feat(helm): add support for per-broker LoadBalancer services and external access configurations in Kafka

CoderYellow · CoderYellow · commit fae58c8cad6c · 2026-05-02T10:00:21.000+08:00
diff --git a/kafka/README.md b/kafka/README.md
@@ -43,6 +43,40 @@ kafka:
 
 With persistence disabled, the broker data path is still mounted, but it uses `emptyDir` and is lost when the pod is deleted.
 
+## Per-broker LoadBalancer services
+
+Kafka external access needs one stable address per broker. Enable per-broker LoadBalancer Services and make each broker advertise the matching external IP or DNS name:
+
+```yaml
+kafka:
+  externalBrokerServices:
+    enabled: true
+    advertisedHosts:
+      - 203.0.113.10
+      - 203.0.113.11
+```
+
+For multi-cluster mode, configure the list per cluster:
+
+```yaml
+kafka:
+  clusters:
+    - name: primary
+      clusterId: MkU3OEVBNTcwNTJENDM2Qk
+      externalBrokerServices:
+        advertisedHosts:
+          - 203.0.113.10
+          - 203.0.113.11
+    - name: standby
+      clusterId: zlFiTJelTOuhnklFwLWixw
+      externalBrokerServices:
+        advertisedHosts:
+          - 203.0.113.12
+          - 203.0.113.13
+```
+
+If your cloud provider assigns IPs dynamically, install once with external services enabled, read the assigned addresses, put those addresses into `advertisedHosts`, then run `helm upgrade`. For production, prefer reserving static IPs and setting `loadBalancerIPs` plus matching `advertisedHosts` up front when your provider supports `loadBalancerIP`.
+
 ## User-managed SASL secrets
 
 For SASL/PLAIN, keep credentials in Kubernetes Secrets and point the chart at those secrets instead of putting JAAS strings in values files.
diff --git a/kafka/templates/NOTES.txt b/kafka/templates/NOTES.txt
@@ -1,13 +1,74 @@
 Kafka has been installed as {{ include "kafka.fullname" . }}.
 
-Bootstrap service:
-  {{ include "kafka.serviceName" . }}:{{ .Values.kafka.ports.client.servicePort }}
-
-Broker DNS names:
-{{- $fullname := include "kafka.fullname" . }}
-{{- $headless := include "kafka.headlessServiceName" . }}
+{{- $root := . }}
 {{- $namespace := include "kafka.namespace" . }}
-{{- $domain := include "kafka.clusterDomain" . }}
-{{- range $i := until (int .Values.kafka.replicaCount) }}
-  {{ $fullname }}-{{ $i }}.{{ $headless }}.{{ $namespace }}.svc.{{ $domain }}:{{ $.Values.kafka.ports.client.servicePort }}
+{{- $clusters := include "kafka.effectiveClusters" . | fromYamlArray }}
+
+Internal bootstrap endpoints:
+{{- range $cluster := $clusters }}
+{{- $ctx := dict "root" $root "cluster" $cluster }}
+{{- $clusterName := default "default" $cluster.name }}
+  {{ $clusterName }}:
+    {{ include "kafka.cluster.bootstrapServers" $ctx }}
+{{- end }}
+
+{{- $globalExternal := .Values.kafka.externalBrokerServices.enabled }}
+{{- $hasExternal := false }}
+{{- range $cluster := $clusters }}
+{{- if (default $globalExternal (dig "externalBrokerServices" "enabled" nil $cluster)) }}
+{{- $hasExternal = true }}
+{{- end }}
+{{- end }}
+
+{{- if $hasExternal }}
+
+External broker LoadBalancer services:
+{{- range $cluster := $clusters }}
+{{- $ctx := dict "root" $root "cluster" $cluster }}
+{{- $clusterFullname := include "kafka.cluster.fullname" $ctx }}
+{{- $clusterName := default "default" $cluster.name }}
+{{- $replicas := int (default $root.Values.kafka.replicaCount $cluster.replicaCount) }}
+{{- if (default $globalExternal (dig "externalBrokerServices" "enabled" nil $cluster)) }}
+  {{ $clusterName }}:
+{{- range $i := until $replicas }}
+    {{ printf "%s-%d-external" $clusterFullname $i | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+Check assigned LoadBalancer IPs/hostnames:
+  kubectl -n {{ $namespace }} get svc -l app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=broker -o wide
+
+If your LoadBalancer IPs were assigned dynamically, copy this upgrade command after the
+external services show an EXTERNAL-IP/hostname. It updates Kafka advertised.listeners
+to match the assigned per-broker addresses.
