akto-api-security
diff --git a/‎charts/mini-runtime/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/mini-runtime/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/mini-runtime/README.md‎
Lines changed: 19 additions & 0 deletions b/‎charts/mini-runtime/README.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎charts/mini-runtime/templates/_helpers.tpl‎
Lines changed: 218 additions & 0 deletions b/‎charts/mini-runtime/templates/_helpers.tpl‎
Lines changed: 218 additions & 0 deletions
@@ -2,8 +2,8 @@ apiVersion: v2
 name: akto-mini-runtime
 description: Helm chart for installing Akto hybrid runtime
 type: application
-version: 0.5.5
-appVersion: "0.5.5"
+version: 0.6.0
+appVersion: "0.6.0"
 home: https://www.akto.io
 icon: https://akto-setup.s3.amazonaws.com/templates/128x128.png
 sources:
 
@@ -41,6 +41,25 @@ Here are the steps to install Akto mini-runtime via Helm charts -
 
 3. Run `kubectl get pods -n <NAMESPACE>` and verify you can see 1 mini-runtime pod with 4 containers and 1 keel pod.
 
+### Kafka Deployment Options
+
+The chart supports two Kafka deployment modes:
+
+1. **Sidecar Mode (Default)** - Kafka runs as a sidecar container in the same pod as mini-runtime. This is the default for backward compatibility.
+   - Mini-runtime connects to Kafka via `localhost:29092`
+   - Single pod contains both mini-runtime and Kafka
+
+2. **Separate Deployment Mode** - Kafka runs as a standalone deployment with its own service.
+   - Mini-runtime connects to Kafka via FQDN (e.g., `akto-mini-runtime-kafka.<namespace>.svc.cluster.local:9092`)
+   - Allows independent scaling and resource management
+
+To enable separate Kafka deployment:
+```bash
+helm install akto-mini-runtime akto/akto-mini-runtime -n <your-namespace> \
+  --set mini_runtime.aktoApiSecurityRuntime.env.databaseAbstractorToken="<your-token>" \
+  --set mini_runtime.separateKafkaDeployment=true
+```
+
 ### Upgrading to new version
 
