
WIP: GEFEST-856 Kafka authorization by key #462

Closed
wants to merge 11 commits into from
76 changes: 67 additions & 9 deletions charts/keys/README.md
Expand Up @@ -37,6 +37,14 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| `redis.image.repository` | Redis image repository. | `2gis-on-premise/keys-redis` |
| `redis.image.tag` | Redis image tag. | `6.2.6-alpine3.15` |

### Kubernetes [Pod Disruption Budget](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets) settings

| Name | Description | Value |
| -------------------- | --------------------------------------------------- | ------- |
| `pdb.enabled` | If PDB is enabled for the service | `false` |
| `pdb.minAvailable` | How many pods must be available after the eviction | `""` |
| `pdb.maxUnavailable` | How many pods can be unavailable after the eviction | `1` |

### Flags for enabling/disabling certain features.

| Name | Description | Value |
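Review bot: the `pdb.minAvailable` / `pdb.maxUnavailable` rows should state that only one of the two may be set, because Kubernetes rejects a PodDisruptionBudget that carries both fields, and nothing here tells the operator to blank the chart default `pdb.maxUnavailable: 1` before setting `pdb.minAvailable`. Suggest appending "Mutually exclusive with `pdb.maxUnavailable`" / "Mutually exclusive with `pdb.minAvailable`" to the two descriptions, and mentioning that the values may be an absolute count or a percentage, as the Kubernetes docs linked in the heading describe.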
Expand Down Expand Up @@ -154,6 +162,38 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about
| `tasker.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` |
| `tasker.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |

### Counter worker settings

| Name | Description | Value |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------- |
| `counter.enabled` | Counter worker is enabled. | `false` |
| `counter.replicas` | A replica count for the pod. | `1` |
| `counter.prometheus.scrape` | If Prometheus scrape is enabled. | `true` |
| `counter.resources.requests.cpu` | A CPU request. | `20m` |
| `counter.resources.requests.memory` | A memory request. | `32Mi` |
| `counter.resources.limits.cpu` | A CPU limit. | `1000m` |
| `counter.resources.limits.memory` | A memory limit. | `512Mi` |
| `counter.preloader.refreshTick` | Refresh interval for in-memory cache with keys info. | `1m` |
| `counter.updateStatusQueryTimeout` | Timeout for database queries to update key status. | `1s` |
| `counter.buffer` | **Settings for in-memory buffer for statistics data.** | |
| `counter.buffer.size` | The maximum size of the buffer. When the limit is reached, the data from the buffer is transferred to Redis. | `1000` |
| `counter.buffer.delay` | The maximum interval between data transfer operations from the buffer to Redis. | `1s` |

### Redis settings

| Name | Description | Value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | ------- |
| `counter.redis.retries` | | `5` |
| `counter.redis.minRetryBackoff` | | `100ms` |
| `counter.redis.maxRetryBackoff` | | `3s` |
| `counter.annotations` | Kubernetes [annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `counter.labels` | Kubernetes [labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `counter.podAnnotations` | Kubernetes [pod annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). | `{}` |
| `counter.podLabels` | Kubernetes [pod labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). | `{}` |
| `counter.nodeSelector` | Kubernetes [node selectors](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector). | `{}` |
| `counter.affinity` | Kubernetes pod [affinity settings](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). | `{}` |
| `counter.tolerations` | Kubernetes [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) settings. | `{}` |

### Redis settings

| Name | Description | Value |
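Review bot: the three `counter.redis.*` rows have empty Description cells, and the `### Redis settings` heading introduced above them covers `counter.annotations` through `counter.tolerations`, which are not Redis settings at all, while a second `### Redis settings` heading already follows immediately afterwards. Suggest filling the descriptions (for example "Number of retries for a failed Redis command", "Minimum backoff between retries", "Maximum backoff between retries") and moving the annotation, label and scheduling rows back under "Counter worker settings" so the Redis heading is not duplicated.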
Expand Down Expand Up @@ -195,15 +235,33 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about

### Kafka settings

| Name | Description | Value |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ |
| `kafka.audit` | **Settings for sending audit messages.** | |
| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` |
| `kafka.audit.topic` | Topic to produce audit messages. | `""` |
| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` |
| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` |
| Name | Description | Value |
| --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
| `kafka.main` | **Settings for read stat messages.** | |
| `kafka.main.clientPrefix` | Client prefix name | `""` |
| `kafka.main.brokers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
| `kafka.main.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
| `kafka.main.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |
| `kafka.main.username` | Username for authorization (SASL). | `""` |
| `kafka.main.password` | Password for authorization (SASL). | `""` |
| `kafka.main.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` |
| `kafka.main.tls.rootCert` | Root certificate. | `""` |
| `kafka.main.tls.cert` | Client certificate. | `""` |
| `kafka.main.tls.key` | Client key. | `""` |
| `kafka.main.topics.stats` | Topic to consume stat messages. | `""` |
| `kafka.audit` | **Settings for sending audit messages.** | |
| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` |
| `kafka.audit.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` |
| `kafka.audit.SASLMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` |
| `kafka.audit.username` | Username for authorization (SASL). | `""` |
| `kafka.audit.password` | Password for authorization (SASL). | `""` |
| `kafka.audit.topic` | Topic to produce audit messages. | `""` |
| `kafka.audit.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name | `false` |
| `kafka.audit.tls.rootCert` | Root certificate. | `""` |
| `kafka.audit.tls.cert` | Client certificate. | `""` |
| `kafka.audit.tls.key` | Client key. | `""` |
| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` |
| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` |

### LDAP connection settings

38 changes: 36 additions & 2 deletions charts/keys/templates/api/deployment.yaml
Expand Up @@ -37,6 +37,25 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if or (eq .Values.kafka.main.securityProtocol "SSL") (eq .Values.kafka.main.securityProtocol "SASL_SSL") }}
initContainers:
- name: copy-kafka-audit-certs
image: '{{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}'
imagePullPolicy: {{ .Values.imagePullPolicy }}
resources:
{{- toYaml .Values.api.resources | nindent 12 }}
command:
- /bin/sh
- -ec
- |
cp /tmp/certs/* /etc/2gis/secret/kafka-audit/
chmod 600 /etc/2gis/secret/kafka-audit/client.key
volumeMounts:
- name: {{ include "keys.name-kafka-audit-raw" . | quote }}
mountPath: /tmp/certs
- name: {{ include "keys.name-kafka-audit" . | quote }}
mountPath: /etc/2gis/secret/kafka-audit
{{- end }}
containers:
- name: keys-api
image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}
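Review bot: the `initContainers` guard tests `.Values.kafka.main.securityProtocol`, but the container it adds copies the kafka-audit certificates and mounts the `keys.name-kafka-audit-raw` / `keys.name-kafka-audit` volumes, which the `volumes:` block further down in this file defines only when `.Values.kafka.audit.securityProtocol` is `SSL` or `SASL_SSL`. With `main` on SSL and `audit` on PLAINTEXT the pod references undefined volumes and never starts; with the reverse, the key is mounted but never copied. Use the `audit` condition here, or better drop the copy step entirely: the only thing the script does beyond `cp` is `chmod 600 /etc/2gis/secret/kafka-audit/client.key`, which `defaultMode: 0400` on the secret volume (mounted `readOnly: true`) gives without staging the private key through an `emptyDir`. Also `.Values.backend.image.tag | default .Chart.AppVersion` on this line differs from the plain `.Values.backend.image.tag` used for `keys-api` just below; pick one.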
Expand All @@ -61,13 +80,28 @@ spec:
{{- if .Values.customCAs.bundle }}
{{- include "keys.env.custom.ca.path" . | nindent 12 }}
{{- end }}
{{- if .Values.customCAs.bundle }}
{{- if or (.Values.customCAs.bundle) (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }}
volumeMounts:
{{- if .Values.customCAs.bundle }}
{{- include "keys.custom.ca.volumeMounts" . | nindent 12 }}
{{- end }}
{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }}
- name: {{ printf "%s-kafka-audit" (include "keys.name" .) | quote }}
mountPath: /etc/2gis/secret/kafka-audit
{{- end }}
{{- end }}
{{- if .Values.customCAs.bundle }}
{{- if or (.Values.customCAs.bundle) (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }}
volumes:
{{- if .Values.customCAs.bundle }}
{{- include "keys.custom.ca.deploys.volumes" . | nindent 8 }}
{{- end }}
{{- if or (eq .Values.kafka.audit.securityProtocol "SSL") (eq .Values.kafka.audit.securityProtocol "SASL_SSL") }}
- name: {{ include "keys.name-kafka-audit-raw" . | quote }}
secret:
secretName: {{ include "keys.name-kafka-audit" . | quote }}
- name: {{ include "keys.name-kafka-audit" . | quote }}
emptyDir: {}
{{- end }}
{{- end }}
{{- with .Values.api.nodeSelector }}
nodeSelector:
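Review bot: the volumeMount `- name: {{ printf "%s-kafka-audit" (include "keys.name" .) | quote }}` builds the volume name by hand, while the `volumes:` entry and the init container use `include "keys.name-kafka-audit" .`; if that helper ever renders anything other than `<keys.name>-kafka-audit`, the mount points at a volume that does not exist and the pod fails to create. Use the helper in both places. The `emptyDir: {}` that receives the copied client key is node-disk backed by default; `emptyDir: { medium: Memory }` keeps the private key off the node's filesystem, the `secret:` volume should set `defaultMode`, and the mount should be `readOnly: true`. Replacing `{{- if .Values.customCAs.bundle }}` with the `or (...)` condition for both `volumeMounts:` and `volumes:` is correct, but the repeated four-way `or` on `securityProtocol` would read better as a single named template (for example `keys.kafka.audit.tls`) reused in all four places.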
20 changes: 20 additions & 0 deletions charts/keys/templates/api/pdb.yaml
@@ -0,0 +1,20 @@
{{- with .Values.pdb }}
{{- if .enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "keys.name" $ }}
labels:
{{- include "keys.labels" $ | nindent 4 }}
spec:
{{- if .minAvailable }}
minAvailable: {{ .minAvailable }}
{{- end }}
{{- if .maxUnavailable }}
maxUnavailable: {{ .maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "keys.selectorLabels" $ | nindent 6 }}
{{- end }}
{{- end }}
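Review bot: `{{- if .minAvailable }}` and `{{- if .maxUnavailable }}` are independent, so an operator who sets `pdb.minAvailable` while leaving the chart default `pdb.maxUnavailable: 1` gets a manifest with both fields, which the API server rejects because a PodDisruptionBudget may set only one. Render them as `{{- if .minAvailable }} minAvailable: ... {{- else if .maxUnavailable }} maxUnavailable: ... {{- end }}`, or `fail` when both are set. Two further checks: `policy/v1` needs Kubernetes 1.21+, so `kubeVersion` in Chart.yaml should say so; and since this file lives under templates/api/ but names the PDB `keys.name` and selects on `keys.selectorLabels`, confirm those labels do not also match the tasker and counter pods, otherwise one budget spans every component and node drains are blocked in ways the `pdb.*` description does not suggest.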