What’s Changed
🚀 New Features
Managed Kafka Node Pool and Resource Management
- Managed Kafka Node Pool: Added managed Kafka node pool configuration support, enabling fine-grained control over Kafka NodePool resources
- Kafka JVM Options: Added support for configuring JVM options and template customization for managed Kafka workloads
- Pause Rollout and Pending Change: Introduced pause rollout and pending change support for managed Kafka, allowing operators to control rollouts with greater precision
- Kafka Zone Rack Injection: Added Kafka zone rack injection with provider zone label support for improved rack awareness
- Broker Zone Spreading: Added broker zone spreading for managed `KafkaCluster` when Ursa storage is enabled
- Group Share: Enabled group share capability for Kafka clusters
- New KeyShared Implementation: Enabled new KeyShared implementation for dedicated and serverless clusters
- Kafka Cruise Control and Entity Operator Reconciliation: Added support for reconciling Entity Operator and Cruise Control components
Oxia Metadata Store Enhancements
- Sidecar Coordinator Mode: Added sidecar coordinator mode for OxiaCluster (requires Oxia >= 0.16.0), with dedicated pprof port and basic health check readiness probe
- Daemon ConfigMap: Added daemon ConfigMap support for Oxia >= 0.16.0
- Coordinator CLI Flags: Added `--profile` pprof flag and `--cluster-config` flag to the coordinator command
- SubPath Mounts: Optimized Oxia volume mounts by using subPath mounts and removing redundant coordinator-conf volumes
- Default Bootstrap Authority: Added default Oxia bootstrap extra authority configuration
- Pod Anti-Affinity Tuning: Changed default Oxia pod anti-affinity from required to preferred for better scheduling flexibility
Istio Networking and Service Exposure
- Gateway and VirtualService Generation: Added Istio Gateway and VirtualService generation from advertised listeners for brokers
- mTLS Handling: Improved Istio resource handling for Oxia mTLS none mode
- Shared-ZK DestinationRule: Added mTLS support for shared ZooKeeper DestinationRule with conditional CA certificate injection
- gRPC-Aware Routing: Applied gRPC-aware Istio routing for Oxia port 6648
Iceberg Catalog Integrations
- BigLake Catalog: Added BigLake iceberg catalog support for Kafka clusters
- Horizon Catalog: Added Horizon compaction catalog support
- Multi-Catalog for Delta: Added support for multiple catalog configurations in delta lakehouse deployments
Schema Registry Configuration
- Schema Registry URL: Made schema registry URL and `schemaRegistryStorageClassName` independently configurable
- Bearer Token Auth: Added bearer token authentication support for schema registry connections
Agent Engine
- Agent Types: Added configurable agent type definitions
- Separate Package Service: Made agent and Kafka Connect support separate package service configurations
- Functions Worker Integration: Passed `agentFunctionStateStorageServiceUrl` to Functions Worker for agent function state storage
- Kafka Volume Mounts: Added volume and volumeMount support for Kafka in AgentFunction pods
Detector and Observability
- Topics-Load Detector: Added new topics-load detector that loads up topics to produce accurate billing based on storage size
- Metrics Config: Added support for setting custom metrics configuration
- Scrape Labels: Added Prometheus scrape labels to pod templates across core workloads
Storage Enhancements
- Azure Blob Storage: Added `AZUREBLOB` backend storage type support for Codex
- AvgShedder LoadBalancer: Enabled AvgShedder load balancer by default for Codex workloads
🔧 Enhancements
Kafka Platform Improvements
- Ursa Storage Defaults: Tuned default Ursa Kafka storage settings for managed Kafka workloads
- Override Precedence: Ensured custom Kafka configuration correctly overrides Ursa storage defaults
- Compaction Scheduler: Added `clusterName` support to the Kafka compaction scheduler and aligned resource/replica handling with Pulsar patterns
- Broker Discovery: Enhanced Kafka broker discovery for managed clusters
- NodePool Lifecycle: Updated NodePool annotation and label propagation, entity operator configuration, and JVM options management
- System Properties Cleanup: Removed unnecessary Java system properties from managed Kafka configuration
PfSQL and Gateway Updates
- PfSQL Upgrade Chain: Upgraded PfSQL runner and gateway through v0.22.8 → v0.22.9 → v0.22.10
- Gateway Improvements: Updated compute method for ActiveProcessorCount and managed ledger offload thread handling
OIDC and Security
- OIDC Issuer Handling: Enhanced OIDC issuers handling with custom configuration support, including OIDC issuer auto-merge for dynamic updates
- Detector JWT Auth: Converted detector JWT authentication to environment variable injection and auto-disabled TLS certificate verification
- Client Auth: Fixed client JWT authentication handling in `GetBrokerRestClient` for broker rollout
Build and Infrastructure
- Multi-Platform Build: Added multi-platform image build support
- Release Pipeline: Fixed release job disk space issue by upgrading to larger machine types
🐛 Bug Fixes
Kafka and Resource Fixes
- Paused Resource Creation: Fixed Kafka and KafkaNodePool resource creation when pause is enabled
- Namespace UIDs: Replaced namespace UIDs with sub-resource UIDs to avoid unnecessary cluster-scoped GET operations
- Explicit Affinity: Respected user-configured explicit pod affinity and fixed label keys for anti-affinity rules
- OIDC Field Removal: Removed `omitempty` from the OIDCIssuers field to fix a server-side apply (SSA) field removal bug
- Volume Mounts: Fixed missing volume and volumeMount for Kafka in AgentFunction workloads
Security and CVE Fixes
- Go Toolchain: Upgraded Go toolchain to 1.25.9 across v0.18.x releases (CVE-2026-32280)
- OpenTelemetry SDK: Upgraded OTel SDK to v1.43.0 (CVE-2026-39883)
- gRPC Dependency: Upgraded `google.golang.org/grpc` to v1.79.3 (CVE-2026-33186)
- PostgreSQL Driver: Updated pgx v5 to fix security vulnerabilities
- Alpine Packages: Upgraded base image Alpine packages (CVE-2026-22184, CVE-2026-28390)
- Dockerfile Images: Upgraded Dockerfile base images and Go versions across multiple releases
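For teams that pin images or run security scans, the fixes above can be confirmed against the shipped binary rather than the release tag alone. The helper below is an added example, not part of the operator's own tooling: it parses the output of `go version -m <operator-binary>` and checks the Go toolchain and the gRPC and OTel SDK module versions against the patched versions listed here. The module paths for the OTel SDK dependency and the sample build info are assumptions.

```shell
#!/bin/sh
# Added verification helper (not the operator's own tooling): check the output of
# `go version -m <operator-binary>` against the patched versions in these notes.
# Module paths are assumed; the sample build info below is constructed.
# Requires a sort(1) that supports -V (GNU coreutils or BusyBox).

# version_ge A B: succeed when version A >= version B ("go"/"v" prefixes ignored).
version_ge() {
    a=${1#go}; a=${a#v}
    b=${2#go}; b=${b#v}
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n1)" = "$b" ]
}

# module_version BUILDINFO MODULE: version recorded for MODULE, empty if absent.
module_version() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == "dep" && $2 == m { print $3 }'
}

# audit_build_info BUILDINFO: print OK/FAIL per requirement; non-zero if any fails.
audit_build_info() {
    info=$1; rc=0
    # Header line of `go version -m` ends with the toolchain version, e.g. go1.25.9.
    gv=$(printf '%s\n' "$info" | awk 'NR == 1 { print $NF }')
    if version_ge "$gv" go1.25.9; then
        echo "OK   toolchain $gv"
    else
        echo "FAIL toolchain ${gv:-missing} < go1.25.9 (CVE-2026-32280)"; rc=1
    fi
    for req in "google.golang.org/grpc v1.79.3 CVE-2026-33186" \
               "go.opentelemetry.io/otel/sdk v1.43.0 CVE-2026-39883"; do
        set -- $req
        have=$(module_version "$info" "$1")
        if [ -n "$have" ] && version_ge "$have" "$2"; then
            echo "OK   $1 $have"
        else
            echo "FAIL $1 ${have:-missing} < $2 ($3)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `go version -m` output for a patched v0.18.x operator image.
SAMPLE_BUILDINFO='/usr/local/bin/operator: go1.25.9
	dep	google.golang.org/grpc	v1.79.3	h1:constructed
	dep	go.opentelemetry.io/otel/sdk	v1.43.0	h1:constructed'

audit_build_info "$SAMPLE_BUILDINFO"
```

Against a real image, feed it `go version -m` output extracted from the container filesystem; a FAIL line names the CVE whose fix is not present in that binary.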
Operational Fixes
- Istio CaCertificates: Conditionally set `caCertificates` on the shared ZooKeeper DestinationRule only when `ca.crt` is present
- Oxia Legacy Mode: Defaulted legacy Oxia coordinator to file-based configuration for backward compatibility
🚨 Breaking Changes
Resource and Configuration Changes
- Expanded KafkaCluster API: `KafkaCluster` gains significant new node pool, JVM, zone spreading, and managed resource configuration options
- Oxia Sidecar Coordinator: OxiaCluster >= 0.16.0 now defaults to sidecar coordinator mode with separate pprof port and readiness probe behavior
- Istio Gateway Generation: Brokers now generate Istio Gateway and VirtualService resources from advertised listeners, which may impact existing Istio configurations
- NodePool Annotation Updates: Updated annotation and label handling for Kafka NodePool resources may require validation before upgrade
- Toolchain and Image Upgrades: Dockerfile images, Go toolchain, and dependencies received incremental CVE-driven upgrades across patch releases
🔄 Migration Notes
From v0.17 to v0.18
- Apply Updated CRDs First: Apply the latest CRDs and RBAC manifests before upgrading the operator
- Review KafkaCluster Specs: If you use `KafkaCluster`, review the new node pool, JVM options, zone rack, broker spreading, and group share fields before rollout
- Review Oxia Configuration: If you use OxiaCluster, validate sidecar coordinator mode behavior with the new daemon ConfigMap, subPath mounts, and pprof port settings
- Review Istio Configurations: If you expose brokers through Istio, review the new Gateway and VirtualService generation from advertised listeners and verify that your existing Istio configurations are compatible
- Review Schema Registry: If you use schema registry, validate the new configurable URL and `schemaRegistryStorageClassName` settings, and test bearer token authentication
- Review Iceberg Integrations: If you use compaction with Iceberg catalogs, validate BigLake and Horizon catalog support, and verify multi-catalog delta configurations
- Review Agent Functions: If you use Agent Engine, validate agent types, Kafka volume mount support, and Functions Worker storage URL configuration
- Review Security Updates: If you run security scans or pin images, review the CVE-driven image and dependency upgrades shipped across the v0.18.x release line
📋 Upgrade Instructions
- Backup: Create a backup of your current configuration and state
- Update CRDs: Apply the latest CRDs and RBAC manifests before upgrading the operator
- Deploy Operator: Upgrade the operator image to `v0.18.10`
- Validate Kafka Workloads: Verify `KafkaCluster`, NodePool, cruise control, and entity operator reconciliation if you use managed Kafka features
- Validate Oxia Clusters: Verify OxiaCoordinator sidecar deployment, daemon ConfigMap, and subPath volume mount behavior
- Validate Istio Paths: Verify broker Gateway and VirtualService routing, Oxia mTLS behavior, and gRPC-aware routing on port 6648
- Validate Detector Workloads: Check topics-load detector operation and JWT auth environment variable injection
- Monitor: Monitor controller logs, reconciliation status, and workload readiness after the upgrade
🎯 Performance Improvements
- Kafka Storage Tuning: Improved default storage-related tuning for Kafka on Ursa
- Broker Zone Spreading: Optimized broker placement and rack awareness with provider zone labels
- Oxia Scheduling: Relaxed default pod anti-affinity for Oxia to improve scheduling throughput
- Codex AvgShedder: Enabled AvgShedder load balancer by default for better load distribution
- Cluster-Scope Operations: Replaced namespace UIDs with sub-resource UIDs to reduce unnecessary cluster-scoped GET operations
📚 Documentation
- Regenerated CRDs, deepcopy assets, and RBAC manifests for Kafka, Oxia, Istio, compaction scheduler, Functions Worker, and related APIs
- Expanded operator configuration surface for Kafka managed resources, Oxia sidecar mode, Iceberg catalogs, and schema registry