|
1 | | -# kakfa-gitops |
2 | | -A Kafka GitOps workflow example for multi-env deployments with Flux, Kustomize, Helm and Confluent Operator |
| 1 | +# GitOps for Apache Kafka Example |
| 2 | + |
| 3 | +For this example we assume a single clusters simulated a production environment. The end goal is to leverage Flux and Kustomize to manage [Confluent Operator for Kubernetes](https://github.com/confluentinc/operator-earlyaccess). You can extend the with another cluster while minimizing duplicated declarations. |
| 4 | + |
| 5 | +We will configure [Flux](https://fluxcd.io/) to install, deploy and config the [Confluent Platform](https://www.confluent.io/product/confluent-platform) using their private `HelmRepository` and `HelmRelease` custom resources. |
| 6 | +Flux will monitor the Helm repository, and it will automatically upgrade the Helm releases to their latest chart version based on semver ranges. |
| 7 | + |
| 8 | +You may find this project helpful by simply referencing the documentation, code, and strategies for managing Kafka resources on Kubernetes. Additionally, if you just wish to operate a working example of the new Confluent operator, the following usage instructions will guide you. |
| 9 | + |
| 10 | +## Prerequisites |
| 11 | +You will need a Kubernetes cluster version 1.16 or newer and kubectl version 1.18. |
| 12 | + |
| 13 | +In order to follow the guide you'll need a GitHub account and a |
| 14 | +[personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) |
| 15 | +that can create repositories (check all permissions under `repo`). |
| 16 | + |
| 17 | +Install the Flux CLI on MacOS and Linux using Homebrew: |
| 18 | + |
| 19 | +```sh |
| 20 | +brew install fluxcd/tap/flux |
| 21 | +``` |
| 22 | + |
| 23 | +Install the Confluent CLI |
| 24 | +```she |
| 25 | +curl -sL --http1.1 https://cnfl.io/cli | sh -s -- latest |
| 26 | +``` |
| 27 | + |
| 28 | +Get early access by registering interest here: [Confluent Operator Early Access Registration](https://events.confluent.io/confluentoperatorearlyaccess) For this Early Access program, you will have received an API key (associated with your email address) to the Confluent JFrog Artifactory. This is required to pull down the Helm charts and Confluent Docker images. |
| 29 | + |
| 30 | +## Repository structure |
| 31 | + |
| 32 | +The Git repository contains the following top directories: |
| 33 | + |
| 34 | +- **apps** dir contains Helm releases with a custom configuration per cluster |
| 35 | +- **infrastructure** dir contains common infra tools such as Confluent Operator, example LDAP controller and Helm repository definitions |
| 36 | +- **clusters** dir contains the Flux configuration per cluster |
| 37 | + |
| 38 | +``` |
| 39 | +├── apps |
| 40 | +│ ├── base |
| 41 | +│ │ ├── kafka |
| 42 | +│ │ └── rolebindings |
| 43 | +│ ├── production |
| 44 | +├── infrastructure |
| 45 | +│ ├── confluent |
| 46 | +│ ├── sources |
| 47 | +│ └── tools |
| 48 | +└── clusters |
| 49 | + └── production |
| 50 | +``` |
| 51 | +### /apps |
| 52 | +The apps configuration contains all the Confluent Platform configuration and is structured into: |
| 53 | + |
| 54 | +- **apps/base/kakfa/** dir common values for all clusters: namespaces, certificates, secrets, Confluent components via Helm release definitions and Deployments |
| 55 | +- **apps/base/rolebings/** dir contains the common RBAC bindings for all deployments |
| 56 | +- **apps/production/** dir contains the production values |
| 57 | + |
| 58 | +### /infrastructure |
| 59 | +The infrastructure `sources` folder contains the [Flux Source Controller](https://fluxcd.io/docs/components/source/) configuration and some common tooling which is required for this Confluent LDAP / RBAC example. |
| 60 | +```yaml |
| 61 | +apiVersion: source.toolkit.fluxcd.io/v1beta1 |
| 62 | +kind: HelmRepository |
| 63 | +metadata: |
| 64 | + name: confluent-private |
| 65 | + namespace: flux-system |
| 66 | +spec: |
| 67 | + url: https://confluent.jfrog.io/confluent/helm-early-access-operator-2 |
| 68 | + secretRef: |
| 69 | + name: https-credentials |
| 70 | + interval: 5m |
| 71 | +``` |
| 72 | +Note secretRef: The Confluent helm repository is private and requires a username and password which we must create. |
| 73 | +Note that with interval: 5m we configure Flux to pull the Helm repository index every five minutes. If the index contains a new chart version that matches a HelmRelease semver range, Flux will upgrade the release. |
| 74 | +
|
| 75 | +The `confluent` folder contains the Helm release which is performed by the [Helm Controller](https://fluxcd.io/docs/components/helm/helmreleases/) and also requires access to the private Docker registry to pull down the Confluent images. |
