[draw.io diagram: Ingress2Kafka]

Test steps on an existing ServiceMesh cluster

  1. Add custom ports to istio-ingressgateway service
    (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html)
  2. Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHosts
  3. Add Ingress Gateway/VCs for onap_strimzi to istio-ingressgateway
  4. Create External Kafka User (optional)
  5. Test the external client access to Kafka


Add custom ports to istio-ingressgateway service

1. Export existing service definition:
    kubectl -n istio-ingress get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml
2. Check existing NodePorts (the range of valid ports is 30000-32767):
    kubectl get svc -A | grep Load
    kubectl get svc -A | grep NodePort
3. Choose 4 free ports (e.g. 30900, 30901,30902, 3090330910)
4. Edit istio_ingressgateway.yaml and add:
  - port: 90039010
    nodePort: 3090330910
    targetPort: 90039010
    name: kafka-bootstrap
    protocol: TCP
  - port: 9000
    nodePort: 30900
    targetPort: 9000
    name: kafka-0
    protocol: TCP
  - port: 9001
    nodePort: 30901
    targetPort: 9001
    name: kafka-1
    protocol: TCP
  - port: 9002
    nodePort: 30902
    targetPort: 9002
    name: kafka-2
    protocol: TCP
5. Apply changes:
     kubectl apply -f ./istio_ingressgateway.yaml

Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHosts

1. Login to the K8S Control Node and set the helm environment
	helm repo add local http://127.0.0.1:8879
	helm plugin install --version v0.10.3 https://github.com/chartmuseum/helm-push.git
	git config --global --add safe.directory /opt/oom

2. Modify the onap-strimzi config
	cd /opt/oom/kubernetes
	vi strimzi/templates/strimzi-kafka.yaml
	Update "tls" and "authentication.type" of the "external" kafka listener:
    ---
      - name: external
        port: 9094
        type: nodeport
        tls: false
        authentication:
          type: {{ .Values.config.saslMechanism }}
        configuration:
          brokers:
            - broker: 0
              advertisedHost: kafka-api.simpledemo.onap.org
              advertisedPort: 9000
            - broker: 1
              advertisedHost: kafka-api.simpledemo.onap.org
              advertisedPort: 9001
            - broker: 2
              advertisedHost: kafka-api.simpledemo.onap.org
              advertisedPort: 9002

3. Apply the changes to onap-strimzi
    make strimzi
    helm upgrade -i onap-strimzi local/strimzi --namespace onap --version 12.0.0 --values /opt/oom/kubernetes/onap/values.yaml --values /opt/oom/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml --values /opt/oom/kubernetes/onap/resources/overrides/environment.yaml --values /home/ubuntu/oom/master/onap-overrides.yaml --timeout '900s'


Add Ingress Gateway/VCs for onap_strimzi to istio-ingressgateway

  • Create a file (e.g. kafka-ingress.yaml) with Istio Ingress Gateway/VirtualService entries for the kafka-bootstrap-api and the brokers:


apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kafka-bootstrap-api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - kafka-bootstrap-api.simpledemo.onap.org
      port:
        name: tls-kafka-bootstrap
        number: 90039010
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-bootstrap-api-service
spec:
  hosts:
    - kafka-bootstrap-api.simpledemo.onap.org
  gateways:
    - kafka-bootstrap-api-gateway
  tcp:
  - match:
    - port: 90039010
    route:
    - destination:
        host: onap-strimzi-kafka-external-bootstrap
        port:
          number: 9094
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kafka-api-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - kafka-api.simpledemo.onap.org
      port:
        name: tls-kafka-0
        number: 9000
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
    - hosts:
        - kafka-api.simpledemo.onap.org
      port:
        name: tls-kafka-1
        number: 9001
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
    - hosts:
        - kafka-api.simpledemo.onap.org
      port:
        name: tls-kafka-2
        number: 9002
        protocol: TLS
      tls:
        credentialName: ingress-tls-secret
        mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-0-api-service
spec:
  hosts:
    - kafka-api.simpledemo.onap.org
  gateways:
    - kafka-api-gateway
  tcp:
  - match:
    - port: 9000
    route:
    - destination:
        host: onap-strimzi-kafka-0
        port:
          number: 9094
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-1-api-service
spec:
  hosts:
    - kafka-api.simpledemo.onap.org
  gateways:
    - kafka-api-gateway
  tcp:
  - match:
    - port: 9001
    route:
    - destination:
        host: onap-strimzi-kafka-1
        port:
          number: 9094
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-2-api-service
spec:
  hosts:
    - kafka-api.simpledemo.onap.org
  gateways:
    - kafka-api-gateway
  tcp:
  - match:
    - port: 9002
    route:
    - destination:
        host: onap-strimzi-kafka-2
        port:
          number: 9094

kubectl -n onap apply -f ./kafka-ingress.yaml

Test the external client access to Kafka


  • Add hostnames to DNS (or /etc/hosts), using the IP address of the istio-ingressgateway LB:
sudo vi /etc/hosts
----
10.32.240.14 kafka-bootstrap-api.simpledemo.onap.org
10.32.240.14 kafka-api.simpledemo.onap.org


  • Install KafkaCat to test the connection:
sudo apt install kafkacat
  • Get the metadata (use an existing Kafka user, e.g. Admin):
kafkacat -L -b kafka-bootstrap-api.simpledemo.onap.org:9003 -X security.protocol=sasl_ssl -X enable.ssl.certificate.verification=false -X sasl.mechanisms=SCRAM-SHA-512 -X sasl.username=<strimzi-user> -X sasl.password=<strimzi-password>  -v -v

Metadata for all topics (from broker -1: sasl_ssl://kafka-bootstrap-api.simpledemo.onap.org:9003/bootstrap):
 3 brokers:
  broker 0 at kafka-api.simpledemo.onap.org:9000 (controller)
  broker 2 at kafka-api.simpledemo.onap.org:9002
  broker 1 at kafka-api.simpledemo.onap.org:9001
 33 topics:
  topic "org.onap.dmaap.mr.PNF_REGISTRATION" with 2 partitions:
    partition 0, leader 2, replicas: 2, isrs: 2
    partition 1, leader 1, replicas: 1, isrs: 1
  topic "SDC-DISTR-NOTIF-TOPIC-AUTO" with 6 partitions:
...
  • Consume messages from a topic (use an existing Kafka user, e.g. Admin):
kafkacat -b kafka-bootstrap-api.simpledemo.onap.org:9003 -X security.protocol=sasl_ssl -X enable.ssl.certificate.verification=false -X sasl.mechanisms=SCRAM-SHA-512 -X sasl.username=strimzi-kafka-admin -X sasl.password=<strimzi-password>  -C  -t unauthenticated.VES_NOTIFICATION_OUTPUT -v

{"event":{"commonEventHeader":{"startEpochMicrosec":8745745764578,"eventId":"FileReady_1797490e-10ae-4d48-9ea7-3d7d790b25e1","timeZoneOffset":"UTC+05.30","internalHeaderFields":{"collectorTimeStamp":"Tue, 12 06 2022 01:35:59 GMT"},"priority":"Normal","version":"4.0.1","reportingEntityName":"otenb5309","sequence":0,"domain":"notification","lastEpochMicrosec":8745745764578,"eventName":"Noti_RnNode-Ericsson_FileReady","vesEventListenerVersion":"7.0.1","sourceName":"oteNB5309"},"notificationFields":{"notificationFieldsVersion":"2.0","changeType":"FileReady","changeIdentifier":"PM_MEAS_FILES","arrayOfNamedHashMap":[{"name":"test.xml.gz","hashMap":{"location":"sftp://sftp:22/test.xml.gz","fileFormatType":"org.3GPP.32.435#measCollec","fileFormatVersion":"V10","compression":"gzip"}}]}}}
...
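
Added example (not part of the original page): a shell check that parses the broker list printed by the kafkacat -L call above and confirms that every broker is advertised on the ingress host at its per-broker port (9000 + broker id, the mapping configured on this page). The function name check_advertised_brokers and the embedded sample are constructed for illustration.

```bash
# Constructed sample: the broker section of the metadata output shown above.
SAMPLE_METADATA='Metadata for all topics (from broker -1: sasl_ssl://kafka-bootstrap-api.simpledemo.onap.org:9003/bootstrap):
 3 brokers:
  broker 0 at kafka-api.simpledemo.onap.org:9000 (controller)
  broker 2 at kafka-api.simpledemo.onap.org:9002
  broker 1 at kafka-api.simpledemo.onap.org:9001
 33 topics:'

# check_advertised_brokers <ingress-host> <port-of-broker-0>
# Reads "kafkacat -L" output on stdin. Prints one line per problem and
# returns non-zero if any broker is advertised somewhere other than
# <ingress-host>:<port-of-broker-0 + broker id>, or if the number of
# parsed brokers differs from the "N brokers:" header.
check_advertised_brokers() {
  awk -v host="$1" -v base="$2" '
    # Header line, e.g. " 3 brokers:"
    /^ *[0-9]+ brokers:/ { expected = $1 }

    # Broker line, e.g. "  broker 0 at host:port (controller)"
    $1 == "broker" && $3 == "at" {
      seen++
      want = host ":" (base + $2)
      if ($4 != want) {
        printf "broker %s advertised at %s, expected %s\n", $2, $4, want
        bad++
      }
    }

    END {
      if (seen == 0) {
        print "no brokers found in metadata"
        bad++
      } else if (seen != expected) {
        printf "header says %s brokers, parsed %d\n", expected, seen
        bad++
      }
      exit (bad > 0)
    }'
}

# Run against the constructed sample; prints the message only on success.
printf '%s\n' "$SAMPLE_METADATA" \
  | check_advertised_brokers kafka-api.simpledemo.onap.org 9000 \
  && echo "advertised listeners match the ingress"
```

On a live cluster, pipe the real kafkacat -L output into check_advertised_brokers instead of the sample. A mismatch means the advertisedHost/advertisedPort settings did not take effect, so external clients would be pointed at addresses that do not pass through the gateway.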