Releases: kroxylicious/kroxylicious
v0.9.0
0.9.0
- #1668 Bump apicurio-registry.version from 2.6.5.Final to 2.6.6.Final
- #1667 Bump io.micrometer:micrometer-bom from 1.14.1 to 1.14.2
- #1666 Bump org.apache.logging.log4j:log4j-bom from 2.24.2 to 2.24.3
- #1294 AWS KMS - support authentication from instance metadata of EC2
- #1657 Remove forwardPartialRequests feature of record validation filter
- #1635 Handle ApiVersions unsupported version downgrade
- #1648 Add test-only feature mechanism to Proxy configuration
- #1379 Remove Deprecated EnvelopeEncryption
- #1561 Allow Trust and ClientAuth to be set for Downstream TLS
- #1550 Upgrade Apache Kafka from 3.8.0 to 3.9.0 #1550
- #1557 Bump io.micrometer:micrometer-bom from 1.13.5 to 1.13.6
- #1554 Bump apicurio-registry.version from 2.6.4.Final to 2.6.5.Final
- #1522 Bump apicurio-registry.version from 2.6.3.Final to 2.6.4.Final
- #1498 Give KmsService lifecycle methods
- #1514 Bump io.netty:netty-bom from 4.1.112.Final to 4.1.113.Final
- #1517 Bump apicurio-registry.version from 2.6.2.Final to 2.6.3.Final
- #1515 Bump io.micrometer:micrometer-bom from 1.13.2 to 1.13.4
Changes, deprecations and removals
- The deprecated EnvelopeEncryption filter is now removed. Use RecordEncryption instead.
- The deprecated forwardPartialRequests option has been removed from the Record Validation Filter.
- This release upgrades Kroxylicious to Jackson 2.18 which "improves" how jackson handles constructor detection which may lead to issues with filter config.
If after the upgrade you observe issues similar to
com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Invalid type definition for type
com.fasterxml.jackson.databind.tofix.CreatorResolutionTest$HostPort: Argument #0 of Creator [method com.fasterxml.jackson.databind.tofix.CreatorResolutionTest$HostPort#parse(java.lang.String)] has no property name (and is not Injectable): can not use as property-based Creator
then you need to add@JsonCreator(mode = JsonCreator.Mode.DELEGATING)
to the constructor one expects Jackson to use.
v0.8.0
v0.7.0
0.7.0
- #1414 Address record validation filter name inconsistency
- #1348 Fix #1348: Rework the Record Encryption documentation describing the role of the administrator
- #1415 Fix #1415: Improve record validation docs #1429
- #1417: Extend JsonSchemaValidator to validate the incoming schema id matches the expected.
- #1401: Support a FIPs-certified cipher from an alternative provider
- #1416: Schema validation should not rely on the syntax validation
- #1393: Remove api versions service
- #1404: Move deprecated Context classes out of kroxylicious-api
- #1402: Move FilterInvoker classes to kroxylicious-runtime
- #1289: Record Encryption - expose maxEncryptionsPerDek for configuration
- #1394: Make ClusterNetworkAddressConfigProvider and co internal
- #1356: Changes for Kafka 3.8.0 #1356
- #1354: Make EDEK cache refresh and expiry durations configurable
- #1360: Bump kafka.version from 3.7.0 to 3.7.1
- #1322: Introduce FilterDispatchExecutor
- #1154: Apicurio based schema validation filter
Changes, deprecations and removals
- The Record Encryption Filter now uses
AES/GCM/NoPadding
as the transformation String and checks the KMS
returns a 256bit DEK. This enables users to configure an alternative JCE Provider in their JRE configuration
that offers this algorithm. - FilterFactoryContext#eventLoop() is deprecated, replaced by FilterFactoryContext#filterDispatchExecutor().
This returns FilterDispatchExecutor, a new interface extending ScheduledExecutorService. FilterDispatchExecutor
has methods to enable Filters to check if the current thread is the Filter Dispatch Thread and it offers
specialized futures, where chained async methods will also run on the Filter Dispatch Thread when no executor
is supplied. This is intended to be a tool to make it convenient for Filters to hand off work to uncontrolled
threads, then switch back to an execution context where mutation of Filter members is safe. - Record Encryption Filter: Data Encryption Keys will now be refreshed one hour after creation by default.
This is a bugfix for #1139 to ensure we start
using new key material after key-encryption-keys are rotated in the KMS within some controlled duration. - Breaking changes to public kroxylicious-api module, Filter Authors may be affected
- Deprecated
io.kroxylicious.proxy.clusternetworkaddressconfigprovider.ClusterNetworkAddressConfigProviderContributor
moved to internal module - Deprecated
io.kroxylicious.proxy.service.ClusterNetworkAddressConfigProvider
moved to internal module - Deprecated
io.kroxylicious.proxy.service.HostPort
moved to internal module - Deprecated
io.kroxylicious.proxy.filter.FilterInvoker
and implementations moved to internal module - Deprecated
io.kroxylicious.proxy.filter.FilterAndInvoker
moved to internal module - Deprecated
io.kroxylicious.proxy.filter.FilterInvokers
moved to internal module - Deprecated
io.kroxylicious.proxy.service.Context
moved to internal module - Deprecated
io.kroxylicious.proxy.service.Contributor
moved to internal module - Deprecated
io.kroxylicious.proxy.ApiVersionsService
removed without replacement
- Deprecated
v0.6.0
CHANGELOG
This changelog enumerates all user-facing changes made to Kroxylicious, in reverse chronological order.
For changes that effect a public API, the deprecation policy is followed.
Format <github issue/pr number>: <short description>
.