 1. Update helm repo
 
@@ -59,3 +59,221 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Kafka service name based on deployment mode
+Usage: {{ include "akto.kafka.serviceName" (dict "root" . "separate" true/false) }}
+*/}}
+{{- define "akto.kafka.serviceName" -}}
+{{- if .separate }}
+{{- printf "%s-kafka" (include "akto.fullname" .root) }}
+{{- else }}
+{{- printf "%s-mini-runtime" (include "akto.fullname" .root) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Kafka FQDN based on deployment mode
+Usage: {{ include "akto.kafka.fqdn" (dict "root" . "separate" true/false) }}
+*/}}
+{{- define "akto.kafka.fqdn" -}}
+{{- $serviceName := include "akto.kafka.serviceName" . }}
+{{- printf "%s.%s.svc.%s" $serviceName .root.Release.Namespace .root.Values.kubernetesClusterDomain }}
+{{- end }}
+
+{{/*
+Kafka service template
+Usage: {{ include "akto.kafka.service" (dict "root" . "separate" true/false) }}
+*/}}
+{{- define "akto.kafka.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "akto.kafka.serviceName" . }}
+  labels:
+  {{- include "akto.labels" .root | nindent 4 }}
+  annotations:
+    {{- with .root.Values.mini_runtime.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .root.Values.mini_runtime.type }}
+  selector:
+    app: {{ include "akto.kafka.serviceName" . }}
+  {{- include "akto.selectorLabels" .root | nindent 4 }}
+  ports:
+  {{- if .root.Values.mini_runtime.kafka1.useSasl }}
+  {{- .root.Values.ports.sasl | toYaml | nindent 4 -}}
+  {{- else if .root.Values.mini_runtime.kafka1.useTls }}
+  {{- .root.Values.ports.tls | toYaml | nindent 4 -}}
+  {{- else }}
+  {{- .root.Values.ports.default | toYaml | nindent 4 -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Kafka advertised listeners based on mode and security settings
+Usage: {{ include "akto.kafka.advertisedListeners" (dict "root" . "separate" true/false) }}
+*/}}
+{{- define "akto.kafka.advertisedListeners" -}}
+{{- $fqdn := include "akto.kafka.fqdn" . }}
+{{- if .root.Values.mini_runtime.kafka1.env.kafkaAdvertisedListeners }}
+  {{ .root.Values.mini_runtime.kafka1.env.kafkaAdvertisedListeners }}
+{{- else if and .root.Values.mini_runtime.kafka1.useSasl .root.Values.mini_runtime.kafka1.useTls }}
+  LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://{{ $fqdn }}:9093, LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://localhost:29092
+{{- else if .root.Values.mini_runtime.kafka1.useSasl }}
+  LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://localhost:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://{{ $fqdn }}:9092
+{{- else if .root.Values.mini_runtime.kafka1.useTls }}
+  LISTENER_DOCKER_EXTERNAL_LOCALHOST://localhost:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{ $fqdn }}:9092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_ENCRYPTED://{{ $fqdn }}:9093
+{{- else }}
+  LISTENER_DOCKER_EXTERNAL_LOCALHOST://localhost:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST://{{ $fqdn }}:9092
+{{- end }}
+{{- end }}
+
+{{/*
+Kafka container template
+Usage: {{ include "akto.kafka.container" (dict "root" . "separate" true/false) }}
+*/}}
+{{- define "akto.kafka.container" -}}
+- env:
+  - name: MY_POD_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+  - name: KAFKA_ADVERTISED_LISTENERS
+    value: >-
+      {{- include "akto.kafka.advertisedListeners" . | nindent 6 }}
+  - name: KAFKA_BROKER_ID
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaBrokerId }}
+  - name: KAFKA_CLEANUP_POLICY
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaCleanupPolicy }}
+  - name: KAFKA_CREATE_TOPICS
+    {{- if and .separate .root.Values.mini_runtime.kafkaSeparate.kafkaCreateTopics }}
+    value: {{ quote .root.Values.mini_runtime.kafkaSeparate.kafkaCreateTopics }}
+    {{- else }}
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaCreateTopics }}
+    {{- end }}
+  - name: KAFKA_INTER_BROKER_LISTENER_NAME
+    value: >-
+      {{- if .root.Values.mini_runtime.kafka1.env.kafkaAdvertisedListeners }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaInterBrokerListenerName }}
+      {{- else if .root.Values.mini_runtime.kafka1.useSasl }}
+        LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL
+      {{- else if .root.Values.mini_runtime.kafka1.useTls }}
+        LISTENER_DOCKER_EXTERNAL_DIFFHOST
+      {{- else }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaInterBrokerListenerName }}
+      {{- end }}
+  - name: KAFKA_LISTENER_SECURITY_PROTOCOL_MAP
+    value: >-
+      {{- if and .root.Values.mini_runtime.kafka1.useSasl .root.Values.mini_runtime.kafka1.useTls }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMapSaslTls }}
+      {{- else if .root.Values.mini_runtime.kafka1.useSasl }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMapSasl }}
+      {{- else if .root.Values.mini_runtime.kafka1.useTls }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMapSsl }}
+      {{- else }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaListenerSecurityProtocolMap }}
