|
| 1 | +# Prerequisites |
| 2 | + |
| 3 | +# Installation of the JMX-Exporter as a sidecar |
| 4 | +The JMX-Exporter can be easily installed in two steps. |
| 5 | + |
| 6 | +First deploy the ConfigMap which contains the Kafka JMX configurations. The following example is for a Kafka cluster which exposes the jmx port 9010: |
| 7 | +``` |
| 8 | +helm repo add promcat-charts https://sysdiglabs.github.io/integrations-charts |
| 9 | +helm repo update |
| 10 | +helm -n kafka install kafka-jmx-exporter promcat-charts/jmx-exporter --set jmx_port=9010 --set integrationType=kafka --set onlyCreateJMXConfigMap=true |
| 11 | +``` |
| 12 | + |
| 13 | +Then generate a patch file and apply it to your workload (your Kafka Deployment/StatefulSet/Daemonset). The following example is for a Kafka cluster which exposes the jmx port 9010, and is deployed as a StatefulSet called 'kafka-cp-kafka': |
| 14 | +``` |
| 15 | +helm template kafka-jmx-exporter promcat-charts/jmx-exporter --set jmx_port=9010 --set integrationType=kafka --set onlyCreateSidecarPatch=true > sidecar-patch.yaml |
| 16 | +kubectl -n kafka patch sts kafka-cp-kafka --patch-file sidecar-patch.yaml |
| 17 | +``` |
| 18 | + |
| 19 | +# Create Secrets for Authentication for the Kafka-Exporter |
| 20 | +Your Kafka cluster external endpoints might be secured by using authentication for the clients that want to connect to it (TLS, SASL+SCARM, SASL+Kerberos). |
| 21 | +If you are going to make the Kafka-Exporter (which will be deployed in the next tab) use these secured external endpoints, then you'll need to create Kubernetes Secrets in the following step. |
| 22 | +If you prefer using an internal not-secured (plaintext) endpoint for the Kafka-Exporter to connect to the Kafka cluster, then skip this step. |
| 23 | + |
| 24 | +If using TLS, you'll need to create a Secret which contains the CA, the client certificate and the client key. The names of these files must be "ca.crt", "tls.crt" and "tls.key". The name of the secret can be any name that you want. Example: |
| 25 | +``` |
| 26 | +kubectl create secret generic kafka-exporter-certs --from-file=./tls.key --from-file=./tls.crt --from-file=./ca.crt --dry-run=true -o yaml | kubectl apply -f - |
| 27 | +``` |
| 28 | + |
| 29 | +If using SASL+SCRAM, you'll need to create a Secret which contains the "username" and "password". Example: |
| 30 | +``` |
| 31 | +echo -n 'admin' > username |
| 32 | +echo -n '1f2d1e2e67df' > password |
| 33 | +kubectl create secret generic kafka-exporter-sasl-scram --from-file=username --from-file=password --dry-run=true -o yaml | kubectl apply -f - |
| 34 | +``` |
| 35 | + |
| 36 | +If using SASL+Kerberos, you'll need to create a Secret which contains the "kerberos.conf". If the 'Kerberos Auth Type' is 'keytabAuth', it should also contain the "kerberos.keytab". Example: |
| 37 | +``` |
| 38 | +kubectl create secret generic kafka-exporter-sasl-kerberos --from-file=./kerberos.conf --from-file=./kerberos.keytab --dry-run=true -o yaml | kubectl apply -f - |
| 39 | +``` |
| 40 | + |
| 41 | +# Installation of the Kafka-Exporter |
| 42 | +The Kafka-Exporter can be easily installed with one Helm command. The flags will change depending on the authentication used in Kafka. You can find more info about the flags in the [Kafka Exporter chart values.yaml](https://github.com/sysdiglabs/integrations-charts/blob/main/charts/kafka-exporter/values.yaml). |
| 43 | + |
| 44 | +Example of Kafka-Exporter without auth: |
| 45 | +``` |
| 46 | +helm -n kafka install kafka-exporter promcat-charts/kafka-exporter \ |
| 47 | + --set namespaceName="kafka" \ |
| 48 | + --set workloadType="statefulset" \ |
| 49 | + --set workloadName="kafka" \ |
| 50 | + --set kafkaServer[0]=kafka-cp-kafka:9092 |
| 51 | +``` |
| 52 | + |
| 53 | +Example of Kafka-Exporter with TLS auth: |
| 54 | +``` |
| 55 | +helm -n kafka install kafka-exporter promcat-charts/kafka-exporter \ |
| 56 | + --set namespaceName="kafka" \ |
| 57 | + --set workloadType="statefulset" \ |
| 58 | + --set workloadName="kafka" \ |
| 59 | + --set kafkaServer[0]=kafka-cp-kafka:9092 \ |
| 60 | + --set tls.enabled=true \ |
| 61 | + --set tls.insecureSkipVerify=false \ |
| 62 | + --set tls.serverName="kafkaServerName" \ |
| 63 | + --set tls.secretName="kafka-exporter-certs" |
| 64 | +``` |
| 65 | + |
| 66 | +Example of Kafka-Exporter with SASL+SCRAM auth: |
| 67 | +``` |
| 68 | +helm -n kafka install kafka-exporter promcat-charts/kafka-exporter \ |
| 69 | + --set namespaceName="kafka" \ |
| 70 | + --set workloadType="statefulset" \ |
| 71 | + --set workloadName="kafka" \ |
| 72 | + --set kafkaServer[0]=kafka-cp-kafka:9092 \ |
| 73 | + --set sasl.enabled=true \ |
| 74 | + --set sasl.handshake=true \ |
| 75 | + --set sasl.scram.enabled=true \ |
| 76 | + --set sasl.scram.mechanism="plain" \ |
| 77 | + --set sasl.scram.secretName="kafka-exporter-sasl-scram" |
| 78 | +``` |
| 79 | + |
| 80 | +Example of Kafka-Exporter with SASL+Kerberos auth: |
| 81 | +``` |
| 82 | +helm -n kafka install kafka-exporter promcat-charts/kafka-exporter \ |
| 83 | + --set namespaceName="kafka" \ |
| 84 | + --set workloadType="statefulset" \ |
| 85 | + --set workloadName="kafka" \ |
| 86 | + --set kafkaServer[0]=kafka-cp-kafka:9092 \ |
| 87 | + --set sasl.enabled=true \ |
| 88 | + --set sasl.handshake=true \ |
| 89 | + --set sasl.kerberos.enabled=true \ |
| 90 | + --set sasl.kerberos.serviceName="kerberos-service" \ |
| 91 | + --set sasl.kerberos.realm="kerberos-realm" \ |
| 92 | + --set sasl.kerberos.kerberosAuthType="keytabAuth" \ |
| 93 | + --set sasl.kerberos.secretName="kafka-exporter-sasl-kerberos" |
| 94 | +``` |
| 95 | + |
| 96 | +You can find below ConfigMap with the JMX configurations for Kafka, a patch for the JMX-exporter as a sidecar, a deployment with the Kafka-Exporter without auth, and the Sysdig Agent ConfigMap with the Prometheus job to scrape both exporters. |
0 commit comments