StreamNative Private Cloud is an enterprise product that brings dedicated controllers to Kubernetes by providing Custom Resource Definitions (CRDs) that extend the basic Kubernetes orchestration capabilities to support the setup and management of StreamNative components.

What’s Changed

🚀 New Features

Advertised Listeners Support

  • API for AdvertisedListeners: New API fields for configuring advertised listeners on PulsarBroker
  • Controller Implementation: Complete controller logic for managing AdvertisedListeners
  • Authorization Policy Integration: Added advertised listener ports to broker’s authorization policy

Istio Ambient Mode

  • Ambient Mode Support: Full support for running Pulsar clusters in Istio ambient mode
  • Ambient Mode API: Added API configuration for enabling ambient mode in Pulsar clusters
  • Design Documentation: Comprehensive design document for Istio Ambient Mode integration

Enhanced Authentication & Security

  • mTLS Support: Added mTLS (mutual TLS) support to authentication module
  • Broker-to-Broker mTLS: Support for broker-to-broker mTLS client authentication
  • Local Revocation List: Support for local certificate revocation list
  • API Keys Public Key: Support for specifying the public key path or secret for API keys authentication
  • Disable V1 Routes: Support for disabling v1 routes for API key service

Kafka Connect Enhancements

  • PLAIN and SCRAM Authentication: Support for PLAIN and SCRAM-SHA authentication for Kafka Connect
  • TLS Configuration: Support for setting TLS config (truststore, keystore) for KafkaConnect
  • GenericAuth Backward Compatibility: Added GenericAuth back to KafkaConnect for backward compatibility

Pulsar Functions Improvements

  • Kafka Support: Added Kafka support on Pulsar Functions
  • Oxia State Storage: Create the OxiaNamespace automatically when a function has Oxia state enabled
  • No Java Log Config: Do not generate javaLogConfig for functions to simplify configuration

🔧 Enhancements

Compaction Service

  • Cluster Name Configuration: Introduced clusterName configuration to compaction service
  • Optional Image Field: Changed CompactionScheduler.Image to optional for flexibility
  • Node Selector Support: Support for setting node selector for compaction scheduler

Kafka on Pulsar (KoP)

  • Schema Registry Limit: Added kafkaSchemaRegistryLimitSchemaSupport configuration option
  • KSN Lakehouse Configs: Added cluster-level configs for KSN when lakehouse is enabled
  • Linking Mode: Added linkingMode configuration for UniLink
  • Topic Rename Map: Support for TopicRenameMap configuration in UniLink
  • Subject Rename Map: Added subjectRenameMap support for UniLinkSchema

Oxia Enhancements

  • Pause Rollout: Support pause rollout for Oxia server
  • Pending Change Diff: Added pending change diff for Oxia cluster visibility
  • Leases Permission: Updated leases permission for Oxia role
  • No OxiaNamespace for Function State: Do not create OxiaNamespace for function state when not needed

Resource Management

  • Prepare Container Security: Added securityContext and resource limits for prepare container
  • Function Mesh Resources: Added resource configuration for function mesh components
  • Toolset Global API Key: Toolset support for global API key integration

Gateway & Proxy

  • Gateway TLS Feature Flag: Introduced feature DISABLE_AUTO_FILL_UP_GATEWAY_TLS_FIELDS
  • Broker ServiceEntry: Declare address in Broker ServiceEntry for better networking

Monitoring & Observability

  • Full Metrics Timeout: Added timeout for full metrics collection
  • API Key Metrics: Disable full metrics if API key is not enabled
  • Autorecovery Probes: Added liveness and readiness probe for autorecovery

Broker Configuration

  • Default LB Config: Added default broker load balancer config for Pulsar 3.x
  • Authorization Policy TLS: Added port 8443 to authorization policy when TLS is enabled

🐛 Bug Fixes

Core Fixes

  • managedLedgerOffloadReadThreads: Fixed managedLedgerOffloadReadThreads configuration
  • HPA Graceful Rollout: Fixed HPA when graceful rollout is enabled
  • Proxy Readonly FS: Fixed proxy readonly filesystem script

PFSQL Fixes

  • Istio Reconcile NPE: Fixed NPE from PFSQL Istio reconcile
  • Virtual Service: Fixed creating PFSQL gateway virtual service on non-Istio clusters
  • Serverless Istio: Fixed PFSQL enabling Istio on serverless clusters

Serverless & Coordinator

  • Coordinator Reconcile: Fixed serverless blocking Pulsar coordinator reconcile

API Validation

  • AgentFunction Fields: Removed unnecessary required fields for AgentFunction and KafkaConnect

🔒 Security Updates

CVE Fixes

  • Go Version Upgrade: Upgraded Go from 1.23.12 to 1.25.3 to fix CVEs
  • Security Patches: Applied latest security patches and updates

Authentication Enhancements

  • mTLS Authentication: Full mTLS support added to authentication module
  • Broker Authentication: Broker-to-broker mTLS client authentication support
  • Certificate Revocation: Local revocation list support for enhanced certificate management

📦 Dependencies

Updated Dependencies

  • PFSQL Gateway: Updated PFSQL gateway to version 0.22.6
  • Go Version: Upgraded to Go 1.25.3 for security and performance improvements
  • Red Hat Docker: Upgraded Red Hat Docker file to use Go 1.25.3

Go Module Updates

  • Complete Upgrade: Complete Go 1.25.3 upgrade for all modules and workflows
  • Alpine Image: Upgraded Alpine base image for improved security

🚨 Breaking Changes

Configuration Changes

  • CompactionScheduler.Image: The Image field for CompactionScheduler is now optional
  • javaLogConfig: No longer generates javaLogConfig for functions by default
  • AgentFunction/KafkaConnect: Some previously required fields are now optional

API Changes

  • AdvertisedListeners API: New API fields added for configuring advertised listeners
  • Ambient Mode API: New API fields for Istio ambient mode support

🔄 Migration Notes

From v0.13.6 to v0.14.x

  • Go Version: The operator now uses Go 1.25.3; ensure compatibility with your build environment
  • mTLS Configuration: If using mTLS, review the new authentication module configuration
  • Kafka Connect Auth: Review Kafka Connect authentication settings, especially if using PLAIN or SCRAM
  • Functions Configuration: Note that javaLogConfig is no longer generated automatically for functions
  • Advertised Listeners: If using custom listeners, review the new AdvertisedListeners API

📋 Upgrade Instructions

  1. Backup: Create a backup of your current configuration and state
  2. Update CRDs: Apply the new CRD definitions including AdvertisedListeners fields
  3. Update Operator: Deploy the new operator version (v0.14.x)
  4. Review Authentication: Review and update mTLS and authentication configurations
  5. Verify: Check that all components are running correctly
  6. Test: Validate new features in a test environment before production use
  7. Monitor: Monitor metrics and logs for any issues during and after upgrade

🎯 Performance Improvements

  • Broker Configuration: Optimized default broker load balancer config for Pulsar 3.x
  • Metrics Collection: Added timeout for full metrics to prevent blocking
  • Resource Efficiency: Improved resource configuration options for prepare container and function mesh

📚 Documentation

  • Added design documents for multi-protocol advertised addresses and PulsarBroker architecture
  • Added Istio Ambient Mode design document for SN Operator
  • Updated API documentation for AdvertisedListeners configuration
  • Enhanced configuration examples for Kafka Connect authentication
  • Improved guides for mTLS configuration