feat(helm): add ServiceAccount, RBAC, and external LoadBalancer auto-discovery for Kafka brokers

Author: CoderYellow

kafka/README.md

@@ -51,31 +51,47 @@ Kafka external access needs one stable address per broker. Enable per-broker Loa
 kafka:
   externalBrokerServices:
     enabled: true
+```
+
+By default, the chart creates a ServiceAccount plus namespaced RBAC, then each broker initContainer waits for its own LoadBalancer Service address and uses it as the external advertised listener. This avoids the install-then-upgrade flow for dynamically assigned LoadBalancer IPs.
+
+If you want to disable Kubernetes API discovery and provide static advertised hosts yourself:
+
+```yaml
+kafka:
+  externalBrokerServices:
+    enabled: true
+    autoDiscovery:
+      enabled: false
     advertisedHosts:
       - 203.0.113.10
       - 203.0.113.11
 ```
 
-For multi-cluster mode, configure the list per cluster:
+For multi-cluster mode, configure static lists per cluster only when `autoDiscovery.enabled=false`:
 
 ```yaml
 kafka:
   clusters:
     - name: primary
       clusterId: MkU3OEVBNTcwNTJENDM2Qk
       externalBrokerServices:
+        autoDiscovery:
+          enabled: false
         advertisedHosts:
           - 203.0.113.10
           - 203.0.113.11
     - name: standby
       clusterId: zlFiTJelTOuhnklFwLWixw
       externalBrokerServices:
+        autoDiscovery:
+          enabled: false
         advertisedHosts:
           - 203.0.113.12
           - 203.0.113.13
 ```
 
-If your cloud provider assigns IPs dynamically, install once with external services enabled, read the assigned addresses, put those addresses into `advertisedHosts`, then run `helm upgrade`. For production, prefer reserving static IPs and setting `loadBalancerIPs` plus matching `advertisedHosts` up front when your provider supports `loadBalancerIP`.
+For production, static LoadBalancer IPs are still preferable when your provider supports them. Set `loadBalancerIPs` to reserve/request the service addresses. You can keep auto discovery enabled so brokers still read the actual assigned addresses at startup.
 
 ## User-managed SASL secrets
 

kafka/templates/NOTES.txt

@@ -13,10 +13,15 @@ Internal bootstrap endpoints:
 {{- end }}
 
 {{- $globalExternal := .Values.kafka.externalBrokerServices.enabled }}
+{{- $globalDiscovery := .Values.kafka.externalBrokerServices.autoDiscovery.enabled }}
 {{- $hasExternal := false }}
+{{- $hasStaticExternal := false }}
 {{- range $cluster := $clusters }}
 {{- if (default $globalExternal (dig "externalBrokerServices" "enabled" nil $cluster)) }}
 {{- $hasExternal = true }}
+{{- if not (default $globalDiscovery (dig "externalBrokerServices" "autoDiscovery" "enabled" nil $cluster)) }}
+{{- $hasStaticExternal = true }}
+{{- end }}
 {{- end }}
 {{- end }}
 
@@ -39,6 +44,10 @@ External broker LoadBalancer services:
 Check assigned LoadBalancer IPs/hostnames:
   kubectl -n {{ $namespace }} get svc -l app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=broker -o wide
 
+{{- if not $hasStaticExternal }}
+Broker external advertised listener discovery is enabled. Each broker waits for its
+own LoadBalancer Service address at startup and advertises that address automatically.
+{{- else }}
 If your LoadBalancer IPs were assigned dynamically, copy this upgrade command after the
 external services show an EXTERNAL-IP/hostname. It updates Kafka advertised.listeners
 to match the assigned per-broker addresses.
@@ -72,3 +81,4 @@ For production, prefer reserving static LoadBalancer IPs and setting both
 externalBrokerServices.loadBalancerIPs and externalBrokerServices.advertisedHosts
 before the first install.
