Enable envoy tls termination #41
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dobrerazvan
added
enhancement
amuraru
reviewed
Jan 31, 2022
amuraru
reviewed
Jan 31, 2022
pkg/resources/kafka/kafka.go
Outdated
| @@ -1035,6 +1035,9 @@ func (r *Reconciler) createExternalListenerStatuses(log logr.Logger) (map[string | |||
| if err != nil { | |||
| return nil, err | |||
| } | |||
| if eListener.ExternalStartingPort == -1 { | |||
There was a problem hiding this comment.
same comment, eListener offers a HostnameOverride field that can be used here?
amuraru
reviewed
Jan 31, 2022
|
we also need unit-tests added |
alungu
reviewed
Feb 3, 2022
pkg/resources/envoy/configmap.go
Outdated
| // Create an any cast broker access point | ||
| if elistener.ExternalStartingPort == -1 { | ||
| // append l[AnyCastPort] with another filter for the same listener | ||
| filterChain = &envoylistener.FilterChain{ |
There was a problem hiding this comment.
Could we avoid somehow code duplication here? I see that only the hostname is different from the broker specific filter.
There was a problem hiding this comment.
@dobrerazvan please don't forget about this code duplicate, too
dobrerazvan
force-pushed
the
dobre/work-2
branch
from
d57de35
to
c62bdc7
Compare
ecojan
reviewed
Feb 18, 2022
api/v1beta1/kafkacluster_types.go
Outdated
| @@ -373,6 +385,29 @@ func (c IngressServiceSettings) GetServiceType() corev1.ServiceType { | |||
| return c.ServiceType | |||
| } | |||
|
|
|||
| // Replace {{.Id}} in brokerHostnameTemplate with actual broker id | |||
There was a problem hiding this comment.
Suggestion to do string replace here instead of template engine from Go.
Reasons are that we are doing the same process here (not calling any extra functions to require template engine), current deployment spec is done via Helm (need to escape double templating).
wdyt?
alungu
reviewed
Feb 22, 2022
| { | ||
| CertificateChain: &envoycore.DataSource{ | ||
| Specifier: &envoycore.DataSource_Filename{ | ||
| Filename: "/certs/certificate.crt", |
There was a problem hiding this comment.
If these paths are hard coded, it means that we always have to mount the secrets to these paths, right?
Should we add this information the CRD?
There was a problem hiding this comment.
Since this is generated and used un the envoy deployment to mount the ssl cert, i think it could be hardcoded, doesn't really matter where is mounted as long as it's mounted somewhere.
pkg/resources/envoy/configmap.go
Outdated
| } | ||
|
|
||
| if elistener.TLSEnabled() { | ||
| // tls |
There was a problem hiding this comment.
minor: should we drop this comment (and the one below non tls? The condition is very clear.
pkg/resources/envoy/configmap.go
Outdated
|
|
||
| for _, p := range ports { | ||
|
|
||
| if elistener.ExternalStartingPort == -1 { |
There was a problem hiding this comment.
could we replace this with the method helper TLSEnabled?
pkg/resources/envoy/deployment.go
Outdated
| @@ -66,6 +65,26 @@ func (r *Reconciler) deployment(log logr.Logger, extListener v1beta1.ExternalLis | |||
| }, | |||
| } | |||
|
|
|||
| if extListener.ExternalStartingPort == -1 && extListener.TLSSecretName != "" { | |||
There was a problem hiding this comment.
could we replace this with the method helper TLSEnabled?
pkg/resources/envoy/service.go
Outdated
| TargetPort: intstr.FromInt(int(extListener.ExternalStartingPort) + brokerId), | ||
| Protocol: corev1.ProtocolTCP, | ||
| }) | ||
| if extListener.ExternalStartingPort != -1 { |
There was a problem hiding this comment.
could we replace this with the method helper TLSEnabled?
pkg/resources/envoy/configmap.go
Outdated
| }, | ||
| }, | ||
| } | ||
| pbTlsContext, _ := anypb.New(tlsContext) |
There was a problem hiding this comment.
Should we check the returned error, too?
pkg/resources/envoy/configmap.go
Outdated
| // Create an any cast broker access point | ||
| if elistener.ExternalStartingPort == -1 { | ||
| // append l[AnyCastPort] with another filter for the same listener | ||
| filterChain = &envoylistener.FilterChain{ |
There was a problem hiding this comment.
@dobrerazvan please don't forget about this code duplicate, too
| ports = append(ports, int(p)) | ||
| } | ||
| sort.Ints(ports) | ||
|
|
pkg/resources/envoy/configmap.go
Outdated
| for _, p := range ports { | ||
|
|
||
| if elistener.ExternalStartingPort == -1 { | ||
| listeners = append(listeners, &envoylistener.Listener{ |
There was a problem hiding this comment.