| 76 | +```yaml |
| 77 | +apiVersion: helm.toolkit.fluxcd.io/v2beta1 |
| 78 | +kind: HelmRelease |
| 79 | +metadata: |
| 80 | + name: confluent |
| 81 | + namespace: confluent |
| 82 | +spec: |
| 83 | + interval: 1m |
| 84 | + chart: |
| 85 | + spec: |
| 86 | + chart: confluent-for-kubernetes |
| 87 | + sourceRef: |
| 88 | + kind: HelmRepository |
| 89 | + name: confluent-private |
| 90 | + namespace: flux-system |
| 91 | + values: |
| 92 | + image: |
| 93 | + registry: confluent-docker-internal-early-access-operator-2.jfrog.io |
| 94 | +``` |
| 95 | +Note: The Helm automatically looks for a secret called `confluent-registry` which we must create in the confluent namespace. |
| 96 | + |
| 97 | +## Setup |
| 98 | +Following this example, you'll set up secure Confluent Platform clusters with SASL PLAIN authentication, role-based access control (RBAC) authorization, and inter-component TLS. The clusters dir contains the Kustomization definitions:: |
| 99 | +``` |
| 100 | +./clusters/ |
| 101 | +└── production |
| 102 | + ├── apps.yaml |
| 103 | + └── infrastructure.yaml |
| 104 | +``` |
| 105 | +1. Using GitOps will require the FluxCD toolkit to have read and write access to the repository. For your own local version, you must create a fork of this repository and clone it locally; otherwise, the GitOps automation will not be authorized to read and write from the repository. Fork this repository on your personal GitHub account and export your GitHub access token, username and repo name: |
| 106 | +```sh |
| 107 | +export GITHUB_TOKEN=<your-token> |
| 108 | +export GITHUB_USER=<your-username> |
| 109 | +export GITHUB_REPO=<repository-name> |
| 110 | +``` |
| 111 | + |
| 112 | +2. After forking and cloning the repository, navigate to the project root and verify that your production cluster folder satisfies the prerequisites with: |
| 113 | +```sh |
| 114 | +flux check --pre |
| 115 | +``` |
| 116 | + |
| 117 | +3. Flux will now need connectivity do your cluster, ensure the correct kubectl context to your cluster and bootstrap Flux: |
| 118 | +```sh |
| 119 | +flux bootstrap github \ |
| 120 | + --owner=${GITHUB_USER} \ |
| 121 | + --repository=${GITHUB_REPO} \ |
| 122 | + --branch=main \ |
| 123 | + --personal \ |
| 124 | + --path=clusters/production |
| 125 | +``` |
| 126 | +4. Deploy the secrets required by the application. The secrets referenced in `./resources/populate_secrets.sh` will match up to the LDAP/LDIFs located at `./infrastructure/tools/ldap.yaml` |
| 127 | +```sh |
| 128 | +./resources/populate_secrets.sh |
| 129 | +``` |
| 130 | + |
| 131 | +5. The source controller will be unable to pull the Helm chart or connect to the Docker registry. You now should create the following secrets using Confluent early access credentials: |
| 132 | +```sh |
| 133 | +export USER=<user id here (often same as email)> |
| 134 | +export APIKEY=<API KEY sent via email> |
| 135 | +export EMAIL=<user email here> |
| 136 | +
|
| 137 | +kubectl create secret docker-registry confluent-registry -n confluent \ |
| 138 | + --docker-server=confluent-docker-internal-early-access-operator-2.jfrog.io \ |
| 139 | + --docker-username=$USER \ |
| 140 | + --docker-password=$APIKEY \ |
| 141 | + --docker-email=$EMAIL && \ |
| 142 | +kubectl create secret -n flux-system generic https-credentials \ |
| 143 | +--from-literal=username=$USER \ |
| 144 | +--from-literal=password=$APIKEY |
| 145 | +
|
| 146 | +``` |
| 147 | +Watch for the Helm releases being installed in production cluster: |
| 148 | + |
| 149 | +```console |
| 150 | +$ watch flux get helmreleases --all-namespaces |
| 151 | +``` |
| 152 | + |
| 153 | + |
| 154 | +## Appendix |
| 155 | +### Useful commands |
| 156 | + |
| 157 | +* Force Flux Reconciliation |
| 158 | + `flux reconcile source git flux-system` |
| 159 | + |
| 160 | +* Decode secrets |
| 161 | + `kubectl get secrets -n flux-system https-credentials -o json | jq '.data | map_values(@base64d)'` |
| 162 | + |
| 163 | +* Access Control Centre |
| 164 | + `kubectl port-forward -n confluent controlcenter-0 9021:9021`. The web UI credentials will be c3/c3-secret (as defined by the populated secrets) |
| 165 | + |
| 166 | +* LDAP Testing. Exec onto the ldap container by running: `kubectl exec -it -n tools ldap -- bash`. Running |
| 167 | + `ldapsearch -LLL -x -H ldap://ldap.tools.svc.cluster.local:389 -b 'dc=test,dc=com' -D "cn=mds,dc=test,dc=com" -w 'Developer!'` will return a list of LDAP users presently configured |
| 168 | + |
| 169 | +* For testing a repeatable deployment process, for example on a local minikube, a `tldr.sh` script which captures the above steps has been included at the root of this project |
0 commit comments