0.6.0
- #1195: SASL OAUTHBEARER validation filter
- #1076: AWS KMS implementation for Record Encryption
- #1201: Bump com.fasterxml.jackson:jackson-bom from 2.17.0 to 2.17.1
- #1158: Bump io.netty:netty-bom from 4.1.108.Final to 4.1.109.Final
- #1162: Fix #1162: allow tenant / resource name prefix separator to be controlled from configuration
- #1120: Generate API compatability report as part of the release process.
- #1220: Range-aware Port Per Node with integer configuration
Changes, deprecations and removals
- RangeAwarePortPerNodeClusterNetworkAddressConfigProvider is a new ClusterNetworkAddressConfigProvider that is capable of modelling
more target topologies using a compact set of ports. Users can declare multiple ranges of node ids that exist in the target cluster
and the proxy will map those ranges on to a minimal set of proxy ports. See the Virtual Cluster configuration docs
for more information.
0.5.1
- #1129: Ensure timeouts are cancelled when sendRequest completes normally. Thanks to @luozhenyu for spotting the issue.
- #1115: Bump io.netty:netty-bom from 4.1.107.Final to 4.1.108.Final
- #1110: Body decoder now supports older versions of ApiVersionsResponse
- #1107: Replace deprecated FilePasswordFilePath class with @JsonAlias.
- #1099: Bump io.micrometer:micrometer-bom from 1.12.3 to 1.12.4
- #1103: Bump com.fasterxml.jackson:jackson-bom from 2.16.1 to 2.17.0
- #1057: Check platform supports all record encryption ciphers at configuration time
0.5.0
- #1074: Port-per-broker Exposition: make lowest broker id configurable
- #1066: Log platform information on startup
- #1050: Change AES GCM cipher to require a 256bit key
- #1049: Add deprecated EnvelopeEncryption filter to ease migration to RecordEncryption filter
- #1043: Rename EnvelopeEncryption filter to RecordEncryption
- #1029: Upgrade to Kafka 3.7.0
- #1011: Bump io.netty:netty-bom from 4.1.106.Final to 4.1.107.Final
- #1010: Bump io.micrometer:micrometer-bom from 1.12.2 to 1.12.3
- #1024: Log virtual cluster and metrics binding
- #1032: Cache unknown alias resolutions temporarily
- #1031: Fix inconsistently named configuration key in test filter class (FetchResponseTransformationFilter)
- #1020: KMS retry logic failing with Null Pointers
- #1019: Stop logging license header as part of the startup banner.
- #1004: Publish images to Quay kroxylicious/kroxylicious rather than kroxylicious-developer
- #997: Add hardcoded maximum frame size
- #782: Securely handle the HashiCorp Vault Token in Kroxylicious configuration
- #973: Remove deprecated CompositeFilter and its documentation
- #935: Enable user to configure alternative source of keys for vault KMS client
- #787: Initial documentation for the envelope-encryption feature.
- #940: Support vault namespaces and support secrets transit engine at locations other than /transit
- #951: Include the kroxylicious maintained filters in the dist by default
- #910: Envelope encryption preserve batches within MemoryRecords
- #883: Ensure we only initialise a filter factory once.
- #912: Bump io.netty:netty-bom from 4.1.104.Final to 4.1.106.Final
- #909: [build] use maven maven-dependency-plugin to detect missing/superfluous dependencies at build time
- #895: Ensure we execute deferred Filter methods on the eventloop
- #896: In TLS config, use passwordFile as property to accept password material from a file rather than filePath.
- #844: Fix connect to upstream using TLS client authentication
- #885: Bump kroxy.extension.version from 0.8.0 to 0.8.1
Changes, deprecations and removals
- EncryptionVersion 1 is no longer supported, we found that it had diverged from our design document and have corrected it. From release 0.5.0 we guarantee backwards compatibility from EncryptionVersion 2 onwards.
- We have renamed the EnvelopeEncryption filter it is now the RecordEncryption filter. As this is a more accurate description of its role. We have not changed the way we deliver the encryption-at-rest as we are still using Envelope Encryption. Note we have preserved an
EnvelopeEncryption
factory, albeit deprecated, to avoid runtime failures for users upgrading from0.4.x
. - When configuring TLS, the property
filePath
for specifying the location of a file providing the password is now
deprecated. UsepasswordFile
instead. - When configuring TLS, it is no longer valid to pass a null inline password like
"storePassword": {"password": null}
instead use"storePassword": null
- As a result of the work of #909, some superfluous transitive dependencies have been removed from some kroxylicious. If you were relying on those, you will need to
adjust your dependencies as your adopt this release. io.kroxylicious:kroxylicious-filter-test-support
now contains RecordTestUtils for creating exampleRecord
,RecordBatch
andMemoryRecords
. It also contains
assertj assertions for those same classes to enable us to write fluent assertions, accessible viaio.kroxylicious.test.assertj.KafkaAssertions
.- The configuration for VaultKMS service has changed.
- Instead of the
vaultUrl
config key, the provider now requiresvaultTransitEngineUrl
. This must provide the
complete path to the Transit Engine on the HashiCorp Vault instance (e.g. https://myvault:8200/v1/transit or
https://myvault:8200/v1/mynamespace/transit). - The
vaultToken
field now requires aPasswordProvider
object rather than inline text value. You may pass the
token from a file (filename specified by apasswordFile
field) or inline (password
field). The latter is not
recommended in production environments.
- Instead of the
- The deprecated CompositeFilter interface has been removed.
- Container images for releases will be published to quay.io/kroxylicious/kroxylicious (rather than kroxylicious-developer)
FetchResponseTransformationFilter
now uses configuration keytransformationConfig
(rather thanconfig
). This matches
the configuration expected byProduceRequestTransformationFilter
.
