StreamNative Private Cloud is an enterprise product that provides Kubernetes controllers and Custom Resource Definitions (CRDs), extending basic Kubernetes orchestration to support the setup and management of StreamNative components.

What’s Changed

🚀 New Features

Managed Kafka Node Pool and Resource Management

  • Managed Kafka Node Pool: Added managed Kafka node pool configuration support, enabling fine-grained control over Kafka NodePool resources
  • Kafka JVM Options: Added support for configuring JVM options and template customization for managed Kafka workloads
  • Pause Rollout and Pending Change: Introduced pause rollout and pending change support for managed Kafka, allowing operators to control rollouts with greater precision
  • Kafka Zone Rack Injection: Added Kafka zone rack injection with provider zone label support for improved rack awareness
  • Broker Zone Spreading: Added broker zone spreading for managed KafkaCluster when Ursa storage is enabled
  • Group Share: Enabled group share capability for Kafka clusters
  • New KeyShared Implementation: Enabled new KeyShared implementation for dedicated and serverless clusters
  • Kafka Cruise Control and Entity Operator Reconciliation: Added support for reconciling Entity Operator and Cruise Control components

Oxia Metadata Store Enhancements

  • Sidecar Coordinator Mode: Added sidecar coordinator mode for OxiaCluster (requires Oxia >= 0.16.0), with dedicated pprof port and basic health check readiness probe
  • Daemon ConfigMap: Added daemon ConfigMap support for Oxia >= 0.16.0
  • Coordinator CLI Flags: Added --profile pprof flag and --cluster-config flag to the coordinator command
  • SubPath Mounts: Optimized Oxia volume mounts by using subPath mounts and removing redundant coordinator-conf volumes
  • Default Bootstrap Authority: Added default Oxia bootstrap extra authority configuration
  • Pod Anti-Affinity Tuning: Changed default Oxia pod anti-affinity from required to preferred for better scheduling flexibility

Istio Networking and Service Exposure

  • Gateway and VirtualService Generation: Added Istio Gateway and VirtualService generation from advertised listeners for brokers
  • mTLS Handling: Improved Istio resource handling for Oxia mTLS none mode
  • Shared-ZK DestinationRule: Added mTLS support for shared ZooKeeper DestinationRule with conditional CA certificate injection
  • gRPC-Aware Routing: Applied gRPC-aware Istio routing for Oxia port 6648

Iceberg Catalog Integrations

  • BigLake Catalog: Added BigLake Iceberg catalog support for Kafka clusters
  • Horizon Catalog: Added Horizon compaction catalog support
  • Multi-Catalog for Delta: Added support for multiple catalog configurations in delta lakehouse deployments

Schema Registry Configuration

  • Schema Registry URL: Made schema registry URL and schemaRegistryStorageClassName independently configurable
  • Bearer Token Auth: Added bearer token authentication support for schema registry connections

Agent Engine

  • Agent Types: Added configurable agent type definitions
  • Separate Package Service: Made agent and Kafka Connect support separate package service configurations
  • Functions Worker Integration: Passed agentFunctionStateStorageServiceUrl to Functions Worker for agent function state storage
  • Kafka Volume Mounts: Added volume and volumeMount support for Kafka in AgentFunction pods

Detector and Observability

  • Topics-Load Detector: Added new topics-load detector that loads up topics to produce accurate billing based on storage size
  • Metrics Config: Added support for setting custom metrics configuration
  • Scrape Labels: Added Prometheus scrape labels to pod templates across core workloads

Storage Enhancements

  • Azure Blob Storage: Added AZUREBLOB backend storage type support for Codex
  • AvgShedder LoadBalancer: Enabled AvgShedder load balancer by default for Codex workloads

🔧 Enhancements

Kafka Platform Improvements

  • Ursa Storage Defaults: Tuned default Ursa Kafka storage settings for managed Kafka workloads
  • Override Precedence: Ensured custom Kafka configuration correctly overrides Ursa storage defaults
  • Compaction Scheduler: Added clusterName support to the Kafka compaction scheduler and aligned resource/replica handling with Pulsar patterns
  • Broker Discovery: Enhanced Kafka broker discovery for managed clusters
  • NodePool Lifecycle: Updated NodePool annotation and label propagation, entity operator configuration, and JVM options management
  • System Properties Cleanup: Removed unnecessary Java system properties from managed Kafka configuration

PfSQL and Gateway Updates

  • PfSQL Upgrade Chain: Upgraded PfSQL runner and gateway through v0.22.8 → v0.22.9 → v0.22.10
  • Gateway Improvements: Updated compute method for ActiveProcessorCount and managed ledger offload thread handling

OIDC and Security

  • OIDC Issuer Handling: Enhanced OIDC issuers handling with custom configuration support, including OIDC issuer auto-merge for dynamic updates
  • Detector JWT Auth: Converted detector JWT authentication to environment variable injection and auto-disabled TLS certificate verification
  • Client Auth: Fixed client JWT authentication handling in GetBrokerRestClient for broker rollout

Build and Infrastructure

  • Multi-Platform Build: Added multi-platform image build support
  • Release Pipeline: Fixed release job disk space issue by upgrading to larger machine types

🐛 Bug Fixes

Kafka and Resource Fixes

  • Paused Resource Creation: Fixed Kafka and KafkaNodePool resource creation when pause is enabled
  • Namespace UIDs: Replaced namespace UIDs with sub-resource UIDs to avoid unnecessary cluster-scoped GET operations
  • Explicit Affinity: Respected user-configured explicit pod affinity and fixed label keys for anti-affinity rules
  • OIDC Field Removal: Removed omitempty from OIDCIssuers field to fix server-side apply (SSA) field removal bug
  • Volume Mounts: Fixed missing volume and volumeMount for Kafka in AgentFunction workloads

Security and CVE Fixes

  • Go Toolchain: Upgraded Go toolchain to 1.25.9 across v0.18.x releases (CVE-2026-32280)
  • OpenTelemetry SDK: Upgraded OTel SDK to v1.43.0 (CVE-2026-39883)
  • gRPC Dependency: Upgraded google.golang.org/grpc to v1.79.3 (CVE-2026-33186)
  • PostgreSQL Driver: Updated pgx v5 to fix security vulnerabilities
  • Alpine Packages: Upgraded base image Alpine packages (CVE-2026-22184, CVE-2026-28390)
  • Dockerfile Images: Upgraded Dockerfile base images and Go versions across multiple releases
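
For anyone who pins or mirrors images, the version floors listed above can be checked against the build metadata that `go version -m <binary>` prints for a Go binary. The sketch below is an added example, not StreamNative code: the OTel module path, the `/manager` binary name and the sample output are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Floors from "Security and CVE Fixes"; the OTel module path is an assumption.
var floors = map[string]string{
	"go":                           "1.25.9",
	"google.golang.org/grpc":       "1.79.3",
	"go.opentelemetry.io/otel/sdk": "1.43.0",
}

// older reports whether dotted version a is lower than b; a non-numeric field ("3-dev") counts as 0.
func older(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x < y
		}
	}
	return len(as) < len(bs)
}

// BelowFloor scans `go version -m <binary>` output for components under a floor.
func BelowFloor(out string) []string {
	var bad []string
	for _, line := range strings.Split(out, "\n") {
		f, name, ver := strings.Fields(line), "", ""
		if len(f) == 2 && !strings.HasPrefix(line, "\t") { // "<path>: go1.x.y"
			name, ver = "go", strings.TrimPrefix(f[1], "go")
		} else if len(f) >= 3 && f[0] == "dep" { // "dep <module> v1.x.y <hash>"
			name, ver = f[1], strings.TrimPrefix(f[2], "v")
		}
		if floor, ok := floors[name]; ok && older(ver, floor) {
			bad = append(bad, fmt.Sprintf("%s %s < %s", name, ver, floor))
		}
	}
	return bad
}

func main() { // sample below is constructed, not captured from a real image
	sample := "/manager: go1.25.7\n\tdep\tgoogle.golang.org/grpc\tv1.79.1\th1:CONSTRUCTED=\n"
	fmt.Println(BelowFloor(sample))
}
```

Pre-release and other non-numeric version fields compare as 0, so they are reported for manual review rather than silently passed.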

Operational Fixes

  • Istio CaCertificates: Conditionally set caCertificates on shared ZooKeeper DestinationRule only when ca.crt is present
  • Oxia Legacy Mode: Defaulted legacy Oxia coordinator to file-based configuration for backward compatibility

🚨 Breaking Changes

Resource and Configuration Changes

  • Expanded KafkaCluster API: KafkaCluster gains significant new node pool, JVM, zone spreading, and managed resource configuration options
  • Oxia Sidecar Coordinator: OxiaCluster >= 0.16.0 now defaults to sidecar coordinator mode with separate pprof port and readiness probe behavior
  • Istio Gateway Generation: Brokers now generate Istio Gateway and VirtualService resources from advertised listeners, which may impact existing Istio configurations
  • NodePool Annotation Updates: Updated annotation and label handling for Kafka NodePool resources may require validation before upgrade
  • Toolchain and Image Upgrades: Dockerfile images, Go toolchain, and dependencies received incremental CVE-driven upgrades across patch releases

🔄 Migration Notes

From v0.17 to v0.18

  • Apply Updated CRDs First: Apply the latest CRDs and RBAC manifests before upgrading the operator
  • Review KafkaCluster Specs: If you use KafkaCluster, review new node pool, JVM options, zone rack, broker spreading, and group share fields before rollout
  • Review Oxia Configuration: If you use OxiaCluster, validate sidecar coordinator mode behavior with the new daemon ConfigMap, subPath mounts, and pprof port settings
  • Review Istio Configurations: If you expose brokers through Istio, review the new Gateway and VirtualService generation from advertised listeners and verify that your existing Istio configurations are compatible
  • Review Schema Registry: If you use schema registry, validate the new configurable URL and schemaRegistryStorageClassName settings, and test bearer token authentication
  • Review Iceberg Integrations: If you use compaction with Iceberg catalogs, validate BigLake and Horizon catalog support, and verify multi-catalog delta configurations
  • Review Agent Functions: If you use Agent Engine, validate agent types, Kafka volume mount support, and Functions Worker storage URL configuration
  • Review Security Updates: If you run security scans or pin images, review the CVE-driven image and dependency upgrades shipped across the v0.18.x release line

📋 Upgrade Instructions

  1. Backup: Create a backup of your current configuration and state
  2. Update CRDs: Apply the latest CRDs and RBAC manifests before upgrading the operator
  3. Deploy Operator: Upgrade the operator image to v0.18.10
  4. Validate Kafka Workloads: Verify KafkaCluster, NodePool, cruise control, and entity operator reconciliation if you use managed Kafka features
  5. Validate Oxia Clusters: Verify OxiaCoordinator sidecar deployment, daemon ConfigMap, and subPath volume mount behavior
  6. Validate Istio Paths: Verify broker Gateway and VirtualService routing, Oxia mTLS behavior, and gRPC-aware routing on port 6648
  7. Validate Detector Workloads: Check topics-load detector operation and JWT auth environment variable injection
  8. Monitor: Monitor controller logs, reconciliation status, and workload readiness after the upgrade

🎯 Performance Improvements

  • Kafka Storage Tuning: Improved default storage-related tuning for Kafka on Ursa
  • Broker Zone Spreading: Optimized broker placement and rack awareness with provider zone labels
  • Oxia Scheduling: Relaxed default pod anti-affinity for Oxia to improve scheduling throughput
  • Codex AvgShedder: Enabled AvgShedder load balancer by default for better load distribution
  • Cluster-Scope Operations: Replaced namespace UIDs with sub-resource UIDs to reduce unnecessary cluster-scoped GET operations

📚 Documentation

  • Regenerated CRDs, deepcopy assets, and RBAC manifests for Kafka, Oxia, Istio, compaction scheduler, Functions Worker, and related APIs
  • Expanded operator configuration surface for Kafka managed resources, Oxia sidecar mode, Iceberg catalogs, and schema registry