+
+{{- if .Values.kafka.clusters }}
+  helm upgrade {{ .Release.Name }} ./kafka -n {{ $namespace }} -f <your-values.yaml> \
+{{- range $clusterIndex, $cluster := $clusters }}
+{{- $ctx := dict "root" $root "cluster" $cluster }}
+{{- $clusterFullname := include "kafka.cluster.fullname" $ctx }}
+{{- $replicas := int (default $root.Values.kafka.replicaCount $cluster.replicaCount) }}
+{{- if (default $globalExternal (dig "externalBrokerServices" "enabled" nil $cluster)) }}
+{{- range $i := until $replicas }}
+    --set-string 'kafka.clusters[{{ $clusterIndex }}].externalBrokerServices.advertisedHosts[{{ $i }}]'="$(kubectl -n {{ $namespace }} get svc {{ printf "%s-%d-external" $clusterFullname $i | trunc 63 | trimSuffix "-" }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}')" \
+{{- end }}
+{{- end }}
+{{- end }}
+    --reuse-values
+{{- else }}
+{{- $cluster := first $clusters }}
+{{- $ctx := dict "root" $root "cluster" $cluster }}
+{{- $clusterFullname := include "kafka.cluster.fullname" $ctx }}
+{{- $replicas := int (default $root.Values.kafka.replicaCount $cluster.replicaCount) }}
+  helm upgrade {{ .Release.Name }} ./kafka -n {{ $namespace }} -f <your-values.yaml> \
+{{- range $i := until $replicas }}
+    --set-string 'kafka.externalBrokerServices.advertisedHosts[{{ $i }}]'="$(kubectl -n {{ $namespace }} get svc {{ printf "%s-%d-external" $clusterFullname $i | trunc 63 | trimSuffix "-" }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}{.status.loadBalancer.ingress[0].hostname}')" \
+{{- end }}
+    --reuse-values
+{{- end }}
+
+For production, prefer reserving static LoadBalancer IPs and setting both
+externalBrokerServices.loadBalancerIPs and externalBrokerServices.advertisedHosts
+before the first install.
 {{- end }}
diff --git a/kafka/templates/kafka-statefulset.yaml b/kafka/templates/kafka-statefulset.yaml
@@ -15,6 +15,17 @@
 {{- $clientPort := int (default $root.Values.kafka.ports.client.containerPort (dig "ports" "client" "containerPort" nil $cluster)) -}}
 {{- $clientServicePort := int (default $root.Values.kafka.ports.client.servicePort (dig "ports" "client" "servicePort" nil $cluster)) -}}
 {{- $clientProtocol := default $root.Values.kafka.ports.client.protocol (dig "ports" "client" "protocol" nil $cluster) -}}
+{{- $externalServicesEnabled := default $root.Values.kafka.externalBrokerServices.enabled (dig "externalBrokerServices" "enabled" nil $cluster) -}}
+{{- $externalServiceType := default $root.Values.kafka.externalBrokerServices.type (dig "externalBrokerServices" "type" nil $cluster) -}}
+{{- $externalListenerName := default $root.Values.kafka.externalBrokerServices.listenerName (dig "externalBrokerServices" "listenerName" nil $cluster) -}}
+{{- $externalContainerPort := int (default $root.Values.kafka.externalBrokerServices.containerPort (dig "externalBrokerServices" "containerPort" nil $cluster)) -}}
+{{- $externalServicePort := int (default $root.Values.kafka.externalBrokerServices.servicePort (dig "externalBrokerServices" "servicePort" nil $cluster)) -}}
+{{- $externalProtocol := default $root.Values.kafka.externalBrokerServices.protocol (dig "externalBrokerServices" "protocol" nil $cluster) -}}
+{{- $externalAnnotations := default $root.Values.kafka.externalBrokerServices.annotations (dig "externalBrokerServices" "annotations" nil $cluster) -}}
