Update dependency io.strimzi:api to v0.34.0

[bf2robot]

This PR contains the following updates:

Package	Type	Update	Change
io.strimzi:api (source)	compile	minor	0.29.0 -> 0.34.0

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the logs for more information.

---

Release Notes

strimzi/strimzi-kafka-operator

v0.34.0

Compare Source

• Add support for Kafka 3.4.0 and remove support for Kafka 3.2.x
• Stable Pod identities for Kafka Connect and MirrorMaker 2 (Feature Gate StableConnectIdentities)
• Use JDK HTTP client in the Kubernetes client instead of the OkHttp client
• Add truststore configuration for HTTPS connections to OPA server
• Add image digest support in Helm chart
• Added the httpRetries and httpRetryPauseMs options to OAuth authentication configuration. They are set to 0 by default - no retries, no backoff between retries. Also added analogous httpRetries option in the keycloak authorization configuration. These features are enabled by the updated Strimzi Kafka OAuth library (0.12.0).

v0.33.2

Compare Source

Main changes since 0.33.1

⚠️ Important: Strimzi 0.33.2 supports only Kubernetes 1.19 and newer! Kubernetes versions 1.16, 1.17 and 1.18 are not supported anymore since Strimzi 0.32.

⚠️ Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!

Bug Fixes

• Support for Kafka 3.4.0 which fixes CVE-2023-25194
• Fix RBAC files in standalone User Operator installation files

v0.33.1

Compare Source

Main changes since 0.33.0

⚠️ Important: Strimzi 0.33.1 supports only Kubernetes 1.19 and newer! Kubernetes versions 1.16, 1.17 and 1.18 are not supported anymore since Strimzi 0.32.

⚠️ Important: Direct upgrade from Strimzi 0.22 or earlier is not supported anymore!

Bug Fixes

• Remove the Lease resource from installation files

v0.33.0

Compare Source

• Add support for Kafka 3.3.2
• Support loadBalancerClass attribute in service with type loadBalancer
• Support for automatically restarting failed Connect or Mirror Maker 2 connectors
• Redesign of Strimzi User Operator to improve its scalability
• Use Java 17 as the runtime for all containers and language level for all modules except api, crd-generator, crd-annotations, and test
• Improved FIPS (Federal Information Processing Standards) support
• Upgrade Vert.x to 4.3.5
• Moved from using the Jaeger exporter to OTLP exporter by default
• Kafka Exporter support for Recreate deployment strategy
• ImageStream validation for Kafka Connect builds on OpenShift
• Support for configuring the metadata for the Role / RoleBinding of Entity Operator
• Add liveness and readiness probes specifically for nodes running in KRaft combined mode
• Upgrade HTTP bridge to latest 0.24.0 release

Known issues

• The TLS passthrough feature of the Ingress-NGINX Controller for Kubernetes is not compatible with some new TLS features supported by Java 17 such as the session tickets extension.
  If you use type: ingress listener with enabled mTLS authentication, we recommend you to test if your clients are affected or not.
  If needed, you can also disable the session ticket extension in the Kafka brokers in your Kafka custom resource by setting the jdk.tls.server.enableSessionTicketExtension Java system property to false:

  apiVersion: kafka.strimzi.io/v1beta2
  kind: Kafka
  metadata:

...

spec:

...

kafka:
  jvmOptions:
    javaSystemProperties:
      - name: jdk.tls.server.enableSessionTicketExtension
        value: "false"

...