0.4.1
- #836: Cache decrypted EDEK and resolved aliases
- #823: Recover from EDEK decryption failures and improve KMS resilience measures
- #841: Ensure the envelope encryption filter transits record offsets unchanged.
- #847: Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to 3.12.1
- #838: Ensure the decryption maintains record ordering, regardless of completion order of the decryptor.
- #837: refactor: take advantage of the topic injection in several integration tests including (the SampleFilterIT)
- #827: Release process should update version number references in container image versi...
v0.5.1
CHANGELOG
Please enumerate all user-facing changes using format <github issue/pr number>: <short description>
, with changes ordered in reverse chronological order.
SNAPSHOT
0.5.1
- #1129: Ensure timeouts are cancelled when sendRequest completes normally. Thanks to @luozhenyu for spotting the issue.
- #1115: Bump io.netty:netty-bom from 4.1.107.Final to 4.1.108.Final
- #1110: Body decoder now supports older versions of ApiVersionsResponse
- #1107: Replace deprecated FilePasswordFilePath class with @JsonAlias.
- #1099: Bump io.micrometer:micrometer-bom from 1.12.3 to 1.12.4
- #1103: Bump com.fasterxml.jackson:jackson-bom from 2.16.1 to 2.17.0
- #1057: Check platform supports all record encryption ciphers at configuration time
0.5.0
- #1074: Port-per-broker Exposition: make lowest broker id configurable
- #1066: Log platform information on startup
- #1050: Change AES GCM cipher to require a 256bit key
- #1049: Add deprecated EnvelopeEncryption filter to ease migration to RecordEncryption filter
- #1043: Rename EnvelopeEncryption filter to RecordEncryption
- #1029: Upgrade to Kafka 3.7.0
- #1011: Bump io.netty:netty-bom from 4.1.106.Final to 4.1.107.Final
- #1010: Bump io.micrometer:micrometer-bom from 1.12.2 to 1.12.3
- #1024: Log virtual cluster and metrics binding
- #1032: Cache unknown alias resolutions temporarily
- #1031: Fix inconsistently named configuration key in test filter class (FetchResponseTransformationFilter)
- #1020: KMS retry logic failing with Null Pointers
- #1019: Stop logging license header as part of the startup banner.
- #1004: Publish images to Quay kroxylicious/kroxylicious rather than kroxylicious-developer
- #997: Add hardcoded maximum frame size
- #782: Securely handle the HashiCorp Vault Token in Kroxylicious configuration
- #973: Remove deprecated CompositeFilter and its documentation
- #935: Enable user to configure alternative source of keys for vault KMS client
- #787: Initial documentation for the envelope-encryption feature.
- #940: Support vault namespaces and support secrets transit engine at locations other than /transit
- #951: Include the kroxylicious maintained filters in the dist by default
- #910: Envelope encryption preserve batches within MemoryRecords
- #883: Ensure we only initialise a filter factory once.
- #912: Bump io.netty:netty-bom from 4.1.104.Final to 4.1.106.Final
- #909: [build] use maven maven-dependency-plugin to detect missing/superfluous dependencies at build time
- #895: Ensure we execute deferred Filter methods on the eventloop
- #896: In TLS config, use passwordFile as property to accept password material from a file rather than filePath.
- #844: Fix connect to upstream using TLS client authentication
- #885: Bump kroxy.extension.version from 0.8.0 to 0.8.1
Changes, deprecations and removals
- EncryptionVersion 1 is no longer supported, we found that it had diverged from our design document and have corrected it. From release 0.5.0 we guarantee backwards compatibility from EncryptionVersion 2 onwards.
- We have renamed the EnvelopeEncryption filter it is now the RecordEncryption filter. As this is a more accurate description of its role. We have not changed the way we deliver the encryption-at-rest as we are still using Envelope Encryption. Note we have preserved an
EnvelopeEncryption
factory, albeit deprecated, to avoid runtime failures for users upgrading from0.4.x
. - When configuring TLS, the property
filePath
for specifying the location of a file providing the password is now
deprecated. UsepasswordFile
instead. - When configuring TLS, it is no longer valid to pass a null inline password like
"storePassword": {"password": null}
instead use"storePassword": null
- As a result of the work of #909, some superfluous transitive dependencies have been removed from some kroxylicious. If you were relying on those, you will need to
adjust your dependencies as your adopt this release. io.kroxylicious:kroxylicious-filter-test-support
now contains RecordTestUtils for creating exampleRecord
,RecordBatch
andMemoryRecords
. It also contains
assertj assertions for those same classes to enable us to write fluent assertions, accessible viaio.kroxylicious.test.assertj.KafkaAssertions
.- The configuration for VaultKMS service has changed.
- Instead of the
vaultUrl
config key, the provider now requiresvaultTransitEngineUrl
. This must provide the
complete path to the Transit Engine on the HashiCorp Vault instance (e.g. https://myvault:8200/v1/transit or
https://myvault:8200/v1/mynamespace/transit). - The
vaultToken
field now requires aPasswordProvider
object rather than inline text value. You may pass the
token from a file (filename specified by apasswordFile
field) or inline (password
field). The latter is not
recommended in production environments.
- Instead of the
- The deprecated CompositeFilter interface has been removed.
- Container images for releases will be published to quay.io/kroxylicious/kroxylicious (rather than kroxylicious-developer)
FetchResponseTransformationFilter
now uses configuration keytransformationConfig
(rather thanconfig
). This matches
the configuration expected byProduceRequestTransformationFilter
.
0.4.1
- #836: Cache decrypted EDEK and resolved aliases
- #823: Recover from EDEK decryption failures and improve KMS resilience measures
- #841: Ensure the envelope encryption filter transits record offsets unchanged.
