author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2020-03-11 15:47:18 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2020-03-11 15:47:18 +0000 |
commit | 97b24386228230f11f3401976075b91a6ded3b7b (patch) | |
tree | f6fe2a4bcbf3861de6bd4e546854566aac9b1224 /kubernetes | |
parent | def29252f39f5432c51bfd3d753bbf35c2060256 (diff) | |
parent | e10aee3d209ba9e809050dd2657de2b5bcdac4ce (diff) |
Merge "Helm changes for new Kafka and zk images"
Diffstat (limited to 'kubernetes')
19 files changed, 508 insertions, 534 deletions
diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/cadi.properties b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/cadi.properties index 1e7d7d38ac..977699d83a 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/cadi.properties +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/cadi.properties @@ -2,13 +2,13 @@ aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 aaf_env=DEV aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm -cadi_truststore=/opt/kafka/config/org.onap.dmaap.mr.trust.jks +cadi_truststore=/etc/kafka/secrets/cert/org.onap.dmaap.mr.trust.jks cadi_truststore_password=enc:gvXm0E9p-_SRNw5_feOUE7wqXBxgxV3S_bdAyB08Sq9F35cCUZHWgQyKIDtTAbEw -cadi_keyfile=/opt/kafka/config/org.onap.dmaap.mr.keyfile +cadi_keyfile=/etc/kafka/secrets/cert/org.onap.dmaap.mr.keyfile cadi_alias=dmaapmr@mr.dmaap.onap.org -cadi_keystore=/opt/kafka/config/org.onap.dmaap.mr.p12 +cadi_keystore=/etc/kafka/secrets/cert/org.onap.dmaap.mr.p12 cadi_keystore_password=enc:pLMCzQzk-OP7IpYNi0TPtQSkNcraFAdarZG8HbdOKq4BycW6g_7mfhphLhOZo6ht cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/jmx-kafka-prometheus.yml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/jmx-kafka-prometheus.yml new file mode 100644 index 0000000000..2ab713e789 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/jmx-kafka-prometheus.yml 
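Review bot: The three store paths now point at `/etc/kafka/secrets/cert/`, but none of this commit's statefulset hunks mount a volume there (the only AAF-related mount is `cadi.properties` itself at `/etc/kafka/data/cadi.properties`), so the truststore, keyfile and keystore must come from the `kafka111:1.0.3` image or from a mount outside the visible hunks. Worth confirming before merge, because a wrong path only surfaces as a CADI failure at broker start with `aafEnabled`, not at render time. If the files are baked into the image, a header comment such as `# truststore/keyfile/keystore are expected under /etc/kafka/secrets/cert (shipped in the kafka image, not mounted by this chart)` would spare the next reader the search.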
@@ -0,0 +1,23 @@ +jmxUrl: service:jmx:rmi:///jndi/rmi://localhost:{{ .Values.jmx.port }}/jmxrmi +lowercaseOutputName: true +lowercaseOutputLabelNames: true +ssl: false +rules: +- pattern : kafka.server<type=ReplicaManager, name=(.+)><>(Value|OneMinuteRate) + name: "cp_kafka_server_replicamanager_$1" +- pattern : kafka.controller<type=KafkaController, name=(.+)><>Value + name: "cp_kafka_controller_kafkacontroller_$1" +- pattern : kafka.server<type=BrokerTopicMetrics, name=(.+)><>OneMinuteRate + name: "cp_kafka_server_brokertopicmetrics_$1" +- pattern : kafka.network<type=RequestMetrics, name=RequestsPerSec, request=(.+)><>OneMinuteRate + name: "cp_kafka_network_requestmetrics_requestspersec_$1" +- pattern : kafka.network<type=SocketServer, name=NetworkProcessorAvgIdlePercent><>Value + name: "cp_kafka_network_socketserver_networkprocessoravgidlepercent" +- pattern : kafka.server<type=ReplicaFetcherManager, name=MaxLag, clientId=(.+)><>Value + name: "cp_kafka_server_replicafetchermanager_maxlag_$1" +- pattern : kafka.server<type=KafkaRequestHandlerPool, name=RequestHandlerAvgIdlePercent><>OneMinuteRate + name: "cp_kafka_kafkarequesthandlerpool_requesthandleravgidlepercent" +- pattern : kafka.controller<type=ControllerStats, name=(.+)><>OneMinuteRate + name: "cp_kafka_controller_controllerstats_$1" +- pattern : kafka.server<type=SessionExpireListener, name=(.+)><>OneMinuteRate + name: "cp_kafka_server_sessionexpirelistener_$1" diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/log4j.properties b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/log4j.properties deleted file mode 100644 index 8e20fa48aa..0000000000 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/log4j.properties +++ /dev/null 
@@ -1,74 +0,0 @@ -log4j.rootLogger=INFO, stdout, kafkaAppender - -log4j.appender.stdout=org.apache.log4j.ConsoleAppender -log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n - -log4j.appender.kafkaAppender=org.apache.log4j.DailyRollingFileAppender -log4j.appender.kafkaAppender.DatePattern='.'yyyy-MM-dd-HH -log4j.appender.kafkaAppender.File=${kafka.logs.dir}/server.log -log4j.appender.kafkaAppender.layout=org.apache.log4j.PatternLayout -log4j.appender.kafkaAppender.layout.ConversionPattern=[%d] %p %m (%c)%n - -log4j.appender.stateChangeAppender=org.apache.log4j.DailyRollingFileAppender -log4j.appender.stateChangeAppender.DatePattern='.'yyyy-MM-dd-HH -log4j.appender.stateChangeAppender.File=${kafka.logs.dir}/state-change.log -log4j.appender.stateChangeAppender.layout=org.apache.log4j.PatternLayout -log4j.appender.stateChangeAppender.layout.ConversionPattern=[%d] %p %m (%c)%n - -log4j.appender.requestAppender=org.apache.log4j.DailyRollingFileAppender -log4j.appender.requestAppender.DatePattern='.'yyyy-MM-dd-HH -log4j.appender.requestAppender.File=${kafka.logs.dir}/kafka-request.log -log4j.appender.requestAppender.layout=org.apache.log4j.PatternLayout -log4j.appender.requestAppender.layout.ConversionPattern=[%d] %p %m (%c)%n - -log4j.appender.cleanerAppender=org.apache.log4j.DailyRollingFileAppender -log4j.appender.cleanerAppender.DatePattern='.'yyyy-MM-dd-HH -log4j.appender.cleanerAppender.File=${kafka.logs.dir}/log-cleaner.log -log4j.appender.cleanerAppender.layout=org.apache.log4j.PatternLayout -log4j.appender.cleanerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n - -log4j.appender.controllerAppender=org.apache.log4j.DailyRollingFileAppender -log4j.appender.controllerAppender.DatePattern='.'yyyy-MM-dd-HH -log4j.appender.controllerAppender.File=${kafka.logs.dir}/controller.log -log4j.appender.controllerAppender.layout=org.apache.log4j.PatternLayout 
-log4j.appender.controllerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n - -log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender -log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH -log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log -log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout -log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n - -# Change the two lines below to adjust ZK client logging -log4j.logger.org.I0Itec.zkclient.ZkClient=INFO -log4j.logger.org.apache.zookeeper=INFO - -# Change the two lines below to adjust the general broker logging level (output to server.log and stdout) -log4j.logger.kafka=INFO -log4j.logger.org.apache.kafka=INFO - -# Change to DEBUG or TRACE to enable request logging -log4j.logger.kafka.request.logger=WARN, requestAppender -log4j.additivity.kafka.request.logger=false - -# Uncomment the lines below and change log4j.logger.kafka.network.RequestChannel$ to TRACE for additional output -# related to the handling of requests -#log4j.logger.kafka.network.Processor=TRACE, requestAppender -#log4j.logger.kafka.server.KafkaApis=TRACE, requestAppender -#log4j.additivity.kafka.server.KafkaApis=false -log4j.logger.kafka.network.RequestChannel$=WARN, requestAppender -log4j.additivity.kafka.network.RequestChannel$=false - -log4j.logger.kafka.controller=TRACE, controllerAppender -log4j.additivity.kafka.controller=false - -log4j.logger.kafka.log.LogCleaner=INFO, cleanerAppender -log4j.additivity.kafka.log.LogCleaner=false - -log4j.logger.state.change.logger=TRACE, stateChangeAppender -log4j.additivity.state.change.logger=false - -# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses -log4j.logger.kafka.authorizer.logger=INFO, authorizerAppender -log4j.additivity.kafka.authorizer.logger=false 
diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/server.properties b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/server.properties deleted file mode 100644 index 5016507bfd..0000000000 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/config/server.properties +++ /dev/null 
@@ -1,122 +0,0 @@ -############################# Socket Server Settings ############################# - -# The address the socket server listens on. It will get the value returned from -# java.net.InetAddress.getCanonicalHostName() if not configured. -# FORMAT: -# listeners = listener_name://host_name:port -# EXAMPLE: -# listeners = PLAINTEXT://your.host.name:9092 -listeners=EXTERNAL_SASL_PLAINTEXT://0.0.0.0:9093,INTERNAL_SASL_PLAINTEXT://0.0.0.0:9092 - -# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details -listener.security.protocol.map=INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT - -# The number of threads that the server uses for receiving requests from the network and sending responses to the network -num.network.threads=3 - -# The number of threads that the server uses for processing requests, which may include disk I/O -num.io.threads=8 - -# The send buffer (SO_SNDBUF) used by the socket server -socket.send.buffer.bytes=102400 - -#The number of hours to keep a log file before deleting it -log.retention.hours=168 -#The maximum size of the log before deleting it -log.retention.bytes=21474836480 - -# The receive buffer (SO_RCVBUF) used by the socket server -socket.receive.buffer.bytes=102400 - -# The maximum size of a request that the socket server will accept (protection against OOM) -socket.request.max.bytes=104857600 - - -############################# Log Basics ############################# - -# A comma separated list of directories under which to store log files -log.dirs=/opt/kafka/data - -# The default number of log partitions per topic. More partitions allow greater -# parallelism for consumption, but this will also result in more files across -# the brokers. -num.partitions={{ .Values.defaultpartitions }} - -# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown. 
-# This value is recommended to be increased for installations with data dirs located in RAID array. -num.recovery.threads.per.data.dir=1 - -############################# Internal Topic Settings ############################# -# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state" -# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3. -offsets.topic.replication.factor={{ .Values.replicaCount }} -transaction.state.log.replication.factor=1 -transaction.state.log.min.isr=1 - -############################# Log Flush Policy ############################# - -# Messages are immediately written to the filesystem but by default we only fsync() to sync -# the OS cache lazily. The following configurations control the flush of data to disk. -# There are a few important trade-offs here: -# 1. Durability: Unflushed data may be lost if you are not using replication. -# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush. -# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks. -# The settings below allow one to configure the flush policy to flush data after a period of time or -# every N messages (or both). This can be done globally and overridden on a per-topic basis. - -# The number of messages to accept before forcing a flush of data to disk -#log.flush.interval.messages=10000 - -# The maximum amount of time a message can sit in a log before we force a flush -#log.flush.interval.ms=1000 - -############################# Log Retention Policy ############################# - -# The following configurations control the disposal of log segments. The policy can -# be set to delete segments after a period of time, or after a given size has accumulated. 
-# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens -# from the end of the log. - -# The minimum age of a log file to be eligible for deletion due to age -log.retention.hours=168 - -# A size-based retention policy for logs. Segments are pruned from the log unless the remaining -# segments drop below log.retention.bytes. Functions independently of log.retention.hours. -#log.retention.bytes=1073741824 - -# The maximum size of a log segment file. When this size is reached a new log segment will be created. -log.segment.bytes=1073741824 - -# The interval at which log segments are checked to see if they can be deleted according -# to the retention policies -log.retention.check.interval.ms=300000 - -############################# Zookeeper ############################# - -# Zookeeper connection string (see zookeeper docs for details). -# This is a comma separated host:port pairs, each corresponding to a zk -# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002". -# You can also append an optional chroot string to the urls to specify the -# root directory for all kafka znodes. -zookeeper.connect={{ include "common.release" . }}-{{.Values.zookeeper.name}}-0.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-1.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-2.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}} - -# Timeout in ms for connecting to zookeeper -zookeeper.connection.timeout.ms=6000 - - -############################# Group Coordinator Settings ############################# - -# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance. 
-# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms. -# The default value for this is 3 seconds. -# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing. -# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup. -group.initial.rebalance.delay.ms=0 - -inter.broker.listener.name=INTERNAL_SASL_PLAINTEXT -default.replication.factor={{ .Values.replicaCount }} -delete.topic.enable=true -sasl.enabled.mechanisms=PLAIN -authorizer.class.name=org.onap.dmaap.kafkaAuthorize.KafkaCustomAuthorizer -version=1.1.1 -sasl.mechanism.inter.broker.protocol=PLAIN diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/jaas/kafka_server_jaas.conf b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/jaas/kafka_server_jaas.conf new file mode 100644 index 0000000000..ff43fbb141 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/jaas/kafka_server_jaas.conf @@ -0,0 +1,11 @@ +KafkaServer { + org.onap.dmaap.kafkaAuthorize.PlainLoginModule1 required + username="${KAFKA_ADMIN}" + password="${KAFKA_PSWD}" + user_${KAFKA_ADMIN}="${KAFKA_PSWD}"; +}; +Client { + org.apache.zookeeper.server.auth.DigestLoginModule required + username="${ZK_ADMIN}" + password="${ZK_PSWD}"; + }; diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/jaas/zk_client_jaas.conf b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/jaas/zk_client_jaas.conf new file mode 100644 index 0000000000..0755c1e2b7 --- /dev/null +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/resources/jaas/zk_client_jaas.conf 
@@ -0,0 +1,5 @@ +Client { + org.apache.zookeeper.server.auth.DigestLoginModule required + username="${ZK_ADMIN}" + password="${ZK_PSWD}"; + };
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/configmap.yaml index e579d82780..50398987d2 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/configmap.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/configmap.yaml @@ -12,10 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. +{{- if .Values.global.aafEnabled }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-server-prop-configmap + name: {{ include "common.fullname" . }}-cadi-prop-configmap namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -23,12 +24,12 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/server.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/cadi.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-cadi-prop-configmap + name: {{ include "common.fullname" . }}-jaas-configmap namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -36,13 +37,14 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/cadi.properties").AsConfig . | indent 2 }} ---- +{{ tpl (.Files.Glob "resources/jaas/kafka_server_jaas.conf").AsConfig . | indent 2 }} + +{{ else }} apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-log4j-prop-configmap + name: {{ include "common.fullname" . }}-jaas-configmap namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} 
@@ -50,6 +52,22 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/log4j.properties").AsConfig . | indent 2 }} ---- +{{ tpl (.Files.Glob "resources/jaas/zk_client_jaas.conf").AsConfig . | indent 2 }} + +{{- end }} +{{- if .Values.prometheus.jmx.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-prometheus-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ (.Files.Glob "resources/config/jmx-kafka-prometheus.yml").AsConfig | indent 2 }} +--- +{{- end }}
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/Chart.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/secrets.yaml index 921865dcbe..58a10662e8 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/Chart.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/secrets.yaml @@ -1,5 +1,4 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T +# Copyright © 2020 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,8 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: v1 -description: ONAP Message Router Kafka Service -name: message-router-mirrormaker -version: 5.0.0 - +{{ include "common.secret" . }}
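Review bot: When `prometheus.jmx.enabled` is true, the `apiVersion: v1` that opens the prometheus ConfigMap follows the jaas ConfigMap's `data:` block with no `---` in between (the only separator is after the prometheus document), so both branches of the `aafEnabled` conditional render one YAML document with repeated `apiVersion`/`kind`/`metadata` keys; the default `enabled: false` hides this. Moving the `---` from after the prometheus ConfigMap to the line before its `apiVersion: v1` fixes it. Separately, that ConfigMap renders `jmx-kafka-prometheus.yml` with `.AsConfig` but without `tpl`, unlike the other three `data:` lines, so the `{{ .Values.jmx.port }}` in the new file's `jmxUrl` reaches the exporter as literal text; `{{ tpl (.Files.Glob "resources/config/jmx-kafka-prometheus.yml").AsConfig . | indent 2 }}` matches the others.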
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml index aa97e32a9a..ab3a6bf852 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/templates/statefulset.yaml @@ -1,4 +1,3 @@ -# Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -32,6 +31,11 @@ spec: labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} + {{- if .Values.prometheus.jmx.enabled }} + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.prometheus.jmx.port | quote }} + {{- end }} spec: podAntiAffinity: {{if eq .Values.podAntiAffinityType "hard" -}} @@ -47,10 +51,14 @@ spec: operator: In values: - {{ include "common.name" . }} + - key: "release" + operator: In + values: + - {{ include "common.release" . }} topologyKey: "kubernetes.io/hostname" {{- if .Values.nodeAffinity }} nodeAffinity: - {{ toYaml .Values.nodeAffinity | indent 10 }} + {{ toYaml .Values.nodeAffinity | indent 10 }} {{- end }} initContainers: - name: {{ include "common.name" . }}-initcontainer 
@@ -74,24 +82,58 @@ spec: - sh - -exec - | - chown -R 1000:1000 /opt/kafka/data; - rm -rf '/opt/kafka/data/lost+found'; - cp /opt/kafka/tmpconfig/server.properties /opt/kafka/config/; - chown 1000:1000 /opt/kafka/config/server.properties; - cd /opt/kafka/config; - ls; + chown -R 1000:0 /var/lib/kafka/data; image: "{{ .Values.busyBoxRepository }}/{{ .Values.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - - mountPath: /opt/kafka/data + - mountPath: /var/lib/kafka/data name: kafka-data - - mountPath: /opt/kafka/tmpconfig/server.properties - subPath: server.properties - name: server - - mountPath: /opt/kafka/config - name: config-data name: {{ include "common.name" . }}-permission-fixer + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/etc/kafka/secrets/jaas/${PFILE}; done" + env: + - name: ZK_ADMIN + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "zk-client" "key" "login") | indent 10 }} + - name: ZK_PSWD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "zk-client" "key" "password") | indent 10 }} + - name: KAFKA_ADMIN + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "kafka-admin" "key" "login") | indent 10 }} + - name: KAFKA_PSWD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "kafka-admin" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /etc/kafka/secrets/jaas + name: jaas-config + - mountPath: /config-input + name: jaas + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}}-update-config containers: + {{- if .Values.prometheus.jmx.enabled }} + - name: prometheus-jmx-exporter + image: "{{ .Values.prometheus.jmx.imageRepository }}/{{ .Values.prometheus.jmx.image }}:{{ .Values.prometheus.jmx.imageTag }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - java + - -XX:+UnlockExperimentalVMOptions + - -XX:+UseCGroupMemoryLimitForHeap + - -XX:MaxRAMFraction=1 + - -XshowSettings:vm + - -jar + - jmx_prometheus_httpserver.jar + - {{ .Values.prometheus.jmx.port | quote }} + - /etc/jmx-kafka/jmx-kafka-prometheus.yml + ports: + - containerPort: {{ .Values.prometheus.jmx.port }} + resources: +{{ toYaml .Values.prometheus.jmx.resources | indent 10 }} + volumeMounts: + - name: jmx-config + mountPath: /etc/jmx-kafka + {{- end }} - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} 
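Review bot: The `update-config` init container splices the secret values into double-quoted JAAS strings verbatim, so a password containing `"` or `\` produces a malformed file and the broker fails authentication at start rather than at render time; that is worth a comment on the `jaas.config` defaults in values.yaml, or a check in this loop. The `envsubst` call also has no SHELL-FORMAT argument, so every `$`-reference in the templates is expanded — harmless with the two files in `resources/jaas` today, but `envsubst '${ZK_ADMIN} ${ZK_PSWD} ${KAFKA_ADMIN} ${KAFKA_PSWD}' <${PFILE} >/etc/kafka/secrets/jaas/${PFILE}` keeps it from surprising the next template. Finally, `sh -c` with a bare `for` loop carries on after a failed substitution and lets Kafka start with a partial JAAS file; `-ec` would stop the pod at the first error instead.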
@@ -100,14 +142,21 @@ spec: - -exc - | export KAFKA_BROKER_ID=${HOSTNAME##*-} && \ - export ENDPOINT_PORT=$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )) && \ + {{- if .Values.global.aafEnabled }} export KAFKA_ADVERTISED_LISTENERS=EXTERNAL_SASL_PLAINTEXT://$(HOST_IP):$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )),INTERNAL_SASL_PLAINTEXT://:{{ .Values.service.internalPort }} && \ - exec start-kafka.sh + {{ else }} + export KAFKA_ADVERTISED_LISTENERS=EXTERNAL_PLAINTEXT://$(HOST_IP):$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )),INTERNAL_PLAINTEXT://:{{ .Values.service.internalPort }} && \ + {{- end }} + exec /etc/confluent/docker/run resources: {{ include "common.resources" . | indent 12 }} ports: - containerPort: {{ .Values.service.internalPort }} - containerPort: {{ .Values.service.externalPort }} + {{- if .Values.prometheus.jmx.enabled }} + - containerPort: {{ .Values.jmx.port }} + name: jmx + {{- end }} {{ if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: 
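Review bot: In the `else` branch the broker advertises `EXTERNAL_PLAINTEXT://$(HOST_IP):<baseNodePort+id>`, an unauthenticated listener on the node's own IP, and the env hunk further down sets `KAFKA_AUTHORIZER_CLASS_NAME` only in the AAF branch, so with `global.aafEnabled: false` any client that can reach the node port has unrestricted access to every topic. That is a deliberate switch, but nothing in values.yaml says so; a comment next to `kafka.listeners` such as `# used when global.aafEnabled is false: external listener is PLAINTEXT, no authentication or authorization` would make the trade-off visible to whoever flips it. The `start-kafka.sh` to `/etc/confluent/docker/run` switch is otherwise straightforward; the enclosing container spec continues outside this hunk.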
@@ -128,28 +177,63 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP + - name: KAFKA_ZOOKEEPER_CONNECT + value: {{ include "common.release" . }}-{{.Values.zookeeper.name}}-0.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-1.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-2.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}} + - name: KAFKA_CONFLUENT_SUPPORT_METRICS_ENABLE + value: "{{ .Values.kafka.enableSupport }}" + - name: KAFKA_OPTS + value: "{{ .Values.kafka.jaasOptions }}" + {{- if .Values.global.aafEnabled }} + - name: KAFKA_OPTS + value: "{{ .Values.kafka.jaasOptionsAaf }}" - name: aaf_locate_url value: https://aaf-locate.{{ include "common.namespace" . }}:8095 - + - name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP + value: "{{ .Values.kafka.protocolMapAaf }}" + - name: KAFKA_LISTENERS + value: "{{ .Values.kafka.listenersAaf }}" + - name: KAFKA_SASL_ENABLED_MECHANISMS + value: "{{ .Values.kafka.saslMech }}" + - name: KAFKA_INTER_BROKER_LISTENER_NAME + value: "{{ .Values.kafka.interBrokerListernerAaf }}" + - name: KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL + value: "{{ .Values.kafka.saslInterBrokerProtocol }}" + - name: KAFKA_AUTHORIZER_CLASS_NAME + value: "{{ .Values.kafka.authorizer }}" + {{ else }} + - name: KAFKA_OPTS + value: "{{ .Values.kafka.jaasOptions }}" + - name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP + value: "{{ .Values.kafka.protocolMap }}" + - name: KAFKA_LISTENERS + value: "{{ .Values.kafka.listeners }}" + - name: KAFKA_INTER_BROKER_LISTENER_NAME + value: "{{ .Values.kafka.interBrokerListerner }}" + {{- end }} + {{- range $key, $value := .Values.configurationOverrides }} + - name: {{ printf "KAFKA_%s" $key | replace "." 
"_" | upper | quote }} + value: {{ $value | quote }} + {{- end }} + {{- if .Values.jmx.port }} + - name: KAFKA_JMX_PORT + value: "{{ .Values.jmx.port }}" + {{- end }} + - name: enableCadi + value: "{{ .Values.global.aafEnabled }}" volumeMounts: - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /var/run/docker.sock name: docker-socket - - mountPath: /opt/kafka/tmpconfig/server.properties - subPath: server.properties - name: server - - mountPath: /opt/kafka/config/server.properties - subPath: server.properties - name: config-data - - mountPath: /opt/kafka/config/log4j.properties - subPath: log4j.properties - name: log4j - - mountPath: /opt/kafka/config/cadi.properties + {{- if .Values.global.aafEnabled }} + - mountPath: /etc/kafka/data/cadi.properties subPath: cadi.properties name: cadi - - mountPath: /opt/kafka/data + {{ end }} + - name: jaas-config + mountPath: /etc/kafka/secrets/jaas + - mountPath: /var/lib/kafka/data name: kafka-data {{- if .Values.tolerations }} tolerations: @@ -159,20 +243,25 @@ spec: - name: localtime hostPath: path: /etc/localtime - - name: config-data - emptyDir: {} + - name: jaas-config + emptyDir: + medium: Memory - name: docker-socket hostPath: path: /var/run/docker.sock - - name: server - configMap: - name: {{ include "common.fullname" . }}-server-prop-configmap - - name: log4j - configMap: - name: {{ include "common.fullname" . }}-log4j-prop-configmap + {{- if .Values.global.aafEnabled }} - name: cadi configMap: name: {{ include "common.fullname" . }}-cadi-prop-configmap + {{ end }} + - name: jaas + configMap: + name: {{ include "common.fullname" . }}-jaas-configmap + {{- if .Values.prometheus.jmx.enabled }} + - name: jmx-config + configMap: + name: {{ include "common.fullname" . }}-prometheus-configmap + {{- end }} {{ if not .Values.persistence.enabled }} - name: kafka-data emptyDir: {} 
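Review bot: `KAFKA_JMX_PORT` is exported whenever `jmx.port` is set, and values.yaml defaults it to 5555, so every broker opens remote JMX on 5555 regardless of `prometheus.jmx.enabled`; as far as I recall Kafka's run-class script enables that endpoint with `jmxremote.authenticate=false` and no SSL (the exporter's `ssl: false` matches), and a `containerPort` declaration is not a firewall, so other pods in the cluster can reach it. Gating the block on `{{- if and .Values.prometheus.jmx.enabled .Values.jmx.port }}` (or leaving `jmx.port` empty by default) limits the exposure to deployments that asked for it. The first `KAFKA_OPTS` entry, set before `{{- if .Values.global.aafEnabled }}`, is always followed by a second definition inside the conditional, and later entries with the same name take precedence, so it can be dropped. The new `jaas-config` mount in the broker container holds the rendered credentials and only needs to be read, so `readOnly: true` there would be consistent with the `localtime` mount above it. The pre-existing `/var/run/docker.sock` hostPath mount on the broker is outside this change but stands out next to the new secret handling — if nothing in the new image uses it, removing it is a bigger hardening win than any of the above.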
@@ -194,4 +283,4 @@ spec: storage: {{ .Values.persistence.size | quote }} {{ end }} imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: "{{ include "common.namespace" . }}-docker-registry-key"
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/values.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/values.yaml index 873e72e0d2..0399c3aefb 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-kafka/values.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-kafka/values.yaml @@ -24,13 +24,14 @@ global: loggingImage: beats/filebeat:5.5.0 persistence: {} ubuntuInitRepository: registry.hub.docker.com + envsubstImage: dibi/envsubst ################################################################# # Application configuration defaults. ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/dmaap/kafka111:1.0.1 +image: onap/dmaap/kafka111:1.0.3 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 busyBoxImage: busybox:1.30 
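Review bot: `envsubstImage: dibi/envsubst` carries no tag or digest, so the init container that writes the JAAS credentials pulls whatever Docker Hub's `latest` is at deploy time, and with `pullPolicy: Always` each pod restart may pick up a different image; it is the one container in the pod that sees both secrets in its environment, and unlike `image` it is not routed through the `repository` mirror. The same commit pins the JMX exporter by `@sha256` digest, so pinning here the same way is the consistent fix, e.g. `envsubstImage: dibi/envsubst:<pinned-tag-or-digest placeholder>`.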
@@ -41,15 +42,76 @@ zookeeper: name: message-router-zookeeper port: 2181 +kafka: + heapOptions: -Xmx5G -Xms1G + jaasOptions: -Djava.security.auth.login.config=/etc/kafka/secrets/jaas/zk_client_jaas.conf + jaasOptionsAaf: -Djava.security.auth.login.config=/etc/kafka/secrets/jaas/kafka_server_jaas.conf + enableSupport: false + protocolMapAaf: INTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL_SASL_PLAINTEXT:SASL_PLAINTEXT + protocolMap: INTERNAL_PLAINTEXT:PLAINTEXT,EXTERNAL_PLAINTEXT:PLAINTEXT + listenersAaf: EXTERNAL_SASL_PLAINTEXT://0.0.0.0:9091,INTERNAL_SASL_PLAINTEXT://0.0.0.0:9092 + listeners: EXTERNAL_PLAINTEXT://0.0.0.0:9091,INTERNAL_PLAINTEXT://0.0.0.0:9092 + authorizer: org.onap.dmaap.kafkaAuthorize.KafkaCustomAuthorizer + saslInterBrokerProtocol: PLAIN + saslMech: PLAIN + interBrokerListernerAaf: INTERNAL_SASL_PLAINTEXT + interBrokerListerner: INTERNAL_PLAINTEXT + + +configurationOverrides: + "offsets.topic.replication.factor": "3" + "log.dirs": "/var/lib/kafka/data" + "log.retention.hours": "168" + "num.partitions": "3" + "offsets.topic.replication.factor": "3" + "transaction.state.log.replication.factor": "1" + "transaction.state.log.min.isr": "1" + "num.recovery.threads.per.data.dir": "5" + "log.retention.hours": "168" + "zookeeper.connection.timeout.ms": "6000" + "default.replication.factor": "3" + +jmx: + port: 5555 + +prometheus: + jmx: + enabled: false + image: solsson/kafka-prometheus-jmx-exporter@sha256 + imageTag: 6f82e2b0464f50da8104acd7363fb9b995001ddff77d248379f8788e78946143 + imageRepository: docker.io + port: 5556 + +jaas: + config: + zkClient: kafka + zkClientPassword: kafka_secret + kafkaAdminUser: admin + kafkaAdminPassword: admin_secret + #kafkaAdminUserExternal: some secret + #zkClientPasswordExternal: some secret + + +secrets: + - uid: zk-client + type: basicAuth + externalSecret: '{{ .Values.jaas.config.zkClientPasswordExternal}}' + login: '{{ .Values.jaas.config.zkClient }}' + password: '{{ .Values.jaas.config.zkClientPassword }}' + 
passwordPolicy: required + - uid: kafka-admin + type: basicAuth + externalSecret: '{{ .Values.jaas.config.kafkaAdminUserExternal}}' + login: '{{ .Values.jaas.config.kafkaAdminUser }}' + password: '{{ .Values.jaas.config.kafkaAdminPassword }}' + passwordPolicy: required + # flag to enable debugging - application support required debugEnabled: false # default number of instances replicaCount: 3 -#Kafka custom authorizer class name -kafkaCustomAuthorizer: org.onap.dmaap.kafkaAuthorize.KafkaCustomAuthorizer -deleteTopicEnable: true # To access Kafka outside cluster, this value must be set to hard and the number of nodes in K8S cluster must be equal or greater then replica count podAntiAffinityType: soft @@ -69,17 +131,17 @@ tolerations: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 70 + periodSeconds: 20 + timeoutSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: - initialDelaySeconds: 60 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 90 + periodSeconds: 20 + timeoutSeconds: 100 ## Persist data to a persitent volume persistence: @@ -109,7 +171,8 @@ service: name: message-router-kafka portName: message-router-kafka internalPort: 9092 - externalPort: 9093 + internalSSLPort: 9093 + externalPort: 9091 baseNodePort: 30490 diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/templates/NOTES.txt b/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/templates/NOTES.txt deleted file mode 100644 index a44d0f76ee..0000000000 --- a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/templates/NOTES.txt +++ /dev/null 
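Review bot: `listenersAaf` puts the EXTERNAL listener (published as a NodePort via `baseNodePort: 30490`) on `SASL_PLAINTEXT`, and with `saslMech: PLAIN` every credential presented to it — including the `admin`/`admin_secret` and `kafka`/`kafka_secret` defaults shipped in `jaas.config` below — crosses the network in cleartext; that listener should be `SASL_SSL`, which would also give the `internalSSLPort: 9093` added to the service later in this file a listener to point at. The non-AAF `listeners`/`protocolMap` variant is fully unauthenticated and deserves a warning next to it such as `# no authentication when global.aafEnabled is false; do not expose EXTERNAL_PLAINTEXT outside the cluster in this mode`. The default passwords should be left empty so that `passwordPolicy: required` actually forces an operator-supplied value instead of a credential published in this repository. Separately, `configurationOverrides` lists `offsets.topic.replication.factor` and `log.retention.hours` twice; drop the duplicates, since a YAML loader will at best silently keep one and at worst reject the file.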
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/templates/deployment.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/templates/deployment.yaml deleted file mode 100644 index 9c8a43b96a..0000000000 --- a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apps/v1beta1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ .Values.service.name }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-initcontainer - image: "{{ .Values.global.ubuntuInitRepository }}/{{ .Values.ubuntuInitImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - command: - - /root/ready.py - args: - - --container-name - - {{ .Values.messagerouter.container }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: "{{ include "common.repository" . 
}}/{{ .Values.image }}" - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -exc - - | - exec start-mirrormaker.sh - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - sh - - -c - - "touch /tmp/lprobe.txt" - - "rm /tmp/lprobe.txt" - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end }} - readinessProbe: - exec: - command: - - sh - - -c - - "touch /tmp/rprobe.txt" - - "rm /tmp/rprobe.txt" - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - env: - - name: KAFKA_HEAP_OPTS - value: "{{ .Values.kafkaHeapOptions }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/run/docker.sock - name: docker-socket - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: docker-socket - hostPath: - path: /var/run/docker.sock - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/values.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/values.yaml deleted file mode 100644 index 676f6342f4..0000000000 --- a/kubernetes/dmaap/components/message-router/charts/message-router-mirrormaker/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - readinessRepository: oomk8s - readinessImage: readiness-check:2.0.0 - loggingRepository: docker.elastic.co - loggingImage: beats/filebeat:5.5.0 - persistence: {} - ubuntuInitRepository: registry.hub.docker.com - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -repository: nexus3.onap.org:10001 -image: onap/dmaap/kafka111:1.0.1 -pullPolicy: Always -ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 - -zookeeper: - name: message-router-zookeeper - port: 2181 - -messagerouter: - container: message-router - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 -kafkaHeapOptions: -Xmx4G -Xms2G - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 20 - timeoutSeconds: 5 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - timeoutSeconds: 5 - - -service: - type: NodePort - name: message-router-mirrormaker - portName: message-router-mirrormaker - internalPort: 9092 - - - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: large -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2000m - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi - large: - limits: - cpu: 4000m - memory: 8Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/resources/config/jmx-zookeeper-prometheus.yml b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/resources/config/jmx-zookeeper-prometheus.yml new file mode 100644 index 0000000000..a75b644c5f --- /dev/null +++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/resources/config/jmx-zookeeper-prometheus.yml 
@@ -0,0 +1,21 @@
+jmxUrl: service:jmx:rmi:///jndi/rmi://localhost:{{ .Values.jmx.port }}/jmxrmi
+lowercaseOutputName: true
+lowercaseOutputLabelNames: true
+ssl: false
+rules:
+- pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+)><>(\\w+)"
+ name: "message-router-zookeeper_$2"
+- pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+)><>(\\w+)"
+ name: "message-router-zookeeper_$3"
+ labels:
+ replicaId: "$2"
+- pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+)><>(\\w+)"
+ name: "message-router-zookeeper_$4"
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
+- pattern: "org.apache.ZooKeeperService<name0=ReplicatedServer_id(\\d+), name1=replica.(\\d+), name2=(\\w+), name3=(\\w+)><>(\\w+)"
+ name: "message-router-zookeeper_$4_$5"
+ labels:
+ replicaId: "$2"
+ memberType: "$3"
diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/resources/config/zk_server_jaas.conf b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/resources/config/zk_server_jaas.conf
new file mode 100644
index 0000000000..8266f6b2c6
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/resources/config/zk_server_jaas.conf
@@ -0,0 +1,4 @@
+Server {
+ org.apache.zookeeper.server.auth.DigestLoginModule required
+ user_${ZK_ADMIN}="${ZK_PSWD}";
+};
\ No newline at end of file
diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/configmap.yaml
new file mode 100644
index 0000000000..907111d898
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/configmap.yaml
@@ -0,0 +1,42 @@
+# Copyright © 2020 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.prometheus.jmx.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-prometheus-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "resources/config/jmx-zookeeper-prometheus.yml").AsConfig | indent 2 }}
+---
+{{ end }}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-jaas-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "resources/config/zk_server_jaas.conf").AsConfig | indent 2 }}
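Review bot: `(.Files.Glob "resources/config/jmx-zookeeper-prometheus.yml").AsConfig` copies the file into the ConfigMap verbatim, and Helm does not run the template engine over `.Files` content, so the `{{ .Values.jmx.port }}` placeholder in that file's `jmxUrl` reaches the exporter unrendered and the sidecar cannot connect when `prometheus.jmx.enabled` is turned on. Render it through `tpl`: `{{ tpl (.Files.Glob "resources/config/jmx-zookeeper-prometheus.yml").AsConfig . | indent 2 }}`. The `zk_server_jaas.conf` embed below can stay as is, since it carries only `${ZK_ADMIN}`/`${ZK_PSWD}` placeholders that the init container substitutes at runtime — worth a one-line comment above that `data:` so nobody "fixes" it with `tpl` and breaks the envsubst step.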
\ No newline at end of file
diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/secrets.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/secrets.yaml
new file mode 100644
index 0000000000..729cad4cac
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/secrets.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml
index af4c1719fb..e98e614d93 100644
--- a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml
+++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/templates/statefulset.yaml
@@ -36,6 +36,11 @@ spec:
 labels:
 app: {{ include "common.name" . }}
 release: {{ include "common.release" . }}
+ {{- if .Values.prometheus.jmx.enabled }}
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: {{ .Values.prometheus.jmx.port | quote }}
+ {{- end }}
 spec:
 podAntiAffinity:
 preferredDuringSchedulingIgnoredDuringExecution:
@@ -47,6 +52,10 @@ spec:
 operator: In
 values:
 - {{ include "common.name" . }}
+ - key: "release"
+ operator: In
+ values:
+ - {{ include "common.release" . }}
 topologyKey: "kubernetes.io/hostname"
 {{- if .Values.nodeAffinity }}
 nodeAffinity:
@@ -58,13 +67,53 @@ spec: - sh - -exec - > - chown -R 1000:1000 /tmp/zookeeper/apikeys; + chown -R 1000:0 /tmp/zookeeper/apikeys; image: "{{ .Values.busyBoxRepository }}/{{ .Values.busyBoxImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - mountPath: /tmp/zookeeper/apikeys name: zookeeper-data + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/etc/zookeeper/secrets/jaas/${PFILE}; done" + env: + - name: ZK_ADMIN + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "zk-admin" "key" "login") | indent 10 }} + - name: ZK_PSWD + {{- include "common.secret.envFromSecret" (dict "global" . "uid" "zk-admin" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /etc/zookeeper/secrets/jaas + name: jaas-config + - mountPath: /config-input + name: jaas + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config containers: + {{- if .Values.prometheus.jmx.enabled }} + - name: prometheus-jmx-exporter + image: "{{ .Values.prometheus.jmx.imageRepository }}/{{ .Values.prometheus.jmx.image }}:{{ .Values.prometheus.jmx.imageTag }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - java + - -XX:+UnlockExperimentalVMOptions + - -XX:+UseCGroupMemoryLimitForHeap + - -XX:MaxRAMFraction=1 + - -XshowSettings:vm + - -jar + - jmx_prometheus_httpserver.jar + - {{ .Values.prometheus.jmx.port | quote }} + - /etc/jmx-zookeeper/jmx-zookeeper-prometheus.yml + ports: + - containerPort: {{ .Values.prometheus.jmx.port }} + resources: +{{ toYaml .Values.prometheus.jmx.resources | indent 10 }} + volumeMounts: + - name: jmx-config + mountPath: /etc/jmx-zookeeper + {{- end }} - name: {{ include "common.name" . }} image: "{{ include "common.repository" . 
}}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} 
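Review bot: The `update-config` init container pastes `ZK_PSWD` verbatim into `user_${ZK_ADMIN}="${ZK_PSWD}";` via `envsubst`, so a password containing a double quote produces a malformed `zk_server_jaas.conf` and ZooKeeper starts with a broken login config (and the secret value is then sitting in the container log if the failure is printed). Either document the restriction on `jaas.config.zkAdminPassword` with a comment in values.yaml, or reject such values in the init script before substitution; also restrict substitution to the two intended names so stray `$` sequences in the template cannot be expanded from the environment, `envsubst '${ZK_ADMIN} ${ZK_PSWD}' <${PFILE} >/etc/zookeeper/secrets/jaas/${PFILE}`. Rendering into the `jaas-config` in-memory emptyDir rather than a ConfigMap is the right choice and worth a short comment on the volumeMount, e.g. `# rendered JAAS (contains the ZK digest password) lives only in tmpfs`. The `initContainers` list this belongs to starts above the hunk.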
@@ -77,39 +126,71 @@ spec: name: {{ .Values.service.serverPortName }} - containerPort: {{ .Values.service.leaderElectionPort }} name: {{ .Values.service.leaderElectionPortName }} + {{- if .Values.prometheus.jmx.enabled }} + - containerPort: {{ .Values.jmx.port }} + name: jmx + {{- end }} {{ if eq .Values.liveness.enabled true }} livenessProbe: exec: - command: - - sh - - -c - - "zookeeper-ready.sh 2181" + command: ['/bin/bash', '-c', 'echo "ruok" | nc -w 2 -q 2 localhost 2181 | grep imok'] initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end }} readinessProbe: exec: - command: - - sh - - -c - - "zookeeper-ready.sh 2181" + command: ['/bin/bash', '-c', 'echo "ruok" | nc -w 2 -q 2 localhost 2181 | grep imok'] initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + resources: +{{ toYaml .Values.resources | indent 10 }} env: - - name: ZK_REPLICAS + - name : KAFKA_HEAP_OPTS + value: "{{ .Values.zkConfig.heapOptions }}" + {{- if .Values.jmx.port }} + - name : KAFKA_JMX_PORT + value: "{{ .Values.jmx.port }}" + {{- end }} + - name : ZOOKEEPER_REPLICAS value: "{{ .Values.replicaCount }}" - - name: ZK_INIT_LIMIT - value: "{{ .Values.zk.initLimit }}" - - name: ZK_SYNC_LIMIT - value: "{{ .Values.zk.syncLimit }}" + - name : ZOOKEEPER_TICK_TIME + value: "{{ .Values.zkConfig.tickTime }}" + - name : ZOOKEEPER_SYNC_LIMIT + value: "{{ .Values.zkConfig.syncLimit }}" + - name : ZOOKEEPER_INIT_LIMIT + value: "{{ .Values.zkConfig.initLimit }}" + - name : ZOOKEEPER_MAX_CLIENT_CNXNS + value: "{{ .Values.zkConfig.maxClientCnxns }}" + - name : ZOOKEEPER_AUTOPURGE_SNAP_RETAIN_COUNT + value: "{{ .Values.zkConfig.autoPurgeSnapRetainCount}}" + - name : ZOOKEEPER_AUTOPURGE_PURGE_INTERVAL + value: "{{ .Values.zkConfig.autoPurgePurgeInterval}}" + - name: 
ZOOKEEPER_CLIENT_PORT + value: "{{ .Values.zkConfig.clientPort }}" + - name: KAFKA_OPTS + value: "{{ .Values.zkConfig.kafkaOpts }}" + - name: EXTRA_ARGS + value: "{{ .Values.zkConfig.extraArgs }}" + - name: ZOOKEEPER_SERVER_ID + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - "bash" + - "-c" + - | + ZOOKEEPER_SERVER_ID=$((${HOSTNAME##*-}+1)) \ + /etc/confluent/docker/run volumeMounts: - mountPath: /etc/localtime name: localtime readOnly: true - mountPath: /var/lib/zookeeper/data name: zookeeper-data + - name: jaas-config + mountPath: /etc/zookeeper/secrets/jaas {{- if .Values.tolerations }} tolerations: {{ toYaml .Values.tolerations | indent 10 }} @@ -118,15 +199,29 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: jaas-config + emptyDir: + medium: Memory + - name: docker-socket + hostPath: + path: /var/run/docker.sock + - name: jaas + configMap: + name: {{ include "common.fullname" . }}-jaas-configmap + {{- if .Values.prometheus.jmx.enabled }} + - name: jmx-config + configMap: + name: {{ include "common.fullname" . }}-prometheus-configmap + {{- end }} {{ if not .Values.persistence.enabled }} - name: zookeeper-data emptyDir: {} {{ else }} volumeClaimTemplates: - metadata: - name: zookeeper-data + name: zookeeper-data labels: - app: {{ include "common.fullname" . }} + app: {{ include "common.fullname" . }} chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" release: "{{ include "common.release" . }}" heritage: "{{ .Release.Service }}" @@ -139,4 +234,4 @@ spec: storage: {{ .Values.persistence.size | quote }} {{ end }} imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: "{{ include "common.namespace" . }}-docker-registry-key"
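Review bot: `KAFKA_JMX_PORT` is exported whenever `.Values.jmx.port` is set, and values.yaml sets it to 5555 by default, so the JMX agent is switched on even when `prometheus.jmx.enabled` is false and no sidecar needs it; in the Confluent-based images this `/etc/confluent/docker/run` entrypoint belongs to, that variable is what enables remote JMX with authentication and SSL disabled (an assumption from the image family — confirm against the image), which is an RCE-grade listener reachable from any pod in the cluster. Gate the env var on the same condition as the `jmx` containerPort, `{{- if .Values.prometheus.jmx.enabled }}`, and pair the enabled case with a NetworkPolicy that keeps 5555 pod-local, since the exporter only ever connects over `localhost`. The `ZOOKEEPER_SERVER_ID` env entry taken from `metadata.name` is immediately shadowed by the computed id in `command`, so it can be dropped to avoid suggesting the pod name is a valid server id.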
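Review bot: The new `docker-socket` hostPath volume for `/var/run/docker.sock` is not referenced by any volumeMount in this StatefulSet (the main container mounts localtime, zookeeper-data and jaas-config; the exporter and init containers mount jmx-config, jaas-config and jaas), so it only makes the pod request hostPath access it does not use and may get it rejected by a restrictive PodSecurityPolicy or admission control. Remove the three lines `- name: docker-socket` / `hostPath:` / `path: /var/run/docker.sock`; the Docker socket has no business being attached to a ZooKeeper pod in any case.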
\ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/values.yaml b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/values.yaml index eeb77ba7fd..4abb6e3c4a 100644 --- a/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/values.yaml +++ b/kubernetes/dmaap/components/message-router/charts/message-router-zookeeper/values.yaml @@ -24,13 +24,14 @@ global: loggingImage: beats/filebeat:5.5.0 ubuntuInitRepository: registry.hub.docker.com persistence: {} + envsubstImage: dibi/envsubst ################################################################# # Application configuration defaults. ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/dmaap/zookeeper:6.0.0 +image: onap/dmaap/zookeeper:6.0.2 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 busyBoxImage: busybox:1.30 @@ -39,12 +40,6 @@ busyBoxRepository: docker.io # flag to enable debugging - application support required debugEnabled: false -# application configuration -config: - # gerrit branch where the latest code is checked in - gerritBranch: master - # gerrit project where the latest code is checked in - gerritProject: http://gerrit.onap.org/r/dmaap/messagerouter/messageservice.git # default number of instances replicaCount: 3 
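Review bot: `envsubstImage: dibi/envsubst` is added without a tag or digest, so the `update-config` init container in this chart's StatefulSet — which receives `ZK_ADMIN`/`ZK_PSWD` in its environment — runs an unpinned Docker Hub `latest`, re-pulled on every start because of `pullPolicy: Always`. Pin it by digest as `prometheus.jmx.image` is, `envsubstImage: dibi/envsubst@sha256:<digest>`, or mirror it into the ONAP registry like the other images here. The `global:` block this line sits in starts above the hunk.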
@@ -59,22 +54,55 @@ tolerations: {} # probe configuration parameters liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 40 + periodSeconds: 20 + timeoutSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 + initialDelaySeconds: 40 + periodSeconds: 20 + timeoutSeconds: 10 #Zookeeper properties -zk: - initLimit: 5 - syncLimit: 2 +zkConfig: + tickTime: 2000 + syncLimit: 5 + initLimit: 10 + maxClientCnxns: 200 + autoPurgeSnapRetainCount: 3 + autoPurgePurgeInterval: 24 + heapOptions: -Xmx2G -Xms2G + kafkaOpts: -Dzookeeper.authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider + extraArgs: -Djava.security.auth.login.config=/etc/zookeeper/secrets/jaas/zk_server_jaas.conf + clientPort: 2181 + +jmx: + port: 5555 + +prometheus: + jmx: + enabled: false + image: solsson/kafka-prometheus-jmx-exporter@sha256 + imageTag: 6f82e2b0464f50da8104acd7363fb9b995001ddff77d248379f8788e78946143 + imageRepository: docker.io + port: 5556 + +jaas: + config: + zkAdminUser: kafka + zkAdminPassword: kafka_secret + #zkAdminPasswordExternal= some password + +secrets: + - uid: zk-admin + type: basicAuth + externalSecret: '{{ .Values.jaas.config.zkAdminPasswordExternal}}' + login: '{{ .Values.jaas.config.zkAdminUser }}' + password: '{{ .Values.jaas.config.zkAdminPassword }}' + passwordPolicy: required ## Persist data to a persitent volume persistence: |
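Review bot: `jaas.config` ships `zkAdminUser: kafka` / `zkAdminPassword: kafka_secret` as live defaults, so any deployment that does not set `zkAdminPasswordExternal` runs ZooKeeper's DigestLoginModule with a credential published in this repository; leave the password empty so `passwordPolicy: required` actually forces an operator-supplied value (or use a generated policy if the common secret template offers one), and do the same for the matching `kafka_secret` default in the kafka chart. Also, `-Dzookeeper.authProvider.1=...SASLAuthenticationProvider` only registers SASL as an available scheme; unless the ZooKeeper version in this image honours `zookeeper.sessionRequireClientSASLAuth=true`, or Kafka sets `zookeeper.set.acl=true` and ACLs its znodes (not present in the kafka `configurationOverrides`), unauthenticated clients on 2181 are still accepted — a comment next to `kafkaOpts` should state which of these the deployment relies on. The commented example `#zkAdminPasswordExternal= some password` should read `#zkAdminPasswordExternal: some password` so it is valid YAML when uncommented.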