Kroxylicious release 0.5.0

March 13, 2024 by Robert Young

The Kroxylicious project is very pleased to announce the release of Kroxylicious 0.5.0. See the Changelog for a list of changes and summary of Deprecations, Changes and Removals.

Record Encryption

This release was focused on refining Record Encryption to be ready for experimentation in secure environments, adding:

Enable users to configure Hashicorp Vault TLS, providing custom keystore and truststore
Enable users to supply the Hashicorp Vault token via file rather than having to inject it into the proxy configuration
Include Record Encryption filter (and other Kroxylicious project supported filters) in the binary distribution
Release a Docker image quay.io/kroxylicious/kroxylicious also containing the supported filters
Improvements in how we manage and control the usage of key material, preparing to support alternate Ciphers and configurable Additional Authenticated Data

The protocol for immutable encrypted data written to the broker is now aligned with our initial design. We guarantee data encrypted with version 0.5.0 of the Filter will be decryptable by all future versions of the Record Encryption Filter forever (assuming the keys stored in the KMS remain available for decryption).

Until now we have used the term Envelope Encryption when describing the Filter. Going forward we will use the name Record Encryption to better describe the granularity that encryption is happening at. Encryption is done per record. Envelope Encryption is how we encrypt those records. Record Encryption is how we implement Encryption-At-Rest.

Other Improvements

Support for Apache Kafka 3.7.0 API additions (Kroxylicious is version agnostic and can interface with all current broker and client versions, but must be updated to intercept/forward new APIs or fields added to existing APIs of the Kafka Protocol)
A fix for upstream TLS connections failing, @callaertanthony’s first PR contribution, thank you!
Added a lowestTargetBrokerId configuration for Port-per-broker Virtual Cluster exposition
Numerous bugfixes, documentation improvements, test enhancements

Artefacts

You’ll find binaries attached to the GitHub release, and available through Maven Central.

Docker images are hosted at quay.io/kroxylicious/kroxylicious

Feedback

We are eager for any feedback, you can create an issue in GitHub if you have any problems or want a feature added.