April 2, 2024 08:35 pm GMT

KafkaUser in another namespace

We are integrating Fluent Bit with Kafka, deployed on Kubernetes using strimzi.io, and we hit our first issue.

When we create a KafkaUser in our fluent namespace, the secret needed for TLS is not created there:

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: fluent
  namespace: fluent
  labels:
    strimzi.io/cluster: debezium-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          name: '*'
          patternType: literal
          type: topic
        operation: All
      - resource:
          name: '*'
          patternType: literal
          type: group
        operation: All
      - resource:
          type: cluster
        operation: All
```

It simply sits there like this:

```
kubectl get kafkauser
NAME     CLUSTER            AUTHENTICATION   AUTHORIZATION   READY
fluent   debezium-cluster   tls              simple
```

Reading up, it seems that this is a long-running issue, and although there is a fix for Java applications, it would appear you need to deploy something else to mirror the generated secret into the fluent namespace.

One of the comments led us to https://config-syncer.com/docs/v0.14.7/setup/install/, which had a comment about another tool, emberstack/kubernetes-reflector.

Installation is pretty straightforward.

```bash
helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector -n emberstack --create-namespace emberstack/reflector
```

Then annotate the secret template in the KafkaUser YAML and apply it:

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: fluent
  namespace: kafka
  labels:
    # must match the name of your Kafka cluster resource
    strimzi.io/cluster: kafka-cluster
spec:
  authentication:
    type: tls
  template:
    secret:
      metadata:
        annotations:
          # allow reflector to copy the generated secret, but only into "fluent"
          reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
          reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "fluent"
  authorization:
    type: simple
    acls:
      - resource:
          name: '*'
          patternType: literal
          type: topic
        operation: All
      - resource:
          name: '*'
          patternType: literal
          type: group
        operation: All
      - resource:
          type: cluster
        operation: All
```

Finally, create an empty secret in the fluent namespace and annotate it to mirror the secret created previously.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: fluent
  namespace: fluent
  annotations:
    reflector.v1.k8s.emberstack.com/reflects: "kafka/fluent"
type: Opaque
```

When completed, the secret is mirrored (and maintained):

```
kubectl get secret fluent -n kafka
NAME     TYPE     DATA   AGE
fluent   Opaque   5      26m
kubectl get secret fluent -n fluent
NAME     TYPE     DATA   AGE
fluent   Opaque   5      19m
```

You can now reference the secret in your config.
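The matching DATA counts above do not prove the copy is current or that the source secret is limited to the intended namespace. The following check is an added example, not code from the original post or from the reflector project: `check_reflection`, `make_secret` and the sample values are hypothetical, and it assumes (per the reflector README) that the allow-list is comma-separated names or regexes and that an empty list permits every namespace.

```python
import re

PREFIX = "reflector.v1.k8s.emberstack.com/"

def check_reflection(source: dict, mirror: dict) -> list:
    """Return a list of problems; an empty list means the mirror is consistent."""
    problems = []
    s_meta, m_meta = source["metadata"], mirror["metadata"]
    s_ann = s_meta.get("annotations") or {}
    m_ann = m_meta.get("annotations") or {}
    if s_ann.get(PREFIX + "reflection-allowed") != "true":
        problems.append("source secret does not allow reflection")
    # Assumption: comma-separated names or regexes; empty or missing = any namespace.
    raw = s_ann.get(PREFIX + "reflection-allowed-namespaces", "")
    allowed = [p.strip() for p in raw.split(",") if p.strip()]
    if not allowed:
        problems.append("private key may be reflected into any namespace")
    elif not any(re.fullmatch(p, m_meta["namespace"]) for p in allowed):
        problems.append("namespace %s is not on the allow-list" % m_meta["namespace"])
    expected = "%s/%s" % (s_meta["namespace"], s_meta["name"])
    if m_ann.get(PREFIX + "reflects") != expected:
        problems.append("mirror does not reflect " + expected)
    # Compare the base64 payloads key by key to catch a stale or partial copy.
    s_data, m_data = source.get("data") or {}, mirror.get("data") or {}
    stale = sorted(k for k in set(s_data) | set(m_data) if s_data.get(k) != m_data.get(k))
    if stale:
        problems.append("data differs for keys: " + ", ".join(stale))
    return problems

def make_secret(namespace, annotations, data):
    """Build a minimal Secret object shaped like `kubectl get secret -o json`."""
    return {"metadata": {"name": "fluent", "namespace": namespace,
                         "annotations": annotations}, "data": data}

# Constructed sample: the five keys of a Strimzi TLS user secret, dummy values.
KEYS = ("ca.crt", "user.crt", "user.key", "user.p12", "user.password")
DATA = {k: "Y29uc3RydWN0ZWQ=" for k in KEYS}
SOURCE = make_secret("kafka", {PREFIX + "reflection-allowed": "true",
                               PREFIX + "reflection-allowed-namespaces": "fluent"}, DATA)
MIRROR = make_secret("fluent", {PREFIX + "reflects": "kafka/fluent"}, dict(DATA))

if __name__ == "__main__":
    import json, sys
    if len(sys.argv) == 3:  # two files saved from `kubectl get secret ... -o json`
        SOURCE, MIRROR = (json.load(open(p)) for p in sys.argv[1:3])
    print(check_reflection(SOURCE, MIRROR) or "mirror is consistent")
```

To run it against a cluster, save `kubectl get secret fluent -n kafka -o json` and `kubectl get secret fluent -n fluent -o json` to two files and pass them as arguments, source first.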

Read how to sync the Kafka Cluster CA certificate into your namespace to enable the sync of the Kafka Cluster CA Certificate.


Original Link: https://dev.to/darkedges/kafkauser-in-another-namespace-81c
