Chapter 2. Enhancements
AMQ Streams 2.3 adds a number of enhancements.
2.1. Kafka 3.3.1 enhancements
For an overview of the enhancements introduced with Kafka 3.3.0 and 3.3.1, refer to the Kafka 3.3.0 and Kafka 3.3.1 Release Notes.
2.2. Kafka connector status
The status of the KafkaConnector
custom resource now shows NotReady
if the connector or any associated tasks are reporting as FAILED
. Previously, the custom resource would show READY
even when the connector or a task had failed.
2.3. ControlPlaneListener
feature gate moves to GA
The ControlPlaneListener
feature gate has moved to GA, which means it is now permanently enabled and cannot be disabled.
With ControlPlaneListener
enabled, the connections between the Kafka controller and brokers use an internal control plane listener on port 9090.
See ControlPlaneListener
feature gate.
With the ControlPlaneListener
feature gate permanently enabled, it is no longer possible to upgrade or downgrade directly between AMQ Streams 1.7 and earlier and AMQ Streams 2.3 and newer. You have to upgrade or downgrade through one of the AMQ Streams versions in between. For more information, see Upgrading from an AMQ Streams version earlier than 1.7.
2.4. ServiceAccountPatching
feature gate moves to GA
The ServiceAccountPatching
feature gate has moved to GA, which means it is now permanently enabled and cannot be disabled.
With ServiceAccountPatching
enabled, the Cluster Operator always reconciles service accounts and updates them when needed. For example, when you change service account labels or annotations using the template property of a custom resource, the operator automatically updates them on the existing service account resources.
2.5. UseStrimziPodSets
feature gate moves to beta
The UseStrimziPodSets
feature gate moves to a beta level of maturity, and is now enabled by default. This means StrimziPodSets are used by default instead of StatefulSets.
The feature gate controls a resource for managing pods called StrimziPodSet
. AMQ Streams handles the creation and management of pods instead of OpenShift. Using StrimziPodSets instead of StatefulSets provides more control over the functionality.
See UseStrimziPodSets
feature gate and Feature gate releases.
2.6. Rack awareness configuration for the Kafka Bridge
Rack awareness for Kafka Bridge pods is now supported. Use the KafkaBridge
custom resource to configure rack awareness. You can configure a Kafka Bridge pod to be aware of the rack in which it runs. A rack can represent an availability zone, data center, or an actual rack in your data center.
Example rack
configuration for Kafka Bridge
apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaBridge # ... spec: # ... rack: topologyKey: topology.kubernetes.io/zone # ...
2.7. Pluggable pod security profiles
Security context defines constraints on pods and containers. OpenShift uses built-in security context constraints (SCCs) to control permissions. SCCs are the settings and strategies that control the security features a pod has access to. You can also create and manage your own SCCs.
The optional STRIMZI_POD_SECURITY_PROVIDER_CLASS
environment variable for the Cluster Operator provides security context configuration for pods and containers.
See Applying security context to AMQ Streams pods and containers.
2.8. Kafka broker restart events
After the Cluster Operator restarts a Kafka pod in an OpenShift cluster, it emits an OpenShift event into the pod’s namespace explaining why the pod restarted. For help in understanding cluster behavior, you can check the reason for a restart event from the command line. When checking restart events
from the command line, you can also specify a reason
or other field-selector
options to filter the events returned.
The following example returns restart events that were triggered due to an error.
Returning restart events that were triggered for a specified reason
oc -n kafka get events --field-selector reportingController=strimzi.io/cluster-operator,reason=PodForceRestartOnError
2.9. Configurable Kafka Admin client
A new User Operator environment variable called STRIMZI_KAFKA_ADMIN_CLIENT_CONFIGURATION
can pass additional configuration to the Kafka Admin client. The Kafka Admin client helps manage brokers and topics. You can now tune the Kafka Admin client without rebuilding the User Operator. For example, you can use it to pass SASL configuration or tune timeouts.
Kafka Admin client timeout configuration
apiVersion: apps/v1 kind: Deployment metadata: name: strimzi-user-operator labels: app: strimzi spec: # ... template: # ... spec: # ... containers: - name: strimzi-user-operator # ... env: - name: STRIMZI_KAFKA_ADMIN_CLIENT_CONFIGURATION value: | default.api.timeout.ms=120000 request.timeout.ms=60000
This is an advanced configuration option, provided without validation.
2.10. Cruise Control capacity overrides
New Cruise Control configuration options allow you to specify overrides that set the network capacity and CPU limits for each Kafka broker. You can use these options when brokers are running on nodes with heterogeneous network or CPU resources.
Override capacity limits can be set for the following broker resources:
-
cpu
- CPU resource in millicores or CPU cores (Default: 1) -
inboundNetwork
- Inbound network throughput in byte units per second (Default: 10000KiB/s) -
outboundNetwork
- Outbound network throughput in byte units per second (Default: 10000KiB/s)
An example of Cruise Control capacity overrides configuration using bibyte units
apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka metadata: name: my-cluster spec: # ... cruiseControl: # ... brokerCapacity: cpu: "1" inboundNetwork: 10000KiB/s outboundNetwork: 10000KiB/s overrides: - brokers: [0] cpu: "2.755" inboundNetwork: 20000KiB/s outboundNetwork: 20000KiB/s - brokers: [1, 2] cpu: 3000m inboundNetwork: 30000KiB/s outboundNetwork: 30000KiB/s
See Capacity overrides.
2.11. OAuth 2.0 password grants for Kafka clients
You can now configure Kafka clients to use the OAuth password grants mechanism for interaction with Kafka brokers.
Password grants mechanism properties
security.protocol=SASL_SSL sasl.mechanism=OAUTHBEARER sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ oauth.token.endpoint.uri="<token_endpoint_url>" \ oauth.client.id="<client_id>" \ 1 oauth.client.secret="<client_secret>" \ 2 oauth.password.grant.username="<username>" \ 3 oauth.password.grant.password="<password>" \ 4 oauth.scope="<scope>" \ oauth.audience="<audience>" ; # ...
- 1
- Client ID, which is the name used when creating the client in the authorization server.
- 2
- (Optional) Client secret created when creating the client in the authorization server.
- 3
- Username for password grant authentication. OAuth password grant configuration (username and password) uses the OAuth 2.0 password grant method. To use password grants, create a user account for a client on your authorization server with limited permissions. The account should act like a service account. Use in environments where user accounts are required for authentication, but consider using a refresh token first.
- 4
- Password for password grant authentication.
See Configuring Kafka Java clients to use OAuth 2.0.
At the time of release, a minor issue was discovered that currently prevents password grants from working with the Kafka Bridge for AMQ Streams on OpenShift. For more information, see the known issue for OAuth password grants configuration.
2.12. Authentication and authorization metrics
You can now collect metrics specific to oauth
authentication and opa
or keycloak
authorization. You do this by setting the enableMetrics
property to true in the listener configuration of the Kafka resource. For example, set enableMetrics
to true
in spec.kafka.listeners.authentication
and spec.kafka.authorization
. Similarly, you can enable metrics for oauth authentication in the KafkaBridge
, KafkaConnect
, KafkaMirrorMaker
, and KafkaMirrorMaker2
custom resources.
See Introducing metrics.