The Listener is the same object for both TLS and non-TLS. could we reuse the code?
| @@ -226,37 +259,48 @@ func GenerateEnvoyConfig(kc *v1beta1.KafkaCluster, elistener v1beta1.ExternalLis | |||
| Cluster: fmt.Sprintf("broker-%d", brokerId), | |||
| }, | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
This method (GenerateEnvoyConfig) has almost 400 lines. Could we split it in multiple functions, please?
There was a problem hiding this comment.
I added dedicated functions that generate tls specifics
alungu
approved these changes
Feb 22, 2022
dobrerazvan
force-pushed
the
dobre/work-2
branch
from
07776c5
to
642a67f
Compare
ecojan
approved these changes
Feb 23, 2022
amuraru
reviewed
Mar 7, 2022
api/v1beta1/kafkacluster_types.go
Outdated
| @@ -407,6 +428,8 @@ type IngressServiceSettings struct { | |||
| // In case of external listeners using NodePort access method the broker instead of node public IP (see "brokerConfig.nodePortExternalIP") | |||
| // is advertised on the address having the following format: <kafka-cluster-name>-<broker-id>.<namespace><value-specified-in-hostnameOverride-field> | |||
| HostnameOverride string `json:"hostnameOverride,omitempty"` | |||
| // Template used to generate broker hostnames for tls enabled envoy. %id will be replaced with brokerId value | |||
| BrokerHostnameTemplate string `json:"brokerHostnameTemplate,omitempty"` | |||
There was a problem hiding this comment.
@dobrerazvan can this be moved to KafkaClusterSpec.EnvoyConfig ?
The reason for this is that the comment says it applies to "envoy" ingress while this IngressServiceSettings is generic for all kafka ingresses (istio, envoy)
There was a problem hiding this comment.
@amuraru Implemented the review.
|
@dobrerazvan please rebase this on top of master. I just force rebased the master branch to sync with upstream banzaicloud/master branch |
…adobe/kafka docker hub repos - build the koperator docker image - build Apache kafka docker image When `kafka-*` tags are created a github action is triggered to build and push a new adobe/kafka docker image version
dobrerazvan
force-pushed
the
dobre/work-2
branch
from
e4466c2
to
f5ea9e1
Compare
Did that. |
dobrerazvan
force-pushed
the
dobre/work-2
branch
from
c50cab2
to
810b7a5
Compare
amuraru
reviewed
Mar 15, 2022
| @@ -377,6 +390,16 @@ func (c IngressServiceSettings) GetServiceType() corev1.ServiceType { | |||
| return c.ServiceType | |||
| } | |||
|
|
|||
| // Replace %id in brokerHostnameTemplate with actual broker id | |||
| func (c EnvoyConfig) GetBrokerHostname(brokerId int32) string { | |||
There was a problem hiding this comment.
Suggested change
| func (c EnvoyConfig) GetBrokerHostname(brokerId int32) string { | |
| func (c EnvoyConfig) Get BrokerHostnameTemplate(brokerId int32) string { |
amuraru
approved these changes
Mar 15, 2022
amuraru
pushed a commit
that referenced
this pull request
Mar 30, 2022
amuraru
pushed a commit
that referenced
this pull request
Apr 22, 2022
amuraru
pushed a commit
that referenced
this pull request
May 3, 2022
amuraru
pushed a commit
that referenced
this pull request
May 3, 2022
amuraru
pushed a commit
that referenced
this pull request
May 8, 2022
amuraru
pushed a commit
that referenced
this pull request
May 11, 2022
amuraru
pushed a commit
that referenced
this pull request
May 11, 2022
amuraru
pushed a commit
that referenced
this pull request
May 13, 2022
amuraru
pushed a commit
that referenced
this pull request
May 23, 2022
amuraru
pushed a commit
that referenced
this pull request
May 27, 2022
amuraru
pushed a commit
that referenced
this pull request
Jun 17, 2022
amuraru
pushed a commit
that referenced
this pull request
Jun 29, 2022
azun
pushed a commit
that referenced
this pull request
Jul 28, 2022
azun
pushed a commit
that referenced
this pull request
Jul 29, 2022
amuraru
pushed a commit
that referenced
this pull request
Jul 29, 2022
amuraru
pushed a commit
that referenced
this pull request
Aug 22, 2022
amuraru
pushed a commit
that referenced
this pull request
Sep 10, 2022
alungu
pushed a commit
that referenced
this pull request
Jan 5, 2023
aguzovatii
pushed a commit
to aguzovatii/koperator
that referenced
this pull request
Mar 22, 2023
aguzovatii
pushed a commit
to aguzovatii/koperator
that referenced
this pull request
Mar 22, 2023
aguzovatii
pushed a commit
to aguzovatii/koperator
that referenced
this pull request
Mar 23, 2023
amuraru
pushed a commit
that referenced
this pull request
May 16, 2023
ctrlaltluc
added a commit
that referenced
this pull request
May 19, 2023
