0.25.0

CRD Upgrades

!!! IMPORTANT !!!

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. If upgrading from Strimzi 0.22, migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.25 is done! If upgrading from Strimzi version earlier than 0.22, you need to first install the CRDs from Strimzi 0.22 and complete the migration to v1beta2 for all Strimzi CRDs and CRs before the upgrade to 0.25 is done!

For more details about the CRD upgrades, see the documentation.

Main changes since 0.24

• Move from Scala 2.12 to Scala 2.13. (#5192)
• Open Policy Agent authorizer updated to a new version supporting Scala 2.13. See the Changes, deprecations and removals sections for more details. (#5192)
• Allow a custom password to be set for SCRAM-SHA-512 users by referencing a secret in the KafkaUser resource
• Add support for EnvVar Configuration Provider for Apache Kafka
• Add support for tls-external authentication to User Operator to allow management of ACLs and Quotas for TLS users with user certificates generated externally (#5249)
• Support for disabling the automatic generation of network policies by the Cluster Operator. Set the Cluster Operator's STRIMZI_NETWORK_POLICY_GENERATION environment variable to false to disable network policies. (#5258)
• Update User Operator to use Admin API for managing SCRAM-SHA-512 users
• Configure fixed size limit for emptyDir volumes used for temporary files (#5340)
• Update Strimzi Kafka Bridge to 0.20.2

All changes can be found under the 0.25.0 milestone.

Changes, deprecations and removals

• The KafkaConnectS2I resource has been removed and is no longer supported by the operator.
  Please use the migration guide to migrate your KafkaConnectS2I deployments to KafkaConnect Build instead.
• The Open Policy Agent authorizer has been updated to a new version that supports Scala 2.13.
  The new release introduces a new format of the input data sent to the Open Policy Agent server.
  For more information about the new format and how to migrate from the old version, see the OPA Kafka plugin v1.0.0 release notes.
• User Operator now uses Kafka Admin API to manage SCRAM-SHA-512 credentials.
  All operations done by the User Operator now use Kafka Admin API and connect directly to Kafka instead of ZooKeeper.
  As a result, the environment variables STRIMZI_ZOOKEEPER_CONNECT and STRIMZI_ZOOKEEPER_SESSION_TIMEOUT_MS were removed from the User Operator configuration.
• All emptyDir volumes used by Strimzi for temporary files have now configured a fixed size limit.
• Annotate Cluster Operator resource metrics with a namespace label

Upgrading from Strimzi 0.24

See the documentation for upgrade instructions.

0.25.0-rc1

CRD Upgrades

!!! IMPORTANT !!!

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. If upgrading from Strimzi 0.22, migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.25 is done! If upgrading from Strimzi version earlier than 0.22, you need to first install the CRDs from Strimzi 0.22 and complete the migration to v1beta2 for all Strimzi CRDs and CRs before the upgrade to 0.25 is done!

For more details about the CRD upgrades, see the documentation.

Main changes since 0.24

• Move from Scala 2.12 to Scala 2.13. (#5192)
• Open Policy Agent authorizer updated to a new version supporting Scala 2.13. See the Changes, deprecations and removals sections for more details. (#5192)
• Allow a custom password to be set for SCRAM-SHA-512 users by referencing a secret in the KafkaUser resource
• Add support for EnvVar Configuration Provider for Apache Kafka
• Add support for tls-external authentication to User Operator to allow management of ACLs and Quotas for TLS users with user certificates generated externally (#5249)
• Support for disabling the automatic generation of network policies by the Cluster Operator. Set the Cluster Operator's STRIMZI_NETWORK_POLICY_GENERATION environment variable to false to disable network policies. (#5258)
• Update User Operator to use Admin API for managing SCRAM-SHA-512 users
• Configure fixed size limit for emptyDir volumes used for temporary files (#5340)
• Update Strimzi Kafka Bridge to 0.20.2

All changes can be found under the 0.25.0 milestone.

