Waterstream Change Log¶
1.6.X¶
1.6.0¶
Docker images are now published as multi-arch manifest lists supporting both amd64 and arm64. The standard image
waterstreamio/waterstream-kafkanow works on both platforms: Docker automatically selects the right binary for the host.Migration for arm64 users: if you were pulling
waterstreamio/waterstream-kafka-arm64v8, switch towaterstreamio/waterstream-kafka. The architecture-specific image names are no longer published from this version onwards.Added
hostnameVerificationflag to the bridge SSL configuration for SSL client connections. When set totrue, hostname verification against the remote broker’s SSL certificate is enabled (uses the HTTPS algorithm). Default isfalse(disabled, preserving previous behavior). A warning is logged when hostname verification is disabled. See Waterstream Bridge Mode for details.Azure Event Hubs authentication via OAUTHBEARER (Azure Entra ID) is now supported, with a bundled callback handler
io.waterstream.kafka.auth.EventHubsCallbackHandler. Two new environment variables are exposed:KAFKA_SASL_LOGIN_CALLBACK_HANDLER_CLASSandKAFKA_SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, mapping to the Kafka client properties of the same name. See Azure Event Hubs authentication (OAUTHBEARER).
1.5.X¶
1.5.1¶
Docker images are now signed with cosign. See Verifying the image signature for how to verify them.
1.5.0¶
No Docker image was published for this version — the build failed during the signature process
Upgrade Java to 25
Base Docker image switched from eclipse-temurin:19-jre to amazoncorretto:25-headless
Fix some CVEs by updating vulnerable dependencies
Devbox is deprecated and will no longer be updated
1.4.X¶
1.4.33¶
Minor fixes to debug messages
1.4.32¶
Waterstream enables rolling upgrades by temporarily exceeding the license limit for up to one minute.
Fix to CVE-2024-47561
Last version for the organization
simplematter, next version will belong to thewaterstreamorganization
1.4.31¶
Better debug logs for the “rewind” feature
1.4.30¶
Fix to issue with lazy initialization of producer with bridge clients
1.4.29¶
Fix to CVE-2023-39410
1.4.28¶
Implemented Session Expiry Interval parameter for MQTT 5 bridge clients
1.4.27¶
Fixed issue with the bridge clients
1.4.26¶
Fixed issue with missing compression library
1.4.25¶
Added parameters for Kafka truststore and keystore settings
Changed log messages for WebSockets upgrade errors to be more informative
1.4.24¶
Recover after the Kafka topic re-creation without Waterstream restart
1.4.23¶
WebSockets optimizations
If session consistency can’t be ensured - then start from the latest state, not from the fresh
1.4.22¶
Technical release to fix the aspect of the documentation
1.4.21¶
Improving message validation in MQTT 5: don’t drop the connection, just report the error.
1.4.19¶
Messages validation. See (Experimental) Validate messages with the Confluent Schema Registry
1.4.18¶
Fix QoS2 guarantees under heavy load
1.4.17¶
Fix cross-node session loading issues
1.4.12¶
Limit maximal lifetime of the JWT token
1.4.11¶
Allow repeated rewinds of the same Kafka topic
Limit maximal rewind depth with
REWIND_MAX_DEPTH_SECONDSparameters (default is 60 days)
1.4.10¶
(Experimental) Start subscription from the specified timestamp in the past (a.k.a “rewind”)
1.4.9¶
JWT authentication can use the certificate for validating the signature, no need to extract the public key now
Bugfix: correct unsubscribe when there’s a lot of MQTT-Kafka topics mapping
1.4.8¶
Optimize historical messages reading
JWT improvement: sub claim pre-processing before converting to the username. Groups extraction.
1.4.7¶
Give JWT authentication higher priority over plaintext authentication to let them work together
1.4.6¶
SSL: do not request client certificate if client SSL authetication is disabled (workaround for Chrome WSS issue https://bugs.chromium.org/p/chromium/issues/detail?id=329884)
1.4.4¶
Kafka to MQTT topic mapping - added
ignoreKafkaHeadersparameter. Now it’s possible to ignore Kafka message headerMqttTopicfor the selected mappings.
1.4.1¶
Metrics for total traffic sent/received to/from MQTT client
Metrics for total traffic produced/consumed into/from Kafka topics
More accurate check for the per-client packet size limit. Thanks to Stefano Da Roit (stefano.daroit@gmail.com) for reporting it.
