feat(helm): add multi-cluster Kafka support with configurable clusters, per-cluster overrides, and enhanced Kerberos and JAAS options

Author: CoderYellow

kafka/README.md

@@ -30,3 +30,49 @@ API-family switches:
 For production, prefer providing an external Kerberos secret or RWX volume containing `client/krb5.conf` and service keytabs. When using a secret, set `kerberos.existingSecret` and map keys into nested paths with `kerberos.existingSecretItems`, for example `[{key: krb5.conf, path: client/krb5.conf}, {key: kafka-0.keytab, path: keytabs/kafka-0.keytab}]`.
 
 Kerberos clients should use the StatefulSet broker DNS names from the headless service. If exposing Kafka through an Istio TCP route, add a matching `kafka/<external-host>@REALM` service principal and keytab, or override the advertised listener and Kerberos principal pattern accordingly.
+
+## Multi-cluster example
+
+```yaml
+kafka:
+  clusters:
+    - name: primary
+      clusterId: MkU3OEVBNTcwNTJENDM2Qk
+    - name: standby
+      clusterId: zlFiTJelTOuhnklFwLWixw
+
+schemaRegistry:
+  kafkaCluster: primary
+
+topicInit:
+  kafkaCluster: primary
+
+kafbatUi:
+  autoClusters: true
+  clusters: []
+
+mirrorMaker:
+  enabled: true
+  properties: |
+    clusters = primary, standby
+
+    primary.bootstrap.servers = kafka-kafka-primary-0.kafka-kafka-primary-headless.kafka.svc.cluster.local:9092,kafka-kafka-primary-1.kafka-kafka-primary-headless.kafka.svc.cluster.local:9092
+    standby.bootstrap.servers = kafka-kafka-standby-0.kafka-kafka-standby-headless.kafka.svc.cluster.local:9092,kafka-kafka-standby-1.kafka-kafka-standby-headless.kafka.svc.cluster.local:9092
+
+    primary.security.protocol = SASL_PLAINTEXT
+    primary.sasl.mechanism = GSSAPI
+    primary.sasl.kerberos.service.name = kafka
+    primary.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/kerby/keytabs/mm2.keytab" principal="mm2/mm2.example.com@EXAMPLE.COM";
+
+    standby.security.protocol = SASL_PLAINTEXT
+    standby.sasl.mechanism = GSSAPI
+    standby.sasl.kerberos.service.name = kafka
+    standby.sasl.jaas.config = com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab="/kerby/keytabs/mm2.keytab" principal="mm2/mm2.example.com@EXAMPLE.COM";
+
+    primary->standby.enabled = true
+    primary->standby.topics = .*
+    replication.factor = 1
+    checkpoints.topic.replication.factor = 1
+    heartbeats.topic.replication.factor = 1
+    offset-syncs.topic.replication.factor = 1
+```

kafka/templates/_helpers.tpl

@@ -38,6 +38,109 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- default (include "kafka.fullname" .) .Values.kafka.service.nameOverride -}}
 {{- end -}}
 
