From a11732a62336a65c6f0382b7639d82865a791363 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 10 Sep 2024 02:15:42 -0700 Subject: [PATCH] Add gateway and keda support to kafka-ui Signed-off-by: Tamal Saha --- charts/kafka-ui/README.md | 133 +++++++++++++++---------- charts/kafka-ui/artifacthub-repo.yml | 15 --- charts/kafka-ui/index.yaml | 3 - charts/kafka-ui/templates/NOTES.txt | 21 ---- charts/kafka-ui/templates/_helpers.tpl | 18 ++++ charts/kafka-ui/templates/gw.yaml | 85 ++++++++++++++++ charts/kafka-ui/templates/ingress.yaml | 95 ------------------ charts/kafka-ui/templates/keda.yaml | 20 ++++ charts/kafka-ui/values.yaml | 108 ++++++++++++-------- 9 files changed, 272 insertions(+), 226 deletions(-) delete mode 100644 charts/kafka-ui/artifacthub-repo.yml delete mode 100644 charts/kafka-ui/index.yaml create mode 100644 charts/kafka-ui/templates/gw.yaml delete mode 100644 charts/kafka-ui/templates/ingress.yaml create mode 100644 charts/kafka-ui/templates/keda.yaml diff --git a/charts/kafka-ui/README.md b/charts/kafka-ui/README.md index 6c4baffb..3b6d1a9d 100644 --- a/charts/kafka-ui/README.md +++ b/charts/kafka-ui/README.md 
@@ -45,59 +45,86 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the `kafka-ui` chart and their default values. -| Parameter | Description | Default | -|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------| -| replicaCount | | 1 | -| image.registry | | docker.io | -| image.repository | | provectuslabs/kafka-ui | -| image.pullPolicy | | IfNotPresent | -| image.tag | Overrides the image tag whose default is the chart appVersion. | "" | -| imagePullSecrets | | [] | -| nameOverride | | "" | -| fullnameOverride | | "" | -| serviceAccount.create | Specifies whether a service account should be created | true | -| serviceAccount.annotations | Annotations to add to the service account | {} | -| serviceAccount.name | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | "" | -| existingConfigMap | | "" | -| yamlApplicationConfig | | {} | -| yamlApplicationConfigConfigMap | kafka: clusters: - name: yaml bootstrapServers: kafka-service:9092 spring: security: oauth2: auth: type: disabled management: health: ldap: enabled: false | {} | -| existingSecret | keyName: config.yml name: configMapName | "" | -| envs.secret | | {} | -| envs.config | | {} | -| networkPolicy.enabled | | false | -| networkPolicy.egressRules.customRules | # Additional custom egress rules # e.g: # customRules: # - to: # - namespaceSelector: # matchLabels: # label: example | [] | -| networkPolicy.ingressRules.customRules | # Additional custom ingress rules # e.g: # customRules: # - from: # - namespaceSelector: # matchLabels: # label: example | [] | -| podAnnotations | | {} | -| podLabels | | {} | -| annotations | # Annotations to be added to kafka-ui Deployment # | {} | -| probes.useHttpsScheme | | false | -| podSecurityContext | | {} | -| securityContext | | {} | -| service.type | | ClusterIP | -| service.port | | 80 | -| ingress.enabled | Enable ingress resource | false | -| ingress.annotations | Annotations for the Ingress | {} | -| ingress.ingressClassName | ingressClassName for the Ingress | "" | -| ingress.path | The path for the Ingress | "/" | -| ingress.pathType | The path type for the Ingress | "Prefix" | -| ingress.host | The hostname for the Ingress | "" | -| ingress.tls.enabled | Enable TLS termination for the Ingress | false | -| ingress.tls.secretName | the name of a pre-created Secret containing a TLS private key and certificate | "" | -| ingress.precedingPaths | HTTP paths to add to the Ingress before the default path | [] | -| ingress.succeedingPaths | Http paths to add to the Ingress after the default path | [] | -| resources | | {} | -| autoscaling.enabled | | false | -| autoscaling.minReplicas | | 1 | -| autoscaling.maxReplicas | | 100 | -| 
autoscaling.targetCPUUtilizationPercentage | | 80 | -| nodeSelector | | {} | -| tolerations | | [] | -| affinity | | {} | -| env | | {} | -| initContainers | | {} | -| volumeMounts | | {} | -| volumes | | {} | -| namespace.create | | false | +| Parameter | Description | Default | +|--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| replicaCount | | 1 | +| image.registry | | docker.io | +| image.repository | | provectuslabs/kafka-ui | +| image.pullPolicy | | IfNotPresent | +| image.tag | Overrides the image tag whose default is the chart appVersion. | "" | +| imagePullSecrets | | [] | +| nameOverride | | "" | +| fullnameOverride | | "" | +| serviceAccount.create | Specifies whether a service account should be created | true | +| serviceAccount.annotations | Annotations to add to the service account | {} | +| serviceAccount.name | The name of the service account to use. 
If not set and create is true, a name is generated using the fullname template | "" | +| existingConfigMap | | "" | +| yamlApplicationConfig | | {} | +| yamlApplicationConfigConfigMap | kafka: clusters: - name: yaml bootstrapServers: kafka-service:9092 spring: security: oauth2: auth: type: disabled management: health: ldap: enabled: false | {} | +| existingSecret | keyName: config.yml name: configMapName | "" | +| envs.secret | | {} | +| envs.config | | {} | +| networkPolicy.enabled | | false | +| networkPolicy.egressRules.customRules | # Additional custom egress rules # e.g: # customRules: # - to: # - namespaceSelector: # matchLabels: # label: example | [] | +| networkPolicy.ingressRules.customRules | # Additional custom ingress rules # e.g: # customRules: # - from: # - namespaceSelector: # matchLabels: # label: example | [] | +| podAnnotations | | {} | +| podLabels | | {} | +| annotations | # Annotations to be added to kafka-ui Deployment # | {} | +| probes.useHttpsScheme | | false | +| podSecurityContext | | {} | +| securityContext | | {} | +| service.type | | ClusterIP | +| service.port | | 80 | +| ingress.enabled | Enable ingress resource | false | +| ingress.annotations | Annotations for the Ingress | {} | +| ingress.ingressClassName | ingressClassName for the Ingress | "" | +| ingress.path | The path for the Ingress | "/" | +| ingress.pathType | The path type for the Ingress | "Prefix" | +| ingress.host | The hostname for the Ingress | "" | +| ingress.tls.enabled | Enable TLS termination for the Ingress | false | +| ingress.tls.secretName | the name of a pre-created Secret containing a TLS private key and certificate | "" | +| ingress.precedingPaths | HTTP paths to add to the Ingress before the default path | [] | +| ingress.succeedingPaths | Http paths to add to the Ingress after the default path | [] | +| resources | | {} | +| autoscaling.enabled | | false | +| autoscaling.minReplicas | | 1 | +| autoscaling.maxReplicas | | 100 | +| 
autoscaling.targetCPUUtilizationPercentage | | 80 | +| nodeSelector | | {} | +| tolerations | | [] | +| affinity | | {} | +| env | | {} | +| initContainers | | {} | +| volumeMounts | | {} | +| volumes | | {} | +| namespace.create | | false | +| gateway.className | | "ace" | +| gateway.port | | 8082 | +| gateway.tlsSecretRef.name | | service-presets-cert | +| gateway.tlsSecretRef.namespace | | ace | +| gateway.referenceGrant.create | | true | +| keda.proxyService.namespace | | "keda" | +| keda.proxyService.name | | "keda-add-ons-http-interceptor-proxy" | +| keda.proxyService.port | | 8080 | +| targetPendingRequests | | 200 | +| autoscaling.enabled | | false | +| autoscaling.minReplicas | | 1 | +| autoscaling.maxReplicas | | 100 | +| autoscaling.targetCPUUtilizationPercentage | | 80 | +| app.service.name | | "" | +| app.service.namespace | | "" | +| app.authSecret.name | | "" | +| bind.name | | "" | +| bind.namespace | | "" | +| authzproxy.enabled | | false | +| authzproxy.repository | KubeDB operator container image | appscode/kube-authz-proxy | +| authzproxy.tag | KubeDB operator container image tag | "v0.0.1" | +| authzproxy.securityContext | Security options this container should run with | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}} | +| authzproxy.resources | Compute Resources required by this container | {} | +| authzproxy.params.listen | | 8000 | +| authzproxy.params.metricsAddr | | 8080 | +| authzproxy.params.platformURL | | "" | +| authzproxy.params.platformCABundle | | "" | Specify each parameter using the `--set key=value[,key=value]` argument to `helm upgrade -i`. For example: diff --git a/charts/kafka-ui/artifacthub-repo.yml b/charts/kafka-ui/artifacthub-repo.yml deleted file mode 100644 index be24bea1..00000000 --- a/charts/kafka-ui/artifacthub-repo.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -# Artifact Hub repository metadata file -# -# Some settings like the verified publisher flag or the ignored packages won't -# be applied until the next time the repository is processed. Please keep in -# mind that the repository won't be processed if it has not changed since the -# last time it was processed. Depending on the repository kind, this is checked -# in a different way. For Helm http based repositories, we consider it has -# changed if the `index.yaml` file changes. For git based repositories, it does -# when the hash of the last commit in the branch you set up changes. This does -# NOT apply to ownership claim operations, which are processed immediately. -# -repositoryID: 243d43a8-9c5f-42b8-8173-c23350ed1e7a -owners: - - name: maintainers.kafka-ui - email: maintainers.kafka-ui@provectus.com \ No newline at end of file diff --git a/charts/kafka-ui/index.yaml b/charts/kafka-ui/index.yaml deleted file mode 100644 index 87280719..00000000 --- a/charts/kafka-ui/index.yaml +++ /dev/null @@ -1,3 +0,0 @@ -apiVersion: v1 -entries: {} -generated: "2021-11-11T12:26:08.479581+03:00" diff --git a/charts/kafka-ui/templates/NOTES.txt b/charts/kafka-ui/templates/NOTES.txt index 94e8d394..e69de29b 100644 --- a/charts/kafka-ui/templates/NOTES.txt +++ b/charts/kafka-ui/templates/NOTES.txt 
@@ -1,21 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "kafka-ui.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "kafka-ui.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "kafka-ui.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kafka-ui.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:8080 -{{- end }} diff --git a/charts/kafka-ui/templates/_helpers.tpl b/charts/kafka-ui/templates/_helpers.tpl index 7155681a..316edb84 100644 --- a/charts/kafka-ui/templates/_helpers.tpl +++ b/charts/kafka-ui/templates/_helpers.tpl 
@@ -82,3 +82,21 @@ This allows us to check if the registry of the image is specified or not. {{- end }} {{- end -}} +{{/* +Fake keda hostname +*/}} +{{- define "keda.hostname" -}} +{{- printf "pgadmin.%s.%s.%s.%s.kubedb.test" .Values.bind.name .Values.bind.namespace .Values.app.service.name .Values.app.service.namespace | quote }} +{{- end }} + +{{- define "image.dockerHub" -}} +{{ list .Values.proxies.dockerHub ._repo | compact | join "/" }} +{{- end }} + +{{- define "image.dockerLibrary" -}} +{{ prepend (list ._repo) (list .Values.proxies.dockerLibrary .Values.proxies.dockerHub | compact | first) | compact | join "/" }} +{{- end }} + +{{- define "image.ghcr" -}} +{{ list .Values.proxies.ghcr ._repo | compact | join "/" }} +{{- end }} diff --git a/charts/kafka-ui/templates/gw.yaml b/charts/kafka-ui/templates/gw.yaml new file mode 100644 index 00000000..b258a821 --- /dev/null +++ b/charts/kafka-ui/templates/gw.yaml 
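Review bot: The `keda.hostname` helper hard-codes a `pgadmin.` prefix in a kafka-ui chart, and with the chart's empty defaults for `bind.*` and `app.service.*` it renders `pgadmin.....kubedb.test`, a name with empty DNS labels that the Gateway API hostname validation is likely to reject on the HTTPRoute's URLRewrite filter. Because this value is the only thing tying the HTTPRoute rewrite in gw.yaml to the HTTPScaledObject host in keda.yaml, another chart rendering the same pattern with the same bind/app values would give the KEDA interceptor two objects for one host and could send one UI's traffic to the other, so the prefix should identify this chart: `{{- printf "kafka-ui.%s.%s.%s.%s.kubedb.test" .Values.bind.name .Values.bind.namespace .Values.app.service.name .Values.app.service.namespace | quote }}`. The header comment `Fake keda hostname` would be more useful as `Synthetic hostname shared by the HTTPRoute URLRewrite (gw.yaml) and the HTTPScaledObject (keda.yaml); it is never resolved in DNS`. The `image.dockerHub`/`image.dockerLibrary`/`image.ghcr` helpers read `.Values.proxies.*`, which no hunk in this commit defines; if `proxies` is not already present in values.yaml, rendering any template that includes them fails with a nil-pointer error.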
@@ -0,0 +1,85 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{ include "kafka-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + {{- if .Values.gateway.nodePort }} + annotations: + port-mapping.gateway.voyagermesh.com/{{ .Values.gateway.port }}: {{ .Values.gateway.nodePort }} + {{- end }} +spec: + gatewayClassName: {{ .Values.gateway.className }} + listeners: + - name: {{ include "kafka-ui.fullname" . }} + protocol: HTTPS + port: {{ .Values.gateway.port }} + tls: + certificateRefs: + - group: "" + kind: Secret + name: {{ .Values.gateway.tlsSecretRef.name }} + namespace: {{ .Values.gateway.tlsSecretRef.namespace }} + mode: Terminate + +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ include "kafka-ui.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: {{ include "kafka-ui.fullname" . }} + namespace: {{ .Release.Namespace }} + sectionName: {{ include "kafka-ui.fullname" . }} + rules: + - backendRefs: + - group: "" + kind: Service + name: {{ .Values.keda.proxyService.name }} + namespace: {{ .Values.keda.proxyService.namespace }} + port: {{ .Values.keda.proxyService.port }} + weight: 1 + matches: + - path: + type: PathPrefix + value: / + filters: + - type: URLRewrite + urlRewrite: + hostname: {{ include "keda.hostname" . 
}} +--- +{{ if .Values.gateway.referenceGrant.create }} + +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: dbui-cert-{{ .Release.Namespace }} + namespace: {{ .Values.gateway.tlsSecretRef.namespace }} +spec: + from: + - group: gateway.networking.k8s.io + kind: Gateway + namespace: {{ .Release.Namespace }} + to: + - group: "" + kind: Secret + name: {{ .Values.gateway.tlsSecretRef.name }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: dbui-httproute-{{ .Release.Namespace }} + namespace: {{ .Values.keda.proxyService.namespace }} +spec: + from: + - group: gateway.networking.k8s.io + kind: HTTPRoute + namespace: {{ .Release.Namespace }} + to: + - group: "" + kind: Service + name: {{ .Values.keda.proxyService.name }} +{{ end }} diff --git a/charts/kafka-ui/templates/ingress.yaml b/charts/kafka-ui/templates/ingress.yaml deleted file mode 100644 index 75b107bd..00000000 --- a/charts/kafka-ui/templates/ingress.yaml +++ /dev/null 
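Review bot: The Gateway and HTTPRoute are rendered unconditionally, so every install now publishes kafka-ui on an HTTPS listener, whereas the ingress.yaml this commit deletes was gated on `ingress.enabled: false`; with the default application config whose README row shows `auth: type: disabled`, that is an authentication-free UI exposed by default, and it also makes the Gateway API CRDs a hard install requirement. Wrapping this template (and templates/keda.yaml, which has the same issue) in an opt-in `enabled` flag under `gateway:` restores the behaviour the chart had. The nodePort annotation value under the `port-mapping.gateway.voyagermesh.com/...` key is an unquoted integer, which the API server rejects because annotation values must be strings; use `{{ .Values.gateway.nodePort | quote }}`. The ReferenceGrant names `dbui-cert-{{ .Release.Namespace }}` and `dbui-httproute-{{ .Release.Namespace }}` are keyed only on the namespace, so a second release of this chart (or a sibling chart using the same prefix) in the same namespace renders the same object in the `ace` and `keda` namespaces and Helm refuses the second install on ownership; including `{{ include "kafka-ui.fullname" . }}` in the name avoids this. The new resources also carry none of the `kafka-ui.labels` that the deleted Ingress applied.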
@@ -1,95 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "kafka-ui.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- $kubeCapabilityVersion := semver .Capabilities.KubeVersion.Version -}} -{{- $isHigher1p19 := ge (semver "1.19" | $kubeCapabilityVersion.Compare) 0 -}} -{{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") $isHigher1p19 -}} -apiVersion: networking.k8s.io/v1 -{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{- else }} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "kafka-ui.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if .Values.ingress.tls.enabled }} - tls: - - hosts: - - {{ tpl .Values.ingress.host . }} - secretName: {{ .Values.ingress.tls.secretName }} - {{- end }} - {{- if .Values.ingress.ingressClassName }} - ingressClassName: {{ .Values.ingress.ingressClassName }} - {{- end }} - rules: - - http: - paths: -{{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") $isHigher1p19 -}} - {{- range .Values.ingress.precedingPaths }} - - path: {{ .path }} - pathType: {{ .pathType }} - backend: - service: - name: {{ .serviceName }} - port: - {{- if .servicePort }} - number: {{ .servicePort }} - {{- end }} - {{- if .servicePortName }} - name: {{ .servicePortName }} - {{- end }} - {{- end }} - - backend: - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - pathType: {{ .Values.ingress.pathType }} -{{- if .Values.ingress.path }} - path: {{ .Values.ingress.path }} -{{- end }} - {{- range .Values.ingress.succeedingPaths }} - - path: {{ .path }} - pathType: {{ .pathType }} - backend: - service: - name: {{ .serviceName }} - port: - number: {{ .servicePort }} - {{- end }} -{{- if tpl .Values.ingress.host . 
}} - host: {{tpl .Values.ingress.host . }} -{{- end }} -{{- else -}} - {{- range .Values.ingress.precedingPaths }} - - path: {{ .path }} - backend: - serviceName: {{ .serviceName }} - servicePort: {{ .servicePort }} - {{- end }} - - backend: - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} -{{- if .Values.ingress.path }} - path: {{ .Values.ingress.path }} -{{- end }} - {{- range .Values.ingress.succeedingPaths }} - - path: {{ .path }} - backend: - serviceName: {{ .serviceName }} - servicePort: {{ .servicePort }} - {{- end }} -{{- if tpl .Values.ingress.host . }} - host: {{ tpl .Values.ingress.host . }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kafka-ui/templates/keda.yaml b/charts/kafka-ui/templates/keda.yaml new file mode 100644 index 00000000..f6a02514 --- /dev/null +++ b/charts/kafka-ui/templates/keda.yaml @@ -0,0 +1,20 @@ +kind: HTTPScaledObject +apiVersion: http.keda.sh/v1alpha1 +metadata: + name: {{ include "kafka-ui.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + hosts: + - {{ include "keda.hostname" . }} + pathPrefixes: + - "/" + targetPendingRequests: {{ .Values.targetPendingRequests }} + scaleTargetRef: + name: {{ include "kafka-ui.fullname" . }} + kind: Deployment + apiVersion: apps/v1 + service: {{ include "kafka-ui.fullname" . }} + port: {{ .Values.service.port }} + replicas: + min: {{ .Values.autoscaling.http.minReplicas }} + max: {{ .Values.autoscaling.http.maxReplicas }} diff --git a/charts/kafka-ui/values.yaml b/charts/kafka-ui/values.yaml index 8741c4fa..dd16ba54 100644 --- a/charts/kafka-ui/values.yaml +++ b/charts/kafka-ui/values.yaml @@ -82,15 +82,14 @@ podSecurityContext: {} # fsGroup: 2000 -securityContext: {} - # allowPrivilegeEscalation: false +securityContext: + {} # capabilities: - # drop: ["ALL"] + # drop: + # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 65534 - # seccompProfile: - # type: RuntimeDefault + # runAsUser: 1000 service: type: ClusterIP 
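Review bot: The HTTPScaledObject's `spec.hosts` entry and the URLRewrite hostname in gw.yaml must stay identical for traffic to reach kafka-ui, but nothing in this file says so; a header comment such as `# Host must match the URLRewrite hostname in gw.yaml; both come from the keda.hostname helper` would keep a future edit from breaking the route silently. The `replicas.min`/`replicas.max` values come from the new `autoscaling.http` keys, while the README still lists `autoscaling.enabled`/`minReplicas`/`maxReplicas` for an HPA; if that HPA template still exists and is enabled, two autoscalers target the same Deployment and fight over its replica count, so the chart should at least document that `autoscaling.enabled` and HTTP scaling are mutually exclusive, or guard one template on the other. With `minReplicas: 0` the default is scale-to-zero, which is worth stating next to the value since the first request after idle waits for a cold start.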
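Review bot: The commented `securityContext` example drops `allowPrivilegeEscalation: false` and the `seccompProfile`/`RuntimeDefault` lines and lowers `runAsUser` to 1000, while the `authzproxy.securityContext` added further down this file sets exactly those fields; as this block is the only hardening guidance for the kafka-ui container itself, keep the example in step with the authzproxy defaults rather than weakening it. Splitting `securityContext:` and `{}` over two lines is also inconsistent with `podSecurityContext: {}` two lines above; `securityContext: {}` keeps the file uniform.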
@@ -100,39 +99,6 @@ service: # if you want to force a specific nodePort. Must be use with service.type=NodePort # nodePort: -# Ingress configuration -ingress: - # Enable ingress resource - enabled: false - - # Annotations for the Ingress - annotations: {} - - # ingressClassName for the Ingress - ingressClassName: "" - - # The path for the Ingress - path: "/" - - # The path type for the Ingress - pathType: "Prefix" - - # The hostname for the Ingress - host: "" - - # configs for Ingress TLS - tls: - # Enable TLS termination for the Ingress - enabled: false - # the name of a pre-created Secret containing a TLS private key and certificate - secretName: "" - - # HTTP paths to add to the Ingress before the default path - precedingPaths: [] - - # Http paths to add to the Ingress after the default path - succeedingPaths: [] - resources: {} # limits: 
@@ -165,3 +131,67 @@ volumes: {} namespace: create: false + +gateway: + className: "ace" + port: 8082 + # nodePort: 30080 + tlsSecretRef: + name: service-presets-cert + namespace: ace + referenceGrant: + create: true + +# This is the namespace that the ingress should be installed +# into. It should be set to the same namespace as the +# KEDA HTTP componentry is installed in. Defaults to the Helm +# chart release namespace +keda: + proxyService: + namespace: "keda" + name: "keda-add-ons-http-interceptor-proxy" + port: 8080 +targetPendingRequests: 200 +autoscaling: + http: + minReplicas: 0 + maxReplicas: 1 + +# authSecret, Bind CR, HelmRelease CR in same namespace +# db could be in cross namespace +app: + service: + name: "" + namespace: "" + authSecret: + name: "" +bind: + name: "" + namespace: "" + +authzproxy: + enabled: false + # KubeDB operator container image + repository: appscode/kube-authz-proxy + # KubeDB operator container image tag + tag: "v0.0.1" + # Security options this container should run with + securityContext: # +doc-gen:break + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + # Compute Resources required by this container + resources: {} + # requests: + # cpu: 100m + # memory: 128Mi + params: + listen: 8000 + metricsAddr: 8080 + platformURL: "" + platformCABundle: ""
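Review bot: The new `autoscaling:` block holding `http.minReplicas`/`http.maxReplicas` is appended at the end of the file, but the README hunk in this commit lists `autoscaling.enabled`, `autoscaling.minReplicas`, `autoscaling.maxReplicas` and `autoscaling.targetCPUUtilizationPercentage` twice, which suggests values.yaml already has a top-level `autoscaling:` key; a duplicate top-level key is rejected by Helm's YAML parser, so the `http:` map should be merged into the existing block (or the existing block confirmed absent). The comment above `keda:` describes "the namespace that the ingress should be installed into" and claims it defaults to the release namespace, neither of which matches the keys below, which name the KEDA HTTP add-on interceptor proxy Service and default to `keda`; replace it with `# Namespace, name and port of the KEDA HTTP add-on interceptor proxy Service that the HTTPRoute in gw.yaml forwards to.`. The `authzproxy` comments `KubeDB operator container image` and `KubeDB operator container image tag` describe a different component than `appscode/kube-authz-proxy`; `# kube-authz-proxy container image` and `# kube-authz-proxy container image tag` say what the values hold. `targetPendingRequests: 200` is a KEDA HTTP add-on setting and reads better nested under `keda:` alongside `proxyService`, though moving it means updating the reference in templates/keda.yaml.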