Release notes

Learn about the new features, improvements, known and fixed issues, limitations, unsupported features, as well as deprecations and removals in this release of Cloudera Streams Messaging - Kubernetes Operator.

What's New

Learn about the new features and notable changes in this release.

Rebase to Strimzi 0.47.0 and Kafka 4.0.1

This release of Cloudera Streams Messaging - Kubernetes Operator is based on Strimzi 0.47.0 (previously 0.45.0) and Kafka 4.0.1 (previously 3.9.0).

See the following upstream resources for more information on these versions:

ZooKeeper is removed

ZooKeeper and support for ZooKeeper-based Kafka clusters are removed. You can now only run Kafka clusters in KRaft mode. In addition, migrating ZooKeeper-based Kafka clusters to KRaft is no longer supported.

FIPS 140-2/3 compatibility and compliance

Cloudera Streams Messaging - Kubernetes Operator components are FIPS 140-2/3 compliant and can run in FIPS mode to meet strict security requirements.

  • Strimzi and its managed components automatically enable FIPS mode on FIPS-enabled hosts.

  • Cloudera Surveyor is FIPS compliant, but requires you to manually enable FIPS mode through configuration. Cloudera Surveyor also supports the use of custom security providers.

For more information, see FIPS mode.

Cloudera Surveyor improvements

  • Added two new configuration properties that you can use to specify a regular expression filter to hide topics.

    This feature is useful to hide technical or internal topics that are not relevant for most Cloudera Surveyor users. Set a global filter with surveyorConfig.surveyor.globalHiddenTopicNamePattern or set per-cluster overrides with clusterConfigs.clusters[*].hiddenTopicNamePattern. Additionally, the Topics page on the UI now includes a filter to show either visible or hidden topics.

  • Added new filtering options to the Edit Committed Offsets modal.

    The filtering options allow you to toggle between filtering for Subscribed Topics or All Topics. Subscribed Topics is selected by default. You can access the modal on the Consumer Group Details > Partition Assignment tab. The filtering options are available for the Topics and Topics & Partitions scopes.

  • Improved how unsaved changes are handled on the Topic Details > Configuration tab.

    Unsaved changes are now restored automatically when returning to the tab, and a warning dialog is displayed when navigating away from the tab. A visual indicator is also displayed next to the tab name to show when you have unsaved changes.

  • Improved status and alert displays throughout the UI.

    Status formatting is more consistent, warning and alert icons are clearer, Unknown and Unreachable states are more expressive, and redundant filters have been removed.

  • Improved tooltips for all data refresh controls including the refresh, pause, and stop buttons, the refresh interval selector, and the Data as of pill.

  • Added a tooltip on the Topic Details > Configuration tab explaining what the Overridden label means.

  • Multiple selection drop-down lists now allow selecting multiple items without closing.

  • Operation names in filtering dialogs are now spelled out rather than abbreviated.

Fixed Issues

Learn what issues are fixed in this release.

CSMDS-334: ZooKeeper pods are running but Kafka pods are not created
No longer applicable. ZooKeeper is removed.
CSMDS-953: Kafka and ZooKeeper might experience downtime during upgrades
No longer applicable. ZooKeeper is removed.

Known Issues

There are no known issues in this release.

Unsupported features

Learn what features are unsupported in this release.

Strimzi

  • Kafka MirrorMaker
  • Kafka MirrorMaker 2
  • Kafka Bridge
  • Kafka cluster creation without using KafkaNodePool resources

Cloudera Surveyor

Calling the REST API directly using any kind of tooling or using it programmatically is not supported. At this time, the API is evolving and is subject to major, backward incompatible changes.

Deprecations and removals

Learn what is deprecated or removed in this release.

Deprecations

Mounting additional Secrets in the custom authentication type
Support for the spec.kafka.listeners[*].authentication.secrets property in the custom authentication type is deprecated and will be removed in a future release. Use the additional volumes and volume mounts instead to mount additional Secrets. For more information, see Configuring additional volumes and volume.
Storage overrides
Configuring storage overrides for persistent volumes is deprecated. The spec.storage.overrides property in the KafkaNodePool resource is now ignored. If you want to configure storage classes on a per-broker basis, deploy multiple KafkaNodePool resources with a different storage class each. You can find more details about migrating from storage overrides in Configuring Kafka storage with ZooKeeper | Strimzi

Removals

ZooKeeper
ZooKeeper and support for ZooKeeper-based Kafka clusters are removed. You can now only run Kafka clusters in KRaft mode. In addition, migrating ZooKeeper-based Kafka clusters to KRaft is no longer supported.

Behavioral changes

Learn about the behavioral changes in this release.

Strimzi

Truststore location and format change for Kafka Connect
Previous Behavior: For deployments where both Kafka Connect and the Kafka cluster it connects to are managed by Strimzi, Kafka Connect used a PKCS12 truststore file for trusted certificates. The truststore was loaded from disk and configured using the following properties:
  • ssl.truststore.location

  • ssl.truststore.password

  • ssl.truststore.type=PKCS12

New Behavior: Kafka Connect now uses PEM-encoded certificates loaded from a Kubernetes Secret for trusted certificates. The truststore is configured with the following properties:
  • ssl.truststore.certificates

  • ssl.truststore.type=PEM

  • No password property is required for PEM truststores.

As a result of this behavioral change, the process for deploying a replication flow has also changed in the following ways:
  • Truststore references must use the *.ssl.truststore.certificates property rather than *.ssl.truststore.location.

  • Mounting the source Secret as a volume is no longer required.

  • Configuring truststore passwords is no longer required.

  • Truststore certificates are referenced directly from Secrets, not from files or ConfigMaps.

For updated instructions see Deploying a replication flow.
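
An upgrade pre-check for the truststore change above, as an added example that is not Cloudera's or Strimzi's own code: it scans a connector property map for the old file-based PKCS12 settings and reports what to change. The `source.cluster.` prefix, host name, file path, and values in the sample maps are constructed for illustration.

```python
# Added example: flag connector properties that still use the pre-upgrade
# PKCS12 truststore settings. Property suffixes come from the release note;
# prefixes and values in the sample maps below are constructed.
LOCATION = "ssl.truststore.location"
PASSWORD = "ssl.truststore.password"
TYPE = "ssl.truststore.type"
CERTS = "ssl.truststore.certificates"
SUFFIXES = (LOCATION, PASSWORD, TYPE, CERTS)

def _split(key):
    """Split 'prefix.ssl.truststore.x' into (prefix, suffix); (None, None) if unrelated."""
    for suffix in SUFFIXES:
        if key == suffix or key.endswith("." + suffix):
            return key[: -len(suffix)], suffix
    return None, None

def audit_truststore(config):
    """Return (property, finding) pairs for one connector property map."""
    scopes = {}
    for key, value in config.items():
        prefix, suffix = _split(key)
        if suffix is not None:
            scopes.setdefault(prefix, {})[suffix] = str(value)
    findings = []
    for prefix, props in sorted(scopes.items()):
        if LOCATION in props:
            findings.append((prefix + LOCATION, "file-based truststore: use " + prefix + CERTS))
        if PASSWORD in props:
            findings.append((prefix + PASSWORD, "not required for PEM truststores"))
        declared = props.get(TYPE)
        if declared is not None and declared.upper() != "PEM":
            findings.append((prefix + TYPE, "set to PEM (found %s)" % declared))
        if CERTS in props and declared is None:
            findings.append((prefix + TYPE, "missing: set to PEM alongside " + CERTS))
    return findings

LEGACY = {  # constructed pre-upgrade configuration
    "source.cluster.bootstrap.servers": "source-kafka.example:9093",
    "source.cluster.ssl.truststore.location": "/mnt/source/ca.p12",
    "source.cluster.ssl.truststore.password": "<placeholder>",
    "source.cluster.ssl.truststore.type": "PKCS12",
}
MIGRATED = {  # constructed post-upgrade configuration
    "source.cluster.bootstrap.servers": "source-kafka.example:9093",
    "source.cluster.ssl.truststore.certificates": "<PEM certificates referenced from a Secret>",
    "source.cluster.ssl.truststore.type": "PEM",
}

if __name__ == "__main__":
    for prop, finding in audit_truststore(LEGACY):
        print(prop + ": " + finding)
```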

Kafka

Kafka uses Log4j2 instead of Reload4j/Log4j1 for logging
Previous Behavior: Kafka 3.9 and lower used Reload4j/Log4j1 for logging.
New Behavior: Kafka 4.0 and later uses Log4j2 for logging. If you have any custom logging configuration, you might need to update it during the upgrade to Kafka 4.0.
Explicitly configuring OAuth and LDAP allowed URLs is now required
Previous Behavior: The org.apache.kafka.sasl.oauthbearer.allowed.urls and com.cloudera.kafka.ldap.allowed.urls variables were used to restrict access to specific authentication servers only. If the variables were left empty, Kafka could connect to any LDAP or OAuth server.
New Behavior: If these variables are left empty, Kafka is not allowed to connect to any LDAP or OAuth server URL. If you use LDAP or OAuth authentication, update your configuration and add your server URLs. Configure these variables in your KafkaNodePool resource using the spec.jvmOptions.javaSystemProperties property.
#...
kind: KafkaNodePool
spec:
  jvmOptions:
    javaSystemProperties:
      - name: com.cloudera.kafka.ldap.allowed.urls
        value: http://www.ldap-example-1.com,http://www.ldap-example-2.com
      - name: org.apache.kafka.sasl.oauthbearer.allowed.urls
        value: http://www.oauth-example-1.com,http://www.oauth-example-2.com

Cloudera Surveyor

Ingress annotations are no longer automatically added
Previous Behavior: The nginx.ingress.kubernetes.io/backend-protocol and cert-manager.io/issuer annotations were automatically added to the Ingress resource. The cert-manager.io/issuer annotation was only added if the tls.enabled and tls.issuer properties were configured.
New Behavior: The nginx.ingress.kubernetes.io/backend-protocol and cert-manager.io/issuer annotations are no longer added automatically. Use the ingress.extraAnnotations property to configure custom annotations.
LDAP entries are now cached by default for five minutes
Previous Behavior: LDAP caching was disabled by default. LDAP entries were not cached.
New Behavior: LDAP caching is enabled by default. Entries are cached for five minutes.