- #847: Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to 3.12.1
- #838: Ensure the decryption maintains record ordering, regardless of completion order of the decryptor.
- #837: refactor: take advantage of the topic injection in several integration tests including (the SampleFilterIT)
- #827: Release process should update version number references in container image versions too
- #825: Improve the topic encryption example
- #832: Bump io.netty:netty-bom from 4.1.101.Final to 4.1.104.Final
- #828: Bump io.micrometer:micrometer-bom from 1.12.0 to 1.12.1
0.4.0
- #817: Encryption Filter: Set hardcoded request timeout on Vault requests
- #798: Encryption Filter: Refactor Serialization to new Parcel Scheme
- #809: Bump Kroxylicious Junit Ext from 0.7.0 to 0.8.0
- #803: Bump kafka.version from 3.6.0 to 3.6.1 #803
- #741: Encryption Filter: Implement a HashiCorp Vault KMS
- #764: Encryption Filter: Rotate to a new DEK when the old one is exhausted
- #696: Initial work on an Envelope Encryption Filter
- #752: Remove redundant re-installation of time-zone data in Dockerfile used for Kroxylicious container image
- #727: Tease out simple transform filters into their own module
- #628: Kroxylicious system tests
- [#738](https://git...
v0.5.0
CHANGELOG
Please enumerate all user-facing changes using format <githib issue/pr number>: <short description>
, with changes ordered in reverse chronological order.
SNAPSHOT
0.5.0
- #1074: Port-per-broker Exposition: make lowest broker id configurable
- #1066: Log platform information on startup
- #1050: Change AES GCM cipher to require a 256bit key
- #1049: Add deprecated EnvelopeEncryption filter to ease migration to RecordEncryption filter
- #1043: Rename EnvelopeEncryption filter to RecordEncryption
- #1029: Upgrade to Kafka 3.7.0
- #1011: Bump io.netty:netty-bom from 4.1.106.Final to 4.1.107.Final
- #1010: Bump io.micrometer:micrometer-bom from 1.12.2 to 1.12.3
- #1024: Log virtual cluster and metrics binding
- #1032: Cache unknown alias resolutions temporarily
- #1031: Fix inconsistently named configuration key in test filter class (FetchResponseTransformationFilter)
- #1020: KMS retry logic failing with Null Pointers
- #1019: Stop logging license header as part of the startup banner.
- #1004: Publish images to Quay kroxylicious/kroxylicious rather than kroxylicious-developer
- #997: Add hardcoded maximum frame size
- #782: Securely handle the HashiCorp Vault Token in Kroxylicious configuration
- #973: Remove deprecated CompositeFilter and its documentation
- #935: Enable user to configure alternative source of keys for vault KMS client
- #787: Initial documentation for the envelope-encryption feature.
- #940: Support vault namespaces and support secrets transit engine at locations other than /transit
- #951: Include the kroxylicious maintained filters in the dist by default
- #910: Envelope encryption preserve batches within MemoryRecords
- #883: Ensure we only initialise a filter factory once.
- #912: Bump io.netty:netty-bom from 4.1.104.Final to 4.1.106.Final
- #909: [build] use maven maven-dependency-plugin to detect missing/superfluous dependencies at build time
- #895: Ensure we execute deferred Filter methods on the eventloop
- #896: In TLS config, use passwordFile as property to accept password material from a file rather than filePath.
- #844: Fix connect to upstream using TLS client authentication
- #885: Bump kroxy.extension.version from 0.8.0 to 0.8.1
Changes, deprecations and removals
- EncryptionVersion 1 is no longer supported, we found that it had diverged from our design document and have corrected it. From release 0.5.0 we guarantee backwards compatibility from EncryptionVersion 2 onwards.
- We have renamed the EnvelopeEncryption filter it is now the RecordEncryption filter. As this is a more accurate description of its role. We have not changed the way we deliver the encryption-at-rest as we are still using Envelope Encryption. Note we have preserved an
EnvelopeEncryption
factory, albeit deprecated, to avoid runtime failures for users upgrading from0.4.x
. - When configuring TLS, the property
filePath
for specifying the location of a file providing the password is now
deprecated. UsepasswordFile
instead. - When configuring TLS, it is no longer valid to pass a null inline password like
"storePassword": {"password": null}
instead use"storePassword": null
- As a result of the work of #909, some superfluous transitive dependencies have been removed from some kroxylicious. If you were relying on those, you will need to
adjust your dependencies as your adopt this release. io.kroxylicious:kroxylicious-filter-test-support
now contains RecordTestUtils for creating exampleRecord
,RecordBatch
andMemoryRecords
. It also contains
assertj assertions for those same classes to enable us to write fluent assertions, accessible viaio.kroxylicious.test.assertj.KafkaAssertions
.- The configuration for VaultKMS service has changed.
- Instead of the
vaultUrl
config key, the provider now requiresvaultTransitEngineUrl
. This must provide the
complete path to the Transit Engine on the HashiCorp Vault instance (e.g. https://myvault:8200/v1/transit or
https://myvault:8200/v1/mynamespace/transit). - The
vaultToken
field now requires aPasswordProvider
object rather than inline text value. You may pass the
token from a file (filename specified by apasswordFile
field) or inline (password
field). The latter is not
recommended in production environments.
- Instead of the
- The deprecated CompositeFilter interface has been removed.
- Container images for releases will be published to quay.io/kroxylicious/kroxylicious (rather than kroxylicious-developer)
FetchResponseTransformationFilter
now uses configuration keytransformationConfig
(rather thanconfig
). This matches
the configuration expected byProduceRequestTransformationFilter
.