* [INTERNAL] [BUILD] Publish docker images to adobe/kafka-operator and adobe/kafka docker hub repos - build the koperator docker image - build Apache kafka docker image When `kafka-*` tags are created a github action is triggered to build and push a new adobe/kafka docker image version * [INTERNAL] make manifests should be called manually, if needed (#25) We made some chnages for spinnaker annotations and `preserveUnknownFields` that would be overriden by `make manifests` * [INTERNAL] Allow Kafka to use External DNS for inter-broker protocol (#17) (#22) * [INTERNAL] Allow external listeners to be used for inner communication (#26) * [INTERNAL] Ensure external listerners are always the first the advertised.listeners configuration This is needed for old clients connecting to kafka through Zookeeper that does not have a way to infer the right listener. In this case, the first listener in the advertised.listener config is used to connect to brokers. This patch ensures the external listeners (those reachable from outside) are listed before internal ones * [INTERNAL] Generate CRDs resources * [INTERNAL] Upgrade to Kafka 2.8.1 (#36) * Enable envoy idleTimeout and TCP keep-alive for connections to kafka and clients 1/ Kafka broker defines connections.max.idle.ms=600s To ensure envoy as a client for kafka broker is terminating the connection first to avoid network disconnects this patch is setting the idleTimeout to value slightly less than that 2/ Enable tcp-keep alive for all TCP connections established by envoy to kafka and to client (or fronting Load Balancer) * Enable envoy tls termination (#41) * [INTERNAL] Build kafka 3.1.1 using Oracle OpenJDK * Envoy config generated by the operator is invalid in envoy 1.22 Added explicit typeconfig for envoy.filters.http.router ``` [2022-06-16 13:27:58.425][1][info][main] [source/server/server.cc:939] exiting Didn't find a registered implementation for 'envoy.filters.http.router' with type URL: '' ``` * Added TaintedBrokersSelector to kafkaClusterSpec (#48) Co-authored-by: Adrian Muraru <adi.muraru@gmail.com> * Build kafka 3.2.2 * Upgrade kafka to 3.2.3 * Upgrade kafka to 3.3.1 * [Internal] Update helm for adobe builds (#52) * [INTERNAL] Use local replacement for sub-modules (#54) As part of banzaicloud#929, the local replacement for sub-modules was removed in favor of using valid tags. Adobe Koperator fork has some internal changes in the api sub-module, so we need to use the local version of the sub-module instead of the upstream version, so we are forced to revert the changes from banzaicloud#929. * Upgrade kafka to 3.4.0 --------- Co-authored-by: Adi Muraru <amuraru@adobe.com> Co-authored-by: Adrian Lungu <adrian.lungu89@gmail.com> Co-authored-by: Razvan Dobre <dobre.razvan@gmail.com> Co-authored-by: Adrian Muraru <adi.muraru@gmail.com> Co-authored-by: Adrian Coman <acoman@adobe.com> Co-authored-by: aguzovatii <guzovatii.anatolii@gmail.com>
ctrlaltluc
pushed a commit
that referenced
this pull request
Jun 8, 2023
ctrlaltluc
added a commit
that referenced
this pull request
Jun 8, 2023
* [INTERNAL] [BUILD] Publish docker images to adobe/kafka-operator and adobe/kafka docker hub repos - build the koperator docker image - build Apache kafka docker image When `kafka-*` tags are created a github action is triggered to build and push a new adobe/kafka docker image version * [INTERNAL] make manifests should be called manually, if needed (#25) We made some chnages for spinnaker annotations and `preserveUnknownFields` that would be overriden by `make manifests` * [INTERNAL] Allow Kafka to use External DNS for inter-broker protocol (#17) (#22) * [INTERNAL] Allow external listeners to be used for inner communication (#26) * [INTERNAL] Ensure external listerners are always the first the advertised.listeners configuration This is needed for old clients connecting to kafka through Zookeeper that does not have a way to infer the right listener. In this case, the first listener in the advertised.listener config is used to connect to brokers. This patch ensures the external listeners (those reachable from outside) are listed before internal ones * [INTERNAL] Generate CRDs resources * [INTERNAL] Upgrade to Kafka 2.8.1 (#36) * Enable envoy idleTimeout and TCP keep-alive for connections to kafka and clients 1/ Kafka broker defines connections.max.idle.ms=600s To ensure envoy as a client for kafka broker is terminating the connection first to avoid network disconnects this patch is setting the idleTimeout to value slightly less than that 2/ Enable tcp-keep alive for all TCP connections established by envoy to kafka and to client (or fronting Load Balancer) * Enable envoy tls termination (#41) * [INTERNAL] Build