working scheduled event with kafka/tls

Author: adwk67

demos/airflow-scheduled-job/01-airflow-demo-clusterrole.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: airflow-demo-clusterrole
+rules:
+- apiGroups:
+    - spark.stackable.tech
+  resources:
+    - sparkapplications
+  verbs:
+    - create
+    - get
+    - list
+- apiGroups:
+    - apps
+  resources:
+    - statefulsets
+  verbs:
+    - get
+    - watch
+    - list
+- apiGroups:
+    - ""
+  resources:
+    - persistentvolumeclaims
+  verbs:
+    - list
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    - get
+    - watch
+    - list
+- apiGroups:
+    - ""
+  resources:
+    - pods/exec
+  verbs:
+    - create

demos/airflow-scheduled-job/01-airflow-spark-clusterrole.yaml

@@ -2,11 +2,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: airflow-spark-clusterrole-binding
+  name: airflow-demo-clusterrole-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: airflow-spark-clusterrole
+  name: airflow-demo-clusterrole
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: Group

…02-airflow-spark-clusterrolebinding.yaml …/02-airflow-demo-clusterrolebinding.yamldemos/airflow-scheduled-job/02-airflow-spark-clusterrolebinding.yaml renamed to demos/airflow-scheduled-job/02-airflow-demo-clusterrolebinding.yaml demos/airflow-scheduled-job/02-airflow-spark-clusterrolebinding.yaml renamed to demos/airflow-scheduled-job/02-airflow-demo-clusterrolebinding.yaml

@@ -9,10 +9,12 @@ spec:
       containers:
         - name: start-pyspark-job
           image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
-          # N.B. it is possible for the scheduler to report that a DAG exists, only for the worker task to fail if a pod is unexpectedly
-          # restarted. Additionally, the db-init job takes a few minutes to complete before the cluster is deployed. The wait/watch steps
-          # below are not "water-tight" but add a layer of stability by at least ensuring that the db is initialized and ready and that
-          # all pods are reachable (albeit independent of each other).
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
           command:
           - bash
           - -euo

demos/airflow-scheduled-job/03-enable-and-run-spark-dag.yaml

@@ -9,10 +9,12 @@ spec:
       containers:
         - name: start-date-job
           image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
-          # N.B. it is possible for the scheduler to report that a DAG exists, only for the worker task to fail if a pod is unexpectedly
-          # restarted. Additionally, the db-init job takes a few minutes to complete before the cluster is deployed. The wait/watch steps
-          # below are not "water-tight" but add a layer of stability by at least ensuring that the db is initialized and ready and that
-          # all pods are reachable (albeit independent of each other).
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
           command:
           - bash
           - -euo

demos/airflow-scheduled-job/04-enable-and-run-date-dag.yaml

@@ -0,0 +1,67 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: start-kafka-job
+spec:
+  template:
+    spec:
+      containers:
+        - name: start-kafka-job
+          image: oci.stackable.tech/sdp/tools:1.0.0-stackable0.0.0-dev
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          # N.B. it is possible for the scheduler to report that a DAG exists,
+          # only for the worker task to fail if a pod is unexpectedly
+          # restarted. The wait/watch steps below are not "water-tight" but add
+          # a layer of stability by at least ensuring that the cluster is
+          # initialized and ready and that all pods are reachable (albeit
+          # independent of each other).
+          command:
+          - bash
+          - -euo
+          - pipefail
+          - -c
+          - |
+              # Kafka: wait for cluster
+              kubectl rollout status --watch statefulset/kafka-broker-default
+              kubectl rollout status --watch statefulset/kafka-controller-default
+
+              # Kafka: create consumer offsets topics (required for group coordinator)
+              kubectl exec kafka-broker-default-0 -c kafka -- \
+                /stackable/kafka/bin/kafka-topics.sh \
+                --bootstrap-server kafka-broker-default-0-listener-broker.$(NAMESPACE).svc.cluster.local:9093 \
+                --create \
+                --topic __consumer_offsets \
+                --partitions 50 \
+                --replication-factor 1 \
+                --config cleanup.policy=compact \
+                --command-config /stackable/config/client.properties
+
+              # Airflow: wait for cluster
+              kubectl rollout status --watch statefulset/airflow-webserver-default
+              kubectl rollout status --watch statefulset/airflow-scheduler-default
+
+              # Airflow: activate DAG
+              AIRFLOW_ADMIN_PASSWORD=$(cat /airflow-credentials/adminUser.password)
+              ACCESS_TOKEN=$(curl -XPOST http://airflow-webserver-default-headless:8080/auth/token -H 'Content-Type: application/json' -d '{"username": "admin", "password": "'$AIRFLOW_ADMIN_PASSWORD'"}' | jq -r .access_token)
+              curl -H "Authorization: Bearer $ACCESS_TOKEN" -H 'Content-Type: application/json' -XPATCH http://airflow-webserver-default-headless:8080/api/v2/dags/kafka_watcher -d '{"is_paused": false}' | jq
+
+              # Kafka: produce a message to create the topic
+              kubectl exec kafka-broker-default-0 -c kafka -- bash -c \
+                'echo "Hello World at: $(date)" | /stackable/kafka/bin/kafka-console-producer.sh \
+                --bootstrap-server kafka-broker-default-0-listener-broker.$(NAMESPACE).svc.cluster.local:9093 \
+                --producer.config /stackable/config/client.properties \
+                --topic test-topic'
+          volumeMounts:
+            - name: airflow-credentials
+              mountPath: /airflow-credentials
+      volumes:
+        - name: airflow-credentials
+          secret:
+            secretName: airflow-credentials
+      restartPolicy: OnFailure
+  backoffLimit: 20 # give some time for the Airflow cluster to be available