0.4.1
- #836: Cache decrypted EDEK and resolved aliases
- #823: Recover from EDEK decryption failures and improve KMS resilience measures
- #841: Ensure the envelope encryption filter transits record offsets unchanged.
- #847: Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to 3.12.1
- #838: Ensure the decryption maintains record ordering, regardless of completion order of the decryptor.
- #837: refactor: take advantage of the topic injection in several integration tests including (the SampleFilterIT)
- #827: Release process should update version number references in container image versions too
- #825: Improve the topic encryption example
- #832: Bump io.netty:netty-bom from 4.1.101.Final to 4.1.104.Final
- #828: Bump io.micrometer:micrometer-bom from 1.12.0 to 1.12.1
0.4.0
- #817: Encryption Filter: Set hardcoded request timeout on Vault requests
- #798: Encryption Filter: Refactor Serialization to new Parcel Scheme
- #809: Bump Kroxylicious Junit Ext from 0.7.0 to 0.8.0
- #803: Bump kafka.version from 3.6.0 to 3.6.1 #803
- #741: Encryption Filter: Implement a HashiCorp Vault KMS
- #764: Encryption Filter: Rotate to a new DEK when the old one is exhausted
- #696: Initial work on an Envelope Encryption Filter
- #752: Remove redundant re-installation of time-zone data in Dockerfile used for Kroxylicious container image
- #727: Tease out simple transform filters into their own module
- #628: Kroxylicious system tests
- #738: Update to Kroxylicious Junit Ext 0.7.0
- #723: Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.16.0 #723
- #724: Bump io.netty.incubator:netty-incubator-transport-native-io_uring from 0.0.23.Final to 0.0.24.Final
- #725: Bump io.netty:netty-bom from 4.1.100.Final to 4.1.101.Final #725
- #710: Rename modules
- #709: Add a KMS service API and an in-memory implementation
- #667: Nested factories
- #701: Bump org.apache.logging.log4j:log4j-bom from 2.21.0 to 2.21.1 #701
Changes, deprecations and removals
- The `P...
v0.4.1
CHANGELOG
Please enumerate all user-facing changes using format <githib issue/pr number>: <short description>
, with changes ordered in reverse chronological order.
SNAPSHOT
0.4.1
- #841: Ensure the envelope encryption filter transits record offsets unchanged.
- #847: Bump org.apache.maven.plugins:maven-compiler-plugin from 3.11.0 to 3.12.1
- #838: Ensure the decryption maintains record ordering, regardless of completion order of the decryptor.
- #837: refactor: take advantage of the topic injection in several integration tests including (the SampleFilterIT)
- #827: Release process should update version number references in container image versions too
- #825: Improve the topic encryption example
- #832: Bump io.netty:netty-bom from 4.1.101.Final to 4.1.104.Final
- #828: Bump io.micrometer:micrometer-bom from 1.12.0 to 1.12.1
0.4.0
- #817: Encryption Filter: Set hardcoded request timeout on Vault requests
- #798: Encryption Filter: Refactor Serialization to new Parcel Scheme
- #809: Bump Kroxylicious Junit Ext from 0.7.0 to 0.8.0
- #803: Bump kafka.version from 3.6.0 to 3.6.1 #803
- #741: Encryption Filter: Implement a HashiCorp Vault KMS
- #764: Encryption Filter: Rotate to a new DEK when the old one is exhausted
- #696: Initial work on an Envelope Encryption Filter
- #752: Remove redundant re-installation of time-zone data in Dockerfile used for Kroxylicious container image
- #727: Tease out simple transform filters into their own module
- #628: Kroxylicious system tests
- #738: Update to Kroxylicious Junit Ext 0.7.0
- #723: Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.16.0 #723
- #724: Bump io.netty.incubator:netty-incubator-transport-native-io_uring from 0.0.23.Final to 0.0.24.Final
- #725: Bump io.netty:netty-bom from 4.1.100.Final to 4.1.101.Final #725
- #710: Rename modules
- #709: Add a KMS service API and an in-memory implementation
- #667: Nested factories
- #701: Bump org.apache.logging.log4j:log4j-bom from 2.21.0 to 2.21.1 #701
Changes, deprecations and removals
- The
ProduceRequestTransformationFilter
andFetchResponseTransformationFilter
have been moved to their own module kroxylicious-simple-transform.
If you were depending on these filters, you must ensure that the kroxylicious-simple-transform JAR file is added to your classpath. The
Javadoc of these classes has been updated to convey the fact that these filters are not intended for production use.
0.3.0
- #686: Bump org.apache.logging.log4j:log4j-bom from 2.20.0 to 2.21.0.
- #634: Update integration tests JDK dependency to 21.
- #632: Kroxylicious tester now supports creating & deleting topics on specific virtual clusters.
- #675: Bump to Netty 4.1.100.Final to mitigate the Rapid Reset Attack (CVE-2023-44487)
- #665: Bump org.apache.kafka:kafka-clients from 3.5.1 to 3.6.0
- #660: Use container registry neutral terminology in docs/scripts #660
- #648: Bump io.netty.incubator:netty-incubator-transport-native-io_uring from 0.0.22.Final to 0.0.23.Final
- #649: Bump io.netty:netty-bom from 4.1.97.Final to 4.1.99.Final
- #650: Bump io.sundr:builder-annotations from 0.100.3 to 0.101.0
- #518: [Breaking] #sendRequest ought to accept request header.
- #623: [Breaking] Refactor how Filters are Created
- #633: Address missing exception handling in FetchResponseTransformationFilter (and add unit tests)
- #537: Computation stages chained to the CompletionStage return by #sendRequest using the default executor async methods now run on the Netty Event Loop.
