kroxylicious · robobario · May 4, 2026 · May 15, 2026 · tombentley · May 15, 2026
@@ -0,0 +1,67 @@
+---
+layout: post
+title: "Kroxylicious release 0.21.0"
+date: 2026-05-15 00:00:00 +0000
+author: "Rob Young"
+author_url: "https://github.com/robobario"
+# noinspection YAMLSchemaValidation
+categories: blog kroxylicious-proxy releases
+tags: [ "releases", "kroxylicious-proxy" ]
+---
+
+We're excited to announce the release of [Kroxylicious 0.21.0](https://github.com/kroxylicious/kroxylicious/releases/tag/v0.21.0)! This release brings significant new capabilities for Kubernetes environments, enhanced observability, and improved AWS integration. Check out the full [Changelog](https://github.com/kroxylicious/kroxylicious/blob/main/CHANGELOG.md#0210) for everything including deprecations, changes, and removals.
+
+Here are the highlights:
+
+### Alpha: Kubernetes Admission Webhook for Sidecar Injection
+
+The headline feature is our new Kubernetes admission webhook for automatic sidecar injection. This alpha release enables transparent Kafka protocol proxying without any application code changes. Define your sidecar configuration with the `KroxyliciousSidecarConfig` CRD, and the webhook automatically injects the proxy sidecar into matching pods when they are created. Perfect for adding encryption, validation, or multi-tenancy capabilities to existing Kafka applications.
+
+See the admission webhook guide in the documentation for installation and usage.
+
+### Graceful Connection Draining
+
+Virtual clusters now support graceful connection draining during shutdown. Configure `drainTimeout` on your virtual cluster, and the proxy will stop accepting new connections while waiting for in-flight requests to complete before shutting down. New metrics track whether disconnections completed gracefully or hit the timeout. Essential for zero-downtime deployments and rolling updates in Kubernetes.
+
+### HAProxy PROXY Protocol Support
+
+We have added HAProxy PROXY protocol support for TLS connections. Configure `proxy.proxyProtocol.mode` to `enabled`, and the proxy expects the PROXY protocol header before the TLS handshake. This enables deployment behind HAProxy or other load balancers while preserving client connection information for logging and authorization.
+
+### Strimzi Integration Enhancements
+
+We enhanced the Kubernetes operator with automatic TLS trust discovery for Strimzi-managed Kafka clusters. Set `trustStrimziCaCertificate` in your KafkaService, and the operator automatically configures the proxy to trust the Strimzi-signed cluster certificates. One less manual step when integrating with Strimzi.
+
+This release also upgrades Strimzi support to version 1.0.0. If you're using the Strimzi integration feature (`spec.strimziKafkaRef` in KafkaService CR), Strimzi 0.49.0 or later is now required.
+
+### AWS KMS Improvements
+
+AWS KMS users now have native support for IRSA (IAM Roles for Service Accounts) and EKS Pod Identity credential providers. The credential configuration has been restructured under a unified `credentials` node, with new `credentials.webIdentity` and `credentials.podIdentity` options for EKS workloads. Existing configurations using top-level `longTermCredentials` or `ec2MetadataCredentials` continue to work unchanged.
+
+### Dynamic TLS Credential Selection
+
+A new plugin API enables dynamic TLS credential selection for upstream connections. Implement `ServerTlsCredentialSupplier` to select different client certificates based on the target broker's address. This unlocks multi-tenant or multi-cluster deployments where different upstream connections require different certificates.
+
+### Schema Validation Enhancements
+
+The record validation filter now supports Avro and Protobuf schema validation alongside the existing JSON schema support. Validate your records against schemas in Apicurio Registry regardless of serialization format.
+
+### Container Image Rename
+
+The primary proxy container image has been renamed from `quay.io/kroxylicious/kroxylicious` to `quay.io/kroxylicious/proxy`. The operator automatically uses the new image name. If you're deploying the proxy image directly (without the operator), update your deployment configurations. The old image name is deprecated and will be removed in a future release.
+
+### Community Contributions
+
+This release saw exceptional contributions from the community: with commits landed from:
+
+Carles Arnal, Dahyun Woo, Dan Vulpe, Francisco Vila, Hrishabh Gupta, Keith Wall, Ken Huang, Liberty-Swine, m1a2st, Mario Salinas, Matt Van Horn, Mirtunjay Singh, msalinas-se, Oleksiy Pylypenko, Paco Viramontes, PaulRMellor, Piotr Płaczek, Robert Young, Sam Barker, Shubham Rawat, Tanner Smith, Tom Bentley, Trevin Chow, Urjit Patel, ZhangDT
+
+Thank you to everyone who contributed!
+
+### Artefacts
+
+Binary distributions and container images are available on the [download](https://kroxylicious.io/download/0.21.0/) page.
+
+### Feedback
+
+We'd love to hear from you! Whether you're kicking the tyres, running Kroxylicious in production, or just find the project interesting — drop by and say hello.
+You can reach us through [Slack](https://kroxylicious.slack.com), [GitHub](https://github.com/kroxylicious/kroxylicious/issues) or even [bsky](https://bsky.app/profile/kroxylicious.io)), or tell us in person on one of our upcoming [community calls]({% link join-us/community-call/index.md %}).
@@ -21,7 +21,7 @@ if [ ! -f "${TEST_FILE}" ]; then
 fi
 
 cd ${KROXYLICIOUS_DIR}
-mvn -P dist clean package -pl :kroxylicious-docs
+mvn -P dist clean package -pl :kroxylicious-docs -am -Dquick
 cp -r kroxylicious-docs/target/web/* ${SCRIPT_DIR}
 cd ${SCRIPT_DIR}
 export JEKYLL_SERVE_ARGS=--future