Changes, deprecations and removals

• The KafkaConnectS2I resource has been removed and is no longer supported by the operator.
  Please use the migration guide to migrate your KafkaConnectS2I deployments to KafkaConnect Build instead.
• The Open Policy Agent authorizer has been updated to a new version that supports Scala 2.13.
  The new release introduces a new format of the input data sent to the Open Policy Agent server.
  For more information about the new format and how to migrate from the old version, see the OPA Kafka plugin v1.0.0 release notes.
• User Operator now uses Kafka Admin API to manage SCRAM-SHA-512 credentials.
  All operations done by the User Operator now use Kafka Admin API and connect directly to Kafka instead of ZooKeeper.
  As a result, the environment variables STRIMZI_ZOOKEEPER_CONNECT and STRIMZI_ZOOKEEPER_SESSION_TIMEOUT_MS were removed from the User Operator configuration.
• All emptyDir volumes used by Strimzi for temporary files have now configured a fixed size limit.
• Annotate Cluster Operator resource metrics with a namespace label

Upgrading from Strimzi 0.24

See the documentation for upgrade instructions.

0.24.0

CRD Upgrades

!!! IMPORTANT !!!

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. If upgrading from Strimzi 0.22, migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.24 is done! If upgrading from Strimzi version earlier than 0.22, you need to first install the CRDs from Strimzi 0.22 and complete the migration to v1beta2 for all Strimzi CRDs and CRs before the upgrade to 0.24 is done!

For more details about the CRD upgrades, see the documentation.

Main changes since 0.23

• Add support for Kubernetes Configuration Provider for Apache Kafka
• Use Red Hat UBI8 base image
• Add support for Kafka 2.7.1 and remove support for 2.6.0, 2.6.1, and 2.6.2
• Support for patching of service accounts and configuring their labels and annotations. The feature is disabled by default and enabled using the new ServiceAccountPatching feature gate.
• Added support for configuring cluster-operator's worker thread pool size that is used for various sync and async tasks
• Add Kafka Quotas plugin with produce, consume, and storage quotas
• Support pausing reconciliation of KafkaTopic CR with annotation strimzi.io/pause-reconciliation
• Update cruise control to 2.5.55
• Update to Strimzi Kafka Bridge to 0.20.0
• Support for broker load information added to the rebalance optimization proposal. Information on the load difference, before and after a rebalance is stored in a ConfigMap
• Add support for selectively changing the verbosity of logging for individual CRs, using markers.
• Added support for controller_mutation_rate quota. Creation/Deletion of topics and creation of partitions can be configured through this.
• Use newer version of Kafka Exporter with different bugfixes

All changes can be found under the 0.24.0 milestone.

Changes, deprecations and removals

• The deprecated KafkaConnectS2I custom resource will be removed after the 0.24.0 release.
  Please use the migration guide to migrate your KafkaConnectS2I deployments to KafkaConnect Build instead.
• The fields topicsBlacklistPattern and groupsBlacklistPattern in the KafkaMirrorMaker2 resource are deprecated and will be removed in the future.
  They are replaced by new fields topicsExcludePattern and groupsExcludePattern.
• The field whitelist in the KafkaMirrorMaker resource is deprecated and will be removed in the future.
  It is replaced with a new field include.
• bind-utils removed from containers to improve security posture.
• Kafka Connect Build now uses hashes to name downloaded artifact files. Previously, it was using the last segment of the download URL.
  If your artifact requires a specific name, you can use the new type: other artifact and its fileName field.
• The option enableECDSA of Kafka CR authentication of type oauth has been deprecated and is ignored.
  ECDSA token signature support is now always enabled without the need for Strimzi Cluster Operator installing the BouncyCastle JCE crypto provider.
  BouncyCastle library is no longer packaged with Strimzi Kafka images.

Upgrading from Strimzi 0.23

See the documentation for upgrade instructions.

0.24.0-rc2

Main changes since 0.24.0-rc1

• Update Cruise Control to 2.5.57 with performance improvements (#5172)
• Fix Kafka Bridge Grafana dashboard (#5159)
• Print deprecation warning for the enableECDSA field only when the field is really used (#5160)
• Documentation improvements
• System test improvements

0.24.0-rc1

CRD Upgrades

!!! IMPORTANT !!!