- #612: [Breaking] Allow filter authors to declare when their filter requires configuration. Note this includes a backwards incompatible change to the contract of the
Contributor
.getInstance
will now throw exceptions rather than returningnull
to mean there was a problem or this contributor does not know about the requested type. - #608: Improve the contributor API to allow it to express more properties about the configuration. This release deprecates
Contributor.getConfigType
in favour ofContributor.getConfigDefinition
. It also removes the proliferation of ContributorManager classes by providing a single type which can handle all Contributors. - #538: Refactor FilterHandler and fix several bugs that would leave messages unflushed to client/broker.
- #531: Simple Test Client now supports multi-RPC conversations with the server.
- #510: Add multi-tenant kubernetes example
- #519: Fix Kafka Client leaks in the SampleFilterIntegrationTest.
- #494: [Breaking] Make the Filter API fully asynchronous (filter methods must return a CompletionStage)
- #498: Include the cluster name from the configuration node in the config model.
- #488: Kroxylicious Bill Of Materials
- #480: Multi-tenant - add suport for the versions of OffsetFetch, FindCoordinator, and DeleteTopics used by Sarama client v1.38.1
- #472: Respect logFrame/logNetwork options in virtualcluster config
- #470: Ensure that the EagerMetadataLearner passes on a client's metadata request with fidelity (fix for kcat -C -E)
- #416: Eagerly expose broker endpoints on startup to allow existing client to reconnect (without connecting to bootstrap).
- #463: deregister micrometer hooks, meters and the registry on shutdown
- #443: Obtain upstream ApiVersions when proxy is not SASL offloading
- #412: Remove $(portNumber) pattern from brokerAddressPattern for SniRouting and PortPerBroker schemes
- #414: Add kubernetes sample illustrating SNI based routing, downstream/upstream TLS and the use of certificates from cert-manager.
- #392: Introduce CompositeFilters
- #401: Fix netty buffer leak when doing a short-circuit response
- #409: Bump netty.version from 4.1.93.Final to 4.1.94.Final #409
- #374 Upstream TLS support
- #375 Support key material in PEM format (X.509 certificates and PKCS-8 private keys)
- #398: Validate admin port does not collide with cluster ports
- #384: Bump guava from 32.0.0-jre to 32.0.1-jre
- #372: Eliminate the test config model from the code-base
- #364: Add Dockerfile for kroxylicious
Changes, deprecations and removals
The Filter API is refactored to be fully asynchronous. Filter API methods such as #onXxxxRequest
and onXxxxResponse
now are required to return a `CompletionStage<FilterRes...
v0.4.0
What's changed?
- #798: Encryption Filter: Refactor Serialization to new Parcel Scheme
- #809: Bump Kroxylicious Junit Ext from 0.7.0 to 0.8.0
- #803: Bump kafka.version from 3.6.0 to 3.6.1 #803
- #741: Encryption Filter: Implement a HashiCorp Vault KMS
- #764: Encryption Filter: Rotate to a new DEK when the old one is exhausted
- #696: Initial work on an Envelope Encryption Filter
- #752: Remove redundant re-installation of time-zone data in Dockerfile used for Kroxylicious container image
- #727: Tease out simple transform filters into their own module
- #628: Kroxylicious system tests
- #738: Update to Kroxylicious Junit Ext 0.7.0
- #723: Bump com.fasterxml.jackson:jackson-bom from 2.15.3 to 2.16.0 #723
- #724: Bump io.netty.incubator:netty-incubator-transport-native-io_uring from 0.0.23.Final to 0.0.24.Final
- #725: Bump io.netty:netty-bom from 4.1.100.Final to 4.1.101.Final #725
- #710: Rename modules
- #709: Add a KMS service API and an in-memory implementation
- #667: Nested factories
- #701: Bump org.apache.logging.log4j:log4j-bom from 2.21.0 to 2.21.1 #701
Changes, deprecations and removals
- The
ProduceRequestTransformationFilter
andFetchResponseTransformationFilter
have been moved to their own module kroxylicious-simple-transform.
If you were depending on these filters, you must ensure that the kroxylicious-simple-transform JAR file is added to your classpath. The
Javadoc of these classes has been updated to convey the fact that these filters are not intended for production use.
Release 0.3.0
Release 0.3.0
- #686: Bump org.apache.logging.log4j:log4j-bom from 2.20.0 to 2.21.0.
- #634: Update integration tests JDK dependency to 21.
- #632: Kroxylicious tester now supports creating & deleting topics on specific virtual clusters.
- #675: Bump to Netty 4.1.100.Final to mitigate the Rapid Reset Attack (CVE-2023-44487)
- #665: Bump org.apache.kafka:kafka-clients from 3.5.1 to 3.6.0
- #660: Use container registry neutral terminology in docs/scripts #660
- #648: Bump io.netty.incubator:netty-incubator-transport-native-io_uring from 0.0.22.Final to 0.0.23.Final
- #649: Bump io.netty:netty-bom from 4.1.97.Final to 4.1.99.Final
- #650: Bump io.sundr:builder-annotations from 0.100.3 to 0.101.0
- #518: [Breaking] #sendRequest ought to accept request header.
- #623: [Breaking] Refactor how Filters are Created
- #633: Address missing exception handling in FetchResponseTransformationFilter (and add unit tests)
- #537: Computation stages chained to the CompletionStage return by #sendRequest using the default executor async methods now run on the Netty Event Loop.
- #612: [Breaking] Allow filter authors to declare when their filter requires configuration. Note this includes a backwards incompatible change to the contract of the
Contributor
.getInstance
will now throw exceptions rather than returningnull
to mean there was a problem or this contributor does not know about the requested type. - #608: Improve the contributor API to allow it to express more properties about the configuration. This release deprecates
Contributor.getConfigType
in favour ofContributor.getConfigDefinition
. It also removes the proliferation of ContributorManager classes by providing a single type which can handle all Contributors. - #538: Refactor FilterHandler and fix several bugs that would leave messages unflushed to client/broker.
