
https://strimzi.io/docs/operators/latest/configuring.html

https://strimzi.io/docs/operators/latest/configuring.html#proc-accessing-kafka-using-ingress-str

https://strimzi.io/blog/2019/04/23/accessing-kafka-part-2/

https://github.com/strimzi/strimzi-kafka-operator/blob/main/documentation/api/io.strimzi.api.kafka.model.listener.arraylistener.GenericKafkaListener.adoc

Current Setup - no Ingress (Kohn):

  • External Access via Nodeports
    • onap-strimzi-kafka-external-bootstrap (30493)
    • onap-strimzi-kafka-0 (30490)
    • onap-strimzi-kafka-1 (30491)
    • onap-strimzi-kafka-2 (30492)
  • TLS termination on Kafka Pods


External Access to Kafka (DT implementation) in Jakarta/Kohn

  • External Access via Ingress (Traefik)
    • new TCP "EntryPoints" in Traefik Gateway for bootstrap and brokers
    • Update Pod "clienttls" ports (9093) to use "advertisedHost" and "advertisedPort"
    • NodePorts not used...
    • IngressRouteTCP entry to "internal" bootstrap service 
      • Use "TLS passthrough"
    • IngressRouteTCP entries to external broker ports

Proposal for London (External Access via Ingress)

  • External Access via Ingress (istio-ingress)
    • new TLS ports on Ingress Gateway for bootstrap and brokers
  • Disable TLS on "external" broker ports 
  • Disable all Nodeports in Service definitions


Test steps on an existing ServiceMesh cluster

  1. Add custom ports to istio-ingressgateway service
    (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html)
  2. Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHost
  3. Add "ingress" services to onap_strimzi


  • "Add custom ports to istio-ingressgateway service"
1. Export existing service definition:
	kubectl -n istio-ingress get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml
2. Check existing Nodeports (The range of valid ports is 30000-32767)
	kubectl get svc -A |grep Load
	kubectl get svc -A |grep NodePort
3. Choose 4 free ports (e.g. 30900, 30901, 30902, 30903)
4. Edit istio_ingressgateway.yaml and add:
  - port: 9003
    nodePort: 30903
    targetPort: 9003
    name: kafka-bootstrap
    protocol: TCP
  - port: 9000
    nodePort: 30900
    targetPort: 9000
    name: kafka-0
    protocol: TCP
  - port: 9001
    nodePort: 30901
    targetPort: 9001
    name: kafka-1
    protocol: TCP
  - port: 9002
    nodePort: 30902
    targetPort: 9002
    name: kafka-2
    protocol: TCP
5. Apply changes:
     kubectl apply -f ./istio_ingressgateway.yaml
  • "Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHost"
1. Login to the K8S Control Node and set the helm environment
	helm repo add local http://127.0.0.1:8879
	helm plugin install --version v0.10.3 https://github.com/chartmuseum/helm-push.git
	git config --global --add safe.directory /opt/oom

2. Modify the onap-strimzi config
	cd /opt/oom/kubernetes
	vi strimzi/templates/strimzi-kafka.yaml
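	Update "tls" and "authentication.type" of the "external" kafka listener. TLS is switched off on this listener in line with the London proposal above, which moves TLS to the ingress gateway ports, so Kafka itself no longer encrypts traffic arriving on port 9094: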
    ---
      - name: external
        port: 9094
        type: nodeport
        tls: false
        authentication:
          type: {{ .Values.config.saslMechanism }}
        configuration:
          brokers:
            - broker: 0
              advertisedHost: kafka-api.simpledemo.onap.org
              advertisedPort: 9000
            - broker: 1
              advertisedHost: kafka-api.simpledemo.onap.org
              advertisedPort: 9001
            - broker: 2
              advertisedHost: kafka-api.simpledemo.onap.org
              advertisedPort: 9002

3. Apply the changes to onap-strimzi
    helm upgrade -i onap-strimzi local/strimzi --namespace onap --version 12.0.0 --values /opt/oom/kubernetes/onap/values.yaml --values /opt/oom/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml --values /opt/oom/kubernetes/onap/resources/overrides/environment.yaml --values /home/ubuntu/oom/master/onap-overrides.yaml --timeout '900s'
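
An added example, not part of the original page: a shell helper for steps 2-3 of "Add custom ports to istio-ingressgateway service". It classifies candidate NodePorts against `kubectl get svc -A` output (inside 30000-32767, not already allocated, not listed twice). The function names and the sample service listing are constructed for illustration.

```shell
# On a cluster: kubectl get svc -A | check_nodeports 30900 30901 30902 30903

# Constructed sample of `kubectl get svc -A` output (not captured from a real cluster).
SAMPLE_SVC='NAMESPACE      NAME                                   TYPE          CLUSTER-IP   EXTERNAL-IP  PORT(S)                                     AGE
istio-ingress  istio-ingressgateway                   LoadBalancer  10.43.10.1   <pending>    15021:31381/TCP,80:30080/TCP,443:30443/TCP  9d
onap           onap-strimzi-kafka-external-bootstrap  NodePort      10.43.20.1   <none>       9094:30493/TCP                              9d
onap           onap-strimzi-kafka-0                   NodePort      10.43.20.2   <none>       9094:30490/TCP                              9d
onap           onap-strimzi-kafka-bootstrap           ClusterIP     10.43.20.9   <none>       9091/TCP,9092/TCP,9093/TCP                  9d'

# Read a service listing on stdin and print every allocated nodePort, one per line.
# Only "port:nodePort/PROTO" entries carry a nodePort; ClusterIP entries have no colon.
used_nodeports() {
  grep -oE '[0-9]+:[0-9]+/(TCP|UDP|SCTP)' | cut -d: -f2 | cut -d/ -f1 | sort -un
}

# check_nodeports PORT...
# Prints "<port> free|in-use|duplicate|out-of-range" for each candidate and
# returns 0 only when every candidate can be used as a new nodePort.
check_nodeports() {
  _used=" $(used_nodeports | tr '\n' ' ')"
  _seen=" "
  _rc=0
  for _p in "$@"; do
    case $_p in
      ''|*[!0-9]*) echo "$_p out-of-range"; _rc=1; continue ;;
    esac
    if [ "$_p" -lt 30000 ] || [ "$_p" -gt 32767 ]; then
      echo "$_p out-of-range"; _rc=1
    else
      case $_seen in *" $_p "*) echo "$_p duplicate"; _rc=1; continue ;; esac
      case $_used in
        *" $_p "*) echo "$_p in-use"; _rc=1 ;;
        *)         echo "$_p free" ;;
      esac
    fi
    _seen="$_seen$_p "
  done
  return $_rc
}

# Demo on the constructed listing with the ports chosen in step 3.
printf '%s\n' "$SAMPLE_SVC" | check_nodeports 30900 30901 30902 30903
```

A non-zero exit status means at least one candidate would collide or be rejected when the edited istio_ingressgateway.yaml is applied.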

