nais / kafkarator

Operator for Aiven Kafka topic and user management

License: MIT License

Makefile 0.30% Go 74.87% Shell 0.63% Python 16.87% Earthly 2.12% Smarty 5.20%
kafka kafka-operator kubernetes kubernetes-operator nais-features

kafkarator's Introduction

Kafkarator

Kafkarator is a Kubernetes operator on the NAIS platform, providing self-service functionality for Aiven hosted Kafka through Kubernetes resources.

Kafkarator defines a Kubernetes custom resource, kafka.nais.io/Topic. When users create or update this resource, Kafkarator translates it to Aiven topics and ACL entries.

Kafkarator operator sequence diagram

User documentation

Developer documentation

Kafkarator uses earthly via earthlyw for building.

Use ./earthlyw +docker to build docker images for kafkarator and canary.

Verifying the kafkarator images and their contents

The images are signed "keylessly" using Sigstore cosign. To verify their authenticity, run:

cosign verify \
--certificate-identity "https://github.com/nais/kafkarator/.github/workflows/main.yml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/kafkarator@sha256:<shasum>

The images are also attested with SBOMs in the CycloneDX format. You can verify these by running:

cosign verify-attestation --type cyclonedx  \
--certificate-identity "https://github.com/nais/kafkarator/.github/workflows/main.yml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
europe-north1-docker.pkg.dev/nais-io/nais/images/kafkarator@sha256:<shasum>
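
Once `cosign verify-attestation` has succeeded, the SBOM itself can be read out of the envelope it prints. The following is an added example, not part of the kafkarator README or code base: it assumes the command prints one JSON envelope per attestation with a base64 `payload` holding an in-toto statement, and that the CycloneDX predicate type is `https://cyclonedx.org/bom`. `SBOMComponents` and `SampleLine` are hypothetical names, and the sample envelope is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statement holds the in-toto fields used here; encoding/json matches the
// lower-case JSON keys (predicateType, subject, ...) case-insensitively.
type statement struct {
	PredicateType string
	Subject       []struct{ Digest map[string]string }
	Predicate     struct {
		Components []struct{ Name, Version string }
	}
}

// SBOMComponents decodes one envelope line and returns "name@version" for each
// BOM component, refusing anything that is not CycloneDX for wantSHA256.
func SBOMComponents(line []byte, wantSHA256 string) ([]string, error) {
	var env struct{ Payload []byte } // encoding/json base64-decodes into []byte
	var st statement
	if err := json.Unmarshal(line, &env); err != nil {
		return nil, fmt.Errorf("envelope: %w", err)
	}
	if err := json.Unmarshal(env.Payload, &st); err != nil {
		return nil, fmt.Errorf("statement: %w", err)
	}
	bound := false
	for _, s := range st.Subject {
		bound = bound || s.Digest["sha256"] == wantSHA256
	}
	if st.PredicateType != "https://cyclonedx.org/bom" || !bound {
		return nil, fmt.Errorf("not a CycloneDX attestation for sha256:%s", wantSHA256)
	}
	var out []string
	for _, c := range st.Predicate.Components {
		out = append(out, c.Name+"@"+c.Version)
	}
	return out, nil
}

// SampleLine builds a constructed envelope (not real cosign output) for digest d.
func SampleLine(d string) []byte {
	st := `{"predicateType":"https://cyclonedx.org/bom","subject":[{"digest":{"sha256":"` + d + `"}}],` +
		`"predicate":{"components":[{"name":"example.com/lib","version":"v1.2.3"}]}}`
	line, _ := json.Marshal(map[string][]byte{"payload": []byte(st)})
	return line
}

func main() { fmt.Println(SBOMComponents(SampleLine("ab12"), "ab12")) }
```

Feed it only output from a `cosign verify-attestation` run that exited successfully; the decoding step does not check any signature.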

kafkarator's Issues

Don't allow Topics with MinISR > Replication

It is possible to create a topic where minimumInSyncReplicas > replication, which doesn't really make sense.
This will generate alerts from Kafka, and we should generally not allow this configuration to be created.

Topics that have failed sync due to a fatal error are never retried

In Kafkarator we have tried to build some logic to "give up" syncing topics where a "fatal" error occurs.
This is to avoid spinning on topics that cannot be reconciled without a user coming in and doing something.

What we lack is a way to detect that the problem has been fixed and try again.

We now have over 500 topics in dev-gcp that are FailedSynchronization because there were problems with Aiven's API:

Status:
  Errors:
    Get "https://api.aiven.io/v1/project/nav-dev/service": dial tcp 35.210.97.77:443: i/o timeout
  Fully Qualified Name:   aura.kafkarator-canary-dev-gcp
  Message:                Get "https://api.aiven.io/v1/project/nav-dev/service": dial tcp 35.210.97.77:443: i/o timeout
  Synchronization Hash:   943e4eb998b07c6
  Synchronization State:  FailedSynchronization
  Synchronization Time:   2022-11-25T12:16:25Z

If you restart Kafkarator, it will look at this and consider it "Synchronization already complete", because the i/o timeout against the API was considered a fatal error.

Perhaps we should build some mechanism to retry after a longer period, to catch cases where something has been resolved without a user having to go in and change the hash. At the same time, it is important not to just retry immediately on these errors.
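
One way to express the delayed retry discussed in the issue above, as an added example that is not part of the issue or of Kafkarator's code: a topic whose hash is unchanged but whose state is FailedSynchronization is reconciled again only after a waiting period. The `Status` type, `NextSync` and the one-hour `retryAfter` are assumptions of this example; the state name, hash and timestamp are taken from the status block in the issue.

```go
package main

import (
	"fmt"
	"time"
)

// Status mirrors the status fields shown in the issue (field names are this example's own).
type Status struct {
	State string    // e.g. "FailedSynchronization"
	Hash  string    // hash of the spec at the last sync attempt
	Time  time.Time // time of the last sync attempt
}

// NextSync reports whether to reconcile now and, if not, how long to wait
// before looking again. A failed topic with an unchanged hash is retried only
// once retryAfter has passed, so a persistent error does not cause a hot loop.
func NextSync(st Status, specHash string, now time.Time, retryAfter time.Duration) (bool, time.Duration) {
	if st.Hash != specHash {
		return true, 0 // the spec changed: always reconcile
	}
	if st.State != "FailedSynchronization" {
		return false, 0 // unchanged and not failed: synchronization already complete
	}
	if wait := st.Time.Add(retryAfter).Sub(now); wait > 0 {
		return false, wait // failed recently: requeue for later instead of spinning
	}
	return true, 0 // failed long enough ago: the cause may have been fixed
}

func main() {
	// Constructed from the status block in the issue; retryAfter is an assumed value.
	last := time.Date(2022, 11, 25, 12, 16, 25, 0, time.UTC)
	failed := Status{State: "FailedSynchronization", Hash: "943e4eb998b07c6", Time: last}
	for _, now := range []time.Time{last.Add(10 * time.Minute), last.Add(2 * time.Hour)} {
		sync, wait := NextSync(failed, "943e4eb998b07c6", now, time.Hour)
		fmt.Printf("now=%s sync=%v wait=%s\n", now.Format(time.RFC3339), sync, wait)
	}
}
```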

ACTION REQUIRED: Changes to pulling Chainguard Images

Hey there Chainguard here.

We noticed that you are using Chainguard Images, thank you! We wanted to make you aware of an upcoming change that will impact your project.

Starting August 16, 2023 public users will no longer be able to pull images from our registry (cgr.dev/chainguard) by tags other than latest or latest-dev. Please see the announcement for more information.

You are currently using the following.

In https://github.com/nais/kafkarator/blob/fcbbad6dd2d274f29ef699d080c59c164f7d26ea/.github/workflows/main.yml:

  • cgr.dev/chainguard/go:1.20

In https://github.com/nais/kafkarator/blob/fcbbad6dd2d274f29ef699d080c59c164f7d26ea/Earthfile:

  • cgr.dev/chainguard/go:1.20

Our goal is to prevent your project from experiencing any disruptions. Please see the migration guide for options.

If there's more we can do to help please reply to this issue or email us at [email protected].

Thank you!

Manage Schema Registry ACLs

Aiven has introduced ACLs for Schema Registry. Previously there were no ACLs with regard to Schema Registry, but now it is possible to set ACLs that limit the users to specific subjects.

It's unclear exactly how it's best to use these, but experience from mtpilot indicates that at some point in the future the current way, where default is full access, will shift to default no access.

We should add Schema Registry ACLs when we create Topic ACLs, and manage them as a whole.