- #531: Simple Test Client now supports multi-RPC conversations with the server.
- #510: Add multi-tenant kubernetes example
- #519: Fix Kafka Client leaks in the SampleFilterIntegrationTest.
- #494: [Breaking] Make the Filter API fully asynchronous (filter methods must return a CompletionStage)
- #498: Include the cluster name from the configuration node in the config model.
- #488: Kroxylicious Bill Of Materials
- #480: Multi-tenant - add suport for the versions of OffsetFetch, FindCoordinator, and DeleteTopics used by Sarama client v1.38.1
- #472: Respect logFrame/logNetwork options in virtualcluster config
- #470: Ensure that the EagerMetadataLearner passes on a client's metadata request with fidelity (fix for kcat -C -E)
- #416: Eagerly expose broker endpoints on startup to allow existing client to reconnect (without connecting to bootstrap).
- #463: deregister micrometer hooks, meters and the registry on shutdown
- #443: Obtain upstream ApiVersions when proxy is not SASL offloading
- #412: Remove $(portNumber) pattern from brokerAddressPattern for SniRouting and PortPerBroker schemes
- #414: Add kubernetes sample illustrating SNI based routing, downstream/upstream TLS and the use of certificates from cert-manager.
- #392: Introduce CompositeFilters
- #401: Fix netty buffer leak when doing a short-circuit response
- #409: Bump netty.version from 4.1.93.Final to 4.1.94.Final #409
- #374 Upstream TLS support
- #375 Support key material in PEM format (X.509 certificates and PKCS-8 private keys)
- #398: Validate admin port does not collide with cluster ports
- #384: Bump guava from 32.0.0-jre to 32.0.1-jre
- #372: Eliminate the test config model from the code-base
- #364: Add Dockerfile for kroxylicious
Changes, deprecations and removals
The Filter API is refactored to be fully asynchronous. Filter API methods such as #onXxxxRequest
and onXxxxResponse
now are required to return a CompletionStage<FilterResult>
. The FilterResult
encapsulates the message to be
forwarded and carries orders (such as close the connection). The context provides factory methods for creating
FilterResult
objects.
The default metrics port has changed from 9193 to 9190 to prevent port collisions
Filter Authors can now implement CompositeFilter if they want a single configuration block to contribute multiple Filters
to the Filter chain. This enables them to write smaller, more focused Filter implementations but deliver them as a whole
behaviour with a single block of configuration in the Kroxylicious configuration yaml. This interface is mutually exclusive
with RequestFilter, ResponseFilter or any specific message Filter interfaces.
In the kroxylicious config, the brokerAddressPattern parameter for the PortPerBroker scheme no longer accepts or requires
:$(portNumber) suffix. In addition, for the SniRouting scheme the config now enforces that there is no port specifier
present on the brokerAddressPattern parameter. Previously, it was accepted but would lead to a failure later.
Kroxylicious configuration no longer requires a non empty filters
list, users can leave it unset or configure in an empty
list of filters and Kroxylicious will proxy to the cluster successfully.
The Contributor API for creating filters has been significantly changed.
FilterContributor
is renamedFilterFactory
.- Filter Authors will now implement one FilterFactory implementation for each Filter implementation. So the cardinality is now one-to-one.
- We now identify which filter we want to load using it's class name or simple class name,
for exampleio.kroxylicious.filter.SpecialFilter
orSpecialFilter
. FilterConstructContext
is renamedFilterCreateContext
- FilterExecutors is removed from FilterCreateContext and the
eventloop()
method is pulled up to FilterCreateContext. - BaseConfig is removed and any Jackson deserializable type can be used as config.
- configuration is no longer part of the FilterCreateContext, it is supplied as a parameter to the
FilterFactory#createFilter(..)
method.