For more details, see [kubernetes/ingress-nginx#​9540](https://togithub.com/kubernetes/ingress-nginx/issues/9540).
##### Changes, deprecations and removals

* The `UseStrimziPodSet` feature gate will move to GA in Strimzi 0.35.
Support for StatefulSets will be removed from Strimzi right after the 0.34 release.
Please use the Strimzi 0.33 release to test StrimziPodSets in your environment and report any major or blocking issues before the StatefulSet support is removed.
* The default length of any new SCRAM-SHA-512 passwords will be 32 characters instead of 12 characters used in the previous Strimzi versions.
Existing passwords will not be affected by this change until they are regenerated (for example because the user secret is deleted).
If you want to keep using the original password length, you can set it using the `STRIMZI_SCRAM_SHA_PASSWORD_LENGTH` environment variable in `.spec.entityOperator.template.userOperatorContainer.env` in the `Kafka` custom resource or in the `Deployment` of the standalone User Operator.
```yaml
userOperatorContainer:
  env:
    - name: STRIMZI_SCRAM_SHA_PASSWORD_LENGTH
      value: "12"

• In previous versions, the ssl.secure.random.implementation option in Kafka brokers was always set to SHA1PRNG.
  From Strimzi 0.33 on, it is using the default SecureRandom implementation from the Java Runtime.
  If you want to keep using SHA1PRNG as your SecureRandom, you can configure it in .spec.kafka.config in your Kafka custom resource.
• Support for JmxTrans in Strimzi is deprecated.
  It is currently planned to be removed in Strimzi 0.35.0.
• Support for type: jaeger tracing based on Jaeger clients and OpenTracing API was deprecated in the Strimzi 0.31 release.
  As the Jaeger clients are retired and the OpenTracing project is archived, we cannot guarantee their support for future versions.
  In Strimzi 0.32 and 0.33, we added support for OpenTelemetry tracing as a replacement.
  If possible, we will maintain the support for type: jaeger tracing until June 2023 and remove it afterwards.
  Please migrate to OpenTelemetry as soon as possible.
• When OpenTelemetry is enabled for tracing, starting from this release, the operator configures the OTLP exporter instead of the Jaeger one by default.
  The Jaeger exporter is even not included in the Kafka images anymore, so if you want to use it you have to add the binary by yourself.
  The OTEL_EXPORTER_OTLP_ENDPOINT environment variable has to be used instead of the OTEL_EXPORTER_JAEGER_ENDPOINT in order to specify the OTLP endpoint to send traces to.
  If you are using Jaeger as the backend system for tracing, you need to have 1.35 release at least which is the first one exposing an OTLP endpoint.

v0.32.0

Compare Source

• Add support for Kafka 3.3.1 and remove support for Kafka 3.1.0, 3.1.1, and 3.1.2
• Update Open Policy Agent (OPA) Authorizer to 1.5.0
• Update KafkaConnector CR status so the 'NotReady' condition is added if the connector or any tasks are reporting a 'FAILED' state.
• Add auto-approval mechanism on KafkaRebalance resource when an optimization proposal is ready
• The ControlPlaneListener feature gate moves to GA
• Add client rack-awareness support to Strimzi Bridge pods
• Add support for OpenTelemetry for distributed tracing
  • Kafka Connect, Mirror Maker, Mirror Maker 2 and Strimzi Bridge can be configured to use OpenTelemetry
  • Using Jaeger exporter by default for backward compatibility
• Updated JMX Exporter dependency to 0.17.2
• ZookeeperRoller considers unready pods
• Support multiple operations per ACLRule
• Upgrade Vert.x to 4.3.4
• Add cluster-ip listener. We can use it with a tcp port configuration in an ingress controller to expose kafka with an optional tls encryption and a single LoadBalancer.
• Update Strimzi OAuth library to 0.11.0

Changes, deprecations and removals

• From 0.32.0 on, Strimzi supports only Kubernetes version 1.19 and newer.
• A connector or task failing triggers a 'NotReady' condition to be added to the KafkaConnector CR status. This is different from previous versions where the CR would report 'Ready' even if the connector or a task had failed.
• The ClusterRole from file 020-ClusterRole-strimzi-cluster-operator-role.yaml was split into two separate roles:
