Comments (7)
FTR, the clients have access to different topics; for example, Client A has ACLs for topic A but not topic B, and Client B has ACLs for topic B but not topic A.
So far the proxy can load only one client certificate. This could be extended by providing a list of client certs to load: https://github.com/grepplabs/kafka-proxy/blob/master/proxy/tls.go#L187
Each proxy works independently, so you can configure multiple proxies / proxy groups. The clients and proxies should be configured in such a way that the traffic from different groups is not mixed.
There is no real need to use a StatefulSet; you can use a Deployment as well.
The provided snippet sets up 1 proxy per broker. In this setup the proxy must know the mapping of the other proxies (the list of external-server-mappings), so STS is a way to provide consistent naming.
Thanks for the quick response @everesio!
Actually I don't need more than one client certificate per proxy group. I prefer each client to have a separate proxy group; this is a multi-tenant scenario, so having each tenant proxy in a different pod enables proxy resource limits (CPU, memory, open connections) at the tenant level. The client connects to a single proxy (tenant proxy) with the proper client certificate (tenant certificate), so traffic is not mixed. So all good here.
Thanks for explaining the reason for StatefulSet, I agree it simplifies the setup. Given my Kafka knowledge, I am a bit afraid about a particular scenario:
- Kafka with 3 brokers and 3 STS proxies, each proxy maps one broker as bootstrap and the 2 others as external, as in the example
- Because of a network problem, one stateful set goes into an unknown state
In this scenario K8s will not automatically replace the pod (the pod is not reachable) and will not add a new one. From the Kafka perspective all 3 brokers are healthy, so Kafka will continue to advertise the healthy broker with the unhealthy proxy, and the other two proxies will also continue mapping to the unhealthy proxy. Manual intervention for the unhealthy STS will be needed.
Feel free to clarify if I misunderstood anything.
We use AWS, so I am thinking about the following alternative:
- Set up an EC2 instance with an ENI for each proxy (an ENI provides a static private IP)
- When the EC2 instance is unhealthy, launch a new one and reassign the network interface to it
This is just an idea; I'm not sure how it works out (it seems to me this is the approach AWS MSK uses for replacing unhealthy nodes).
I also plan to try with K8s. However, as you mentioned, without a stateful set I will not have a static network interface, so it would be necessary to restart the two other proxies in order to change the external server mappings for the replaced pod. I need to think more about it; maybe DNS or some K8s resources will address it.
Anyway, things look promising. This project is a really unique offering in the Kafka proxies space right now :) Thank you for maintaining it.
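The "one proxy group per broker" layout discussed in the two comments above depends on every group rewriting broker addresses to the same stable peer names. The following added example (not code from the kafka-proxy project or from anyone in this thread) derives the per-group mapping flags for that layout and checks that the groups agree on each broker's advertised address; the broker and proxy hostnames are constructed placeholders, and the `--bootstrap-server-mapping` / `--external-server-mapping` flag layout is assumed to follow the upstream kafka-proxy documentation.

```python
from collections import defaultdict

# Constructed placeholder names (assumption, not from the thread).
BROKERS = ["kafka-0.example:9092", "kafka-1.example:9092", "kafka-2.example:9092"]
PROXIES = ["kafka-proxy-0.svc:32400", "kafka-proxy-1.svc:32401", "kafka-proxy-2.svc:32402"]

def group_flags(index, brokers, proxies):
    """Mapping flags for proxy group `index`; proxies[i] fronts brokers[i].

    Flag names and the "remote:port,listen:port[,advertised:port]" layout are
    assumed to follow the upstream kafka-proxy documentation.
    """
    if len(brokers) != len(proxies):
        raise ValueError("need exactly one proxy group per broker")
    flags = []
    for i, (broker, proxy) in enumerate(zip(brokers, proxies)):
        listen_port = proxy.rsplit(":", 1)[1]
        if i == index:
            # This group terminates client TLS for its own broker and advertises
            # its stable name so rewritten metadata stays consistent.
            flags.append(f"--bootstrap-server-mapping={broker},0.0.0.0:{listen_port},{proxy}")
        else:
            # No local listener: metadata naming this broker is rewritten to the
            # peer group's stable name, which is why that name must not change.
            flags.append(f"--external-server-mapping={broker},{proxy}")
    return flags

def advertised_addresses(all_group_flags):
    """broker -> set of addresses the groups collectively advertise for it."""
    seen = defaultdict(set)
    for flags in all_group_flags:
        for flag in flags:
            name, value = flag.split("=", 1)
            parts = value.split(",")
            # bootstrap mapping advertises its 3rd field, external mapping its 2nd
            seen[parts[0]].add(parts[2] if name == "--bootstrap-server-mapping" else parts[1])
    return dict(seen)

def inconsistent_brokers(all_group_flags):
    """Brokers advertised at more than one address across groups: the mixed or
    stale routing the thread worries about when a peer group is replaced."""
    return sorted(b for b, a in advertised_addresses(all_group_flags).items() if len(a) > 1)

if __name__ == "__main__":
    groups = [group_flags(i, BROKERS, PROXIES) for i in range(len(BROKERS))]
    for i, flags in enumerate(groups):
        print(f"group {i}: " + " ".join(flags))
    print("inconsistent:", inconsistent_brokers(groups))
```

Renaming one group's stable address (as happens when a replaced pod comes back under a different name) shows up as a non-empty `inconsistent_brokers` result, which is the condition that forces the other proxies to be restarted.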
For more HA, you can always increase the number of replicas of each group (STS).
Each replica from the same STS would represent the same broker node.
Each K8S service would load balance (for new connections) between the replicas of one STS.
@everesio good to know that I can have more than one instance of the proxy behind a load balancer port. I wonder if this works in the case of TLS and client certificates. We use AWS NLB with SSL passthrough, so that the client negotiates certificates with the proxy and the NLB (which is in the middle) just forwards the requests back and forth. AWS NLB does not have sticky sessions, so it may forward randomly; I'm not sure if it is going to stick the cert negotiation process with one proxy server and not fall back to another. We can test it though, so thanks for the tip.
The client will see only the names of N load balancers (each LB can represent a Kafka broker).
It is transparent if behind one LB there are M kafka-proxy pods connecting to one Kafka broker (N*M proxy pods in total).
TLS certs are checked only during connection creation, and connections are persistent.
@everesio thank you for the detailed explanation. This resolves my concerns.