The names used to identify port-per-broker and sni-routing schemes in the Kroxylicious configuration have changed:
PortPerBroker
->PortPerBrokerClusterNetworkAddressConfigProvider
SniRouting
->SniRoutingClusterNetworkAddressConfigProvider
The names used to identify micrometer configuration hooks in configuration have changed:
CommonTagsContributor
->CommonTagsHook
StandardBindersContributor
->StandardBindersHook
CVE Fixes
Release 0.2.0
What's Changed
- Kroxylicious Release 2023-03-27 by @SamBarker in #230
- Begin 0.2.0 development by @SamBarker in #231
- Refactor from kroxylicious futures to JDK futures alternative by @robobario in #211
- Generate code for KafkaRequestDecoder#readBody and KafkaResponseDecoder#readBody by @robobario in #222
- Bump maven-resources-plugin from 3.3.0 to 3.3.1 by @dependabot in #233
- Bump picocli from 4.6.3 to 4.7.1 by @dependabot in #236
- Enable Krpc Generator Mojo to add output directory to project compile or test source roots by @robobario in #232
- Bump maven-install-plugin from 3.1.0 to 3.1.1 by @dependabot in #237
- Bump maven-core from 3.9.0 to 3.9.1 by @dependabot in #235
- Bump maven-surefire-plugin from 3.0.0-M9 to 3.0.0 by @dependabot in #234
- Avoid long poll in multi-tenant tests that use subscribe by @k-wall in #216
- Map the GroupId for OffsetFetch and OffsetDelete RPCs for alterConsumerGroupOffsets, deleteConsumerGroupOffsets and onOffsetFetchRequest Admin API calls by @racheljpg in #217
- Make the version command return the version of the kroxylicious project by @robobario in #239
- bump to the latest version of plexus-build-api by @SamBarker in #241
- checkstyle: include test sources by @robobario in #246
- Use KroxyConfigBuilder in other ITs by @k-wall in #245
- Bump maven-deploy-plugin from 3.1.0 to 3.1.1 by @dependabot in #247
- Bump maven-failsafe-plugin from 3.0.0-M9 to 3.0.0 by @dependabot in #250
- Bump micrometer-bom from 1.10.4 to 1.10.5 by @dependabot in #251
- Bump license-maven-plugin from 4.1 to 4.2 by @dependabot in #248
- test lift by @franvila in #244
- Use sundr builder annotation to build the config for the integration tests. by @k-wall in #253
- Bump maven-enforcer-plugin from 3.2.1 to 3.3.0 by @dependabot in #257
- Bump picocli from 4.7.1 to 4.7.2 by @dependabot in #256
- Bump netty.version from 4.1.90.Final to 4.1.91.Final by @dependabot in #255
- Fix github performance action to not fail when kroxy version is changed by @franvila in #258
- Fix performance action by @franvila in #262
- Backfill some more missing javadoc (api module) by @k-wall in #259
- Wait for services to start in performance action by @robobario in #263
- Add lower-level integration test checking kroxy can decode and proxy RPCs to a mock kafka broker by @robobario in #243
- Bump micrometer-bom from 1.10.5 to 1.10.6 by @dependabot in #273
- Bump mockito-bom from 5.2.0 to 5.3.0 by @dependabot in #274
- Adding summary-always to the PR by @franvila in #269
- Expose multiple clusters / multiple brokers (via static configuration) by @k-wall in #254
- Fix metrics that were always scraped as zero by @robobario in #267
- Enable filters to intercept/mutate SASL requests when proxy is not ha… by @robobario in #278
- Fix #280: Use SLF4J 2.x compatible log4j-slf4j-impl by @k-wall in #281
- Bump mockito-bom from 5.3.0 to 5.3.1 by @dependabot in #282
- Bump maven-plugin-annotations from 3.8.1 to 3.8.2 by @dependabot in #283
- Bump jackson-bom from 2.14.2 to 2.15.0 by @dependabot in #284
- Bump netty-incubator-transport-native-io_uring from 0.0.14.Final to 0.0.20.Final by @dependabot in #286
- Bump maven-plugin-plugin from 3.8.1 to 3.8.2 by @dependabot in #285
- Use new junit5 extension release v0.2.0 by @racheljpg in #289
- Remove duplicated kroxy.extension.version setting in parent pom by @k-wall in #292
- Record PR-comment triggered performance results against PR commit by @robobario in #297
- Bump netty.version from 4.1.91.Final to 4.1.92.Final by @dependabot in #299
- Bump netty-incubator-transport-native-io_uring from 0.0.20.Final to 0.0.21.Final by @dependabot in #298
- Bump picocli from 4.7.2 to 4.7.3 by @dependabot in #301
- Bump maven-checkstyle-plugin from 3.2.1 to 3.2.2 by @dependabot in #300
- Bump junit-bom from 5.9.2 to 5.9.3 by @dependabot in #302
- Introduce a FilterInvoker, RequestFilter and ResponseFilter by @robobario in #288
- Enable forwarding response during request handling by @robobario in #294
- Allowing virtual clusters to share a single port by @k-wall in #279
- Avoid potential for infinite blocking in IT by @SamBarker in #270
- Bump maven-surefire-plugin from 3.0.0 to 3.1.0 by @dependabot in #306
- Bump maven-failsafe-plugin from 3.0.0 to 3.1.0 by @dependabot in #308
- Bump maven-gpg-plugin from 3.0.1 to 3.1.0 by @dependabot in #307
- Add header to forwardRequest and forwardResponse of KrpcFilterContext by @robobario in #296
- bugfix: kroxylicious main method exited immediately by @robobario in #311
- Remove redundant mvn var (debezium) by @k-wall in #314
- Bump maven-plugin-api from 3.9.1 to 3.9.2 by @dependabot in #315
- Bump impsort-maven-plugin from 1.8.0 to 1.9.0 by @dependabot in #316
- Bump build-helper-maven-plugin from 3.3.0 to 3.4.0 by @dependabot in #319
- Bump maven-core from 3.9.1 to 3.9.2 by @dependabot in #317
- Refactor main method to block on a composed CompletableFuture by @robobario in #312
- Bump micrometer-bom from 1.10.6 to 1.11.0 by @dependabot in #318
- Refactor FilterInvoker implementation for speed by @robobario in #320
- Add produce filter that can validate records meet some criteria by @robobario in #309
- Step towards the ability to dynamically bind/unbind ports in response to target cluster topology by @k-wall in #290
- Bump jackson-bom from 2.15.0 to 2.15.1 by @dependabot in #325
- Bump maven-plugin-annotations from 3.8.2 to 3.9.0 by @dependabot in #326
- Bump maven-plugin-plugin from 3.8.2 to 3.9.0 by @dependabot in #327
- Bump maven-source-plugin from 3.2.1 to 3.3.0 by @dependabot in #328
- Bump kroxy ext from 0.2.0 to 0.3.0 by @k-wall in #329
- Fix formatting error in overview.adoc by @gracegrimwood in #332
- Bump integration tests module from OpenJDK 19 to 20. by @k-wall in #333
- Update release instructions by @k-wall in #330
- Adopt closeable#create (rather than #wrap) by @k-wall in #334
- skip javadoc generation in the performance-tests module by @k-wall in #340
- Bump guava from 31.1-jre to 32.0.0-jre by @dependabot in #341...