  • The original strimzi-cluster-operator-namespaced ClusterRole in the file 020-ClusterRole-strimzi-cluster-operator-role.yaml contains the rights related to the resources created based on some Strimzi custom resources.
  • The new strimzi-cluster-operator-watched ClusterRole in the file 023-ClusterRole-strimzi-cluster-operator-role.yaml contains the rights required to watch and manage the Strimzi custom resources.
    When deploying the Strimzi Cluster Operator as cluster-wide, the strimzi-cluster-operator-watched ClusterRole needs to be always granted at the cluster level.
    But the strimzi-cluster-operator-namespaced ClusterRole might be granted only for the namespaces where any custom resources are created.
• The ControlPlaneListener feature gate moves to GA.
  Direct upgrade from Strimzi 0.22 or earlier is not possible anymore.
  You have to upgrade first to one of the Strimzi versions between 0.22 and 0.32 before upgrading to Strimzi 0.32 or newer.
  Please follow the docs for more details.
• The spec.authorization.acls[*].operation field in the KafkaUser resource has been deprecated in favour of the field
  spec.authorization.acls[*].operations which allows to set multiple operations per ACLRule.

v0.31.1

Compare Source

• Kafka 3.1.2 and 3.2.3 (fixes CVE-2022-34917)
• Make sasl.server.max.receive.size broker option user configurable
• Documentation improvements
• Configuring number of operator replicas through the Strimzi Helm Chart
• Update Strimzi Kafka Bridge to 0.22.1

v0.31.0

Compare Source

• Add support for Kafka 3.2.1
• Update Kaniko builder to 1.9.0 and Maven builder to 1.14
• Update Kafka Exporter to 1.6.0
• Pluggable Pod Security Profiles with built-in support for restricted Kubernetes Security Profile
• Add support for leader election and running multiple operator replicas (1 active leader replicas and one or more stand-by replicas)
• Update Strimzi Kafka Bridge to 0.22.0
• Add support for IPv6 addresses being used in Strimzi issued certificates
• Make it easier to wait for custom resource readiness when using the Strimzi api module
• Add StrimziPodSet reconciliation metrics

Deprecations and removals

• Strimzi 0.31.0 (and any possible patch releases) is the last Strimzi version with support for Kubernetes 1.16, 1.17 and 1.18.
  From Strimzi 0.32.0 on, we will support only Kubernetes 1.19 and newer.
  The supported Kubernetes versions will be re-evaluated again in Q1/2023.
• The type: jaeger tracing support based on Jaeger clients and OpenTracing API is now deprecated.
  Because the Jaeger clients are retired and the OpenTracing project is archived, we cannot guarantee their support for future Kafka versions.
  In the future, we plan to replace it with a new tracing feature based on the OpenTelemetry project.

v0.30.0

Compare Source

• Remove Kafka 3.0.0 and 3.0.1
• Add support for simple authorization and for the User Operator to the experimental UseKRaft feature gate
  (Note: Due to KAFKA-13909, broker restarts currently don't work when authorization is enabled.)
• Add network capacity overrides for Cruise Control capacity config
• The ServiceAccountPatching feature gate moves to GA.
  It cannot be disabled anymore and will be permanently enabled.
• The UseStrimziPodSets feature gate moves to beta stage.
  By default, StrimziPodSets are used instead of StatefulSets.
  If needed, UseStrimziPodSets can be disabled in the feature gates configuration in the Cluster Operator.
• Use better encryption and digest algorithms when creating the PKCS12 stores.
  For existing clusters, the certificates will not be updated during upgrade but only next time the PKCS12 store is created.
• Add CPU capacity overrides for Cruise Control capacity config
• Use CustomResource existing spec and status to fix Quarkus native build's serialization
• Update JMX Exporter to version 0.17.0
• Operator emits Kubernetes Events to explain why it restarted a Kafka broker
• Better configurability of the Kafka Admin client in the User Operator
• Update Strimzi Kafka Bridge to 0.21.6

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[MikeEdgar]

This will need some attention when we're ready to upgrade.

[bf2robot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.