Chapter 2. Enhancements
AMQ Streams 2.1 adds a number of enhancements.
2.1. Kafka 3.1.0 enhancements
For an overview of the enhancements introduced with Kafka 3.1.0, refer to the Kafka 3.1.0 Release Notes.
2.2. Running AMQ Streams on a FIPS-enabled cluster
You can now run AMQ Streams on a FIPS-enabled cluster, although currently not in a FIPS-compliant configuration.
The OpenJDK used in AMQ Streams container images will automatically switch to FIPS mode on a FIPS-enabled cluster. This prevents AMQ Streams from running on the cluster.
To run AMQ Streams on a FIPS-enabled cluster, disable the OpenJDK FIPS mode by setting the FIPS_MODE environment variable to disabled in the deployment configuration for the Cluster Operator. The AMQ Streams deployment won’t be FIPS compliant, but the AMQ Streams operators and all of their operands will be able to run on the FIPS-enabled Kubernetes cluster.
Example FIPS configuration for the Cluster Operator
apiVersion: apps/v1
kind: Deployment
spec:
  # ...
  template:
    spec:
      serviceAccountName: strimzi-cluster-operator
      containers:
        # ...
        env:
        # ...
        - name: "FIPS_MODE"
          value: "disabled"  # Disables the FIPS mode.
  # ...
2.3. Cruise Control intra-broker disk balancing
Cruise Control remains in Technology Preview.
If you are running a Kafka deployment that uses JBOD storage with multiple disks on the same broker, Cruise Control can balance partitions between the disks.
You use the rebalanceDisk configuration option. To perform an intra-broker disk balance, you set rebalanceDisk to true under the KafkaRebalance.spec.
2.4. Feature gates move to beta maturity
The feature gates ControlPlaneListener and ServiceAccountPatching move to beta maturity. This means that they are both enabled by default.
Feature gates at the beta level of maturity are well tested and their functionality is not likely to change.
See Configuring feature gates and Feature gate releases.
The ControlPlaneListener feature gate must be disabled when upgrading from or downgrading to AMQ Streams 1.7 and earlier versions.
2.5. Loadbalancer Listener bootstrap service
A new listener configuration property lets you control whether to create a bootstrap service for a loadbalancer type of listener. A <cluster_name>-kafka-external-bootstrap bootstrap service is created by default for a Kafka cluster. You can choose not to create the service for a loadbalancer by setting the createBootstrapService property to false in the listener configuration.
Example configuration for a loadbalancer external listener that does not create a bootstrap service
listeners:
  #...
  - name: external
    port: 9094
    type: loadbalancer
    tls: true
    authentication:
      type: tls
    configuration:
      createBootstrapService: false
      # ...
# ...
2.6. OAuth configuration options
New OAuth configuration properties have been introduced to the OAuth authentication configuration.
The properties relate to timeouts and to extracting groups information.
Timeout properties
- connectTimeoutSeconds specifies the maximum time in seconds to connect to an authorization server before a timeout.
- readTimeoutSeconds specifies the maximum time in seconds to read from an authorization server before a timeout.
The default is sixty seconds for both.
Groups properties
- groupsClaim specifies a JsonPath query to extract groups information from a JWT token or introspection endpoint response. Not set by default.
- groupsClaimDelimiter specifies a delimiter to parse groups information when returned as a single delimited string. The default value is ',' (comma).
Example OAuth configuration for a Kafka broker listener
#...
- name: external
  port: 9094
  type: loadbalancer
  tls: true
  authentication:
    type: oauth
    # ...
    connectTimeoutSeconds: 60
    readTimeoutSeconds: 60
    groupsClaim: "$.groups"
    groupsClaimDelimiter: ","
See KafkaListenerAuthenticationOAuth schema reference and KafkaClientAuthenticationOAuth schema properties.
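The following added example (not from the AMQ Streams documentation or its OAuth library) sketches in Python how groupsClaim and groupsClaimDelimiter turn token claims into a list of groups, for both an array claim and a single delimited string. The helper names, the constructed sample tokens, the dotted-path-only JsonPath handling and the whitespace trimming are assumptions made for illustration; the token signature is not verified here.

```python
import base64
import json


def make_token(claims: dict) -> str:
    """Build a constructed sample JWT (placeholder signature, never validated)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig-placeholder"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; signature checking is out of scope."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_path(claims: dict, query: str):
    """Resolve a plain dotted query such as $.groups or $.realm_access.roles.
    Assumption: filters and wildcards are not handled in this sketch."""
    if not query.startswith("$."):
        raise ValueError("only $.a.b style queries are handled in this sketch")
    node = claims
    for key in query[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_groups(claims: dict, groups_claim=None, delimiter: str = ",") -> list:
    """Return the groups selected by groups_claim, or [] when none apply."""
    if groups_claim is None:  # groupsClaim is not set by default
        return []
    value = resolve_path(claims, groups_claim)
    if value is None:         # claim absent from the token
        return []
    if isinstance(value, str):
        # Single delimited string; trimming whitespace is an assumption here.
        return [g.strip() for g in value.split(delimiter) if g.strip()]
    if isinstance(value, list):
        return [str(g) for g in value]
    raise TypeError(f"unsupported groups value: {type(value).__name__}")
```

A token without the configured claim yields no groups, so any authorization rule that depends on group membership should be tested against tokens of each shape the authorization server can issue.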