+{{- $externalTrafficPolicy := default $root.Values.kafka.externalBrokerServices.externalTrafficPolicy (dig "externalBrokerServices" "externalTrafficPolicy" nil $cluster) -}}
+{{- $externalSourceRanges := default $root.Values.kafka.externalBrokerServices.loadBalancerSourceRanges (dig "externalBrokerServices" "loadBalancerSourceRanges" nil $cluster) -}}
+{{- $externalLBIPs := default $root.Values.kafka.externalBrokerServices.loadBalancerIPs (dig "externalBrokerServices" "loadBalancerIPs" nil $cluster) -}}
+{{- $externalAdvertisedHosts := default $root.Values.kafka.externalBrokerServices.advertisedHosts (dig "externalBrokerServices" "advertisedHosts" nil $cluster) -}}
 {{- $controllerName := default $root.Values.kafka.ports.controller.name (dig "ports" "controller" "name" nil $cluster) -}}
 {{- $controllerPort := int (default $root.Values.kafka.ports.controller.containerPort (dig "ports" "controller" "containerPort" nil $cluster)) -}}
 {{- $controllerServicePort := int (default $root.Values.kafka.ports.controller.servicePort (dig "ports" "controller" "servicePort" nil $cluster)) -}}
@@ -80,6 +91,46 @@ spec:
       port: {{ $jmxServicePort }}
       targetPort: {{ $jmxName }}
       protocol: {{ $jmxProtocol }}
+{{- if $externalServicesEnabled }}
+{{- range $i := until $replicas }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ printf "%s-%d-external" $clusterName $i | trunc 63 | trimSuffix "-" }}
+  labels:
+    {{- include "kafka.labels" $root | nindent 4 }}
+    app.kubernetes.io/component: broker
+    app.kubernetes.io/part-of: {{ $clusterLabel }}
+    statefulset.kubernetes.io/pod-name: {{ printf "%s-%d" $clusterName $i }}
+  {{- with $externalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ $externalServiceType }}
+  {{- with $externalTrafficPolicy }}
+  externalTrafficPolicy: {{ . }}
+  {{- end }}
+  {{- with $externalSourceRanges }}
+  loadBalancerSourceRanges:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if lt $i (len $externalLBIPs) }}
+  loadBalancerIP: {{ index $externalLBIPs $i | quote }}
+  {{- end }}
+  selector:
+    {{- include "kafka.selectorLabels" $root | nindent 4 }}
+    app.kubernetes.io/component: broker
+    app.kubernetes.io/part-of: {{ $clusterLabel }}
+    statefulset.kubernetes.io/pod-name: {{ printf "%s-%d" $clusterName $i }}
+  ports:
+    - name: {{ lower $externalListenerName | trunc 15 | trimSuffix "-" }}
+      port: {{ $externalServicePort }}
+      targetPort: {{ lower $externalListenerName | trunc 15 | trimSuffix "-" }}
+      protocol: {{ $externalProtocol }}
+{{- end }}
+{{- end }}
 ---
 apiVersion: apps/v1
 kind: StatefulSet
@@ -141,9 +192,17 @@ spec:
               export KAFKA_PROCESS_ROLES="{{ default $root.Values.kafka.processRoles $cluster.processRoles }}"
               export KAFKA_CONTROLLER_QUORUM_VOTERS="{{ include "kafka.cluster.controllerQuorum" $ctx }}"
               export KAFKA_CONTROLLER_LISTENER_NAMES="CONTROLLER"
-              export KAFKA_LISTENER_SECURITY_PROTOCOL_MAP="{{ default $root.Values.kafka.listenerSecurityProtocolMap $cluster.listenerSecurityProtocolMap }}"
-              export KAFKA_LISTENERS="SASL_PLAINTEXT://0.0.0.0:{{ $clientPort }},CONTROLLER://${POD_FQDN}:{{ $controllerPort }}"
