Resources for Confluent Apps blog post

Author: JohnPreston

README.rst

@@ -0,0 +1,5 @@
+============================
+ComposeX Blog resources
+============================
+
+This repository stores the resources for you to use when following our `blog <blog.ecs-composex.lambda-my-aws.io>`.

confluent-apps-01/README.rst

@@ -0,0 +1,54 @@
+====================
+Confluent Apps
+====================
+
+connect-cluster
+===============
+
+The connect cluster that we deploy in our AWS environment to deploy a connect cluster.
+
+
+control-center
+==============
+
+The control center allows to have a GUI which allows developers and administrators to interact with the kafka and connect
+clusters.
+The control center is deployed behind a load-balancer (ALB) which allows remote access. There is only 1 container running and
+we do not need more than that.
+
+
+Secrets management
+==================
+
+The secrets management is handled in the exact same way as for any other applications, however, the schema changes based
+on what the applications need. Use the templates accordingly.
+
+
+Deployment
+===========
+
+AWS ECS
+--------
+
+All services are deployed in AWS ECS using AWS Fargate for compute provisioning.
+In nonprod environments, they are on a 2:1 ratio between FARGATE and FARGATE_SPOT.
+
+Deploying using composex
+-------------------------
+
+
+.. code-block:: bash
+
+   python -m venv venv
+   source venv/bin/activate
+   pip install pip -U
+   pip install ecs_composex>=0.8.9
+   # AWS_PROFILE is the name of the profile you have authed in using SSO.
+   # When running from codebuild or else, this does not need to be specified.
+   # ENV_NAME can be one of dev, stg or prod.
+   ENV_NAME=dev ecs-composex up -n kafka--confluent-apps-${ENV_NAME} -f docker-compose.yml -envs/${ENV_NAME}.yml
+
+
+.. warning::
+
+   There can only be one Control Center running presently per Kafka cluster, or you need to assign random IDs to these.

confluent-apps-01/connect-cluster/Dockerfile

@@ -0,0 +1,4 @@
+FROM confluentinc/cp-kafka-connect:5.5.1
+RUN apt-get update && apt-get install jq -y && rm -rf /var/lib/apt/lists/*
+COPY start.sh /etc/confluent/docker/start.sh
+CMD ["/etc/confluent/docker/start.sh"]

confluent-apps-01/connect-cluster/connect-cluster_secrets.yaml

@@ -0,0 +1,99 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: |
+  Template to create a new AWS Secret storing credentials for a consumer group of a specific confluent kafka cluster
+
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Cluster Settings
+        Parameters:
+          - ClusterId
+          - BootstrapEndpoint
+          - BootstrapPort
+          - SchemaRegistryUrl
+          - ClusterName
+      - Label:
+          default: Connect general settings
+        Parameters:
+          - ClusterConnectUsername
+          - ClusterConnectPassword
+      - Label:
+          default: Connect consumer settings
+        Parameters:
+          - ClusterConsumerUsername
+          - ClusterConsumerPassword
+      - Label:
+          default: Connect producer settings
+        Parameters:
+          - ClusterProducerUsername
+          - ClusterProducerPassword
+      - Label:
+          default: Schema Registry credentials
+        Parameters:
+          - SchemaRegistryGroupUsername
+          - SchemaRegistryGroupPassword
+
+Parameters:
+  ClusterId:
+    Type: String
+  BootstrapEndpoint:
+    Type: String
+  BootstrapPort:
+    Type: Number
+    MinValue: 1024
+    MaxValue: 65535
+
+  ClusterName:
+    Type: String
+
+  ClusterConnectUsername:
+    Type: String
+    NoEcho: True
+  ClusterConnectPassword:
+    Type: String
+    NoEcho: True
+
+  ClusterProducerUsername:
+    Type: String
+    NoEcho: True
+  ClusterProducerPassword:
+    Type: String
+    NoEcho: True
+
+  ClusterConsumerUsername:
+    Type: String
+    NoEcho: True
+  ClusterConsumerPassword:
+    Type: String
+    NoEcho: True
+
+
+  SchemaRegistryUrl:
+    Type: String
+  SchemaRegistryGroupUsername:
+    Type: String
+    NoEcho: True
+  SchemaRegistryGroupPassword:
+    Type: String
+    NoEcho: True
+
+Resources:
+  KafkaSecret:
+    Type: 'AWS::SecretsManager::Secret'
+    Properties:
+      Name: !Sub '/kafka/${ClusterId}/${ClusterName}'
+      Description: "Secret for Confluent Connect Cluster credentials"
+      SecretString: !Sub |
+        {
+          "SCHEMA_REGISTRY_URL": "${SchemaRegistryUrl}",
+          "SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "${SchemaRegistryGroupUsername}:${SchemaRegistryGroupPassword}",
+          "CONNECT_BOOTSTRAP_SERVERS": "${BootstrapEndpoint}:${BootstrapPort}",
+          "CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_URL": "${SchemaRegistryUrl}",
+          "CONNECT_VALUE_CONVERTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "${SchemaRegistryGroupUsername}:${SchemaRegistryGroupPassword}",
+          "CONNECT_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ClusterConnectUsername}\" password=\"${ClusterConnectPassword}\";",
+          "CONNECT_CONSUMER_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ClusterConsumerUsername}\" password=\"${ClusterConsumerPassword}\";",
+          "CONNECT_PRODUCER_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ClusterProducerUsername}\" password=\"${ClusterProducerPassword}\";",
+          "CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ClusterConsumerUsername}\" password=\"${ClusterConsumerPassword}\";",
+          "CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ClusterProducerUsername}\" password=\"${ClusterProducerPassword}\";"
+        }