Broker Keep Alive feature of MQTT v5 implementation (https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901094). Thanks to Stefano Da Roit (stefano.daroit@gmail.com) for pointing it out.
Kafka producer’s
max.request.sizechanges to be sufficient for MQTT message size specified byMQTT_MAX_MESSAGE_SIZE. Thanks to Stefano Da Roit (stefano.daroit@gmail.com) for reporting.Improve shared subscription pattern validation. Thanks to Stefano Da Roit (stefano.daroit@gmail.com) for reporting.
1.4.0¶
New approach for mapping Kafka topic to MQTT topic. See MQTT to Kafka (topic + key) mapping rules (new)
1.3.X¶
1.3.27¶
JWT token additional claims allow to match custom placeholders in the MQTT topics. See JWT custom claims
1.3.26¶
Small optimizations in Kafka communication
Support reading from the topics replicated across Kafka clusters with
KAFKA_MESSAGES_TOPICS_REPLICA_PREFIXESandKAFKA_MESSAGES_TOPICS_REPLICA_SUFFIXES
1.3.25¶
Improve stability in situations when many slow MQTT clients subscribed with QoS 0 and can’t keep up with high incoming Kafka traffic
Update the libraries
1.3.24¶
Support of
KAFKA_MESSAGES_ALLOWED_TOPICS_REGEXwhich can limit Kafka topics inKAFKA_MESSAGES_TOPICS_PATTERNS, thus allowing more flexible patterns.
1.3.22¶
JWT authentication support
1.3.21¶
Kafka message key customization support
1.3.18¶
Kafka topic templates in Kafka-MQTT topic mapping which allows less verbose topic mapping. See MQTT to Kafka topic mapping (deprecated) for the details
1.3.17¶
Fix SSL client certificate issuer check errors
1.3.16¶
AWS Metering Service integration
1.3.15¶
Optimize SUBSCRIBE latency
Optimize historical messages processing
1.3.14¶
Changed default Kafka publishing settings linger.ms and batch.size to optimize for throughput
Ability to specify max.block.ms and buffer.memory for Kafka producer
Customize HTTP port of the Devbox. Change default from 80 to 8080
Docker repository name changed from simplematter/waterstream-kafka-minified to simplematter/waterstream-kafka, from simplematter/waterstream-kafka-arm64v8-minified to simplematter/waterstream-kafka-arm64v8, docker repositories became public (but still needing the license to run).
1.3.13¶
Optimize the session load time
1.3.12¶
Ability to specify replication.factor for Kafka Streams
1.3.11¶
Docker images logs customization with WATERSTREAM_LOGBACK_CONFIG
Fix MQTT v 5.0 error code for invalid client ID
1.3.10¶
Devbox Docker image which includes ZooKeeper, Kafka, Waterstream and MQTT Board
Safer base image for Docker images: openjdk:16-oraclelinux8
1.3.9¶
Optimize session state persistence
1.3.8¶
Bugfix: MQTT v 3.1.1 bridge topic subscription
1.3.7¶
Bugfix: if AUTHENTICATION_METHOD_CLIENT_SSL_CERT_ENABLED is true and AUTHENTICATION_REQUIRED is false client SSL certificate is optional now
Add Prometheus metric mqtt_proxy_publish_to_kafka_backlog to track the lag between incoming MQTT messages and publishing to Kafka
1.3.5¶
Ability to specify inline license data in
WATERSTREAM_LICENSE_DATAenvironment variable.
1.3.4¶
Default value for KAFKA_STREAMS_APP_SERVER_HOST is now taken from InetAddress.getLocalHost().getCanonicalHostName() instead of disabling streams app server if it’s not specified.
1.3.3¶
MQTT v5 - shared subscriptions
MQTT v5 - subscription IDs
1.3.2¶
MQTT v5 - Last Will delay
MQTT v5 - topic aliases
1.3.1¶
Bugfix:
Deduplicate retained messages if topic patterns in SUBSCRIBE packet match the topic multiple times
Resolve environment variables in the bridge config file
MQTT5: support multiple user properties with the same key
1.3.0¶
MQTT v5 core features support - see Supported features.
1.2.X¶
1.2.1¶
MQTT-Kafka topic mapping by prefix. In particular, it simplifies reading ksqlDB results back into MQTT. See MQTT to Kafka topic mapping (deprecated) for the details