Test steps on an existing ServiceMesh cluster
- Add custom ports to istio-ingressgateway service (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html)
- Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHosts
- Add Ingress Gateway/VCs for onap_strimzi to istio-ingressgateway
- Create External Kafka User (optional)
- Test the external client access to Kafka

Add custom ports to istio-ingressgateway service

```
1. Export existing service definition:
   kubectl -n istio-ingress get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml

2. Check existing NodePorts (the range of valid ports is 30000-32767):
   kubectl get svc -A | grep Load
   kubectl get svc -A | grep NodePort

3. Choose 4 free ports (e.g. 30900, 30901, 30902, 30903)

4. Edit istio_ingressgateway.yaml and add:
   - port: 9003
     nodePort: 30903
     targetPort: 9003
     name: kafka-bootstrap
     protocol: TCP
   - port: 9000
     nodePort: 30900
     targetPort: 9000
     name: kafka-0
     protocol: TCP
   - port: 9001
     nodePort: 30901
     targetPort: 9001
     name: kafka-1
     protocol: TCP
   - port: 9002
     nodePort: 30902
     targetPort: 9002
     name: kafka-2
     protocol: TCP

5. Apply changes:
   kubectl apply -f ./istio_ingressgateway.yaml
```

Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHosts

```
1. Log in to the K8S control node and set the helm environment
   helm repo add local http://127.0.0.1:8879
   helm plugin install --version v0.10.3 https://github.com/chartmuseum/helm-push.git
   git config --global --add safe.directory /opt/oom

2. Modify the onap-strimzi config
   cd /opt/oom/kubernetes
   vi strimzi/templates/strimzi-kafka.yaml

   Update "tls" and "authentication.type" of the "external" kafka listener:
   ---
   - name: external
     port: 9094
     type: nodeport
     tls: false
     authentication:
       type: {{ .Values.config.saslMechanism }}
     configuration:
       brokers:
         - broker: 0
           advertisedHost: kafka-api.simpledemo.onap.org
           advertisedPort: 9000
         - broker: 1
           advertisedHost: kafka-api.simpledemo.onap.org
           advertisedPort: 9001
         - broker: 2
           advertisedHost: kafka-api.simpledemo.onap.org
           advertisedPort: 9002

3. Apply the changes to onap-strimzi
   make strimzi
   helm upgrade -i onap-strimzi local/strimzi --namespace onap --version 12.0.0 \
     --values /opt/oom/kubernetes/onap/values.yaml \
     --values /opt/oom/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml \
     --values /opt/oom/kubernetes/onap/resources/overrides/environment.yaml \
     --values /home/ubuntu/oom/master/onap-overrides.yaml \
     --timeout '900s'
```

Add Ingress Gateway/VCs for onap_strimzi to istio-ingressgateway
- Create a file (e.g. kafka-ingress.yaml) with Istio Ingress Gateway/VirtualService entries for the kafka-bootstrap-api and the brokers

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kafka-bootstrap-api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - kafka-bootstrap-api.simpledemo.onap.org
      port:
        name: tls-kafka-bootstrap
        number: 9003
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-bootstrap-api-service
spec:
  hosts:
    - kafka-bootstrap-api.simpledemo.onap.org
  gateways:
    - kafka-bootstrap-api-gateway
  tcp:
    - match:
        - port: 9003
      route:
        - destination:
            host: onap-strimzi-kafka-external-bootstrap
            port:
              number: 9094
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kafka-api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - kafka-api.simpledemo.onap.org
      port:
        name: tls-kafka-0
        number: 9000
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
    - hosts:
        - kafka-api.simpledemo.onap.org
      port:
        name: tls-kafka-1
        number: 9001
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
    - hosts:
        - kafka-api.simpledemo.onap.org
      port:
        name: tls-kafka-2
        number: 9002
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-0-api-service
spec:
  hosts:
    - kafka-api.simpledemo.onap.org
  gateways:
    - kafka-api-gateway
  tcp:
    - match:
        - port: 9000
      route:
        - destination:
            host: onap-strimzi-kafka-0
            port:
              number: 9094
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-1-api-service
spec:
  hosts:
    - kafka-api.simpledemo.onap.org
  gateways:
    - kafka-api-gateway
  tcp:
    - match:
        - port: 9001
      route:
        - destination:
            host: onap-strimzi-kafka-1
            port:
              number: 9094
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-2-api-service
spec:
  hosts:
    - kafka-api.simpledemo.onap.org
  gateways:
    - kafka-api-gateway
  tcp:
    - match:
        - port: 9002
      route:
        - destination:
            host: onap-strimzi-kafka-2
            port:
              number: 9094
```

```
kubectl -n onap apply -f ./kafka-ingress.yaml
```

Test the external client access to Kafka
- Add hostnames to DNS (or /etc/hosts) by using the IP Address of the istio-ingressgateway LB

```
sudo vi /etc/hosts
----
10.32.240.14 kafka-bootstrap-api.simpledemo.onap.org
10.32.240.14 kafka-api.simpledemo.onap.org
```

- Test the connection. Install KafkaCat:

```
sudo apt install kafkacat
```

- Get the metadata (use an existing Kafka User, e.g. Admin):

```
kafkacat -L -b kafka-bootstrap-api.simpledemo.onap.org:9003 \
  -X security.protocol=sasl_ssl \
  -X enable.ssl.certificate.verification=false \
  -X sasl.mechanisms=SCRAM-SHA-512 \
  -X sasl.username=<strimzi-user> \
  -X sasl.password=<strimzi-password> -v -v

Metadata for all topics (from broker -1: sasl_ssl://kafka-bootstrap-api.simpledemo.onap.org:9003/bootstrap):
 3 brokers:
  broker 0 at kafka-api.simpledemo.onap.org:9000 (controller)
  broker 2 at kafka-api.simpledemo.onap.org:9002
  broker 1 at kafka-api.simpledemo.onap.org:9001
 33 topics:
  topic "org.onap.dmaap.mr.PNF_REGISTRATION" with 2 partitions:
    partition 0, leader 2, replicas: 2, isrs: 2
    partition 1, leader 1, replicas: 1, isrs: 1
  topic "SDC-DISTR-NOTIF-TOPIC-AUTO" with 6 partitions:
...
```

- Consume messages from a topic (use an existing Kafka User, e.g. Admin):

```
kafkacat -b kafka-bootstrap-api.simpledemo.onap.org:9003 \
  -X security.protocol=sasl_ssl \
  -X enable.ssl.certificate.verification=false \
  -X sasl.mechanisms=SCRAM-SHA-512 \
  -X sasl.username=strimzi-kafka-admin \
  -X sasl.password=GzxcHZ29sUXb \
  -C -t unauthenticated.VES_NOTIFICATION_OUTPUT -v

{"event":{"commonEventHeader":{"startEpochMicrosec":8745745764578,"eventId":"FileReady_1797490e-10ae-4d48-9ea7-3d7d790b25e1","timeZoneOffset":"UTC+05.30","internalHeaderFields":{"collectorTimeStamp":"Tue, 12 06 2022 01:35:59 GMT"},"priority":"Normal","version":"4.0.1","reportingEntityName":"otenb5309","sequence":0,"domain":"notification","lastEpochMicrosec":8745745764578,"eventName":"Noti_RnNode-Ericsson_FileReady","vesEventListenerVersion":"7.0.1","sourceName":"oteNB5309"},"notificationFields":{"notificationFieldsVersion":"2.0","changeType":"FileReady","changeIdentifier":"PM_MEAS_FILES","arrayOfNamedHashMap":[{"name":"test.xml.gz","hashMap":{"location":"sftp://sftp:22/test.xml.gz","fileFormatType":"org.3GPP.32.435#measCollec","fileFormatVersion":"V10","compression":"gzip"}}]}}}
...
```
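
A Kafka client uses the bootstrap address only for its first request and then connects to whatever host:port each broker advertises, so the advertisedHost/advertisedPort values must match the ports opened on istio-ingressgateway. The following check over `kafkacat -L` output is an added example, not part of the original page; the function names and the sample metadata (adapted from the output above, with one constructed mismatch) are assumptions for illustration.

```bash
#!/bin/sh
# Added example (not from the original page). Reads `kafkacat -L` output on
# stdin and checks every advertised broker address against the host name and
# the ports that the ingress gateway exposes.
# Usage: kafkacat -L ... | check_advertised <host> "<port> <port> ..."
# Prints "ok|bad <broker-id> <host:port>" per broker; returns 0 only when at
# least one broker was listed and all of them matched.
check_advertised() {
  awk -v host="$1" -v ports="$2" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) exposed[p[i]] = 1 }
    # Broker lines look like: "  broker 0 at host:9000 (controller)"
    $1 == "broker" && $3 == "at" {
      seen++
      split($4, a, ":")          # hostname:port (no IPv6 literals assumed)
      if (a[1] == host && (a[2] in exposed)) {
        print "ok", $2, $4
      } else {
        print "bad", $2, $4
        bad++
      }
    }
    END { exit !(seen > 0 && bad == 0) }
  '
}

# Constructed sample: the broker list from the metadata output on this page.
sample_good() {
  cat <<'EOF'
Metadata for all topics (from broker -1: sasl_ssl://kafka-bootstrap-api.simpledemo.onap.org:9003/bootstrap):
 3 brokers:
  broker 0 at kafka-api.simpledemo.onap.org:9000 (controller)
  broker 2 at kafka-api.simpledemo.onap.org:9002
  broker 1 at kafka-api.simpledemo.onap.org:9001
EOF
}

# Constructed failure case: broker 2 advertises a port the gateway does not open.
sample_bad() {
  sample_good | sed 's/onap.org:9002$/onap.org:9094/'
}

sample_good | check_advertised kafka-api.simpledemo.onap.org "9000 9001 9002"
sample_bad | check_advertised kafka-api.simpledemo.onap.org "9000 9001 9002" \
  || echo "advertised listener mismatch: clients would fail after bootstrap"
```
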