|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Kroxylicious release 0.21.0" |
| 4 | +date: 2026-05-15 00:00:00 +0000 |
| 5 | +author: "Rob Young" |
| 6 | +author_url: "https://github.com/robobario" |
| 7 | +# noinspection YAMLSchemaValidation |
| 8 | +categories: blog kroxylicious-proxy releases |
| 9 | +tags: [ "releases", "kroxylicious-proxy" ] |
| 10 | +--- |
| 11 | + |
| 12 | +We're excited to announce the release of [Kroxylicious 0.21.0](https://github.com/kroxylicious/kroxylicious/releases/tag/v0.21.0)! This release brings significant new capabilities for Kubernetes environments, enhanced observability, and improved AWS integration. It's been a great open source effort, with a lot of features and fixes coming from the community, so thank you all! Check out the full [Changelog](https://github.com/kroxylicious/kroxylicious/blob/main/CHANGELOG.md#0210) for everything including deprecations, changes, and removals. We also have a [video guide](https://www.youtube.com/watch?v=BuDJfMufm60) to the release. |
| 13 | + |
| 14 | +Here are the highlights: |
| 15 | + |
| 16 | +### Alpha: Kubernetes Admission Webhook for Sidecar Injection |
| 17 | + |
| 18 | +The headline feature is our new Kubernetes admission webhook for automatic sidecar injection. This alpha release enables transparent Kafka protocol proxying without any application code changes. Define your sidecar configuration with the `KroxyliciousSidecarConfig` CRD, and the webhook automatically injects the proxy sidecar into matching pods when they are created (note that once created the proxy will not be updated, and must be recreated to reflect changes in the `KroxyliciousSidecarConfig`). Perfect for adding encryption, validation, or multi-tenancy capabilities to existing Kafka applications. |
| 19 | + |
| 20 | +See the [admission webhook guide](https://kroxylicious.io/documentation/0.21.0/html/admission-webhook-guide/) in the documentation for installation and usage. |
| 21 | + |
| 22 | +### Graceful Connection Draining |
| 23 | + |
| 24 | +Virtual clusters now support graceful connection draining during shutdown. [Configure](https://github.com/kroxylicious/kroxylicious/issues/3968) `drainTimeout` on your virtual cluster, and the proxy will stop accepting new connections while waiting for in-flight requests to complete before shutting down. New metrics track whether disconnections completed gracefully or hit the timeout. Essential for zero-downtime deployments and rolling updates in Kubernetes. Sidebar: while we are talking about restarts and deployments, there is also a [Connection Expiration Filter](https://kroxylicious.io/documentation/0.21.0/html/connection-expiration-guide/) which will help rebalance your connections over time. |
| 25 | + |
| 26 | +### HAProxy PROXY Protocol Support |
| 27 | + |
| 28 | +[Hrishabh Gupta](https://github.com/hrishabhg) added HAProxy PROXY protocol support. Configure `proxy.proxyProtocol.mode` to `enabled`, and the proxy expects the PROXY protocol header before the TLS handshake (or first Kafka RPC if kroxylicious is not terminating TLS). This enables deployment behind HAProxy or other load balancers that use PROXY protocol, and in future could enable new topologies. For example, you could terminate TLS at the load-balancer and pass the SNI hostname information to kroxylicious via the PROXY Protocol. The load balancer would handle TLS computation and certificate rotation, while the Proxy could then offer a single port for all traffic and not terminate TLS. |
| 29 | + |
| 30 | +### Strimzi Integration Enhancements |
| 31 | + |
| 32 | +[Shubham Rawat](https://github.com/ShubhamRwt) enhanced the Kubernetes operator with automatic TLS trust discovery for Strimzi-managed Kafka clusters. Set `trustStrimziCaCertificate` in your KafkaService, and the operator automatically configures the proxy to trust the Strimzi-signed cluster certificates. One less manual step when integrating with Strimzi. (Note that the Strimzi CA secret must be in the same namespace as the KafkaService) |
