Alain Lavoie

Reputation: 13

Strimzi Kafka exposed via ingress in GKE

I have a Kafka cluster created with the Strimzi operator in our GKE cluster. I need to have it exposed over an ingress to allow an external team to interact with it for development purposes.

I am trying to expose it over the internet, but I can't seem to find the right configuration in GKE. It needs to do an SSL passthrough. Is this supported in GKE?

I tried with multiple configurations, but no IP address is assigned to it.

Here is the cluster configuration that I am using.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: cmc-cluster
spec:
  kafka:
    version: 2.8.0
    replicas: 3
    listeners:
      - name: test1
        port: 9098
        type: ingress
        tls: true
        authentication:
          type: scram-sha-512
        configuration:
          bootstrap:
            host: kafka-bootstrap.dev.testdomain.io
            annotations:
              kubernetes.io/ingress.class: nginx
          brokers:
            - host: kafka-broker0.dev.testdomain.io
              broker: 0
              annotations:
                kubernetes.io/ingress.class: nginx
            - host: kafka-broker1.dev.testdomain.io
              broker: 1
              annotations:
                kubernetes.io/ingress.class: nginx
            - host: kafka-broker2.dev.testdomain.io
              broker: 2
              annotations:
                kubernetes.io/ingress.class: nginx
          brokerCertChainAndKey:
            secretName: kafka-dev-tls
            certificate: tls.crt
            key: tls.key
    config:
      auto.create.topics.enable: "false"
    authorization:
      type: simple

Can anyone help me?

Upvotes: 0

Views: 1131

Answers (1)

Alain Lavoie

Reputation: 13

I managed to find a solution to my problem. It seems it does not work with ingress because GCP ingresses are L7 load balancers using only HTTP/HTTPS. So I had to leverage a Service load balancer (L4), which allows TCP tunnelling.

I just had to rework some annotations which were in externalBootstrapService and perPodService and move them into their specific listener.

Here is my new config.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: cmc-cluster
spec:
  kafka:
    version: 2.8.0
    replicas: 3
    listeners:
      - name: test1
        port: 9098
        type: loadbalancer
        tls: true
        authentication:
          type: scram-sha-512
        configuration:
          bootstrap:
            loadBalancerIP: <ip bootstrap>
          brokers:
            - broker: 0
              advertisedHost: kafka-broker0.dev.testdomain.io
              loadBalancerIP: <ip broker-0>
            - broker: 1
              advertisedHost: kafka-broker1.dev.testdomain.io
              loadBalancerIP: <ip broker-1>
            - broker: 2
              advertisedHost: kafka-broker2.dev.testdomain.io
              loadBalancerIP: <ip broker-2>
          brokerCertChainAndKey:
            secretName: kafka-dev-tls
            certificate: tls.crt
            key: tls.key
    config:
      auto.create.topics.enable: "false"
    authorization:
      type: simple

Upvotes: 1
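The two listener configurations in this thread differ in exactly the places that decide whether the exposed cluster is reachable and whether the TLS name clients see matches the custom certificate. The following lint, added here as an example (it is neither Strimzi code nor the poster's), walks a Kafka CR and flags those points: an external listener without tls or authentication, a missing spec.kafka.authorization, an ingress listener (which on GKE needs an ingress controller capable of TLS passthrough rather than the built-in L7 ingress), and loadbalancer brokers without advertisedHost. Both CRs are transcribed from the question and the answer into Python dicts; the SAN list for the kafka-dev-tls certificate and the helper names (_listener, _cr, lint_kafka_cr) are assumptions made for the demo.

```python
"""Lint a Strimzi Kafka CR for the external-exposure pitfalls discussed above.

Added example, not Strimzi or the poster's code. The CRs are transcribed from the
question/answer; the certificate SAN list is constructed for the demo.
"""
from typing import Any, Dict, List, Optional

# Listener types that hand out addresses reachable from outside the cluster.
EXTERNAL_TYPES = {"ingress", "loadbalancer", "nodeport", "route"}


def _hosts_for_listener(listener: Dict[str, Any]) -> List[str]:
    """Names clients will be told to connect to, as far as the CR states them."""
    conf = listener.get("configuration", {})
    brokers = conf.get("brokers", [])
    if listener.get("type") == "ingress":
        hosts = [conf.get("bootstrap", {}).get("host")]
        hosts += [b.get("host") for b in brokers]
    else:
        hosts = [b.get("advertisedHost") for b in brokers]
    return [h for h in hosts if h]


def lint_kafka_cr(cr: Dict[str, Any], cert_sans: Optional[List[str]] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    kafka = cr.get("spec", {}).get("kafka", {})
    if not kafka.get("authorization"):
        findings.append("spec.kafka.authorization unset: every authenticated user gets full access")
    for lst in kafka.get("listeners", []):
        name, ltype = lst.get("name", "?"), lst.get("type")
        if ltype not in EXTERNAL_TYPES:
            continue  # internal listeners are not reachable from outside the cluster
        if not lst.get("tls"):
            findings.append(f"listener {name}: external listener without tls: true")
        if not lst.get("authentication"):
            findings.append(f"listener {name}: external listener without authentication")
        if ltype == "ingress":
            findings.append(f"listener {name}: type ingress needs an ingress controller with "
                            "TLS passthrough (the GKE L7 ingress only speaks HTTP/HTTPS)")
        conf = lst.get("configuration", {})
        if ltype == "loadbalancer":
            for b in conf.get("brokers", []):
                if not b.get("advertisedHost"):
                    findings.append(f"listener {name}: broker {b.get('broker')} has no advertisedHost, "
                                    "so the advertised address is whatever the load balancer reports")
        # With a custom certificate, every advertised name must be a SAN or clients fail TLS.
        if conf.get("brokerCertChainAndKey") and cert_sans is not None:
            for h in _hosts_for_listener(lst):
                if h not in cert_sans:
                    findings.append(f"listener {name}: {h} is not covered by the custom certificate")
    return findings


def _listener(ltype: str, configuration: Dict[str, Any]) -> Dict[str, Any]:
    """The listener shared by both CRs on the page, minus the type-specific part."""
    return {"name": "test1", "port": 9098, "type": ltype, "tls": True,
            "authentication": {"type": "scram-sha-512"}, "configuration": configuration}


def _cr(listener: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap one listener in the cmc-cluster CR from the page."""
    return {"apiVersion": "kafka.strimzi.io/v1beta2", "kind": "Kafka",
            "metadata": {"name": "cmc-cluster"},
            "spec": {"kafka": {"version": "2.8.0", "replicas": 3, "listeners": [listener],
                               "config": {"auto.create.topics.enable": "false"},
                               "authorization": {"type": "simple"}}}}


CERT = {"secretName": "kafka-dev-tls", "certificate": "tls.crt", "key": "tls.key"}
HOSTS = [f"kafka-broker{i}.dev.testdomain.io" for i in range(3)]

# Listener from the question: type ingress, annotated for nginx.
INGRESS_CR = _cr(_listener("ingress", {
    "bootstrap": {"host": "kafka-bootstrap.dev.testdomain.io",
                  "annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "brokers": [{"host": h, "broker": i, "annotations": {"kubernetes.io/ingress.class": "nginx"}}
                for i, h in enumerate(HOSTS)],
    "brokerCertChainAndKey": CERT}))

# Listener from the answer: type loadbalancer with per-broker advertisedHost.
LB_CR = _cr(_listener("loadbalancer", {
    "bootstrap": {"loadBalancerIP": "<ip bootstrap>"},
    "brokers": [{"broker": i, "advertisedHost": h, "loadBalancerIP": f"<ip broker-{i}>"}
                for i, h in enumerate(HOSTS)],
    "brokerCertChainAndKey": CERT}))

# Constructed SAN list for the kafka-dev-tls certificate (not taken from the page).
SANS = ["kafka-bootstrap.dev.testdomain.io"] + HOSTS

if __name__ == "__main__":
    for label, cr in (("ingress", INGRESS_CR), ("loadbalancer", LB_CR)):
        print(label, lint_kafka_cr(cr, SANS) or "ok")
```

Run against the two CRs, the ingress one produces a single finding (the passthrough requirement) and the loadbalancer one none; dropping an advertisedHost or the SAN for a broker makes the corresponding finding appear, which is the failure mode where clients bootstrap fine and then fail TLS against an individual broker.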
