Release notes

Support for JAAS Authentication: Hazelcast Operator now supports setting up Java Authentication and Authorization Service (JAAS) for the clients, allowing enterprises to deploy Hazelcast securely with JAAS authentication in Kubernetes environments

TLS support for MC LDAP Security Provider: Hazelcast Operator now supports authentication and authorization against Lightweight Directory Access Protocol (LDAP) servers over TLS (or LDAPS) for Management Center. Non-SSL LDAP connections continue to work as expected

Simple authentication and authorization for clients: Hazelcast Operator now supports simple authentication and authorization for client connections, bringing native security controls to Operator-managed clusters. You can define authentication realms using Kubernetes secrets, assign roles (admin, monitor, application), and configure fine-grained permissions with InstancePermission and ClusterPermission. The Operator retrieves admin credentials directly from operatorClientSecretName, eliminating manual configuration. This enhancement ensures secure, role-based access control, simplifies client authentication setup, and aligns with Hazelcast’s standard security model for a seamless Kubernetes integration

Added ability to configure client and member mutual authentication separately: you can configure mutual authentication of client-to-member and member-to-member communications separately. (Previously mutual authentication for member to member communication was always Required by default)

Static configuration for User Code Namespace (UCN) now correctly generates the configuration in hazelcast.yaml: static configuration for User Code Namespace (UCN) now correctly generates the configuration in hazelcast.yaml by including the required name-spaces field instead of incorrectly using the default key

Fixed the issue when Hazelcast can’t be deployed using Compact Serializers: the provided compact serializer config was passed to Hazelcast with the wrong YAML format. Now Hazelcast throws an InvalidConfigurationException since the claimed class is not on the classpath, which is expected

Authorization errors logged at incorrect level in Hazelcast Operator: currently, authorization errors in Hazelcast Operator are logged at the DEBUG level instead of ERROR, making it difficult to identify permission-related issues. When an invalid JAAS authentication configuration is applied (such as an incorrect class name) the logs do not immediately signal a failure. Until this issue is resolved in a future release, you should manually check the logs for authorization failures

Clients continue connecting to cluster with expired or invalid TLS certificates: currently, when a TLS secret is updated with a new keystore and truststore, clients using outdated certificates can still connect to the Hazelcast cluster instead of being rejected. Even after updating the TLS secret, there is no built-in mechanism to enforce immediate re-authentication, leading to potential security concerns