 {{- end }}
+{{- end }}

kafka/templates/_helpers.tpl

@@ -30,6 +30,14 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- default "cluster.local" .Values.clusterDomain -}}
 {{- end -}}
 
+{{- define "kafka.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+{{- default (include "kafka.fullname" .) .Values.serviceAccount.name -}}
+{{- else -}}
+{{- default "default" .Values.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
 {{- define "kafka.headlessServiceName" -}}
 {{- default (printf "%s-headless" (include "kafka.fullname" .)) .Values.kafka.headlessService.nameOverride -}}
 {{- end -}}

kafka/templates/kafka-statefulset.yaml

@@ -26,6 +26,12 @@
 {{- $externalSourceRanges := default $root.Values.kafka.externalBrokerServices.loadBalancerSourceRanges (dig "externalBrokerServices" "loadBalancerSourceRanges" nil $cluster) -}}
 {{- $externalLBIPs := default $root.Values.kafka.externalBrokerServices.loadBalancerIPs (dig "externalBrokerServices" "loadBalancerIPs" nil $cluster) -}}
 {{- $externalAdvertisedHosts := default $root.Values.kafka.externalBrokerServices.advertisedHosts (dig "externalBrokerServices" "advertisedHosts" nil $cluster) -}}
+{{- $externalAutoDiscoveryEnabled := default $root.Values.kafka.externalBrokerServices.autoDiscovery.enabled (dig "externalBrokerServices" "autoDiscovery" "enabled" nil $cluster) -}}
+{{- $externalAutoDiscoveryImage := default $root.Values.kafka.externalBrokerServices.autoDiscovery.image.repository (dig "externalBrokerServices" "autoDiscovery" "image" "repository" nil $cluster) -}}
+{{- $externalAutoDiscoveryTag := default $root.Values.kafka.externalBrokerServices.autoDiscovery.image.tag (dig "externalBrokerServices" "autoDiscovery" "image" "tag" nil $cluster) -}}
+{{- $externalAutoDiscoveryPullPolicy := default $root.Values.kafka.externalBrokerServices.autoDiscovery.image.pullPolicy (dig "externalBrokerServices" "autoDiscovery" "image" "pullPolicy" nil $cluster) -}}
+{{- $externalAutoDiscoveryTimeout := int (default $root.Values.kafka.externalBrokerServices.autoDiscovery.timeoutSeconds (dig "externalBrokerServices" "autoDiscovery" "timeoutSeconds" nil $cluster)) -}}
+{{- $externalAutoDiscoveryPollInterval := int (default $root.Values.kafka.externalBrokerServices.autoDiscovery.pollIntervalSeconds (dig "externalBrokerServices" "autoDiscovery" "pollIntervalSeconds" nil $cluster)) -}}
 {{- $controllerName := default $root.Values.kafka.ports.controller.name (dig "ports" "controller" "name" nil $cluster) -}}
 {{- $controllerPort := int (default $root.Values.kafka.ports.controller.containerPort (dig "ports" "controller" "containerPort" nil $cluster)) -}}
 {{- $controllerServicePort := int (default $root.Values.kafka.ports.controller.servicePort (dig "ports" "controller" "servicePort" nil $cluster)) -}}
@@ -176,6 +182,39 @@ spec:
       securityContext:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "kafka.serviceAccountName" $root }}
+      automountServiceAccountToken: {{ $root.Values.serviceAccount.automountServiceAccountToken }}
+      {{- if and $externalServicesEnabled $externalAutoDiscoveryEnabled }}
+      initContainers:
+        - name: external-address-discovery
+          image: "{{ $externalAutoDiscoveryImage }}:{{ $externalAutoDiscoveryTag }}"
+          imagePullPolicy: {{ $externalAutoDiscoveryPullPolicy }}
+          command:
+            - /bin/sh
+            - -ec
+            - |
+              ORDINAL="${HOSTNAME##*-}"
+              SERVICE_NAME="{{ $clusterName }}-${ORDINAL}-external"
+              NAMESPACE="$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)"
+              ATTEMPTS=$((({{ $externalAutoDiscoveryTimeout }} + {{ $externalAutoDiscoveryPollInterval }} - 1) / {{ $externalAutoDiscoveryPollInterval }}))
+              i=1
+              while [ "${i}" -le "${ATTEMPTS}" ]; do
+                EXTERNAL_HOST="$(kubectl -n "${NAMESPACE}" get svc "${SERVICE_NAME}" -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}' 2>/dev/null || true)"
+                if [ -n "${EXTERNAL_HOST}" ]; then
+                  printf '%s' "${EXTERNAL_HOST}" > /broker-external/external-host
+                  echo "Discovered ${SERVICE_NAME} external address: ${EXTERNAL_HOST}"
+                  exit 0
+                fi
+                echo "Waiting for ${SERVICE_NAME} LoadBalancer external address"
+                i=$((i + 1))
+                sleep {{ $externalAutoDiscoveryPollInterval }}
+              done
+              echo "Timed out waiting for ${SERVICE_NAME} LoadBalancer external address" >&2
+              exit 1
+          volumeMounts:
+            - name: broker-external
+              mountPath: /broker-external
+      {{- end }}
       containers:
         - name: kafka
           image: "{{ $image }}:{{ $tag }}"
@@ -194,13 +233,21 @@ spec:
               export KAFKA_CONTROLLER_LISTENER_NAMES="CONTROLLER"
