & Regards
Jakub & Strimzi team


Re: Can I secure Prometheus/JMX monitoring Network Policies?

Jakub Scholz
 

Hi David,

I'm afraid you are right - they cannot be secured through network policies right now. The built-in Strimzi network policies open the ports up and you cannot close them anymore. And for Prometheus and JMX ports it is not configurable in any way. Feel free to open a GitHub enhancement issue for it if you want.

Thanks & Regards
Jakub

On Tue, May 4, 2021 at 5:38 PM David Lynn <david.james.lynn@...> wrote:
Hi,

I am currently using strimzi with monitoring enabled. I am also using Network Policies to secure my cluster communication.

I have found a method to secure my listeners to allow specific sources to be accessed:

However Strimzi also creates network policies for the Prometheus/JMX ports, and I have been currently unable to see where I would specify the networkPolicyPeers required to restrict communication.

I believe I cannot add these to the listeners, as described in this comment:

Is there somewhere where I can add the Network Policy restrictions for port 9404 (Prometheus) and 9999 (JMX)?

Thanks,
David


Can I secure Prometheus/JMX monitoring Network Policies?

David Lynn <david.james.lynn@...>
 

Hi,

I am currently using strimzi with monitoring enabled. I am also using Network Policies to secure my cluster communication.

I have found a method to secure my listeners to allow specific sources to be accessed:

However Strimzi also creates network policies for the Prometheus/JMX ports, and I have been currently unable to see where I would specify the networkPolicyPeers required to restrict communication.

I believe I cannot add these to the listeners, as described in this comment:

Is there somewhere where I can add the Network Policy restrictions for port 9404 (Prometheus) and 9999 (JMX)?

Thanks,
David


Re: Does kafka-http bridge work with https?

Jakub Scholz
 

Hi,

The Bridge does not support HTTPS directly. The expectation is that you would front it with some Ingress, Proxy or API Gateway which will be able to add things such as HTTPS encryption, authentication, etc. for you.

Thanks & Regards
Jakub

On Mon, May 3, 2021 at 10:59 PM Hamza Aslam <hamza.aslam@...> wrote:

Hi,

I successfully used the kafka HTTP bridge to implement a realtime notification system and realized that it is not set up with HTTPS. Is there a way around that?

 


Sincerely,

Hamza Aslam, Software Engineer
Mercury Broadband | 1100 Walnut St, Suite 2050 | Kansas City, Missouri 64106
O - | www.mercurybroadband.com
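
Added example, not part of the original thread or of Strimzi's own files: one way to front the Bridge as the reply describes, with an Ingress that terminates TLS and enforces basic authentication, plus a NetworkPolicy so the plain-HTTP port is reachable only from the ingress controller. Assumptions: an NGINX ingress controller running in the `ingress-nginx` namespace, a KafkaBridge named `my-bridge` in namespace `kafka` (so its Service is `my-bridge-bridge-service` on port 8080), and the hypothetical names `bridge.example.com`, `bridge-tls` and `bridge-basic-auth`.

```yaml
# TLS termination and basic authentication in front of the Kafka Bridge.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kafka-bridge
  namespace: kafka                      # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: bridge-basic-auth   # assumed htpasswd Secret
    nginx.ingress.kubernetes.io/auth-realm: "Kafka Bridge"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - bridge.example.com            # assumed host name
      secretName: bridge-tls            # assumed kubernetes.io/tls Secret
  rules:
    - host: bridge.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-bridge-bridge-service   # assumed KafkaBridge name: my-bridge
                port:
                  number: 8080
---
# Only the ingress controller may reach the Bridge's unencrypted HTTP port.
# NetworkPolicies are additive: any other policy selecting these pods that
# allows more traffic still applies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bridge-from-ingress-only
  namespace: kafka
spec:
  podSelector:
    matchLabels:
      strimzi.io/kind: KafkaBridge
      strimzi.io/cluster: my-bridge
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed controller namespace
      ports:
        - protocol: TCP
          port: 8080
```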


Does kafka-http bridge work with https?

Hamza Aslam <hamza.aslam@...>
 

Hi,

I successfully used the kafka HTTP bridge to implement a realtime notification system and realized that it is not set up with HTTPS. Is there a way around that?

 


Sincerely,

Hamza Aslam, Software Engineer
Mercury Broadband | 1100 Walnut St, Suite 2050 | Kansas City, Missouri 64106
O - | www.mercurybroadband.com


[ANNOUNCE] [RELEASE] Strimzi Kafka OAuth library 0.7.2 released

Jakub Scholz
 

Hi,

Version 0.7.2 of the Strimzi Kafka OAuth library is now available: https://github.com/strimzi/strimzi-kafka-oauth/releases/tag/0.7.2

The main change since 0.7.1 is an improvement to OAuth over SASL-PLAIN:
* Introduced 'no-client-credentials' mode with OAuth over PLAIN (#107)

For more details about the new features see the RELEASE_NOTES and the README files. All changes can be found under the 0.7.2 milestone.

Thanks to everyone who contributed to this release!

Thanks & Regards
Strimzi team


Re: Reg: Setting up strimzi kafka with own CA certs

Tom Bentley
 

FWIW I am in the process of rewriting the certificate handling to support more flexible CA hierarchies (and other things) for the "cluster CA" and "clients CA". It's still some way off a PR, but it would support having brokers trust a given root CA certificate (without access to the key), but issuing using an intermediate certificate, which sounds like what you want.

Kind regards,

Tom


On Thu, Apr 15, 2021 at 5:10 PM Jakub Scholz <jakub@...> wrote:
Strimzi needs to issue the certificates for the different components to secure them. That is why it needs a CA which can do that. If you use a server certificate to issue new certs, properly written applications should reject it. If you want to use a server certificate, you should check the listener certificates, where you can provide only a server certificate and it will be used only for a given listener but not to secure replication etc.: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str

Jakub

On Thu, Apr 15, 2021 at 3:00 PM Nag Raj <tsnagraj.08@...> wrote:
Hi team, 

I was deploying strimzi kafka with own CA certs, my organization provides CA.crt, rootCA and intermediate CA. But in the strimzi documentation, to implement this scenario we need to have CA.Key as well which is not provided by my organization. Is there any way we can implement this use case without CA.Key? Thank you.

Regards,
Raj


Re: Reg: Setting up strimzi kafka with own CA certs

Jakub Scholz
 

Strimzi needs to issue the certificates for the different components to secure them. That is why it needs a CA which can do that. If you use a server certificate to issue new certs, properly written applications should reject it. If you want to use a server certificate, you should check the listener certificates, where you can provide only a server certificate and it will be used only for a given listener but not to secure replication etc.: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str

Jakub

On Thu, Apr 15, 2021 at 3:00 PM Nag Raj <tsnagraj.08@...> wrote:
Hi team, 

I was deploying strimzi kafka with own CA certs, my organization provides CA.crt, rootCA and intermediate CA. But in the strimzi documentation, to implement this scenario we need to have CA.Key as well which is not provided by my organization. Is there any way we can implement this use case without CA.Key? Thank you.

Regards,
Raj
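
Added example, not part of the original thread or of Strimzi's own files: the listener-certificate approach from the reply above, where an organization-issued server certificate is attached to one listener and no CA private key is handed to Strimzi. Assumptions: the cluster name `my-cluster`, namespace `kafka`, Secret name `my-listener-cert`, listener names and the ephemeral storage are hypothetical; the PEM bodies are placeholders to be replaced with the files issued by the organization's CA.

```yaml
# Server certificate chain and its private key, issued by the organization's CA.
# Only the key of this server certificate is needed, not the CA key.
apiVersion: v1
kind: Secret
metadata:
  name: my-listener-cert          # assumed name
  namespace: kafka                # assumed namespace
type: Opaque
stringData:
  tls.crt: |
    <PLACEHOLDER: PEM server certificate, followed by the intermediate CA certificate>
  tls.key: |
    <PLACEHOLDER: PEM private key of the server certificate>
---
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster                # assumed name
  namespace: kafka
spec:
  kafka:
    replicas: 3
    listeners:
      # Internal listener keeps using certificates issued by the Strimzi cluster CA.
      - name: tls
        port: 9093
        type: internal
        tls: true
      # This listener alone presents the organization-issued certificate.
      # Its subject alternative names must cover the addresses clients connect to.
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        configuration:
          brokerCertChainAndKey:
            secretName: my-listener-cert
            certificate: tls.crt
            key: tls.key
    storage:
      type: ephemeral             # assumed, for brevity
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
```

Clients of the `external` listener then trust the organization's root CA, while replication and the other internal traffic remain secured by the Strimzi-managed cluster CA, as the reply notes.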


Reg: Setting up strimzi kafka with own CA certs

Nag Raj
 

Hi team, 

I was deploying strimzi kafka with own CA certs, my organization provides CA.crt, rootCA and intermediate CA. But in the strimzi documentation, to implement this scenario we need to have CA.Key as well which is not provided by my organization. Is there any way we can implement this use case without CA.Key? Thank you.

Regards,
Raj