+{{- define "kafka.effectiveClusters" -}}
+{{- if .Values.kafka.clusters -}}
+{{- toYaml .Values.kafka.clusters -}}
+{{- else -}}
+{{- toYaml (list (dict "name" "")) -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kafka.cluster.fullname" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- if $cluster.name -}}
+{{- printf "%s-%s" (include "kafka.fullname" $root) $cluster.name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- include "kafka.fullname" $root -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kafka.cluster.label" -}}
+{{- $cluster := .cluster -}}
+{{- default "default" $cluster.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "kafka.cluster.serviceName" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- if and $cluster.service $cluster.service.nameOverride -}}
+{{- $cluster.service.nameOverride -}}
+{{- else if and (not $cluster.name) $root.Values.kafka.service.nameOverride -}}
+{{- $root.Values.kafka.service.nameOverride -}}
+{{- else -}}
+{{- include "kafka.cluster.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kafka.cluster.headlessServiceName" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- if and $cluster.headlessService $cluster.headlessService.nameOverride -}}
+{{- $cluster.headlessService.nameOverride -}}
+{{- else if and (not $cluster.name) $root.Values.kafka.headlessService.nameOverride -}}
+{{- $root.Values.kafka.headlessService.nameOverride -}}
+{{- else -}}
+{{- printf "%s-headless" (include "kafka.cluster.fullname" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "kafka.cluster.controllerQuorum" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- $fullname := include "kafka.cluster.fullname" . -}}
+{{- $headless := include "kafka.cluster.headlessServiceName" . -}}
+{{- $namespace := include "kafka.namespace" $root -}}
+{{- $domain := include "kafka.clusterDomain" $root -}}
+{{- $port := int (default $root.Values.kafka.ports.controller.containerPort (dig "ports" "controller" "containerPort" nil $cluster)) -}}
+{{- $replicas := int (default $root.Values.kafka.replicaCount $cluster.replicaCount) -}}
+{{- $offset := int (default $root.Values.kafka.brokerIdOffset $cluster.brokerIdOffset) -}}
+{{- $items := list -}}
+{{- range $i := until $replicas -}}
+{{- $items = append $items (printf "%d@%s-%d.%s.%s.svc.%s:%d" (add $i $offset) $fullname $i $headless $namespace $domain $port) -}}
+{{- end -}}
+{{- join "," $items -}}
+{{- end -}}
+
+{{- define "kafka.cluster.bootstrapServers" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- $fullname := include "kafka.cluster.fullname" . -}}
+{{- $headless := include "kafka.cluster.headlessServiceName" . -}}
+{{- $namespace := include "kafka.namespace" $root -}}
+{{- $domain := include "kafka.clusterDomain" $root -}}
+{{- $port := int (default $root.Values.kafka.ports.client.containerPort (dig "ports" "client" "containerPort" nil $cluster)) -}}
+{{- $replicas := int (default $root.Values.kafka.replicaCount $cluster.replicaCount) -}}
+{{- $items := list -}}
+{{- range $i := until $replicas -}}
+{{- $items = append $items (printf "%s-%d.%s.%s.svc.%s:%d" $fullname $i $headless $namespace $domain $port) -}}
+{{- end -}}
+{{- join "," $items -}}
+{{- end -}}
+
+{{- define "kafka.cluster.bootstrapServersWithProtocol" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- $protocol := default $root.Values.kafka.interBrokerListenerName $cluster.interBrokerListenerName -}}
+{{- $items := list -}}
+{{- range $server := splitList "," (include "kafka.cluster.bootstrapServers" .) -}}
+{{- $items = append $items (printf "%s://%s" $protocol $server) -}}
+{{- end -}}
+{{- join "," $items -}}
+{{- end -}}
+
+{{- define "kafka.cluster.keytabPattern" -}}
+{{- $root := .root -}}
+{{- $cluster := .cluster -}}
+{{- if and $cluster.kerberos $cluster.kerberos.keytabPattern -}}
+{{- $cluster.kerberos.keytabPattern -}}
+{{- else if $cluster.name -}}
+{{- printf "%s/keytabs/kafka-%s-%%d.keytab" $root.Values.kerberos.mountPath $cluster.name -}}
+{{- else -}}
+{{- $root.Values.kafka.kerberos.keytabPattern -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "kafka.kerberosSecretName" -}}
 {{- default (printf "%s-kerberos" (include "kafka.fullname" .)) .Values.kerberos.existingSecret -}}
 {{- end -}}
@@ -56,38 +159,31 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "kafka.bootstrapServers" -}}
-{{- $fullname := include "kafka.fullname" . -}}
-{{- $headless := include "kafka.headlessServiceName" . -}}
-{{- $namespace := include "kafka.namespace" . -}}
-{{- $domain := include "kafka.clusterDomain" . -}}
-{{- $port := int .Values.kafka.ports.client.containerPort -}}
-{{- $items := list -}}
-{{- range $i := until (int .Values.kafka.replicaCount) -}}
-{{- $items = append $items (printf "%s-%d.%s.%s.svc.%s:%d" $fullname $i $headless $namespace $domain $port) -}}
-{{- end -}}
-{{- join "," $items -}}
+{{- $cluster := first (include "kafka.effectiveClusters" . | fromYamlArray) -}}
+{{- include "kafka.cluster.bootstrapServers" (dict "root" . "cluster" $cluster) -}}
 {{- end -}}
 