| 33 | + |
| 34 | +This release also upgrades Strimzi support to version 1.0.0. If you're using the Strimzi integration feature (`spec.strimziKafkaRef` in KafkaService CR), Strimzi 0.49.0 or later is now required. |
| 35 | + |
| 36 | +### AWS KMS Improvements |
| 37 | + |
| 38 | +[Oleksiy Pylypenko](https://github.com/oleksiyp) has extended the Record Encryption AWS KMS, added native support for IRSA (IAM Roles for Service Accounts) and EKS Pod Identity credential providers. The credential configuration has been restructured under a unified `credentials` node, with new `credentials.webIdentity` and `credentials.podIdentity` options for EKS workloads. Existing configurations using top-level `longTermCredentials` or `ec2MetadataCredentials` continue to work unchanged. See the [Proxy Guide](https://kroxylicious.io/documentation/0.21.0/html/record-encryption-guide/#proc-aws-kms-setup-application-identity-pod-identity-record-encryption) for details. |
| 39 | + |
| 40 | +### Dynamic TLS Credential Selection |
| 41 | + |
| 42 | +[Paco Viramontes](https://github.com/kidpollo) implemented a [new plugin API](https://github.com/kroxylicious/design/blob/main/proposals/011-plugin-api-to-select-tls-credentials-for-server-connection.md) enabling dynamic TLS credential selection for upstream connections. Implement `ServerTlsCredentialSupplier` to select different client certificates for the connection from kroxylicious to a target cluster, based on the TLS certificates sent from the client to kroxylicious. This dynamic selection allows Implementors to build their own complex mutual TLS client certificate selection logic. |
| 43 | + |
| 44 | +### Schema Validation Enhancements |
| 45 | + |
| 46 | +[Carles Arnal](https://github.com/carlesarnal) updated the record validation filter to support Avro and Protobuf schema validation alongside the existing JSON schema support. Validate your records against schemas in Apicurio Registry regardless of serialization format. See the docs for `schemaType` [here](https://kroxylicious.io/documentation/0.21.0/html/record-validation-guide#proc-configuring-record-validation-filter-record-validation). |
| 47 | + |
| 48 | +### Container Image Rename |
| 49 | + |
| 50 | +The primary proxy container image has been renamed from `quay.io/kroxylicious/kroxylicious` to `quay.io/kroxylicious/proxy`. The operator automatically uses the new image name. If you're deploying the proxy image directly (without the operator), update your deployment configurations. We will continue publishing new public images to `quay.io/kroxylicious/kroxylicious`, but it is deprecated and will be removed in a future release. |
| 51 | + |
| 52 | +### Community Contributions |
| 53 | + |
| 54 | +This release saw exceptional contributions from the community, with commits landed from: |
| 55 | + |
| 56 | +Carles Arnal, Dahyun Woo, Dan Vulpe, Francisco Vila, Hrishabh Gupta, Keith Wall, Ken Huang, Liberty-Swine, m1a2st, Mario Salinas, Matt Van Horn, Mirtunjay Singh, msalinas-se, Oleksiy Pylypenko, Paco Viramontes, PaulRMellor, Piotr Płaczek, Robert Young, Sam Barker, Shubham Rawat, Tanner Smith, Tom Bentley, Trevin Chow, Urjit Patel, ZhangDT |
| 57 | + |
| 58 | +Thank you to everyone who contributed! |
| 59 | + |
| 60 | +### Artefacts |
| 61 | + |
| 62 | +Binary distributions and container images are available on the [download](https://kroxylicious.io/download/0.21.0/) page. |
| 63 | + |
| 64 | +### Feedback |
| 65 | + |
| 66 | +We'd love to hear from you! Whether you're kicking the tyres, running Kroxylicious in production, or just find the project interesting — drop by and say hello. |
| 67 | +You can reach us through [Slack](https://kroxylicious.slack.com), [GitHub](https://github.com/kroxylicious/kroxylicious/issues) or even [bsky](https://bsky.app/profile/kroxylicious.io), or tell us in person on one of our upcoming [community calls]({% link join-us/community-call/index.md %}). |
0 commit comments