https://strimzi.io/docs/operators/latest/configuring.html
https://strimzi.io/docs/operators/latest/configuring.html#proc-accessing-kafka-using-ingress-str
https://strimzi.io/blog/2019/04/23/accessing-kafka-part-2/
Current Setup - no Ingress (Kohn):
- External Access via NodePorts
- onap-strimzi-kafka-external-bootstrap (30493)
- onap-strimzi-kafka-0 (30490)
- onap-strimzi-kafka-1 (30491)
- onap-strimzi-kafka-2 (30492)
- TLS termination on Kafka Pods
External Access to Kafka (DT implementation) in Jakarta/Kohn
- External Access via Ingress (Traefik)
- new TCP "EntryPoints" in Traefik Gateway for bootstrap and brokers
- Update Pod "clienttls" ports (9093) to use "advertisedHost" and "advertisedPort"
- NodePorts not used...
- IngressRouteTCP entry to "internal" bootstrap service
- Use "tls passthrough"
- IngressRouteTCP entries to external broker ports
Proposal for London (External Access via Ingress)
- External Access via Ingress (istio-ingress)
- new TLS ports on Ingress Gateway for bootstrap and brokers
- Disable TLS on "external" broker ports
- Disable all NodePorts in Service definitions
Need to check:
https://github.com/istio/istio/issues/20076
Test steps on an existing ServiceMesh cluster
- Add custom ports to istio-ingressgateway service
  (https://www.dangtrinh.com/2019/09/how-to-open-custom-port-on-istio.html)
- Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHosts
- Add "ingress" services to onap_strimzi
- "Add custom ports to istio-ingressgateway service"
  1. Export the existing service definition:
       kubectl -n istio-ingress get service istio-ingressgateway -o yaml > istio_ingressgateway.yaml
  2. Check the NodePorts already in use (the range of valid ports is 30000-32767):
       kubectl get svc -A | grep Load
       kubectl get svc -A | grep NodePort
  3. Choose 4 free ports (e.g. 30900, 30901, 30902, 30903)
  4. Edit istio_ingressgateway.yaml and add the following entries under spec.ports:
       - port: 9003
         nodePort: 30903
         targetPort: 9003
         name: kafka-bootstrap
         protocol: TCP
       - port: 9000
         nodePort: 30900
         targetPort: 9000
         name: kafka-0
         protocol: TCP
       - port: 9001
         nodePort: 30901
         targetPort: 9001
         name: kafka-1
         protocol: TCP
       - port: 9002
         nodePort: 30902
         targetPort: 9002
         name: kafka-2
         protocol: TCP
  5. Apply the changes:
       kubectl apply -f ./istio_ingressgateway.yaml
- "Modify onap-strimzi-kafka pods and services to disable TLS and set advertisedHosts"
  1. Log in to the K8S control node and set up the helm environment:
       helm repo add local http://127.0.0.1:8879
       helm plugin install --version v0.10.3 https://github.com/chartmuseum/helm-push.git
       git config --global --add safe.directory /opt/oom
  2. Modify the onap-strimzi config:
       cd /opt/oom/kubernetes
       vi strimzi/templates/strimzi-kafka.yaml
     Update "tls" and "authentication.type" of the "external" kafka listener, and add the
     advertisedHost/advertisedPort per broker so clients are pointed at the ingress gateway ports:
       - name: external
         port: 9094
         type: nodeport
         tls: false
         authentication:
           type: {{ .Values.config.saslMechanism }}
         configuration:
           brokers:
             - broker: 0
               advertisedHost: kafka-api.simpledemo.onap.org
               advertisedPort: 9000
             - broker: 1
               advertisedHost: kafka-api.simpledemo.onap.org
               advertisedPort: 9001
             - broker: 2
               advertisedHost: kafka-api.simpledemo.onap.org
               advertisedPort: 9002
  3. Apply the changes to onap-strimzi:
       helm upgrade -i onap-strimzi local/strimzi --namespace onap --version 12.0.0 \
         --values /opt/oom/kubernetes/onap/values.yaml \
         --values /opt/oom/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml \
         --values /opt/oom/kubernetes/onap/resources/overrides/environment.yaml \
         --values /home/ubuntu/oom/master/onap-overrides.yaml \
         --timeout '900s'
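The two procedures above (picking free NodePorts for the istio-ingressgateway Service, and pointing each broker's advertisedPort at the matching gateway port) are easy to get subtly wrong: a nodePort that another Service already holds, or a broker whose advertisedPort has no gateway port behind it, only shows up when clients fail to connect. The following pre-flight check is an added example, not code from the OOM or Strimzi projects. It works on constructed samples shaped like `kubectl get svc -A -o json` output, the four new gateway port entries, and the rendered "external" listener; the `scram-sha-512` value stands in for the `{{ .Values.config.saslMechanism }} template and the `monitoring-ui` Service holding NodePort 30901 is invented to show a collision. It also flags that with `tls: false` the gateway-to-broker hop is plaintext unless the mesh enforces mTLS.

```python
# Added example (not from the OOM/Strimzi page above): cross-check the planned
# istio-ingressgateway Service ports against the Strimzi "external" listener.
# Every input below is a constructed sample in the shape of the real objects.
import json

NODEPORT_RANGE = range(30000, 32768)  # valid Kubernetes NodePort range

# Constructed: trimmed shape of `kubectl get svc -A -o json` on the cluster
EXISTING_SVC_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "onap", "name": "onap-strimzi-kafka-external-bootstrap"},
     "spec": {"type": "NodePort", "ports": [{"port": 9094, "nodePort": 30493}]}},
    {"metadata": {"namespace": "onap", "name": "onap-strimzi-kafka-0"},
     "spec": {"type": "NodePort", "ports": [{"port": 9094, "nodePort": 30490}]}},
    {"metadata": {"namespace": "istio-ingress", "name": "istio-ingressgateway"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "nodePort": 31380},
                                                {"port": 443, "nodePort": 31390}]}},
    {"metadata": {"namespace": "onap", "name": "monitoring-ui"},   # constructed collision
     "spec": {"type": "NodePort", "ports": [{"port": 8080, "nodePort": 30901}]}},
    {"metadata": {"namespace": "onap", "name": "some-clusterip"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]}},
]})

# The four entries the procedure adds to the istio-ingressgateway Service
NEW_GATEWAY_PORTS = [
    {"port": 9003, "nodePort": 30903, "targetPort": 9003, "name": "kafka-bootstrap", "protocol": "TCP"},
    {"port": 9000, "nodePort": 30900, "targetPort": 9000, "name": "kafka-0", "protocol": "TCP"},
    {"port": 9001, "nodePort": 30901, "targetPort": 9001, "name": "kafka-1", "protocol": "TCP"},
    {"port": 9002, "nodePort": 30902, "targetPort": 9002, "name": "kafka-2", "protocol": "TCP"},
]

# The rendered "external" listener; "scram-sha-512" stands in for the
# {{ .Values.config.saslMechanism }} template value (assumption).
HOST = "kafka-api.simpledemo.onap.org"
EXTERNAL_LISTENER = {
    "name": "external", "port": 9094, "type": "nodeport", "tls": False,
    "authentication": {"type": "scram-sha-512"},
    "configuration": {"brokers": [
        {"broker": 0, "advertisedHost": HOST, "advertisedPort": 9000},
        {"broker": 1, "advertisedHost": HOST, "advertisedPort": 9001},
        {"broker": 2, "advertisedHost": HOST, "advertisedPort": 9002},
    ]},
}


def used_node_ports(svc_json):
    """Collect every nodePort already allocated by any Service in the cluster."""
    used = set()
    for svc in json.loads(svc_json)["items"]:
        for p in svc["spec"].get("ports", []):
            if "nodePort" in p:
                used.add(p["nodePort"])
    return used


def pick_free_node_ports(used, count, start=30900):
    """Return the first `count` NodePorts >= start that no Service uses yet."""
    free = [p for p in range(start, NODEPORT_RANGE.stop) if p not in used][:count]
    if len(free) < count:
        raise ValueError("not enough free NodePorts in range")
    return free


def validate_gateway_ports(new_ports, used):
    """Errors that would make `kubectl apply` fail or clash with another Service."""
    errors, seen_node, seen_name = [], set(), set()
    for e in new_ports:
        np, name = e["nodePort"], e["name"]
        if np not in NODEPORT_RANGE:
            errors.append(f"{name}: nodePort {np} outside 30000-32767")
        if np in used:
            errors.append(f"{name}: nodePort {np} is already used by another Service")
        if np in seen_node:
            errors.append(f"{name}: nodePort {np} duplicated within the new entries")
        if name in seen_name:
            errors.append(f"{name}: port name duplicated (names must be unique)")
        if e.get("protocol", "TCP") != "TCP":
            errors.append(f"{name}: Kafka listeners need protocol TCP")
        seen_node.add(np)
        seen_name.add(name)
    return errors


def check_listener_against_gateway(listener, new_ports):
    """Each broker's advertisedPort must be a gateway port named kafka-<broker id>."""
    errors = []
    by_name = {p["name"]: p for p in new_ports}
    if "kafka-bootstrap" not in by_name:
        errors.append("gateway has no kafka-bootstrap port for the bootstrap service")
    for b in listener["configuration"]["brokers"]:
        name = f"kafka-{b['broker']}"
        gw = by_name.get(name)
        if gw is None:
            errors.append(f"broker {b['broker']}: no gateway port named {name}")
        elif gw["port"] != b["advertisedPort"]:
            errors.append(f"broker {b['broker']}: advertisedPort {b['advertisedPort']} "
                          f"!= gateway port {gw['port']} ({name})")
    return errors


def listener_warnings(listener):
    """Non-fatal findings a reviewer should see before applying the change."""
    warnings = []
    if listener.get("tls") is False:
        warnings.append("listener tls=false: TLS now ends at the ingress gateway, so the "
                        "gateway-to-broker hop is plaintext unless the mesh enforces mTLS")
    if not listener.get("authentication", {}).get("type"):
        warnings.append("listener has no authentication: anyone reaching the gateway can connect")
    return warnings


if __name__ == "__main__":
    used = used_node_ports(EXISTING_SVC_JSON)
    print("free NodePorts:", pick_free_node_ports(used, 4))
    for msg in validate_gateway_ports(NEW_GATEWAY_PORTS, used):
        print("ERROR", msg)
    for msg in check_listener_against_gateway(EXTERNAL_LISTENER, NEW_GATEWAY_PORTS):
        print("ERROR", msg)
    for msg in listener_warnings(EXTERNAL_LISTENER):
        print("WARN ", msg)
```

On a real cluster, replace EXISTING_SVC_JSON with the output of `kubectl get svc -A -o json` and the two literals with the entries you actually edited into istio_ingressgateway.yaml and strimzi-kafka.yaml; with the constructed sample the script reports that kafka-1 cannot take 30901 and suggests 30900, 30902, 30903, 30904 instead, while the listener-to-gateway mapping checks out.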