Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 132 additions & 0 deletions _posts/2026-07-03-release-0_22_0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
---
layout: post
title: "Kroxylicious release 0.22.0"
date: 2026-07-03 00:00:00 +0000
author: "Rob Young"
author_url: "https://github.com/robobario"
# noinspection YAMLSchemaValidation
categories: blog kroxylicious-proxy releases
tags: [ "releases", "kroxylicious-proxy" ]
---


Kroxylicious 0.22.0 has been released!
This release brings a new Record Encryption KMS implementation for Thales CipherTrust Manager, bumps the minimum Java version to 21, and improves operator resilience.
We've also been busy building the foundations for hot reload of virtual clusters.
We've taken our first steps towards routing a single client connection to multiple upstream clusters.
Thanks to everyone who contributed!
Check out the full [Changelog](https://github.com/kroxylicious/kroxylicious/blob/main/CHANGELOG.md#0220) for everything including deprecations, changes, and removals.

Here are the highlights:

### Thales CipherTrust Manager KMS

Keith Wall added a new KMS provider for Record Encryption backed by [Thales CipherTrust Manager](https://cpl.thalesgroup.com/encryption/ciphertrust-manager).
Supported authentication mechanisms are username/password and client certificate authentication.

```yaml
kms: CipherTrustKmsService

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

figured this would be at least something given we don't have docs yet

kmsConfig:
endpointUrl: https://ctm.example.com
userCredentials:
username: myuser
password:
passwordFile: /path/to/password
```

### Named Cluster Definitions (`clusterDefinitions`)

Previously each virtual cluster had its own inline `targetCluster`, duplicating connection details across virtual clusters that share the same upstream.
Now you define the target cluster once under the top-level `clusterDefinitions` list and reference it with `target: { cluster: "<name>" }` from any virtual cluster.

**Before:**
```yaml
virtualClusters:
- name: dev
targetCluster:
bootstrapServers: broker1:9092,broker2:9092
- name: test
targetCluster:
bootstrapServers: broker1:9092,broker2:9092
```

**After:**
```yaml
clusterDefinitions:
- name: my-cluster
bootstrapServers: broker1:9092,broker2:9092

virtualClusters:
- name: dev
target:
cluster: my-cluster
- name: test
target:
cluster: my-cluster
```

The `targetCluster` field is deprecated and will be removed in a future release, but continues to work unchanged for now.

### KafkaProxyIngress Infrastructure Annotations

We added `KafkaProxyIngress.spec.infrastructure.annotations` to the KafkaProxyIngress custom resource.
The operator now propagates these custom annotations to the Services and Routes it manages.
For example, on AWS you can request a Network Load Balancer instead of the default Classic Load Balancer:

```yaml
spec:
infrastructure:
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
```

### Java 21 Now Required

Java 17 support has been removed. **Java 21 is now the minimum runtime required.**

### Operator Resilience

Sam Barker fixed a class of operator bugs where `KafkaProxy`, `KafkaService`, and `VirtualKafkaCluster` resources could get stuck under API server load or transient unavailability.
The operator watches related resources (such as Secrets and ConfigMaps) and reconciles the owning primary resource when they change.
Previously, each such event triggered a live API server lookup to find the primary resource; under pressure this could fail and leave the resource stuck.
The operator now reads from its local cache instead.

### Foundations for What's Next

#### Hot Reload

[Urjit Patel](https://github.com/Uzziee) completed the hot-reload engine!
What this means is users that embed Kroxylicious can implement their own mechanism for dynamically reloading individual Virtual Clusters without restarting the whole proxy process.
Note that the standalone binary distribution and operator do not yet take advantage of this engine, we are currently shaping this in design proposal [#117](https://github.com/kroxylicious/design/pull/117).
Embedders today can use:
- The `KafkaProxy.reconfigure()` API to push a new configuration while the proxy is running.
- Add, remove, or replace the filter chains of individual virtual clusters.
- New metrics tracking lifecycle state: `kroxylicious_virtual_cluster_state`, `kroxylicious_virtual_cluster_transitions_total`, `kroxylicious_reconfigure_total` and `kroxylicious_reconfigure_duration_seconds`.

Big thank you to Urjit for driving this implementation.

#### Routing API

We have taken our first steps towards implementing the [Routing API](https://github.com/kroxylicious/design/blob/main/proposals/070-routing-api.md)!
We recently accepted this proposal which adds powerful capabilities to Kroxylicious.
Currently when a client connects to Kroxylicious, the proxy establishes a single connection to an upstream node.
The Routing API decouples things so that messages received on a single client connection can be routed to multiple upstream nodes.
The new features are not yet user facing, we have published the routing interfaces, enabling developers to start building Router implementations, and have begun implementing the Routing engine.


### Community Contributions

This release included commits from:

[Dahyun Woo](https://github.com/dahyvuun), [DeCluttered](https://github.com/Decluttered), [Devendra Reddy Pennabadi](https://github.com/devareddy05), [DragonFSKY](https://github.com/DragonFSKY), Francisco Vila, Keith Wall, [mapan1984](https://github.com/mapan1984), PaulRMellor, [Piotr Płaczek](https://github.com/piotrpdev), [polachandu](https://github.com/polachandu), Robert Young, [Roshni R](https://github.com/Roshr2211), Sam Barker, Tom Bentley, [Urjit Patel](https://github.com/Uzziee)

Thank you all!

### Artefacts

Binary distributions and container images are available on the [download](https://kroxylicious.io/download/0.22.0/) page.

### Feedback

We'd love to hear from you! Whether you're kicking the tyres, running Kroxylicious in production, or just find the project interesting — drop by and say hello.
You can reach us through [Slack](https://kroxylicious.slack.com), [GitHub](https://github.com/kroxylicious/kroxylicious/issues) or even [bsky](https://bsky.app/profile/kroxylicious.io), or tell us in person on one of our upcoming [community calls]({% link join-us/community-call/index.md %}).
Loading