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. If upgrading from Strimzi 0.22, migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.24 is done! If upgrading from Strimzi version earlier than 0.22, you need to first install the CRDs from Strimzi 0.22 and complete the migration to v1beta2 for all Strimzi CRDs and CRs before the upgrade to 0.24 is done!

For more details about the CRD upgrades, see the documentation.

Main changes since 0.23

• Add support for Kubernetes Configuration Provider for Apache Kafka
• Use Red Hat UBI8 base image
• Add support for Kafka 2.7.1 and remove support for 2.6.0, 2.6.1, and 2.6.2
• Support for patching of service accounts and configuring their labels and annotations. The feature is disabled by default and enabled using the new ServiceAccountPatching feature gate.
• Added support for configuring cluster-operator's worker thread pool size that is used for various sync and async tasks
• Add Kafka Quotas plugin with produce, consume, and storage quotas
• Support pausing reconciliation of KafkaTopic CR with annotation strimzi.io/pause-reconciliation
• Update cruise control to 2.5.55
• Update to Strimzi Kafka Bridge to 0.20.0
• Support for broker load information added to the rebalance optimization proposal. Information on the load difference, before and after a rebalance is stored in a ConfigMap
• Add support for selectively changing the verbosity of logging for individual CRs, using markers.
• Added support for controller_mutation_rate quota. Creation/Deletion of topics and creation of partitions can be configured through this.
• Use newer version of Kafka Exporter with different bugfixes

All changes can be found under the 0.24.0 milestone.

Changes, deprecations and removals

• The deprecated KafkaConnectS2I custom resource will be removed after the 0.24.0 release.
  Please use the migration guide to migrate your KafkaConnectS2I deployments to KafkaConnect Build instead.
• The fields topicsBlacklistPattern and groupsBlacklistPattern in the KafkaMirrorMaker2 resource are deprecated and will be removed in the future.
  They are replaced by new fields topicsExcludePattern and groupsExcludePattern.
• The field whitelist in the KafkaMirrorMaker resource is deprecated and will be removed in the future.
  It is replaced with a new field include.
• bind-utils removed from containers to improve security posture.
• Kafka Connect Build now uses hashes to name downloaded artifact files. Previously, it was using the last segment of the download URL.
  If your artifact requires a specific name, you can use the new type: other artifact and its fileName field.
• The option enableECDSA of Kafka CR authentication of type oauth has been deprecated and is ignored.
  ECDSA token signature support is now always enabled without the need for Strimzi Cluster Operator installing the BouncyCastle JCE crypto provider.
  BouncyCastle library is no longer packaged with Strimzi Kafka images.

Upgrading from Strimzi 0.23

See the documentation for upgrade instructions.

0.23.0

CRD Upgrades

!!! IMPORTANT !!!

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.23 is done!

For more details about the CRD upgrades, see the documentation.

Main changes since 0.22

• Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x
• Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration
• Add support for configuring finalizers for loadbalancer type listeners
• Use dedicated Service Account for Kafka Connect Build on Kubernetes
• Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead.
• Migrate to CRD v1 (required by Kubernetes 1.22+)
• Support for configuring custom Authorizer implementation
• Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators)
• Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency)
• Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional
• Support to configure a custom filter for parent CR's labels propagation into subresources
• Allow disabling service links (environment variables describing Kubernetes services) in Pod template
• Update Kaniko executor to 1.6.0
• Add support for separate control plane listener (disabled by default, available via the ControlPlaneListener feature gate)
• Support for Dual Stack networking

All changes can be found under the 0.23.0 milestone.