 {{- define "kafka.bootstrapServersWithProtocol" -}}
-{{- $protocol := .Values.kafka.interBrokerListenerName -}}
-{{- $items := list -}}
-{{- range $server := splitList "," (include "kafka.bootstrapServers" .) -}}
-{{- $items = append $items (printf "%s://%s" $protocol $server) -}}
-{{- end -}}
-{{- join "," $items -}}
+{{- $cluster := first (include "kafka.effectiveClusters" . | fromYamlArray) -}}
+{{- include "kafka.cluster.bootstrapServersWithProtocol" (dict "root" . "cluster" $cluster) -}}
 {{- end -}}
 
 {{- define "kafka.kdcExtraServicePrincipals" -}}
-{{- $fullname := include "kafka.fullname" . -}}
-{{- $headless := include "kafka.headlessServiceName" . -}}
+{{- $root := . -}}
 {{- $namespace := include "kafka.namespace" . -}}
 {{- $domain := include "kafka.clusterDomain" . -}}
 {{- $realm := .Values.kerberos.realm -}}
 {{- $items := list -}}
 {{- if .Values.kerberos.generateKafkaPrincipals -}}
-{{- range $i := until (int .Values.kafka.replicaCount) -}}
+{{- range $cluster := (include "kafka.effectiveClusters" . | fromYamlArray) -}}
+{{- $fullname := include "kafka.cluster.fullname" (dict "root" $root "cluster" $cluster) -}}
+{{- $headless := include "kafka.cluster.headlessServiceName" (dict "root" $root "cluster" $cluster) -}}
+{{- $replicas := int (default $root.Values.kafka.replicaCount $cluster.replicaCount) -}}
+{{- range $i := until $replicas -}}
 {{- $fqdn := printf "%s-%d.%s.%s.svc.%s" $fullname $i $headless $namespace $domain -}}
-{{- $items = append $items (printf "kafka/%s@%s:%s/kafka-%d.keytab" $fqdn $realm $.Values.kerberos.keytabsDir $i) -}}
+{{- $keytabName := ternary (printf "kafka-%s-%d.keytab" $cluster.name $i) (printf "kafka-%d.keytab" $i) (ne (default "" $cluster.name) "") -}}
+{{- $items = append $items (printf "kafka/%s@%s:%s/%s" $fqdn $realm $root.Values.kerberos.keytabsDir $keytabName) -}}
+{{- end -}}
 {{- end -}}
 {{- end -}}
 {{- range .Values.kerberos.extraServicePrincipals -}}

