HiveMQ Platform Operator for Kubernetes 2.1.3 Maintenance Release
The HiveMQ Team is excited to announce the release of HiveMQ Platform Operator for Kubernetes 2.1.3. This maintenance release for the 2.1 series provides important bug fixes and usability enhancements.
HiveMQ Platform Operator for Kubernetes Helm Charts
- Added a new sharedPersistentVolumeClaim volume type for the additionalVolumes Helm chart value. This allows a single PVC to be mounted across multiple subdirectories in the HiveMQ container, eliminating the need for workarounds or separate PVCs per directory.
HiveMQ Platform Operator for Kubernetes
- The operator now tracks changes to environment variable Secrets and ConfigMaps using content-based hashing instead of Kubernetes metadata.resourceVersion. This prevents unnecessary rolling restarts when external secret sync services (such as Azure Key Vault, External Secrets Operator, or Sealed Secrets) rewrite secrets without changing their content.
- Added validation for container port, service port, and target port names that exceed the 15-character Kubernetes limit. Invalid port names now set the HiveMQ Platform custom resource to an ERROR state with a descriptive message. Previously, invalid port names failed silently during reconciliation.
- Added validation for the StatefulSet in the /validate HTTP endpoint using a dry-run on the Kubernetes API server. If you configure a Kubernetes Admission Webhook, invalid configurations are now rejected at admission time with a descriptive error message.
- Fixed an issue where long Helm release names caused the Init App update to fail because the operator service URL did not match the truncated Kubernetes service name.
- Fixed an issue where rolling restarts could get stuck in the SCALE_DOWN_IN_PROGRESS phase on GKE environments because the StatefulSet controller did not scale down the surge pod.
TLS Compatibility Notice for Extension and Customization Downloads
This release updates the underlying Java runtime to JDK-21.0.10, which disables several legacy TLS cipher suites and signature algorithms by default. While the operator itself is unaffected, these changes can impact connections to servers used for extension or customization downloads.
If your Helm chart references external download URLs, ensure the servers hosting those files support modern TLS configurations. This applies to:
- extensionUri: Used to download custom extensions (see custom extension example)
- customizationUri: Used to download customizations for enterprise extensions (Kafka, Google Pub/Sub, Amazon Kinesis)
What to Verify on Each Download Server
- Cipher suites: Confirm that your server supports forward-secrecy cipher suites (for example, TLS_ECDHE_RSA_* or TLS_ECDHE_ECDSA_*). Servers that only support TLS_RSA_* cipher suites will cause SSLHandshakeException errors during downloads.
- Signature algorithms: Ensure that your server's TLS 1.2 handshake does not rely on SHA-1 signatures (rsa_pkcs1_sha1, ecdsa_sha1). The server must support SHA-256 or stronger algorithms.
- Server certificates: Ensure your server's TLS certificate is signed with SHA-256 or stronger. SHA-1 signed certificates are no longer supported.
Test Your Server
To test your server's TLS compatibility, run the following command:
openssl s_client -connect <your-server>:443 -tls1_2 </dev/null 2>/dev/null | grep -iE "Cipher|Signature"
NOTE: The skipHttpsCertificateValidation and skipHttpsHostnameVerification Helm chart options do not bypass cipher suite negotiation. Connections to servers offering only deprecated cipher suites will fail regardless of these settings.
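The three checks listed under "What to Verify on Each Download Server" can be applied to the openssl output mechanically. The following script is an added example, not part of the HiveMQ release or its tooling; the function name check_tls_report and both sample reports are constructed for illustration, and it treats any ECDHE or DHE suite as forward-secret.

```sh
#!/bin/sh
# Added example, not HiveMQ code. check_tls_report reads on stdin the output of
#   openssl s_client -connect <your-server>:443 -tls1_2 </dev/null 2>/dev/null
# optionally followed by that same output piped through `openssl x509 -noout -text`.
# It prints one PASS/FAIL/SKIP line per check and returns 1 if any check fails.
check_tls_report() {
    report=$(cat)
    rc=0

    # 1. Negotiated suite in OpenSSL naming: ECDHE-*/DHE-* use ephemeral keys;
    #    names without such a prefix (for example AES128-SHA) are static RSA.
    cipher=$(printf '%s\n' "$report" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case "$cipher" in
        ECDHE-*|DHE-*) echo "PASS cipher $cipher" ;;
        ''|'(NONE)')   echo "FAIL cipher none negotiated"; rc=1 ;;
        *)             echo "FAIL cipher $cipher is not an ECDHE/DHE suite"; rc=1 ;;
    esac

    # 2. Digest the server used to sign its TLS 1.2 handshake.
    digest=$(printf '%s\n' "$report" | sed -n 's/^Peer signing digest: //p' | head -n 1)
    case "$digest" in
        '')     echo "SKIP handshake digest not reported" ;;
        *SHA1*) echo "FAIL handshake signed with $digest"; rc=1 ;;
        *)      echo "PASS handshake digest $digest" ;;
    esac

    # 3. Certificate signature algorithm (present only with x509 -text output).
    certsig=$(printf '%s\n' "$report" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$certsig" in
        '')              echo "SKIP certificate signature not reported" ;;
        *[Ss][Hh][Aa]1*) echo "FAIL certificate signed with $certsig"; rc=1 ;;
        *)               echo "PASS certificate signature $certsig" ;;
    esac
    return "$rc"
}

# Constructed sample reports (not captured from a real server).
MODERN_REPORT='Peer signing digest: SHA256
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
        Signature Algorithm: sha256WithRSAEncryption'
LEGACY_REPORT='New, TLSv1.2, Cipher is AES128-SHA
        Signature Algorithm: sha1WithRSAEncryption'

# Demo: evaluate both samples; "|| true" keeps the script going after a FAIL.
printf '%s\n' "$MODERN_REPORT" | check_tls_report || true
printf '%s\n' "$LEGACY_REPORT" | check_tls_report || true
```

A PASS here reflects only what the openssl client negotiated; the download itself still depends on the suites and algorithms the JDK-21.0.10 runtime enables.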
Get Started Today
To get started with the new operator, see our HiveMQ Platform Operator Quick Start Guide.
To update from a previous version of the Platform Operator for Kubernetes, you need to update your HiveMQ Platform custom resource definition. For simple step-by-step instructions, see our Upgrade Guide.
To learn more about all the features our operator offers, see HiveMQ Platform Operator for Kubernetes.
HiveMQ Team