Changes, deprecations and removals

• Strimzi API versions v1alpha1 and v1beta1 were removed from all Strimzi custom resources apart from KafkaTopic and KafkaUser (use v1beta2 versions instead)
• The following annotations have been removed and cannot be used anymore:
  • cluster.operator.strimzi.io/delete-claim (used internally only - replaced by strimzi.io/delete-claim)
  • operator.strimzi.io/generation (used internally only - replaced by strimzi.io/generation)
  • operator.strimzi.io/delete-pod-and-pvc (use strimzi.io/delete-pod-and-pvc instead)
  • operator.strimzi.io/manual-rolling-update (use strimzi.io/manual-rolling-update instead)
• When the class field is configured in the configuration section of an Ingress-type listener, Strimzi will not automatically set the deprecated kubernetes.io/ingress.class annotation anymore. In case you still need this annotation, you can set it manually in the listener configuration using the annotations field or in the .spec.kafka.template section.
• The .spec.kafkaExporter.template.service section in the Kafka custom resource has been deprecated and will be removed in the next API version (the service itself was removed several releases ago).

Upgrading from Strimzi 0.22

See the documentation for upgrade instructions.

0.23.0-rc1

Main changes since 0.22

• Add support for Kafka 2.8.0 and 2.6.2, remove support for Kafka 2.5.x
• Make it possible to configure maximum number of connections and maximum connection creation rate in listener configuration
• Add support for configuring finalizers for loadbalancer type listeners
• Use dedicated Service Account for Kafka Connect Build on Kubernetes
• Remove direct ZooKeeper access for handling user quotas in the User Operator. Add usage of Admin Client API instead.
• Migrate to CRD v1 (required by Kubernetes 1.22+)
• Support for configuring custom Authorizer implementation
• Changed Reconciliation interval for Topic Operator from 90 to 120 seconds (to keep it the same as for other operators)
• Changed Zookeeper session timeout default value to 18 seconds for Topic and User Operators (for improved resiliency)
• Removed requirement for replicas and partitions KafkaTopic spec making these parameters optional
• Support to configure a custom filter for parent CR's labels propagation into subresources
• Allow disabling service links (environment variables describing Kubernetes services) in Pod template
• Update Kaniko executor to 1.6.0
• Add support for separate control plane listener (disabled by default, available via the ControlPlaneListener feature gate)
• Support for Dual Stack networking

All changes can be found under the 0.23.0 milestone.

CRD Upgrades

!!! IMPORTANT !!!

This release supports only the API version v1beta2 and CRD version apiextensions.k8s.io/v1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs before the upgrade to 0.23 is done!

For more details about the CRD upgrades, see the documentation.

Changes, deprecations and removals

• Strimzi API versions v1alpha1 and v1beta1 were removed from all Strimzi custom resources apart from KafkaTopic and KafkaUser (use v1beta2 versions instead)
• The following annotations have been removed and cannot be used anymore:
  • cluster.operator.strimzi.io/delete-claim (used internally only - replaced by strimzi.io/delete-claim)
  • operator.strimzi.io/generation (used internally only - replaced by strimzi.io/generation)
  • operator.strimzi.io/delete-pod-and-pvc (use strimzi.io/delete-pod-and-pvc instead)
  • operator.strimzi.io/manual-rolling-update (use strimzi.io/manual-rolling-update instead)
• When the class field is configured in the configuration section of an Ingress-type listener, Strimzi will not automatically set the deprecated kubernetes.io/ingress.class annotation anymore. In case you still need this annotation, you can set it manually in the listener configuration using the annotations field or in the .spec.kafka.template section.
• The .spec.kafkaExporter.template.service section in the Kafka custom resource has been deprecated and will be removed in the next API version (the service itself was removed several releases ago).

Upgrading from Strimzi 0.22

See the documentation for upgrade instructions.

0.22.1

Main changes since 0.22.0

• Do not use ownerReference for EO role in separate watched namespace (#4588)
• Minor documentation and system test improvements

See the 0.22.0 release for information about CRD upgrades, deprecations and removals.

Upgrading from Strimzi 0.21.x and 0.22.0

See the documentation for upgrade instructions.