confluent-apps-01/connect-cluster/start.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+export CONNECT_REST_ADVERTISED_HOST_NAME=$(hostname)
+echo $CONNECT_REST_ADVERTISED_HOST_NAME
+
+IFS=$'\n'
+for s in $(echo $CONNECT_CREDS | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ); do export $s ;  done
+/etc/confluent/docker/run || exit 1

confluent-apps-01/control-center/Dockerfile

@@ -0,0 +1,5 @@
+FROM confluentinc/cp-enterprise-control-center:5.5.1
+RUN apt-get update && apt-get install jq -y && rm -rf /var/lib/apt/lists/*
+
+COPY start.sh /etc/confluent/docker/start.sh
+CMD ["/etc/confluent/docker/start.sh"]

confluent-apps-01/control-center/control_center_secrets.yaml

@@ -0,0 +1,89 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: |
+  Template to create a new AWS Secret storing credentials for a consumer group of a specific confluent kafka cluster
+  If you
+
+Metadata:
+  Author: johnpreston
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: Cluster Settings
+        Parameters:
+          - ClusterId
+          - BootstrapEndpoint
+          - BootstrapPort
+          - SchemaRegistryUrl
+      - Label:
+          default: Consumer group settings
+        Parameters:
+          - ConsumerGroupName
+          - ConsumerGroupUsername
+          - ConsumerGroupPassword
+      - Label:
+          default: Schema Registry credentials
+        Parameters:
+          - SchemaRegistryGroupUsername
+          - SchemaRegistryGroupPassword
+
+Parameters:
+  ClusterId:
+    Type: String
+  BootstrapEndpoint:
+    Type: String
+  BootstrapPort:
+    Type: Number
+    MinValue: 1024
+    MaxValue: 65535
+
+  ConsumerGroupName:
+    Type: String
+  ConsumerGroupUsername:
+    Type: String
+    NoEcho: True
+  ConsumerGroupPassword:
+    Type: String
+    NoEcho: True
+
+  SchemaRegistryUrl:
+    Type: String
+  SchemaRegistryGroupUsername:
+    Type: String
+    NoEcho: True
+  SchemaRegistryGroupPassword:
+    Type: String
+    NoEcho: True
+  License:
+    Default: none
+    Type: String
+    NoEcho: True
+
+Conditions:
+  NoLicense: !Equals [ !Ref License, "none" ]
+
+Resources:
+  KafkaSecret:
+    Type: 'AWS::SecretsManager::Secret'
+    Properties:
+      Name: !Sub '/kafka/${ClusterId}/${ConsumerGroupName}'
+      Description: "Secret for Confluent Control Center"
+      SecretString: !If
+        - NoLicense
+        - !Sub |
+          {
+            "SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "${SchemaRegistryGroupUsername}:${SchemaRegistryGroupPassword}",
+            "CONTROL_CENTER_BOOTSTRAP_SERVERS": "${BootstrapEndpoint}:${BootstrapPort}",
+            "CONTROL_CENTER_SCHEMA_REGISTRY_URL": "${SchemaRegistryUrl}",
+            "CONTROL_CENTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "${SchemaRegistryGroupUsername}:${SchemaRegistryGroupPassword}",
+            "CONTROL_CENTER_STREAMS_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ConsumerGroupUsername}\" password=\"${ConsumerGroupPassword}\";",
+            "CONFLUENT_LICENSE": "${License}",
+            "CONTROL_CENTER_LICENSE": "${License}"
+          }
+        - !Sub |
+          {
+            "SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "${SchemaRegistryGroupUsername}:${SchemaRegistryGroupPassword}",
+            "CONTROL_CENTER_BOOTSTRAP_SERVERS": "${BootstrapEndpoint}:${BootstrapPort}",
+            "CONTROL_CENTER_SCHEMA_REGISTRY_URL": "${SchemaRegistryUrl}",
+            "CONTROL_CENTER_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO": "${SchemaRegistryGroupUsername}:${SchemaRegistryGroupPassword}",
+            "CONTROL_CENTER_STREAMS_SASL_JAAS_CONFIG": "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"${ConsumerGroupUsername}\" password=\"${ConsumerGroupPassword}\";",
+          }