kafka 3.1.1 using Oracle OpenJDK * Envoy config generated by the operator is invalid in envoy 1.22 Added explicit typeconfig for envoy.filters.http.router ``` [2022-06-16 13:27:58.425][1][info][main] [source/server/server.cc:939] exiting Didn't find a registered implementation for 'envoy.filters.http.router' with type URL: '' ``` * Added TaintedBrokersSelector to kafkaClusterSpec (#48) Co-authored-by: Adrian Muraru <adi.muraru@gmail.com> * Build kafka 3.2.2 * Upgrade kafka to 3.2.3 * Upgrade kafka to 3.3.1 * [Internal] Update helm for adobe builds (#52) * [INTERNAL] Use local replacement for sub-modules (#54) As part of banzaicloud#929, the local replacement for sub-modules was removed in favor of using valid tags. Adobe Koperator fork has some internal changes in the api sub-module, so we need to use the local version of the sub-module instead of the upstream version, so we are forced to revert the changes from banzaicloud#929. * Upgrade kafka to 3.4.0 --------- Co-authored-by: Adi Muraru <amuraru@adobe.com> Co-authored-by: Adrian Lungu <adrian.lungu89@gmail.com> Co-authored-by: Razvan Dobre <dobre.razvan@gmail.com> Co-authored-by: Adrian Muraru <adi.muraru@gmail.com> Co-authored-by: Adrian Coman <acoman@adobe.com> Co-authored-by: aguzovatii <guzovatii.anatolii@gmail.com>
ctrlaltluc
pushed a commit
that referenced
this pull request
Jun 8, 2023
ctrlaltluc
added a commit
that referenced
this pull request
Jun 8, 2023
* [INTERNAL] [BUILD] Publish docker images to adobe/kafka-operator and adobe/kafka docker hub repos - build the koperator docker image - build Apache kafka docker image When `kafka-*` tags are created a github action is triggered to build and push a new adobe/kafka docker image version * [INTERNAL] make manifests should be called manually, if needed (#25) We made some chnages for spinnaker annotations and `preserveUnknownFields` that would be overriden by `make manifests` * [INTERNAL] Allow Kafka to use External DNS for inter-broker protocol (#17) (#22) * [INTERNAL] Allow external listeners to be used for inner communication (#26) * [INTERNAL] Ensure external listerners are always the first the advertised.listeners configuration This is needed for old clients connecting to kafka through Zookeeper that does not have a way to infer the right listener. In this case, the first listener in the advertised.listener config is used to connect to brokers. This patch ensures the external listeners (those reachable from outside) are listed before internal ones * [INTERNAL] Generate CRDs resources * [INTERNAL] Upgrade to Kafka 2.8.1 (#36) * Enable envoy idleTimeout and TCP keep-alive for connections to kafka and clients 1/ Kafka broker defines connections.max.idle.ms=600s To ensure envoy as a client for kafka broker is terminating the connection first to avoid network disconnects this patch is setting the idleTimeout to value slightly less than that 2/ Enable tcp-keep alive for all TCP connections established by envoy to kafka and to client (or fronting Load Balancer) * Enable envoy tls termination (#41) * [INTERNAL] Build kafka 3.1.1 using Oracle OpenJDK * Envoy config generated by the operator is invalid in envoy 1.22 Added explicit typeconfig for envoy.filters.http.router ``` [2022-06-16 13:27:58.425][1][info][main] [source/server/server.cc:939] exiting Didn't find a registered implementation for 'envoy.filters.http.router' with type URL: '' ``` * Added TaintedBrokersSelector to kafkaClusterSpec (#48) Co-authored-by: Adrian Muraru <adi.muraru@gmail.com> * Build kafka 3.2.2 * Upgrade kafka to 3.2.3 * Upgrade kafka to 3.3.1 * [Internal] Update helm for adobe builds (#52) * [INTERNAL] Use local replacement for sub-modules (#54) As part of banzaicloud#929, the local replacement for sub-modules was removed in favor of using valid tags. Adobe Koperator fork has some internal changes in the api sub-module, so we need to use the local version of the sub-module instead of the upstream version, so we are forced to revert the changes from banzaicloud#929. * Upgrade kafka to 3.4.0 --------- Co-authored-by: Adi Muraru <amuraru@adobe.com> Co-authored-by: Adrian Lungu <adrian.lungu89@gmail.com> Co-authored-by: Razvan Dobre <dobre.razvan@gmail.com> Co-authored-by: Adrian Muraru <adi.muraru@gmail.com> Co-authored-by: Adrian Coman <acoman@adobe.com> Co-authored-by: aguzovatii <guzovatii.anatolii@gmail.com>
amuraru
pushed a commit
that referenced
this pull request
Jun 10, 2023
amuraru
pushed a commit
that referenced
this pull request
Dec 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's in this PR?
Why?
Additional context
Checklist
To Do