
WIP: GEFEST-856 Kafka authorization by key #462

Closed
wants to merge 11 commits into from
65 changes: 56 additions & 9 deletions charts/keys/README.md
Expand Up @@ -154,6 +154,48 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| `tasker.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` |
| `tasker.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |

### Counter service settings

| Name | Description | Value |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `counter.enabled` | Counter service is enabled. | `false` |
| `counter.replicas` | A replica count for the pod. | `1` |
| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` |
| `counter.resources.requests.cpu` | A CPU request. | `20m` |
| `counter.resources.requests.memory` | A memory request. | `32Mi` |
| `counter.resources.limits.cpu` | A CPU limit. | `1000m` |
| `counter.resources.limits.memory` | A memory limit. | `512Mi` |
| `counter.preloader.refreshTick` | If HPA is enabled for the service. | `1m` |
| `counter.updateStatusQueryTimeout` | Update status query timeout. | `1s` |
| `counter.buffer.size` | Buffer size | `1000` |
| `counter.buffer.delay` | Buffer delay | `1s` |
| `counter.kafka` | **Settings for read stat messages.** | |
| `counter.kafka.clientPrefix` | Client prefix name | `""` |
| `counter.kafka.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
| `counter.kafka.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `counter.kafka.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `counter.kafka.tls.enabled` | If tls connection to kafka is enabled. | `false` |
| `counter.kafka.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` |
| `counter.kafka.tls.rootCert` | Root certificate. | `""` |
| `counter.kafka.tls.cert` | Client certificate. | `""` |
| `counter.kafka.tls.key` | Client key. | `""` |
| `counter.kafka.topics.stats` | Topic to consume stat messages. | `""` |

### Redis settings

| Name | Description | Value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | ------- |
| `counter.redis.retries` | | `5` |
| `counter.redis.minRetryBackoff` | | `100ms` |
| `counter.redis.maxRetryBackoff` | | `3s` |
| `counter.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `counter.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `counter.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `counter.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `counter.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` |
| `counter.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` |
| `counter.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |

### Redis settings

| Name | Description | Value |
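Review bot: the description of `counter.preloader.refreshTick` ("If HPA is enabled for the service.") matches neither the key nor its `1m` default; it looks pasted from another row and should describe the preloader refresh interval. The `### Redis settings` heading that follows the counter table is also wrong for its contents: it holds the three `counter.redis.*` rows (all with empty descriptions) together with `counter.annotations`, `counter.nodeSelector` and the other scheduling keys, and a second `### Redis settings` heading follows right after it; move the scheduling rows into the counter table and give the redis rows descriptions. For `counter.kafka.tls.skipServerCertificateVerify`, state that `true` disables both chain and hostname verification and is intended only for test environments, since the value table is the only place an operator sees why the default is `false`.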
Expand Down Expand Up @@ -195,15 +237,20 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about

### Kafka settings

| Name | Description | Value |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `kafka.audit` | **Settings for sending audit messages.** | |
| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `kafka.audit.topic` | Topic to produce audit messages. | `""` |
| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` |
| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` |
| Name | Description | Value |
| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `kafka.audit` | **Settings for sending audit messages.** | |
| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `kafka.audit.topic` | Topic to produce audit messages. | `""` |
| `kafka.audit.tls.enabled` | If tls connection to kafka is enabled. | `false` |
| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` |
| `kafka.audit.tls.rootCert` | Root certificate. | `""` |
| `kafka.audit.tls.cert` | Client certificate. | `""` |
| `kafka.audit.tls.key` | Client key. | `""` |
| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` |
| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` |

### LDAP connection settings

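Review bot: `kafka.audit.tls.key` is documented as a plain chart value with no hint of how it is stored; the templates place it in a Secret, so say so here, and consider documenting a way to reference an existing Secret instead of inlining the private key in a values file that typically ends up in version control. The `kafka.audit.tls.skipServerCertificateVerify` row should also state that `true` turns off chain and hostname verification and is not for production, because this description is the only place the trade-off is visible.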
38 changes: 36 additions & 2 deletions charts/keys/templates/api/deployment.yaml
Expand Up @@ -37,6 +37,25 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.counter.kafka.tls.enabled }}
initContainers:
- name: copy-kafka-audit-certs
image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}'
imagePullPolicy: {{ .Values.imagePullPolicy }}
resources:
{{- toYaml .Values.api.resources | nindent 12 }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /etc/2gis/secret/kafka-audit/
chmod 600 /etc/2gis/secret/kafka-audit/client.key
volumeMounts:
- name: {{ include "keys.name-kafka-audit-raw" . | quote }}
mountPath: /tmp/certs
- name: {{ include "keys.name-kafka-audit" . | quote }}
mountPath: /etc/2gis/secret/kafka-audit
{{- end }}
containers:
- name: keys-api
image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}
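Review bot: the initContainer is gated on `.Values.counter.kafka.tls.enabled` but copies the audit certificates (`copy-kafka-audit-certs`, mounts named via `keys.name-kafka-audit*`), while the matching volumes later in this template are gated on `.Values.kafka.audit.tls.enabled`. With audit TLS on and counter TLS off the init container never runs and the emptyDir stays empty; with the opposite combination the init container mounts volumes that are never defined and the pod is rejected. Use `.Values.kafka.audit.tls.enabled` here. Separately, `chmod 600 /etc/2gis/secret/kafka-audit/client.key` only helps if the `keys-api` container runs as the same UID as the init container: the file keeps the init container's owner on the emptyDir, so a different UID in the main container gets permission denied. Pin `runAsUser` on both containers, or use group-readable permissions together with `fsGroup`.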
Expand All @@ -61,13 +80,28 @@ spec:
{{- if .Values.customCAs.bundle }}
{{- include "keys.env.custom.ca.path" . | nindent 12 }}
{{- end }}
{{- if .Values.customCAs.bundle }}
{{- if or .Values.customCAs.bundle .Values.kafka.audit.tls.enabled }}
volumeMounts:
{{- if .Values.customCAs.bundle }}
{{- include "keys.custom.ca.volumeMounts" . | nindent 12 }}
{{- end }}
{{- if .Values.kafka.audit.tls.enabled }}
- name: {{ printf "%s-kafka-audit" (include "keys.name" .) | quote }}
mountPath: /etc/2gis/secret/kafka-audit
{{- end }}
{{- end }}
{{- if .Values.customCAs.bundle }}
{{- if or .Values.customCAs.bundle .Values.kafka.audit.tls.enabled }}
volumes:
{{- if .Values.customCAs.bundle }}
{{- include "keys.custom.ca.deploys.volumes" . | nindent 8 }}
{{- end }}
{{- if .Values.kafka.audit.tls.enabled }}
- name: {{ include "keys.name-kafka-audit-raw" . | quote }}
secret:
secretName: {{ include "keys.name-kafka-audit" . | quote }}
- name: {{ include "keys.name-kafka-audit" . | quote }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with .Values.api.nodeSelector }}
nodeSelector:
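Review bot: the `volumeMounts` entry names the volume with `printf "%s-kafka-audit" (include "keys.name" .)` while the corresponding `volumes` entry (and the init container) use `include "keys.name-kafka-audit" .`; unless that helper expands to exactly the same string, the mount refers to a volume that does not exist and the pod fails validation. Use the same `include` in both places. Also, the client private key is copied into `emptyDir: {}`, which is backed by node disk by default; `emptyDir: { medium: Memory }` keeps the key off disk and is the usual choice for key material.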
89 changes: 89 additions & 0 deletions charts/keys/templates/counter/statefulset.yaml
@@ -0,0 +1,89 @@
{{- if .Values.counter.enabled }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "keys.counter.name" . }}
labels:
{{- include "keys.counter.labels" . | nindent 4 }}
{{- with .Values.counter.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ include "keys.counter.name" . }}
replicas: {{ .Values.counter.replicas }}
selector:
matchLabels:
{{- include "keys.counter.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
prometheus.io/path: "/metrics"
prometheus.io/port: "8090"
prometheus.io/scrape: "{{ .Values.counter.prometheus.scrape }}"
labels:
{{- include "keys.counter.selectorLabels" . | nindent 8 }}
spec:
{{- if .Values.counter.kafka.tls.enabled }}
initContainers:
- name: copy-counter-kafka-certs
image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}'
imagePullPolicy: {{ .Values.imagePullPolicy }}
resources:
{{- toYaml .Values.counter.resources | nindent 12 }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /etc/2gis/secret/kafka-counter/
chmod 600 /etc/2gis/secret/kafka-counter/client.key
volumeMounts:
- name: {{ include "keys.counter.name-kafka-raw" . | quote }}
mountPath: /tmp/certs
- name: {{ include "keys.counter.name-kafka" . | quote }}
mountPath: /etc/2gis/secret/kafka-counter
{{- end }}
containers:
- name: counter
image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: [ "keys-counter" ]
ports:
- name: http
containerPort: 8090
resources:
{{- toYaml .Values.counter.resources | nindent 12 }}
env:
{{- include "keys.env.db.deploys" . | nindent 12 }}
{{- include "keys.env.redis" . | nindent 12 }}
{{- include "keys.env.counter" . | nindent 12 }}
{{- if .Values.counter.kafka.tls.enabled }}
volumeMounts:
- name: {{ printf "%s-kafka" (include "keys.counter.name" .) | quote }}
mountPath: /etc/2gis/secret/kafka-counter
{{- end }}
{{- if .Values.counter.kafka.tls.enabled }}
volumes:
- name: {{ include "keys.counter.name-kafka-raw" . | quote }}
secret:
secretName: {{ include "keys.counter.name-kafka" . | quote }}
- name: {{ include "keys.counter.name-kafka" . | quote }}
emptyDir: {}
{{- end }}
{{- with .Values.counter.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.counter.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.counter.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
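Review bot: the same volume-name mismatch as in the api deployment: the `counter` container mounts `printf "%s-kafka" (include "keys.counter.name" .)` while the volume is named `include "keys.counter.name-kafka" .`; use the same `include` for both so the mount resolves. The `chmod 600` on `client.key` in the init container has the same UID caveat: the `counter` container must run as the same user as the init container, or the key is unreadable, so set a `securityContext` with `runAsUser` (and ideally `runAsNonRoot`) on the pod. The main container's `image:` omits the `| default .Chart.AppVersion` that the init container applies to `.Values.backend.image.tag`, so an unset tag yields an invalid `repository:` reference for one container but not the other; apply the default in both. Finally, consider `emptyDir: { medium: Memory }` for the copied key material instead of `emptyDir: {}`.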