-              export KAFKA_ADVERTISED_LISTENERS="SASL_PLAINTEXT://${POD_FQDN}:{{ $clientPort }}"
+              export KAFKA_LISTENER_SECURITY_PROTOCOL_MAP="{{ default $root.Values.kafka.listenerSecurityProtocolMap $cluster.listenerSecurityProtocolMap }}{{- if $externalServicesEnabled }},{{ $externalListenerName }}:SASL_PLAINTEXT{{- end }}"
+              {{- if $externalServicesEnabled }}
+              EXTERNAL_ADVERTISED_HOSTS="{{ join "," $externalAdvertisedHosts }}"
+              EXTERNAL_HOST="$(echo "${EXTERNAL_ADVERTISED_HOSTS}" | cut -d, -f$((ORDINAL + 1)))"
+              if [ -z "${EXTERNAL_HOST}" ]; then
+                echo "Missing kafka.externalBrokerServices.advertisedHosts entry for ${HOSTNAME}" >&2
+                exit 1
+              fi
+              {{- end }}
+              export KAFKA_LISTENERS="SASL_PLAINTEXT://0.0.0.0:{{ $clientPort }}{{- if $externalServicesEnabled }},{{ $externalListenerName }}://0.0.0.0:{{ $externalContainerPort }}{{- end }},CONTROLLER://${POD_FQDN}:{{ $controllerPort }}"
+              export KAFKA_ADVERTISED_LISTENERS="SASL_PLAINTEXT://${POD_FQDN}:{{ $clientPort }}{{- if $externalServicesEnabled }},{{ $externalListenerName }}://${EXTERNAL_HOST}:{{ $externalServicePort }}{{- end }}"
               export KAFKA_INTER_BROKER_LISTENER_NAME="{{ default $root.Values.kafka.interBrokerListenerName $cluster.interBrokerListenerName }}"
               export KAFKA_SASL_ENABLED_MECHANISMS="{{ default $root.Values.kafka.saslEnabledMechanisms $cluster.saslEnabledMechanisms }}"
               export KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL="{{ default $root.Values.kafka.saslMechanismInterBrokerProtocol $cluster.saslMechanismInterBrokerProtocol }}"
@@ -190,6 +249,11 @@ spec:
             - name: {{ $jmxName }}
               containerPort: {{ $jmxPort }}
               protocol: {{ $jmxProtocol }}
+            {{- if $externalServicesEnabled }}
+            - name: {{ lower $externalListenerName | trunc 15 | trimSuffix "-" }}
+              containerPort: {{ $externalContainerPort }}
+              protocol: {{ $externalProtocol }}
+            {{- end }}
           env:
             - name: KAFKA_SUPER_USERS
               value: {{ join ";" (default $root.Values.kafka.superUsers $cluster.superUsers) | quote }}
diff --git a/kafka/values-sample.yaml b/kafka/values-sample.yaml
@@ -29,6 +29,18 @@ kafka:
     - name: standby
       clusterId: zlFiTJelTOuhnklFwLWixw
       replicaCount: 2
+  externalBrokerServices:
+    enabled: true
+    type: LoadBalancer
+#    annotations: {}
+#    externalTrafficPolicy: ""
+#    loadBalancerSourceRanges: []
+#    loadBalancerIPs: []
+#    advertisedHosts: []
+#    servicePort: 9092
+#    containerPort: 19092
+#    protocol: TCP
+#    listenerName: EXTERNAL
 
 schemaRegistry:
   enabled: true
diff --git a/kafka/values.yaml b/kafka/values.yaml
@@ -87,6 +87,18 @@ kafka:
     nameOverride: ""
     type: ClusterIP
     annotations: {}
+  externalBrokerServices:
+    enabled: false
+    type: LoadBalancer
+    annotations: {}
+    externalTrafficPolicy: ""
+    loadBalancerSourceRanges: []
+    loadBalancerIPs: []
+    advertisedHosts: []
+    servicePort: 9092
+    containerPort: 19092
+    protocol: TCP
+    listenerName: EXTERNAL
   headlessService:
     nameOverride: ""
     annotations: {}
