
Commit 035a06f

committed
use stateful set
1 parent 3a29e94 commit 035a06f

8 files changed

Lines changed: 524 additions & 179 deletions


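--- a/charts/mini-runtime/Chart.yaml
+++ b/charts/mini-runtime/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: akto-mini-runtime
 description: Helm chart for installing Akto hybrid runtime
 type: application
-version: 0.5.5
-appVersion: "0.5.5"
+version: 0.6.0
+appVersion: "0.6.0"
 home: https://www.akto.io
 icon: https://akto-setup.s3.amazonaws.com/templates/128x128.png
 sources: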

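--- a/charts/mini-runtime/README.md
+++ b/charts/mini-runtime/README.md
@@ -41,6 +41,25 @@ Here are the steps to install Akto mini-runtime via Helm charts -
 
 3. Run `kubectl get pods -n <NAMESPACE>` and verify you can see 1 mini-runtime pod with 4 containers and 1 keel pod.
 
+### Kafka Deployment Options
+
+The chart supports two Kafka deployment modes:
+
+1. **Sidecar Mode (Default)** - Kafka runs as a sidecar container in the same pod as mini-runtime. This is the default for backward compatibility.
+- Mini-runtime connects to Kafka via `localhost:29092`
+- Single pod contains both mini-runtime and Kafka
+
+2. **Separate Deployment Mode** - Kafka runs as a standalone deployment with its own service.
+- Mini-runtime connects to Kafka via FQDN (e.g., `akto-mini-runtime-kafka.<namespace>.svc.cluster.local:9092`)
+- Allows independent scaling and resource management
+
+To enable separate Kafka deployment:
+```bash
+helm install akto-mini-runtime akto/akto-mini-runtime -n <your-namespace> \
+--set mini_runtime.aktoApiSecurityRuntime.env.databaseAbstractorToken="<your-token>" \
+--set mini_runtime.separateKafkaDeployment=true
+```
+
 ### Upgrading to new version
 
 1. Update helm repo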

charts/mini-runtime/templates/_helpers.tpl

Lines changed: 289 additions & 0 deletions
@@ -59,3 +59,292 @@ Create the name of the service account to use
5959
{{- default "default" .Values.serviceAccount.name }}
6060
{{- end }}
6161
{{- end }}
62+
63+
{{/*
64+
Kafka service name based on deployment mode
65+
Usage: {{ include "akto.kafka.serviceName" (dict "root" . "separate" true/false) }}
66+
*/}}
67+
{{- define "akto.kafka.serviceName" -}}
68+
{{- if .separate }}
69+
{{- printf "%s-kafka" (include "akto.fullname" .root) }}
70+
{{- else }}
71+
{{- printf "%s-mini-runtime" (include "akto.fullname" .root) }}
72+
{{- end }}
73+
{{- end }}
74+
75+
{{/*
76+
Kafka FQDN based on deployment mode
77+
Usage: {{ include "akto.kafka.fqdn" (dict "root" . "separate" true/false) }}
78+
*/}}
79+
{{- define "akto.kafka.fqdn" -}}
80+
{{- $serviceName := include "akto.kafka.serviceName" . }}
81+
{{- printf "%s.%s.svc.%s" $serviceName .root.Release.Namespace .root.Values.kubernetesClusterDomain }}
82+
{{- end }}
83+
84+
{{/*
85+
Kafka service template
86+
Usage: {{ include "akto.kafka.service" (dict "root" . "separate" true/false) }}
87+
*/}}
88+
{{- define "akto.kafka.service" -}}
89+
apiVersion: v1
90+
kind: Service
91+
metadata:
92+
name: {{ include "akto.kafka.serviceName" . }}
93+
labels:
94+
{{- include "akto.labels" .root | nindent 4 }}
95+
annotations:
96+
{{- with .root.Values.mini_runtime.annotations }}
97+
{{- toYaml . | nindent 4 }}
98+
{{- end }}
99+
spec:
100+
type: {{ .root.Values.mini_runtime.type }}
101+
selector:
102+
app: {{ include "akto.kafka.serviceName" . }}
103+
{{- include "akto.selectorLabels" .root | nindent 4 }}
104+
ports:
105+
{{- if .root.Values.mini_runtime.kafka1.useSasl }}
106+
{{- .root.Values.ports.sasl | toYaml | nindent 4 -}}
107+
{{- else if .root.Values.mini_runtime.kafka1.useTls }}
108+
{{- .root.Values.ports.tls | toYaml | nindent 4 -}}
109+
{{- else }}
110+
{{- .root.Values.ports.default | toYaml | nindent 4 -}}
111+
{{- end }}
112+
{{- end }}
113+
114+
{{/*
115+
Common Kafka environment variables shared between sidecar and StatefulSet
116+
Usage: {{ include "akto.kafka.commonEnv" . }}
117+
*/}}
118+
{{- define "akto.kafka.commonEnv" -}}
119+
- name: KAFKA_LOG_CLEANER_ENABLE
120+
value: {{ .Values.mini_runtime.kafka1.env.kafkaLogCleanerEnable | default "true" | quote }}
121+
- name: KAFKA_LOG_RETENTION_BYTES
122+
value: {{ .Values.mini_runtime.kafka1.env.kafkaLogRetentionBytes | default "10737418240" | quote }}
123+
- name: KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS
124+
value: {{ .Values.mini_runtime.kafka1.env.kafkaLogRetentionCheckIntervalMs | default "60000" | quote }}
125+
- name: KAFKA_LOG_RETENTION_HOURS
126+
value: {{ .Values.mini_runtime.kafka1.env.kafkaLogRetentionHours | default "5" | quote }}
127+
- name: KAFKA_LOG_SEGMENT_BYTES
128+
value: {{ .Values.mini_runtime.kafka1.env.kafkaLogSegmentBytes | default "104857600" | quote }}
129+
- name: KAFKA_CLEANUP_POLICY
130+
value: {{ .Values.mini_runtime.kafka1.env.kafkaCleanupPolicy | default "delete" | quote }}
131+
- name: CLUSTER_ID
132+
value: {{ .Values.mini_runtime.kafka1.env.kafkaClusterId | quote }}
133+
{{- end }}
134+
135+
{{/*
136+
Kafka image
137+
Usage: {{ include "akto.kafka.image" . }}
138+
*/}}
139+
{{- define "akto.kafka.image" -}}
140+
{{ .Values.mini_runtime.kafka1.image.repository }}:{{ .Values.mini_runtime.kafka1.image.tag | default .Chart.AppVersion }}
141+
{{- end }}
142+
143+
{{/*
144+
Kafka advertised listeners based on mode and security settings
145+
Usage: {{ include "akto.kafka.advertisedListeners" (dict "root" . "separate" true/false) }}
146+
*/}}
147+
{{- define "akto.kafka.advertisedListeners" -}}
148+
{{- $fqdn := include "akto.kafka.fqdn" . }}
149+
{{- if .root.Values.mini_runtime.kafka1.env.kafkaAdvertisedListeners }}
150+
{{ .root.Values.mini_runtime.kafka1.env.kafkaAdvertisedListeners }}
151+
{{- else if and .root.Values.mini_runtime.kafka1.useSasl .root.Values.mini_runtime.kafka1.useTls }}
152+
LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://{{ $fqdn }}:9093, LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://localhost:29092
153+
{{- else if .root.Values.mini_runtime.kafka1.useSasl }}
154+
LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://localhost:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://{{ $fqdn }}:9092
155+
{{- else if .root.Values.mini_runtime.kafka1.useTls }}
156+
LISTENER_DOCKER_EXTERNAL_LOCALHOST://localhost:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{ $fqdn }}:9092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_ENCRYPTED://{{ $fqdn }}:9093
157+
{{- else }}
158+
LISTENER_DOCKER_EXTERNAL_LOCALHOST://localhost:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{ $fqdn }}:9092
159+
{{- end }}
160+
{{- end }}
161+
162+
{{/*
163+
Kafka container template (for sidecar mode)
164+
Usage: {{ include "akto.kafka.container" (dict "root" . "separate" true/false) }}
165+
*/}}
166+
{{- define "akto.kafka.container" -}}
167+
- env:
168+
- name: MY_POD_NAMESPACE
169+
valueFrom:
170+
fieldRef:
171+
fieldPath: metadata.namespace
172+
- name: KAFKA_ADVERTISED_LISTENERS
173+
value: >-
174+
{{- include "akto.kafka.advertisedListeners" . | nindent 6 }}
175+
- name: KAFKA_BROKER_ID
176+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaBrokerId }}
177+
- name: KAFKA_CREATE_TOPICS
178+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaCreateTopics }}
179+
- name: KAFKA_INTER_BROKER_LISTENER_NAME
180+
value: >-
181+
{{- if .root.Values.mini_runtime.kafka1.env.kafkaAdvertisedListeners }}
182+
{{ .root.Values.mini_runtime.kafka1.env.kafkaInterBrokerListenerName }}
183+
{{- else if .root.Values.mini_runtime.kafka1.useSasl }}
184+
LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL
185+
{{- else if .root.Values.mini_runtime.kafka1.useTls }}
186+
LISTENER_DOCKER_EXTERNAL_DIFFHOST
187+
{{- else }}
188+
{{ .root.Values.mini_runtime.kafka1.env.kafkaInterBrokerListenerName }}
189+
{{- end }}
190+
- name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
191+
value: >-
192+
{{- if and .root.Values.mini_runtime.kafka1.useSasl .root.Values.mini_runtime.kafka1.useTls }}
193+
{{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMapSaslTls }}
194+
{{- else if .root.Values.mini_runtime.kafka1.useSasl }}
195+
{{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMapSasl }}
196+
{{- else if .root.Values.mini_runtime.kafka1.useTls }}
197+
{{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMapSsl }}
198+
{{- else }}
199+
{{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMap }}
200+
{{- end }}
201+
- name: KAFKA_PROCESS_ROLES
202+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaProcessRoles }}
203+
- name: KAFKA_NODE_ID
204+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaNodeId }}
205+
- name: KAFKA_CONTROLLER_QUORUM_VOTERS
206+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaControllerQuorumVoters }}
207+
- name: KAFKA_CONTROLLER_LISTENER_NAMES
208+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaControllerListenerNames }}
209+
- name: KAFKA_LISTENERS
210+
value: >-
211+
{{- if .root.Values.mini_runtime.kafka1.env.kafkaListeners }}
212+
{{ .root.Values.mini_runtime.kafka1.env.kafkaListeners }}
213+
{{- else if and .root.Values.mini_runtime.kafka1.useSasl .root.Values.mini_runtime.kafka1.useTls }}
214+
CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://0.0.0.0:9093
215+
{{- else if .root.Values.mini_runtime.kafka1.useSasl }}
216+
CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://0.0.0.0:9092
217+
{{- else if .root.Values.mini_runtime.kafka1.useTls }}
218+
CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_ENCRYPTED://0.0.0.0:9093
219+
{{- else }}
220+
CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST://0.0.0.0:9092
221+
{{- end }}
222+
- name: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR
223+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaOffsetsTopicReplicationFactor }}
224+
- name: KAFKA_TRANSACTION_STATE_LOG_MIN_ISR
225+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaTransactionStateLogMinIsr }}
226+
- name: KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
227+
value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaTransactionStateLogReplicationFactor }}
228+
{{- include "akto.kafka.commonEnv" .root | nindent 2 }}
229+
{{- if .root.Values.mini_runtime.kafka1.useTls }}
230+
- name: KAFKA_SSL_KEYSTORE_LOCATION
231+
value: {{ quote .root.Values.mini_runtime.kafka1.env.sslKeystoreLocation }}
232+
- name: KAFKA_SSL_KEYSTORE_PASSWORD
233+
value: {{ quote .root.Values.mini_runtime.kafka1.env.sslKeystorePassword }}
234+
- name: KAFKA_SSL_KEY_PASSWORD
235+
value: {{ quote .root.Values.mini_runtime.kafka1.env.sslKeyPassword }}
236+
- name: KAFKA_SSL_TRUSTSTORE_LOCATION
237+
value: {{ quote .root.Values.mini_runtime.kafka1.env.sslTruststoreLocation }}
238+
- name: KAFKA_SSL_TRUSTSTORE_PASSWORD
239+
value: {{ quote .root.Values.mini_runtime.kafka1.env.sslTruststorePassword }}
240+
{{- end }}
241+
{{- if .root.Values.mini_runtime.kafka1.useSasl }}
242+
- name: KAFKA_OPTS
243+
value: "-Djava.security.auth.login.config=/etc/kafka/config/kafka_server_jaas.conf"
244+
- name: KAFKA_SASL_ENABLED_MECHANISMS
245+
value: "PLAIN"
246+
- name: KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL
247+
value: "PLAIN"
248+
{{- end }}
249+
- name: KUBERNETES_CLUSTER_DOMAIN
250+
value: {{ quote .root.Values.kubernetesClusterDomain }}
251+
image: {{ include "akto.kafka.image" .root }}
252+
{{- if or .root.Values.mini_runtime.kafka1.useTls .root.Values.mini_runtime.kafka1.useSasl }}
253+
volumeMounts:
254+
{{- if .root.Values.mini_runtime.kafka1.useTls }}
255+
- name: kafka-certs
256+
mountPath: {{ quote .root.Values.mini_runtime.kafka1.env.sslBaseMountPath }}
257+
{{- end }}
258+
{{- if .root.Values.mini_runtime.kafka1.useSasl }}
259+
- name: kafka-jaas-config
260+
mountPath: /etc/kafka/config
261+
readOnly: true
262+
{{- end }}
263+
{{- end }}
264+
name: {{ if .separate }}kafka{{ else }}kafka1{{ end }}
265+
ports:
266+
- containerPort: 9092
267+
- containerPort: 9093
268+
- containerPort: 29092
269+
- containerPort: 9999
270+
resources: {{- toYaml .root.Values.mini_runtime.kafka1.resources | nindent 4 }}
271+
{{- end }}
272+
273+
{{/*
274+
Kafka volumes template
275+
Usage: {{ include "akto.kafka.volumes" . }}
276+
*/}}
277+
{{- define "akto.kafka.volumes" -}}
278+
{{- if or .Values.mini_runtime.kafka1.useTls .Values.mini_runtime.kafka1.useSasl }}
279+
volumes:
280+
{{- if .Values.mini_runtime.kafka1.useTls }}
281+
- name: kafka-certs
282+
secret:
283+
secretName: {{ quote .Values.mini_runtime.kafka1.env.sslSecretName }}
284+
{{- end }}
285+
{{- if .Values.mini_runtime.kafka1.useSasl }}
286+
- name: kafka-jaas-config
287+
configMap:
288+
name: {{ include "akto.fullname" . }}-kafka-jaas-config
289+
{{- end }}
290+
{{- end }}
291+
{{- end }}
292+
293+
{{/*
294+
Generate Kafka controller quorum voters for KRaft mode
295+
Format: nodeId@hostname:port,nodeId@hostname:port,...
296+
*/}}
297+
{{- define "akto.kafka.quorumVoters" -}}
298+
{{- $replicas := .Values.mini_runtime.kafkaSeparate.replicas | default 3 | int }}
299+
{{- $fullname := include "akto.fullname" . }}
300+
{{- $namespace := .Release.Namespace }}
301+
{{- $clusterDomain := .Values.kubernetesClusterDomain }}
302+
{{- $voters := list }}
303+
{{- range $i := until $replicas }}
304+
{{- $voters = append $voters (printf "%d@%s-kafka-%d.%s-kafka-headless.%s.svc.%s:9094" $i $fullname $i $fullname $namespace $clusterDomain) }}
305+
{{- end }}
306+
{{- join "," $voters }}
307+
{{- end }}
308+
309+
{{/*
310+
Generate Kafka bootstrap servers for clients (for mini-runtime sidecar use)
311+
*/}}
312+
{{- define "akto.kafka.bootstrapServers" -}}
313+
{{- if .Values.mini_runtime.useExternalKafka }}
314+
{{- .Values.mini_runtime.externalKafka.brokerUrl }}
315+
{{- else if .Values.mini_runtime.separateKafkaDeployment }}
316+
{{- $replicas := .Values.mini_runtime.kafkaSeparate.replicas | default 3 | int }}
317+
{{- $fullname := include "akto.fullname" . }}
318+
{{- $namespace := .Release.Namespace }}
319+
{{- $clusterDomain := .Values.kubernetesClusterDomain }}
320+
{{- $servers := list }}
321+
{{- range $i := until $replicas }}
322+
{{- $servers = append $servers (printf "%s-kafka-%d.%s-kafka-headless.%s.svc.%s:9092" $fullname $i $fullname $namespace $clusterDomain) }}
323+
{{- end }}
324+
{{- join "," $servers }}
325+
{{- else }}
326+
{{- .Values.mini_runtime.aktoApiSecurityRuntime.env.aktoKafkaBrokerUrl }}
327+
{{- end }}
328+
{{- end }}
329+
330+
{{/*
331+
Generate Kafka bootstrap servers for external clients (other pods, not sidecar)
332+
*/}}
333+
{{- define "akto.kafka.bootstrapServersExternal" -}}
334+
{{- if .Values.mini_runtime.useExternalKafka }}
335+
{{- .Values.mini_runtime.externalKafka.brokerUrl }}
336+
{{- else if .Values.mini_runtime.separateKafkaDeployment }}
337+
{{- $replicas := .Values.mini_runtime.kafkaSeparate.replicas | default 3 | int }}
338+
{{- $fullname := include "akto.fullname" . }}
339+
{{- $namespace := .Release.Namespace }}
340+
{{- $clusterDomain := .Values.kubernetesClusterDomain }}
341+
{{- $servers := list }}
342+
{{- range $i := until $replicas }}
343+
{{- $servers = append $servers (printf "%s-kafka-%d.%s-kafka-headless.%s.svc.%s:9092" $fullname $i $fullname $namespace $clusterDomain) }}
344+
{{- end }}
345+
{{- join "," $servers }}
346+
{{- else }}
347+
{{- /* Sidecar mode - use service URL for external clients */}}
348+
{{- printf "%s-mini-runtime.%s.svc.%s:9092" (include "akto.fullname" .) .Release.Namespace .Values.kubernetesClusterDomain }}
349+
{{- end }}
350+
{{- end }}
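Review bot: In `akto.kafka.container` the TLS secrets `KAFKA_SSL_KEYSTORE_PASSWORD`, `KAFKA_SSL_KEY_PASSWORD` and `KAFKA_SSL_TRUSTSTORE_PASSWORD` are rendered as literal `value:` strings from `.Values`, so the passwords land in clear text in the pod spec and in the Helm release record for anyone who can read pods in the namespace; the chart already mounts `sslSecretName` as a Secret for the certificates, so the passwords should be referenced with `valueFrom.secretKeyRef` from that Secret (or a dedicated one) instead. The same applies to the SASL PLAIN JAAS file that `akto.kafka.volumes` sources from a ConfigMap named `<fullname>-kafka-jaas-config`: if that file carries broker credentials it belongs in a Secret, and `readOnly: true` on the mount does not change where the data is stored. If these lines were lifted unchanged from the previous Deployment template the exposure is pre-existing, but the shared helper is the one place to correct it. Separately, the new `akto.kafka.quorumVoters` helper is not referenced anywhere in this hunk while the container still takes `kafkaNodeId` and `kafkaControllerQuorumVoters` straight from values and advertises the shared `<fullname>-kafka` Service FQDN; if the same container helper backs the StatefulSet (outside this hunk), every replica would get the same node id and advertise the same address rather than its own `<fullname>-kafka-N.<fullname>-kafka-headless` name that `akto.kafka.bootstrapServers` hands to clients, which is worth confirming against the StatefulSet template.
```yaml
{{- if .root.Values.mini_runtime.kafka1.useTls }}
# … unchanged: KAFKA_SSL_KEYSTORE_LOCATION entry …
- name: KAFKA_SSL_KEYSTORE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ quote .root.Values.mini_runtime.kafka1.env.sslSecretName }}
      key: KEYSTORE_PASSWORD_KEY  # placeholder: key name inside the TLS Secret
- name: KAFKA_SSL_KEY_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ quote .root.Values.mini_runtime.kafka1.env.sslSecretName }}
      key: KEY_PASSWORD_KEY  # placeholder: key name inside the TLS Secret
# … unchanged: KAFKA_SSL_TRUSTSTORE_LOCATION entry …
- name: KAFKA_SSL_TRUSTSTORE_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ quote .root.Values.mini_runtime.kafka1.env.sslSecretName }}
      key: TRUSTSTORE_PASSWORD_KEY  # placeholder: key name inside the TLS Secret
{{- end }}
```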