0.22.0

Main Changes since 0.21.x

• Add v1beta2 version for all resources. v1beta2 removes all deprecated fields.
• Add annotations that enable the operator to restart Kafka Connect connectors or tasks. The annotations can be applied to the KafkaConnector and the KafkaMirrorMaker2 custom resources.
• Add additional configuration options for the Kaniko executor used by the Kafka Connect Build on Kubernetes
• Add support for JMX options configuration of all Kafka Connect (KC, KC2SI, MM2)
• Update Strimzi Kafka OAuth to version 0.7 and add support for new features:
  • OAuth authentication over SASL PLAIN mechanism
  • Checking token audience
  • Validating tokens using JSONPath filter queries to perform custom checks
• Fix Cruise Control crash loop when updating container configurations
• Configure external logging ConfigMap name and key.
• Add support for configuring labels and annotations in ClusterRoleBindings created as part of Kafka and Kafka Connect clusters
• Add support for Ingress v1 in Kubernetes 1.19 and newer
• Add support for Kafka 2.6.1
• List topics used by a Kafka Connect connector in the .status section of the KafkaConnector custom resource
• Bump Cruise Control to v2.5.37 for Kafka 2.7 support. Note this new version of Cruise Control uses Log4j 2 and is supported by dynamic logging configuration (where logging properties are defined in a ConfigMap). However, existing Log4j configurations must be updated to Log4j 2 configurations.
• Support pausing reconciliation of CR with annotation strimzi.io/pause-reconciliation

All changes can be found under the 0.22.0 milestone.

CRD Upgrades

!!! IMPORTANT !!!

This release introduces new API version v1beta2 to all Strimzi custom resources. This is a preparation for migration to apiextensions/v1 which is needed because Kubernetes 1.22 will remove support for apiextensions/v1beta1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs after the upgrade to 0.22 is done and before upgrading to Strimzi 0.23 which will support only Strimzi v1beta2 APIs and apiextensions/v1 CRDs.

For more details about the CRD upgrades, see the documentation.

Deprecations and removals

• In the past, when no Ingress class was specified in the Ingress-type listener in the Kafka custom resource, the
  kubernetes.io/ingress.class annotation was automatically set to nginx. Because of the support for the new
  IngressClass resource and the new ingressClassName field in the Ingress resource, the default value will not be set
  anymore. Please use the class field in .spec.kafka.listeners[].configuration to specify the class name.
• The KafkaConnectS2I custom resource is deprecated and will be removed in the future. You can use the new KafkaConnect build feature instead.
• Removed support for Helm2 charts as that version is now unsupported. There is no longer the need for separate helm2 and helm3 binaries, only helm (version 3) is required.
• The following annotations are deprecated for a long time and will be removed in 0.23.0:
  • cluster.operator.strimzi.io/delete-claim (used internally only - replaced by strimzi.io/delete-claim)
  • operator.strimzi.io/generation (used internally only - replaced by strimzi.io/generation)
  • operator.strimzi.io/delete-pod-and-pvc (use strimzi.io/delete-pod-and-pvc instead)
  • operator.strimzi.io/manual-rolling-update (use strimzi.io/manual-rolling-update instead)
• External logging configuration has changed. spec.logging.name is deprecated. Moved to spec.logging.valueFrom.configMapKeyRef.name. Key in the ConfigMap is configurable via spec.logging.valueFrom.configMapKeyRef.key.
  • from

  logging:
    type: external
    name: my-config-map
  

  • to

  logging:
    type: external
    valueFrom:
      configMapKeyRef:
        name: my-config-map
        key: my-key
  

• Existing Cruise Control logging configurations must be updated from Log4j syntax to Log4j 2 syntax.
  • For existing inline configurations, replace the cruisecontrol.root.logger property with rootLogger.level.
  • For existing external configurations, replace the existing configuration with a new configuration file named log4j2.properties using log4j 2 syntax.

Upgrading from Strimzi 0.21

See the documentation for upgrade instructions.

Known issues

• On Kubernetes 1.20 and newer, when user configures the Topic or User Operators in the Kafka CR to watch different namespace than the one in which they run (using the watchedNamespace option), the Entity Operator pod will not start properly because of missing RBAC. This will be fixed in 0.22.1 (expected next week). If needed, the required Role and RoleBinding for the Entity Operator can be also created manually as a workaround.

