Search

Chapter 2. Enhancements

download PDF

AMQ Streams 2.3 adds a number of enhancements.

2.1. Kafka 3.3.1 enhancements

For an overview of the enhancements introduced with Kafka 3.3.0 and 3.3.1, refer to the Kafka 3.3.0 and Kafka 3.3.1 Release Notes.

2.2. Kafka connector status

The status of the KafkaConnector custom resource now shows NotReady if the connector or any associated tasks are reporting as FAILED. Previously, the custom resource would show READY even when the connector or a task had failed.

2.3. ControlPlaneListener feature gate moves to GA

The ControlPlaneListener feature gate has moved to GA, which means it is now permanently enabled and cannot be disabled.

With ControlPlaneListener enabled, the connections between the Kafka controller and brokers use an internal control plane listener on port 9090.

See ControlPlaneListener feature gate.

Important

With the ControlPlaneListener feature gate permanently enabled, it is no longer possible to upgrade or downgrade directly between AMQ Streams 1.7 and earlier and AMQ Streams 2.3 and newer. You have to upgrade or downgrade through one of the AMQ Streams versions in between. For more information, see Upgrading from an AMQ Streams version earlier than 1.7.

2.4. ServiceAccountPatching feature gate moves to GA

The ServiceAccountPatching feature gate has moved to GA, which means it is now permanently enabled and cannot be disabled.

With ServiceAccountPatching enabled, the Cluster Operator always reconciles service accounts and updates them when needed. For example, when you change service account labels or annotations using the template property of a custom resource, the operator automatically updates them on the existing service account resources.

See ServiceAccountPatching feature gate.

2.5. UseStrimziPodSets feature gate moves to beta

The UseStrimziPodSets feature gate moves to a beta level of maturity, and is now enabled by default. This means StrimziPodSets are used by default instead of StatefulSets.

The feature gate controls a resource for managing pods called StrimziPodSet. AMQ Streams handles the creation and management of pods instead of OpenShift. Using StrimziPodSets instead of StatefulSets provides more control over the functionality.

See UseStrimziPodSets feature gate and Feature gate releases.

2.6. Rack awareness configuration for the Kafka Bridge

Rack awareness for Kafka Bridge pods is now supported. Use the KafkaBridge custom resource to configure rack awareness. You can configure a Kafka Bridge pod to be aware of the rack in which it runs. A rack can represent an availability zone, data center, or an actual rack in your data center.

Example rack configuration for Kafka Bridge

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
# ...
spec:
  # ...
  rack:
    topologyKey: topology.kubernetes.io/zone
  # ...

See Rack schema reference.

2.7. Pluggable pod security profiles

Security context defines constraints on pods and containers. OpenShift uses built-in security context constraints (SCCs) to control permissions. SCCs are the settings and strategies that control the security features a pod has access to. You can also create and manage your own SCCs.

The optional STRIMZI_POD_SECURITY_PROVIDER_CLASS environment variable for the Cluster Operator provides security context configuration for pods and containers.

See Applying security context to AMQ Streams pods and containers.

2.8. Kafka broker restart events

After the Cluster Operator restarts a Kafka pod in an OpenShift cluster, it emits an OpenShift event into the pod’s namespace explaining why the pod restarted. For help in understanding cluster behavior, you can check the reason for a restart event from the command line. When checking restart events from the command line, you can also specify a reason or other field-selector options to filter the events returned.

The following example returns restart events that were triggered due to an error.

Returning restart events that were triggered for a specified reason

oc -n kafka get events --field-selector reportingController=strimzi.io/cluster-operator,reason=PodForceRestartOnError

See Finding information on Kafka restarts.

2.9. Configurable Kafka Admin client

A new User Operator environment variable called STRIMZI_KAFKA_ADMIN_CLIENT_CONFIGURATION can pass additional configuration to the Kafka Admin client. The Kafka Admin client helps manage brokers and topics. You can now tune the Kafka Admin client without rebuilding the User Operator. For example, you can use it to pass SASL configuration or tune timeouts.

Kafka Admin client timeout configuration

apiVersion: apps/v1
kind: Deployment
metadata:
  name: strimzi-user-operator
  labels:
    app: strimzi
spec:
  # ...
  template:
    # ...
    spec:
      # ...
      containers:
        - name: strimzi-user-operator
          # ...
          env:
            - name: STRIMZI_KAFKA_ADMIN_CLIENT_CONFIGURATION
              value: |
                default.api.timeout.ms=120000
                request.timeout.ms=60000

Note

This is an advanced configuration option, provided without validation.

See Deploying the standalone User Operator.

2.10. Cruise Control capacity overrides

New Cruise Control configuration options allow you to specify overrides that set the network capacity and CPU limits for each Kafka broker. You can use these options when brokers are running on nodes with heterogeneous network or CPU resources.

Override capacity limits can be set for the following broker resources:

  • cpu - CPU resource in millicores or CPU cores (Default: 1)
  • inboundNetwork - Inbound network throughput in byte units per second (Default: 10000KiB/s)
  • outboundNetwork - Outbound network throughput in byte units per second (Default: 10000KiB/s)

An example of Cruise Control capacity overrides configuration using bibyte units

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  # ...
  cruiseControl:
    # ...
    brokerCapacity:
      cpu: "1"
      inboundNetwork: 10000KiB/s
      outboundNetwork: 10000KiB/s
      overrides:
      - brokers: [0]
        cpu: "2.755"
        inboundNetwork: 20000KiB/s
        outboundNetwork: 20000KiB/s
      - brokers: [1, 2]
        cpu: 3000m
        inboundNetwork: 30000KiB/s
        outboundNetwork: 30000KiB/s

See Capacity overrides.

2.11. OAuth 2.0 password grants for Kafka clients

You can now configure Kafka clients to use the OAuth password grants mechanism for interaction with Kafka brokers.

Password grants mechanism properties

security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  oauth.token.endpoint.uri="<token_endpoint_url>" \
  oauth.client.id="<client_id>" \ 1
  oauth.client.secret="<client_secret>" \ 2
  oauth.password.grant.username="<username>" \ 3
  oauth.password.grant.password="<password>" \ 4
  oauth.scope="<scope>" \
  oauth.audience="<audience>" ;
  # ...

1
Client ID, which is the name used when creating the client in the authorization server.
2
(Optional) Client secret created when creating the client in the authorization server.
3
Username for password grant authentication. OAuth password grant configuration (username and password) uses the OAuth 2.0 password grant method. To use password grants, create a user account for a client on your authorization server with limited permissions. The account should act like a service account. Use in environments where user accounts are required for authentication, but consider using a refresh token first.
4
Password for password grant authentication.

See Configuring Kafka Java clients to use OAuth 2.0.

Note

At the time of release, a minor issue was discovered that currently prevents password grants from working with the Kafka Bridge for AMQ Streams on OpenShift. For more information, see the known issue for OAuth password grants configuration.

2.12. Authentication and authorization metrics

You can now collect metrics specific to oauth authentication and opa or keycloak authorization. You do this by setting the enableMetrics property to true in the listener configuration of the Kafka resource. For example, set enableMetrics to true in spec.kafka.listeners.authentication and spec.kafka.authorization. Similarly, you can enable metrics for oauth authentication in the KafkaBridge, KafkaConnect, KafkaMirrorMaker, and KafkaMirrorMaker2 custom resources.

See Introducing metrics.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.