demos/airflow-scheduled-job/05-enable-and-run-kafka-dag.yaml

@@ -46,10 +46,11 @@ demos:
       - airflow
       - job-scheduling
     manifests:
-      - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/demos/airflow-scheduled-job/01-airflow-spark-clusterrole.yaml
-      - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/demos/airflow-scheduled-job/02-airflow-spark-clusterrolebinding.yaml
+      - plainYaml: demos/airflow-scheduled-job/01-airflow-demo-clusterrole.yaml
+      - plainYaml: demos/airflow-scheduled-job/02-airflow-demo-clusterrolebinding.yaml
       #- plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/demos/airflow-scheduled-job/03-enable-and-run-spark-dag.yaml
       - plainYaml: https://raw.githubusercontent.com/stackabletech/demos/main/demos/airflow-scheduled-job/04-enable-and-run-date-dag.yaml
+      - plainYaml: demos/airflow-scheduled-job/05-enable-and-run-kafka-dag.yaml
     supportedNamespaces: []
     resourceRequests:
       cpu: 2401m

demos/demos-v2.yaml

@@ -16,6 +16,9 @@ spec:
       - name: airflow-dags
         configMap:
           name: airflow-dags
+      - name: kafka-tls-pem
+        configMap:
+          name: truststore-pem
     volumeMounts:
       - name: airflow-dags
         mountPath: /dags/date_demo.py
@@ -29,6 +32,8 @@ spec:
       - name: airflow-dags
         mountPath: /dags/kafka.py
         subPath: kafka.py
+      - name: kafka-tls-pem
+        mountPath: /stackable/kafka-tls-pem
   webservers:
     roleConfig:
       listenerClass: external-unstable
@@ -43,24 +48,25 @@ spec:
       AIRFLOW__CORE__DAGS_FOLDER: "/dags"
       PYTHONPATH: "/stackable/app/log_config:/dags"
       AIRFLOW_CONN_KUBERNETES_IN_CLUSTER: "kubernetes://?__extra__=%7B%22extra__kubernetes__in_cluster%22%3A+true%2C+%22extra__kubernetes__kube_config%22%3A+%22%22%2C+%22extra__kubernetes__kube_config_path%22%3A+%22%22%2C+%22extra__kubernetes__namespace%22%3A+%22%22%7D"
+      #AIRFLOW_CONN_KAFKA_CONN: "{\"conn_type\": \"kafka\", \"extra\": {\"bootstrap.servers\": \"kafka-broker-default-0-listener-broker.{{ NAMESPACE }}.svc.cluster.local:9093\", \"security.protocol\": \"SSL\", \"ssl.ca.location\": \"/stackable/kafka-tls-pem/ca.crt\", \"group.id\": \"airflow_group\", \"auto.offset.reset\": \"latest\"}}"
     podOverrides: &podOverrides
       spec:
         containers:
           - name: airflow
+            image: oci.stackable.tech/sdp/airflow:3.0.6-stackable0.0.0-dev
+            imagePullPolicy: IfNotPresent
             env:
-              - name: KAFKA_BOOTSTRAP
-                valueFrom:
-                  configMapKeyRef:
-                    name: kafka
-                    key: KAFKA
-              - name: AIRFLOW_CONN_KAFKA_CONN # $(KAFKA_BOOTSTRAP)
-                value: "{\"conn_type\": \"kafka\", \"extra\": {\"bootstrap.servers\": \"kafka-broker-default-0-listener-broker.demo.svc.cluster.local:9092\", \"group.id\": \"airflow_group\", \"auto.offset.reset\": \"latest\"}}"
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: AIRFLOW_CONN_KAFKA_CONN
+              value: "{\"conn_type\": \"kafka\", \"extra\": {\"bootstrap.servers\": \"kafka-broker-default-0-listener-broker.$(NAMESPACE).svc.cluster.local:9093\", \"security.protocol\": \"SSL\", \"ssl.ca.location\": \"/stackable/kafka-tls-pem/ca.crt\", \"group.id\": \"airflow_group\", \"auto.offset.reset\": \"latest\"}}"
     roleGroups:
       default:
         replicas: 1
   kubernetesExecutors:
     envOverrides: *envOverrides
-    podOverrides: *podOverrides
   schedulers:
     envOverrides: *envOverrides
     podOverrides: *podOverrides
@@ -118,7 +124,7 @@ data:
     # Define an asset that watches for messages on the queue
     asset = Asset("kafka_queue_asset", watchers=[AssetWatcher(name="kafka_watcher", trigger=trigger)])
 
-    with DAG(dag_id="example_kafka_watcher", schedule=[asset]) as dag:
+    with DAG(dag_id="kafka_watcher", schedule=[asset]) as dag:
       EmptyOperator(task_id="task")
 
   date_demo.py: |

stacks/airflow/airflow.yaml

@@ -1,4 +1,13 @@
 ---
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: TrustStore
+metadata:
+  name: truststore-pem
+spec:
+  secretClassName: tls
+  format: tls-pem
+  targetKind: ConfigMap
+---
 apiVersion: kafka.stackable.tech/v1alpha1
 kind: KafkaCluster
 metadata:
@@ -8,7 +17,7 @@ spec:
     productVersion: 4.1.0
   clusterConfig:
     tls:
-      serverSecretClass: null
+      serverSecretClass: tls
   controllers:
     roleGroups:
       default:
@@ -17,6 +26,16 @@ spec:
     config:
       bootstrapListenerClass: cluster-internal
       brokerListenerClass: cluster-internal
+    podOverrides:
+        spec:
+          containers:
+            - name: kafka
+              env:
+              - name: BOOTSTRAP_SERVER
+                valueFrom:
+                  configMapKeyRef:
+                    name: kafka
+                    key: KAFKA
     roleGroups:
       default:
         replicas: 1