From 23e1d9e6e052cb374e22bc732505bf4e026fb3a3 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Wed, 19 Jul 2017 07:08:30 +0200
Subject: [PATCH 1/6] Temp commit so that github allows a PR to be created, where I can keep notes
---
 10broker-config.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/10broker-config.yml b/10broker-config.yml
index a246e808..bbf0e446 100644
--- a/10broker-config.yml
+++ b/10broker-config.yml
@@ -34,6 +34,8 @@ data:
 # The id of the broker. This must be set to a unique integer for each broker.
 broker.id=${KAFKA_BROKER_ID}
+ #broker.rack=${KAFKA_BROKER_RACK}
+
 # Switch to enable topic deletion or not, default value is false
 delete.topic.enable=true
From c0645eefd5dc75b9e9b002b5dd5b009d39b6fd42 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Tue, 1 Aug 2017 06:52:58 +0200
Subject: [PATCH 2/6] Starts scripting, but the API call gets 403 for anonymous user
---
 10broker-config.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/10broker-config.yml b/10broker-config.yml
index bbf0e446..93bc8f0e 100644
--- a/10broker-config.yml
+++ b/10broker-config.yml
@@ -11,6 +11,19 @@ data:
 export KAFKA_BROKER_ID=${HOSTNAME##*-}
 sed -i "s/\${KAFKA_BROKER_ID}/$KAFKA_BROKER_ID/" /etc/kafka/server.properties
+ PODNAME=$HOSTNAME
+ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+
+ # todo add curl to kafka image, switch to a curl image for init or write the whole lookup in java
+ hash curl 2>/dev/null || { apt-get update; DEBIAN_FRONTEND=noninteractive apt-get install curl -y --no-install-recommends; }
+
+ API=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT/api
+ AUTH="--cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --header \"Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)\""
+
+ curl -s $AUTH $API/namespaces/kafka/pods/$PODNAME -I --fail-early || {
+ echo "Access problems. Could be RBAC."
+ }
+
 server.properties: |-
 # Licensed to the Apache Software Foundation (ASF) under one or more
 # contributor license agreements. See the NOTICE file distributed with
From 8fe76ff94e7452bd183df3d63af262822a695d71 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Thu, 3 Aug 2017 06:28:41 +0200
Subject: [PATCH 3/6] Looks up zone if kubectl is found, tries to not break config otherwise
---
 10broker-config.yml | 24 ++++++++++++------------
 50kafka.yml | 5 +++++
 2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/10broker-config.yml b/10broker-config.yml
index 93bc8f0e..8f9d9d5a 100644
--- a/10broker-config.yml
+++ b/10broker-config.yml
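Review bot: On the `curl -s $AUTH …` line, `$AUTH` is expanded unquoted, so the value built on the `AUTH=` line is word-split into `--header`, `"Authorization:`, `Bearer` and `<token>"` as separate arguments and the escaped quotes stay literal; no usable Authorization header reaches the API server, which is consistent with the 403 for an anonymous user mentioned in the subject. Holding the options in a bash array (`AUTH=(--cacert … --header "Authorization: Bearer $(cat …)")` and `"${AUTH[@]}"`) fixes the splitting; passing the token through a curl config file instead of a command-line argument would additionally keep it out of the container's process list and of any `set -x` trace. `NAMESPACE` is read from the service-account mount but the request path hardcodes `namespaces/kafka`, so `$NAMESPACE` should be used there instead. The init script's block scalar starts outside the hunk.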
@@ -11,17 +11,17 @@ data:
 export KAFKA_BROKER_ID=${HOSTNAME##*-}
 sed -i "s/\${KAFKA_BROKER_ID}/$KAFKA_BROKER_ID/" /etc/kafka/server.properties
- PODNAME=$HOSTNAME
- NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
-
- # todo add curl to kafka image, switch to a curl image for init or write the whole lookup in java
- hash curl 2>/dev/null || { apt-get update; DEBIAN_FRONTEND=noninteractive apt-get install curl -y --no-install-recommends; }
-
- API=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT/api
- AUTH="--cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --header \"Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)\""
-
- curl -s $AUTH $API/namespaces/kafka/pods/$PODNAME -I --fail-early || {
- echo "Access problems. Could be RBAC."
+ hash kubectl 2>/dev/null || {
+ sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# kubectl not found in path/" /etc/kafka/server.properties
+ } && {
+ ZONE=$(kubectl get node "$NODE_NAME" -o=go-template='{{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}')
+ if [ $? -ne 0 ]; then
+ sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# zone lookup failed, see -c init-config logs/" /etc/kafka/server.properties
+ elif [ "x$ZONE" == "x" ]; then
+ sed -i "s/#init#broker.rack=#init#/#init#broker.rack=# zone label not found for node $NODE_NAME/" /etc/kafka/server.properties
+ else
+ sed -i "s/#init#broker.rack=#init#/broker.rack=$ZONE/" /etc/kafka/server.properties
+ fi
 }
 server.properties: |-
@@ -47,7 +47,7 @@ data:
 # The id of the broker. This must be set to a unique integer for each broker.
 broker.id=${KAFKA_BROKER_ID}
- #broker.rack=${KAFKA_BROKER_RACK}
+ #init#broker.rack=#init#
 # Switch to enable topic deletion or not, default value is false
 delete.topic.enable=true
diff --git a/50kafka.yml b/50kafka.yml
index 4404a6be..1280590c 100644
--- a/50kafka.yml
+++ b/50kafka.yml
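Review bot: `hash kubectl 2>/dev/null || { … } && { … }` on the new side parses as `(hash || {…}) && {…}`, so when kubectl is missing the fallback sed runs and the lookup block still runs afterwards, calling the absent kubectl and taking the `$? -ne 0` branch (whose sed is a no-op because the `#init#` marker was already consumed); the intent reads as if/else, so change the three structural lines to `if ! hash kubectl 2>/dev/null; then`, `else` and `fi`. Separately, kubectl's go-template output for a label that is absent may render as the literal `<no value>` rather than an empty string — worth confirming on the target kubectl version — in which case the `elif [ "x$ZONE" == "x" ]` branch never fires and `broker.rack=<no value>` is written; checking for that literal, or validating `$ZONE` against the Kubernetes label-value character set before it is spliced into the sed replacement, makes the fallback path reliable. The `@@ -47` hunk in this file only swaps the placeholder text and needs no change. The enclosing init script block scalar starts outside the hunk.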
@@ -16,6 +16,11 @@ spec:
 initContainers:
 - name: init-config
 image: solsson/kafka:0.11.0.0@sha256:b27560de08d30ebf96d12e74f80afcaca503ad4ca3103e63b1fd43a2e4c976ce
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
 command: ['/bin/bash', '/etc/kafka/init.sh']
 volumeMounts:
 - name: config
From 7e7b342b108a2e2c18446a3ecc7012eec8b8cd51 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Thu, 3 Aug 2017 06:52:13 +0200
Subject: [PATCH 4/6] Uses an image with kubectl based on the same debian tag as kafka
---
 50kafka.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/50kafka.yml b/50kafka.yml
index 1280590c..c92d68e8 100644
--- a/50kafka.yml
+++ b/50kafka.yml
@@ -15,7 +15,7 @@ spec:
 terminationGracePeriodSeconds: 30
 initContainers:
 - name: init-config
- image: solsson/kafka:0.11.0.0@sha256:b27560de08d30ebf96d12e74f80afcaca503ad4ca3103e63b1fd43a2e4c976ce
+ image: solsson/kubectl-kafkacat@sha256:450cf4e25f19020ab23200890e51aad333eec9bbff28ce6c22c90146aa726075
 env:
 - name: NODE_NAME
 valueFrom:
From 3678ad5db2290af7a1bbc64d297de2d40edc2a6e Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Thu, 3 Aug 2017 14:19:50 +0200
Subject: [PATCH 5/6] I suppose most init scripts will do fine with curl+kubectl+bash
---
 50kafka.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/50kafka.yml b/50kafka.yml
index c92d68e8..2c42dc77 100644
--- a/50kafka.yml
+++ b/50kafka.yml
@@ -15,7 +15,7 @@ spec:
 terminationGracePeriodSeconds: 30
 initContainers:
 - name: init-config
- image: solsson/kubectl-kafkacat@sha256:450cf4e25f19020ab23200890e51aad333eec9bbff28ce6c22c90146aa726075
+ image: solsson/kafka-initutils@sha256:c275d681019a0d8f01295dbd4a5bae3cfa945c8d0f7f685ae1f00f2579f08c7d
 env:
 - name: NODE_NAME
 valueFrom:
From ff972b99cc6ae2af5d5d420c43ce1304e6879aeb Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 07:02:46 +0200
Subject: [PATCH 6/6] Adds RBAC policy for kubectl to look up node's zone
---
 rbac-namespace-default/node-reader.yml | 37 ++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rbac-namespace-default/node-reader.yml
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
new file mode 100644
index 00000000..edf3dde1
--- /dev/null
+++ b/rbac-namespace-default/node-reader.yml
@@ -0,0 +1,37 @@
+# To see if init containers need RBAC:
+#
+# $ kubectl exec kafka-0 -- cat /etc/kafka/server.properties | grep broker.rack
+# #init#broker.rack=# zone lookup failed, see -c init-config logs
+# $ kubectl logs -c init-config kafka-0
+# ++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
+# Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
+#
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: node-reader
+ labels:
+ origin: github.com_Yolean_kubernetes-kafka
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: kafka-node-reader
+ labels:
+ origin: github.com_Yolean_kubernetes-kafka
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-reader
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: kafka
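Review bot: The `subjects` entry binds the `node-reader` ClusterRole to the `default` ServiceAccount of namespace `kafka`, which is the identity of every pod in that namespace that does not set `serviceAccountName`, so cluster-wide `get nodes` is granted well beyond the one init container that performs the zone lookup. A dedicated ServiceAccount for the Kafka StatefulSet (a `ServiceAccount` manifest, `serviceAccountName` in the pod spec of 50kafka.yml, and `name: <sa-name>` in `subjects` here) keeps the grant scoped to the workload that needs it; `get` on `nodes` is already the minimum verb and resource for the lookup. The header comment explains how to detect the missing permission but not what the role is for; a line such as `# Lets the kafka init container read the node's failure-domain zone label for broker.rack` would document the scope. `rbac.authorization.k8s.io/v1beta1` is the beta API; newer clusters serve the same kinds under `rbac.authorization.k8s.io/v1`, so plan for that move.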