https://strimzi.io/docs/operators/latest/configuring.html
https://strimzi.io/docs/operators/latest/configuring.html#proc-accessing-kafka-using-ingress-str
https://strimzi.io/blog/2019/04/23/accessing-kafka-part-2/
Current Setup - no Ingress (Kohn):
- External Access via NodePorts
  - onap-strimzi-kafka-external-bootstrap (30493)
  - onap-strimzi-kafka-0 (30490)
  - onap-strimzi-kafka-1 (30491)
  - onap-strimzi-kafka-2 (30492)
- TLS termination on Kafka Pods
External Access to Kafka (DT implementation) in Jakarta/Kohn
- External Access via Ingress (Traefik)
- new TCP "EntryPoints" in Traefik Gateway for bootstrap and brokers
- Update Pod "clienttls" ports (9093) to use "advertisedHost" and "advertisedPort"
- NodePorts not used...
- IngressRouteTCP entry to "internal" bootstrap service
- IngressRouteTCP entries to external broker ports
Proposal for London (External Access via Ingress)
- External Access via Ingress (istio-ingress)
- new TLS ports on Ingress Gateway for bootstrap and brokers
- Disable TLS on "external" broker ports
- Disable all NodePorts in Service definitions
Test steps
- Add custom ports to istio-ingressgateway service (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html)
- Modify "external" pods to disable TLS
- Add "ingress" services to onap_strimzi
- "Add custom ports to istio-ingressgateway service"
1. Export existing service definition:
    kubectl -n istio-ingress get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml
2. Check existing NodePorts (the range of valid ports is 30000-32767):
    kubectl get svc -A | grep Load
    kubectl get svc -A | grep NodePort
3. Choose 4 free ports (e.g. 30900, 30901, 30902, 30903)
4. Edit istio_ingressgateway.yaml and add:
    - port: 9003
      nodePort: 30903
      targetPort: 9003
      name: kafka-bootstrap
      protocol: TCP
    - port: 9000
      nodePort: 30900
      targetPort: 9000
      name: kafka-0
      protocol: TCP
    - port: 9001
      nodePort: 30901
      targetPort: 9001
      name: kafka-1
      protocol: TCP
    - port: 9002
      nodePort: 30902
      targetPort: 9002
      name: kafka-2
      protocol: TCP
5. Apply changes:
    kubectl apply -f ./istio_ingressgateway.yaml
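
Steps 2 and 3 can be checked mechanically instead of by reading grep output. The following is an added example, not part of the original page: the function name check_nodeports and the SAMPLE_USED list are assumptions made for illustration. It reads the in-use NodePorts on stdin and vets each candidate before it is written into istio_ingressgateway.yaml.

```shell
#!/bin/sh
# Added example (not from the original page): vet candidate NodePorts
# before adding them to istio_ingressgateway.yaml.
#
# Against a cluster, feed it the ports currently allocated:
#   kubectl get svc -A -o jsonpath='{.items[*].spec.ports[*].nodePort}' \
#     | check_nodeports 30900 30901 30902 30903

# Constructed sample input: the four Kohn NodePorts listed on this page,
# plus 30901 added here only to demonstrate a conflict.
SAMPLE_USED="30490 30491 30492 30493 30901"

# check_nodeports CANDIDATE...
# stdin: whitespace-separated NodePorts already in use.
# Prints one verdict per candidate; returns 1 if any candidate is not a
# number, is outside 30000-32767, is listed twice, or is already in use.
check_nodeports() {
    used=" $(tr -s ' \t\n' ' ') "   # normalise stdin to " p1 p2 ... "
    seen=" "
    rc=0
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "$p: not a number"; rc=1; continue ;;
        esac
        if [ "$p" -lt 30000 ] || [ "$p" -gt 32767 ]; then
            echo "$p: outside 30000-32767"; rc=1
        elif [ "${seen#* $p }" != "$seen" ]; then
            echo "$p: listed twice"; rc=1
        elif [ "${used#* $p }" != "$used" ]; then
            echo "$p: already in use"; rc=1
        else
            echo "$p: free"
        fi
        seen="$seen$p "
    done
    return $rc
}
```

A non-zero return means at least one candidate must be replaced before step 4.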