+      {{- end }}
+  - name: KAFKA_PROCESS_ROLES
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaProcessRoles }}
+  - name: KAFKA_NODE_ID
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaNodeId }}
+  - name: KAFKA_CONTROLLER_QUORUM_VOTERS
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaControllerQuorumVoters }}
+  - name: KAFKA_CONTROLLER_LISTENER_NAMES
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaControllerListenerNames }}
+  - name: KAFKA_LISTENERS
+    value: >-
+      {{- if .root.Values.mini_runtime.kafka1.env.kafkaListeners }}
+        {{ .root.Values.mini_runtime.kafka1.env.kafkaListeners }}
+      {{- else if and .root.Values.mini_runtime.kafka1.useSasl .root.Values.mini_runtime.kafka1.useTls }}
+        CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://0.0.0.0:9093
+      {{- else if .root.Values.mini_runtime.kafka1.useSasl }}
+        CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST_SASL://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_SASL://0.0.0.0:9092
+      {{- else if .root.Values.mini_runtime.kafka1.useTls }}
+        CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST_ENCRYPTED://0.0.0.0:9093
+      {{- else }}
+        CONTROLLER://0.0.0.0:9094,LISTENER_DOCKER_EXTERNAL_LOCALHOST://0.0.0.0:29092,LISTENER_DOCKER_EXTERNAL_DIFFHOST://0.0.0.0:9092
+      {{- end }}
+  - name: KAFKA_LOG_CLEANER_ENABLE
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaLogCleanerEnable }}
+  - name: KAFKA_LOG_RETENTION_BYTES
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaLogRetentionBytes }}
+  - name: KAFKA_LOG_RETENTION_CHECK_INTERVAL_MS
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaLogRetentionCheckIntervalMs }}
+  - name: KAFKA_LOG_RETENTION_HOURS
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaLogRetentionHours }}
+  - name: KAFKA_LOG_SEGMENT_BYTES
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaLogSegmentBytes }}
+  - name: KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaOffsetsTopicReplicationFactor }}
+  - name: KAFKA_TRANSACTION_STATE_LOG_MIN_ISR
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaTransactionStateLogMinIsr }}
+  - name: KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaTransactionStateLogReplicationFactor }}
+  - name: CLUSTER_ID
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.kafkaClusterId }}
+  {{- if .root.Values.mini_runtime.kafka1.useTls }}
+  - name: KAFKA_SSL_KEYSTORE_LOCATION
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.sslKeystoreLocation }}
+  - name: KAFKA_SSL_KEYSTORE_PASSWORD
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.sslKeystorePassword }}
+  - name: KAFKA_SSL_KEY_PASSWORD
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.sslKeyPassword }}
+  - name: KAFKA_SSL_TRUSTSTORE_LOCATION
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.sslTruststoreLocation }}
+  - name: KAFKA_SSL_TRUSTSTORE_PASSWORD
+    value: {{ quote .root.Values.mini_runtime.kafka1.env.sslTruststorePassword }}
+  {{- end }}
+  {{- if .root.Values.mini_runtime.kafka1.useSasl }}
+  - name: KAFKA_OPTS
+    value: "-Djava.security.auth.login.config=/etc/kafka/config/kafka_server_jaas.conf"
+  - name: KAFKA_SASL_ENABLED_MECHANISMS
+    value: "PLAIN"
+  - name: KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL
+    value: "PLAIN"
+  {{- end }}
+  - name: KUBERNETES_CLUSTER_DOMAIN
+    value: {{ quote .root.Values.kubernetesClusterDomain }}
+  image: {{ .root.Values.mini_runtime.kafka1.image.repository }}:{{ .root.Values.mini_runtime.kafka1.image.tag | default .root.Chart.AppVersion }}
+  {{- if or .root.Values.mini_runtime.kafka1.useTls .root.Values.mini_runtime.kafka1.useSasl }}
+  volumeMounts:
+    {{- if .root.Values.mini_runtime.kafka1.useTls }}
+    - name: kafka-certs
+      mountPath: {{ quote .root.Values.mini_runtime.kafka1.env.sslBaseMountPath }}
+    {{- end }}
+    {{- if .root.Values.mini_runtime.kafka1.useSasl }}
+    - name: kafka-jaas-config
+      mountPath: /etc/kafka/config
+      readOnly: true
+    {{- end }}
+  {{- end }}
+  name: {{ if .separate }}kafka{{ else }}kafka1{{ end }}
+  ports:
+  - containerPort: 9092
+  - containerPort: 9093
+  - containerPort: 29092
+  - containerPort: 9999
+  resources: {{- toYaml .root.Values.mini_runtime.kafka1.resources | nindent 4 }}
+{{- end }}
+
+{{/*
+Kafka volumes template
+Usage: {{ include "akto.kafka.volumes" . }}
+*/}}
+{{- define "akto.kafka.volumes" -}}
+{{- if or .Values.mini_runtime.kafka1.useTls .Values.mini_runtime.kafka1.useSasl }}
+volumes:
+  {{- if .Values.mini_runtime.kafka1.useTls }}
+  - name: kafka-certs
+    secret:
+      secretName: {{ quote .Values.mini_runtime.kafka1.env.sslSecretName }}
+  {{- end }}
+  {{- if .Values.mini_runtime.kafka1.useSasl }}
+  - name: kafka-jaas-config
+    configMap:
+      name: {{ include "akto.fullname" . }}-kafka-jaas-config
+  {{- end }}
+{{- end }}
+{{- end }}