0.22.0-rc1

Main Changes since 0.21.x

• Add v1beta2 version for all resources. v1beta2 removes all deprecated fields.
• Add annotations that enable the operator to restart Kafka Connect connectors or tasks. The annotations can be applied to the KafkaConnector and the KafkaMirrorMaker2 custom resources.
• Add additional configuration options for the Kaniko executor used by the Kafka Connect Build on Kubernetes
• Add support for JMX options configuration of all Kafka Connect (KC, KC2SI, MM2)
• Update Strimzi Kafka OAuth to version 0.7 and add support for new features:
  • OAuth authentication over SASL PLAIN mechanism
  • Checking token audience
  • Validating tokens using JSONPath filter queries to perform custom checks
• Fix Cruise Control crash loop when updating container configurations
• Configure external logging ConfigMap name and key.
• Add support for configuring labels and annotations in ClusterRoleBindings created as part of Kafka and Kafka Connect clusters
• Add support for Ingress v1 in Kubernetes 1.19 and newer
• Add support for Kafka 2.6.1
• List topics used by a Kafka Connect connector in the .status section of the KafkaConnector custom resource
• Bump Cruise Control to v2.5.37 for Kafka 2.7 support. Note this new version of Cruise Control uses Log4j 2 and is supported by dynamic logging configuration (where logging properties are defined in a ConfigMap). However, existing Log4j configurations must be updated to Log4j 2 configurations.
• Support pausing reconciliation of CR with annotation strimzi.io/pause-reconciliation

All changes can be found under the 0.22.0 milestone.

CRD Upgrades

This release introduces new API version v1beta2 to all Strimzi custom resources. This is a preparation for migration to apiextensions/v1 which is needed because Kubernetes 1.22 will remove support for apiextensions/v1beta1. Migration to v1beta2 needs to be completed for all Strimzi CRDs and CRs after the upgrade to 0.22 is done and before upgrading to Strimzi 0.23 which will support only Strimzi v1beta2 APIs and apiextensions/v1 CRDs.

For more details about the CRD upgrades, see the documentation.

Deprecations and removals

• In the past, when no Ingress class was specified in the Ingress-type listener in the Kafka custom resource, the
  kubernetes.io/ingress.class annotation was automatically set to nginx. Because of the support for the new
  IngressClass resource and the new ingressClassName field in the Ingress resource, the default value will not be set
  anymore. Please use the class field in .spec.kafka.listeners[].configuration to specify the class name.
• The KafkaConnectS2I custom resource is deprecated and will be removed in the future. You can use the new KafkaConnect build feature instead.
• Removed support for Helm2 charts as that version is now unsupported. There is no longer the need for separate helm2 and helm3 binaries, only helm (version 3) is required.
• The following annotations are deprecated for a long time and will be removed in 0.23.0:
  • cluster.operator.strimzi.io/delete-claim (used internally only - replaced by strimzi.io/delete-claim)
  • operator.strimzi.io/generation (used internally only - replaced by strimzi.io/generation)
  • operator.strimzi.io/delete-pod-and-pvc (use strimzi.io/delete-pod-and-pvc instead)
  • operator.strimzi.io/manual-rolling-update (use strimzi.io/manual-rolling-update instead)
• External logging configuration has changed. spec.logging.name is deprecated. Moved to spec.logging.valueFrom.configMapKeyRef.name. Key in the ConfigMap is configurable via spec.logging.valueFrom.configMapKeyRef.key.
  • from

  logging:
    type: external
    name: my-config-map
  

  • to

  logging:
    type: external
    valueFrom:
      configMapKeyRef:
        name: my-config-map
        key: my-key
  

• Existing Cruise Control logging configurations must be updated from Log4j syntax to Log4j 2 syntax.
  • For existing inline configurations, replace the cruisecontrol.root.logger property with rootLogger.level.
  • For existing external configurations, replace the existing configuration with a new configuration file named log4j2.properties using log4j 2 syntax.

Upgrading from Strimzi 0.21.0

See the documentation for upgrade instructions.