Kroxylicious release 0.4.1

January 12, 2024 by Sam Barker

The Kroxylicious project is very pleased to announce the release of Kroxylicious 0.4.1. This release is focused on fixing an issue where the proxy failed to preserve offsets while decrypting records. While we feel a little sheepish that our own testing (which we have improved at both unit and integration levels) for 0.4.0 missed it we got a great bug report from @giacomoa. Speaking of great bug reports this release also includes our first external contribution PR#849 from @luozhenyu which fixes an issue in the SASL authentication handling.

This release also includes some other small changes cleaning up examples and updating dependencies.

The whole Kroxylicious team is very excited to see people testing out the proxy and is really looking forward to hearing more about how & where people are using it.

Encryption at Rest

The core focus of the 0.4.x series is the EnvelopeEncryption filter, which works by intercepting all produce requests from applications and encrypting the Kafka records as they pass through Kroxylicious. On the consume path, the reverse happens - the filter intercepts the fetch responses and decrypts the records before they are sent to the application. We have more work planned to iterate on the implementation to reach production quality. Check out our 0.5.0 milestone for details.

The Kafka Cluster never sees the plain text of your records. Filter configuration is used to specify which topic(s) should be encrypted by which key.

The encryption keys themselves are stored safely in a Key Management System. 0.4.0 ships with a HashiCorp Vault(tm) integration. We hope to provide other selected Key Management System integrations in due course, however users can leverage the plug-in architecture of Kroxylicious to supply their own integrations.

The diagram below shows how the system works at a high level.

image

If this use-case interests you, here’s a short demo that shows the feature in action. To try it out yourself there’s some interim instructions to use the feature in development. There will be more information landing on the website soon, but meanwhile, if you have questions or comments please head over to the Slack channel.

Binary artifact

You’ll find binaries attached to the GitHub release, and available through Maven Central.