               export KAFKA_LISTENER_SECURITY_PROTOCOL_MAP="{{ default $root.Values.kafka.listenerSecurityProtocolMap $cluster.listenerSecurityProtocolMap }}{{- if $externalServicesEnabled }},{{ $externalListenerName }}:SASL_PLAINTEXT{{- end }}"
               {{- if $externalServicesEnabled }}
+              {{- if $externalAutoDiscoveryEnabled }}
+              EXTERNAL_HOST="$(cat /broker-external/external-host 2>/dev/null || true)"
+              if [ -z "${EXTERNAL_HOST}" ]; then
+                echo "Missing discovered external address for ${HOSTNAME}" >&2
+                exit 1
+              fi
+              {{- else }}
               EXTERNAL_ADVERTISED_HOSTS="{{ join "," $externalAdvertisedHosts }}"
               EXTERNAL_HOST="$(echo "${EXTERNAL_ADVERTISED_HOSTS}" | cut -d, -f$((ORDINAL + 1)))"
               if [ -z "${EXTERNAL_HOST}" ]; then
                 echo "Missing kafka.externalBrokerServices.advertisedHosts entry for ${HOSTNAME}" >&2
                 exit 1
               fi
               {{- end }}
+              {{- end }}
               export KAFKA_LISTENERS="SASL_PLAINTEXT://0.0.0.0:{{ $clientPort }}{{- if $externalServicesEnabled }},{{ $externalListenerName }}://0.0.0.0:{{ $externalContainerPort }}{{- end }},CONTROLLER://${POD_FQDN}:{{ $controllerPort }}"
               export KAFKA_ADVERTISED_LISTENERS="SASL_PLAINTEXT://${POD_FQDN}:{{ $clientPort }}{{- if $externalServicesEnabled }},{{ $externalListenerName }}://${EXTERNAL_HOST}:{{ $externalServicePort }}{{- end }}"
               export KAFKA_INTER_BROKER_LISTENER_NAME="{{ default $root.Values.kafka.interBrokerListenerName $cluster.interBrokerListenerName }}"
@@ -281,6 +328,10 @@ spec:
             {{- with (concat (default list $root.Values.kafka.extraVolumeMounts) (default list $cluster.extraVolumeMounts)) }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+            {{- if and $externalServicesEnabled $externalAutoDiscoveryEnabled }}
+            - name: broker-external
+              mountPath: /broker-external
+            {{- end }}
           {{- with (default $root.Values.kafka.containerSecurityContext $cluster.containerSecurityContext) }}
           securityContext:
             {{- toYaml . | nindent 12 }}
@@ -302,6 +353,10 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
+        {{- if and $externalServicesEnabled $externalAutoDiscoveryEnabled }}
+        - name: broker-external
+          emptyDir: {}
+        {{- end }}
         {{- if not (default $root.Values.kafka.persistence.enabled (dig "persistence" "enabled" nil $cluster)) }}
         - name: data
           emptyDir:

kafka/templates/rbac.yaml

@@ -0,0 +1,39 @@
+{{- $root := . -}}
+{{- $clusters := include "kafka.effectiveClusters" . | fromYamlArray -}}
+{{- $globalExternal := .Values.kafka.externalBrokerServices.enabled -}}
+{{- $globalDiscovery := .Values.kafka.externalBrokerServices.autoDiscovery.enabled -}}
+{{- $needsRbac := false -}}
+{{- range $cluster := $clusters -}}
+{{- $externalEnabled := default $globalExternal (dig "externalBrokerServices" "enabled" nil $cluster) -}}
+{{- $discoveryEnabled := default $globalDiscovery (dig "externalBrokerServices" "autoDiscovery" "enabled" nil $cluster) -}}
+{{- if and $externalEnabled $discoveryEnabled -}}
+{{- $needsRbac = true -}}
+{{- end -}}
+{{- end -}}
+{{- if and .Values.rbac.create $needsRbac }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kafka.fullname" . }}-broker-services
+  labels:
+    {{- include "kafka.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kafka.fullname" . }}-broker-services
+  labels:
+    {{- include "kafka.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kafka.fullname" . }}-broker-services
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kafka.serviceAccountName" . }}
+    namespace: {{ include "kafka.namespace" . }}
+{{- end }}

kafka/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kafka.serviceAccountName" . }}
+  labels:
+    {{- include "kafka.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}

kafka/values.yaml

@@ -10,6 +10,15 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 
+serviceAccount:
+  create: true
+  name: ""
+  annotations: {}
+  automountServiceAccountToken: true
+
+rbac:
+  create: true
+
 kerberos:
   enabled: true
   existingSecret: ""
@@ -99,6 +108,16 @@ kafka:
     containerPort: 19092
     protocol: TCP
     listenerName: EXTERNAL
+    autoDiscovery:
+      # When enabled, each broker initContainer waits for its own LoadBalancer
+      # Service address and uses that as the external advertised listener.
+      enabled: true
+      image:
+        repository: alpine/k8s
+        tag: 1.33.11
+        pullPolicy: IfNotPresent
+      timeoutSeconds: 600
+      pollIntervalSeconds: 5
   headlessService:
     nameOverride: ""
     annotations: {}