confluent-apps-01/control-center/start.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+for c in $CONNECT_CLUSTERS; do
+    NAME=$(echo $c | awk -F\:\: '{print $1}')
+    URL=$(echo $c | awk -F\:\: '{print $2}')
+    echo $NAME - $URL
+    export CONFLUENT_CONTROL_CENTER_CONNECT_${NAME}_CLUSTER=$URL
+    export CONTROL_CENTER_CONNECT_${NAME}_CLUSTER=$URL
+    env | grep CONTROL_CENTER_CONNECT
+done
+
+CONFLUENT_CONTROLCENTER_ID=$RANDOM
+CONTROL_CENTER_ID=$RANDOM
+
+IFS=$'\n'
+for s in $(echo $CC_CREDS | jq -r "to_entries|map(\"\(.key)=\(.value|tostring)\")|.[]" ); do
+    export $s
+done
+echo "STARTING CONTROL CENTER"
+/etc/confluent/docker/run

confluent-apps-01/docker-compose.yml

@@ -0,0 +1,91 @@
+---
+version: '3.8'
+services:
+  controlcenter:
+    build:
+      context: control-center
+      dockerfile: Dockerfile
+    image: ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/confluentinc/cp-enterprise-control-center:5.5.1
+    deploy:
+      resources:
+        reservations:
+          cpus: "1.0"
+          memory: "2G"
+    ports:
+      - 8080:8080
+    environment:
+      CONTROL_CENTER_SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
+      CONTROL_CENTER_STREAMS_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: "HTTPS"
+      CONTROL_CENTER_STREAMS_SECURITY_PROTOCOL: SASL_SSL
+      CONTROL_CENTER_STREAMS_SASL_MECHANISM: PLAIN
+      CONTROL_CENTER_REPLICATION_FACTOR: 3
+      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_REPLICATION: 3
+      CONTROL_CENTER_INTERNAL_TOPICS_REPLICATION: 3
+      CONTROL_CENTER_COMMAND_TOPIC_REPLICATION: 3
+      CONTROL_CENTER_METRICS_TOPIC_REPLICATION: 3
+      CONFLUENT_METRICS_TOPIC_REPLICATION: 3
+      CONTROL_CENTER_STREAMS_NUM_STREAM_THREADS: 3
+      CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1
+      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1
+      # Workaround for MMA-3564
+      CONTROL_CENTER_METRICS_TOPIC_MAX_MESSAGE_BYTES: 8388608
+      CONTROL_CENTER_REST_LISTENERS: "http://0.0.0.0:8080"
+      PORT: 8080
+    secrets:
+      - CC_CREDS
+    depends_on:
+      - connect
+
+  connect:
+    build:
+      context: connect-cluster
+      dockerfile: Dockerfile
+    image: ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/confluentinc/cp-kafka-connect:5.5.1
+    ports:
+      - 8083:8083
+    environment:
+      CONNECT_REST_PORT: 8083
+      CONNECT_GROUP_ID: "connect"
+      CONNECT_CONFIG_STORAGE_TOPIC: "connect-configs"
+      CONNECT_OFFSET_STORAGE_TOPIC: "connect-offsets"
+      CONNECT_STATUS_STORAGE_TOPIC: "connect-status"
+      CONNECT_REPLICATION_FACTOR: 3
+      CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 3
+      CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 3
+      CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 3
+
+      CONNECT_KEY_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
+      CONNECT_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
+
+      CONNECT_VALUE_CONVERTER_SCHEMAS_ENABLE: "true"
+      CONNECT_VALUE_CONVERTER_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
+
+      CONNECT_INTERNAL_KEY_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
+      CONNECT_INTERNAL_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"
+
+      CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components"
+      CONNECT_LOG4J_ROOT_LOGLEVEL: INFO
+      CONNECT_LOG4J_LOGGERS: org.reflections=ERROR
+
+      # CLASSPATH required due to CC-2422
+      CLASSPATH: /usr/share/java/monitoring-interceptors/monitoring-interceptors-5.5.1.jar
+
+      # Connect worker
+      CONNECT_SECURITY_PROTOCOL: SASL_SSL
+      CONNECT_SASL_MECHANISM: PLAIN
+      CONNECT_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: "HTTPS"
+      # Connect producer
+      CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_SSL
+      CONNECT_PRODUCER_SASL_MECHANISM: PLAIN
+      CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
+      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
+      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: PLAIN
+      # Connect consumer
+      CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_SSL
+      CONNECT_CONSUMER_SASL_MECHANISM: PLAIN
+      CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
+      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
+      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: PLAIN
+      TZ: "Europe/London"
+    secrets:
+      - CONNECT_CREDS