kafka/templates/kafbat-ui.yaml

@@ -53,28 +53,62 @@ spec:
               value: "-Djava.security.krb5.conf={{ .Values.kerberos.krb5ConfigPath }}"
             - name: DYNAMIC_CONFIG_ENABLED
               value: {{ .Values.kafbatUi.dynamicConfigEnabled | quote }}
-            {{- range $i, $cluster := .Values.kafbatUi.clusters }}
-            - name: KAFKA_CLUSTERS_{{ $i }}_NAME
+            {{- $kafkaClusters := include "kafka.effectiveClusters" . | fromYamlArray }}
+            {{- $idx := 0 }}
+            {{- if .Values.kafbatUi.autoClusters }}
+            {{- range $kafkaCluster := $kafkaClusters }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_NAME
+              value: {{ default "default" $kafkaCluster.name | quote }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_BOOTSTRAPSERVERS
+              value: {{ include "kafka.cluster.bootstrapServers" (dict "root" $ "cluster" $kafkaCluster) | quote }}
+            {{- if $.Values.schemaRegistry.enabled }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_SCHEMAREGISTRY
+              value: {{ printf "http://%s-schema-registry:%v" (include "kafka.fullname" $) $.Values.schemaRegistry.service.port | quote }}
+            {{- end }}
+            {{- if and $.Values.kerberos.enabled $.Values.kafbatUi.kerberos.enabled }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SECURITY_PROTOCOL
+              value: SASL_PLAINTEXT
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SASL_MECHANISM
+              value: GSSAPI
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SASL_KERBEROS_SERVICE_NAME
+              value: {{ $.Values.kafka.saslKerberosServiceName | quote }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SASL_JAAS_CONFIG
+              value: {{ printf "com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab=\"%s\" principal=\"%s\";" $.Values.kafbatUi.kerberos.keytab $.Values.kafbatUi.kerberos.principal | quote }}
+            {{- end }}
+            {{- $idx = add1 $idx }}
+            {{- end }}
+            {{- end }}
+            {{- range $cluster := .Values.kafbatUi.clusters }}
+            {{- $targetCluster := first $kafkaClusters }}
+            {{- if $cluster.kafkaCluster }}
+            {{- range $candidate := $kafkaClusters }}
+            {{- if eq $candidate.name $cluster.kafkaCluster }}
+            {{- $targetCluster = $candidate }}
+            {{- end }}
+            {{- end }}
+            {{- end }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_NAME
               value: {{ $cluster.name | quote }}
-            - name: KAFKA_CLUSTERS_{{ $i }}_BOOTSTRAPSERVERS
-              value: {{ default (include "kafka.bootstrapServers" $) $cluster.bootstrapServers | quote }}
+            - name: KAFKA_CLUSTERS_{{ $idx }}_BOOTSTRAPSERVERS
+              value: {{ default (include "kafka.cluster.bootstrapServers" (dict "root" $ "cluster" $targetCluster)) $cluster.bootstrapServers | quote }}
             {{- if $cluster.schemaRegistry }}
-            - name: KAFKA_CLUSTERS_{{ $i }}_SCHEMAREGISTRY
+            - name: KAFKA_CLUSTERS_{{ $idx }}_SCHEMAREGISTRY
               value: {{ $cluster.schemaRegistry | quote }}
             {{- else if $.Values.schemaRegistry.enabled }}
-            - name: KAFKA_CLUSTERS_{{ $i }}_SCHEMAREGISTRY
+            - name: KAFKA_CLUSTERS_{{ $idx }}_SCHEMAREGISTRY
               value: {{ printf "http://%s-schema-registry:%v" (include "kafka.fullname" $) $.Values.schemaRegistry.service.port | quote }}
             {{- end }}
             {{- if and $.Values.kerberos.enabled $.Values.kafbatUi.kerberos.enabled }}
-            - name: KAFKA_CLUSTERS_{{ $i }}_PROPERTIES_SECURITY_PROTOCOL
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SECURITY_PROTOCOL
               value: SASL_PLAINTEXT
-            - name: KAFKA_CLUSTERS_{{ $i }}_PROPERTIES_SASL_MECHANISM
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SASL_MECHANISM
               value: GSSAPI
-            - name: KAFKA_CLUSTERS_{{ $i }}_PROPERTIES_SASL_KERBEROS_SERVICE_NAME
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SASL_KERBEROS_SERVICE_NAME
               value: {{ $.Values.kafka.saslKerberosServiceName | quote }}
-            - name: KAFKA_CLUSTERS_{{ $i }}_PROPERTIES_SASL_JAAS_CONFIG
+            - name: KAFKA_CLUSTERS_{{ $idx }}_PROPERTIES_SASL_JAAS_CONFIG
               value: {{ printf "com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true keyTab=\"%s\" principal=\"%s\";" $.Values.kafbatUi.kerberos.keytab $.Values.kafbatUi.kerberos.principal | quote }}
             {{- end }}
+            {{- $idx = add1 $idx }}
             {{- end }}
             {{- range $name, $value := .Values.kafbatUi.env }}
             - name: {{ $name }}