[Kafka] Change Kafka installation - multi namespace support #213
base: development
Looks good, can you edit the |
Pull request overview
This PR migrates the Kafka deployment from Bitnami Kafka to the Strimzi Kafka Operator, enabling multi-namespace support and modernizing the Kafka infrastructure with KRaft mode (ZooKeeper-less operation).
Key Changes:
- Replaced Bitnami Kafka chart dependency with Strimzi Kafka Operator (version 0.48.0)
- Introduced new Kubernetes custom resources for Kafka deployment including KafkaNodePool, Kafka cluster, RBAC resources, and network policies
- Configured single-node Kafka cluster with KRaft mode for simplified deployment
Reviewed changes
Copilot reviewed 8 out of 10 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| charts/mlrun-ce/values.yaml | Replaced Bitnami Kafka configuration with Strimzi operator values, including storage, resources, listeners, and RBAC settings; removed unrelated minio image config |
| charts/mlrun-ce/templates/kafka/kafka-cluster.yaml | Added Kafka custom resource definition for Strimzi operator with listener and config management |
| charts/mlrun-ce/templates/kafka/kafka-nodepool.yaml | Added KafkaNodePool resource for KRaft-mode Kafka cluster management |
| charts/mlrun-ce/templates/kafka/kafka-rbac.yaml | Created RBAC resources (ServiceAccount, Role, RoleBinding) for cross-namespace Kafka access |
| charts/mlrun-ce/templates/kafka/kafka-network-policy.yaml | Added NetworkPolicy to control egress traffic to Kafka cluster across namespaces |
| charts/mlrun-ce/templates/kafka/kafka-bootstrap-alias.yaml | Created service alias for simplified Kafka bootstrap server naming |
| charts/mlrun-ce/requirements.yaml | Updated chart dependency from bitnami/kafka to strimzi-kafka-operator |
| charts/mlrun-ce/requirements.lock | Updated lock file with new Strimzi operator dependency and digest |
| charts/mlrun-ce/Chart.yaml | Bumped chart version from 0.10.0-rc5 to 0.10.0-rc6 |
| .gitignore | Added comprehensive .DS_Store file patterns for macOS |
| # Allow egress to the internet/other services (optional) | ||
| # Comment out the next section if you want to restrict to Kafka only | ||
| - to: | ||
| - namespaceSelector: {} | ||
| - podSelector: {} | ||
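Review bot: the comment on the first line of this hunk says the rule allows egress "to the internet/other services", but the two peers under `- to:` are `namespaceSelector: {}` and `podSelector: {}`, which only select pods (every pod in every namespace, and every pod in the policy's own namespace); destinations outside the cluster would need an `ipBlock` peer. No `ports` restriction is visible on the rule, so it opens egress to every in-cluster pod and makes a narrower Kafka-only rule in the same policy irrelevant. Suggest dropping the `- to:` block, or shipping it commented out with the comment corrected to describe what it actually permits, so that restricting to Kafka is the default rather than something the user has to opt into.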
Copilot
AI
Dec 25, 2025
The NetworkPolicy allows unrestricted egress to all namespaces and pods (lines 56-58), which defeats the purpose of the network policy. This rule effectively allows traffic to anywhere, making the specific Kafka access rules redundant. Consider removing this overly permissive rule or adding a comment explaining why unrestricted egress is necessary for this use case.
| # Allow egress to the internet/other services (optional) | |
| # Comment out the next section if you want to restrict to Kafka only | |
| - to: | |
| - namespaceSelector: {} | |
| - podSelector: {} | |
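The review comment above can be turned into a repeatable check. The following is an added example, not code from this pull request: it walks a NetworkPolicy in the JSON shape returned by `kubectl get networkpolicy -o json` and reports egress rules whose peers match everything in scope. The policy name, the label values and port 9092 in the sample are constructed assumptions.

```python
# Constructed sample, in the JSON shape of `kubectl get networkpolicy -o json`.
# Names, label values and the port are assumptions, not values from the chart.
SAMPLE_POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "kafka-egress-example", "namespace": "mlrun"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [
            {   # narrow rule: Kafka pods in one namespace, one port
                "to": [{
                    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "controller"}},
                    "podSelector": {"matchLabels": {"strimzi.io/cluster": "kafka"}},
                }],
                "ports": [{"protocol": "TCP", "port": 9092}],
            },
            # the rule from the review comment: two separate peers, both empty selectors
            {"to": [{"namespaceSelector": {}}, {"podSelector": {}}]},
        ],
    },
}

def _selects_everything(selector):
    """An empty selector ({}) matches every object in its scope."""
    return not selector.get("matchLabels") and not selector.get("matchExpressions")

def classify_peer(peer):
    """Return a label if the peer is unrestricted, else None."""
    if "ipBlock" in peer:
        return "any-ip" if peer["ipBlock"].get("cidr") in ("0.0.0.0/0", "::/0") else None
    ns, pod = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns is not None and _selects_everything(ns) and (pod is None or _selects_everything(pod)):
        return "all-pods-all-namespaces"
    if ns is None and pod is not None and _selects_everything(pod):
        return "all-pods-own-namespace"
    return None

def broad_egress_rules(policy):
    """List (rule index, reason) for each egress rule that matches everything in scope."""
    findings = []
    for i, rule in enumerate(policy.get("spec", {}).get("egress", [])):
        peers = rule.get("to")
        if not peers:  # a rule without `to` matches every destination
            findings.append((i, "any-destination"))
            continue
        findings += [(i, k) for k in map(classify_peer, peers) if k]
    return findings
```

Run against the sample, only the second rule is reported, once per peer; the Kafka-specific rule passes because both of its selectors carry labels.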
MLRun CE Install Guide

Prerequisites

```sh
kubectl config get-contexts
kubectl config use-context docker-desktop
```

1) Install ingress-nginx (for docker-desktop)

If you want ingress URLs to work on Docker Desktop:

```sh
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.11.3/deploy/static/provider/cloud/deploy.yaml
kubectl rollout status -n ingress-nginx deployment/ingress-nginx-controller --timeout=2m
```

2) Add /etc/hosts entries (per namespace)

Add these for each namespace you deploy (example for

```sh
sudo /bin/sh -c 'printf "\n# mlrun-hosts:mlrun:docker-desktop BEGIN\n127.0.0.1 jupyter.mlrun.docker-desktop.lab.iguazeng.com\n127.0.0.1 mlrun-ui.mlrun.docker-desktop.lab.iguazeng.com\n127.0.0.1 mlrun-api.mlrun.docker-desktop.lab.iguazeng.com\n127.0.0.1 nuclio.mlrun.docker-desktop.lab.iguazeng.com\n127.0.0.1 s3.mlrun.docker-desktop.lab.iguazeng.com\n127.0.0.1 minio-console.mlrun.docker-desktop.lab.iguazeng.com\n127.0.0.1 tdengine.mlrun.docker-desktop.lab.iguazeng.com\n# mlrun-hosts:mlrun:docker-desktop END\n" >> /etc/hosts'
```

To remove:

```sh
sudo /bin/sh -c "sed -i '' '/# mlrun-hosts:mlrun:docker-desktop BEGIN/,/# mlrun-hosts:mlrun:docker-desktop END/d' /etc/hosts"
```

3) Single namespace (no controller)

```sh
helm upgrade --install mlrun \
  -n mlrun --create-namespace \
  --insecure-skip-tls-verify \
  ce/charts/mlrun-ce \
  -f ce/charts/mlrun-ce/values.yaml
```

4) Multi namespace (controller + per‑namespace)

4.1) Controller (once)

```sh
helm upgrade --install mlrun-ce-controller \
  -n controller --create-namespace \
  --insecure-skip-tls-verify \
  ce/charts/mlrun-ce \
  -f ce/charts/mlrun-ce/admin_installation_values.yaml
```

4.2) Namespace install (repeat per namespace)

Replace

```sh
helm upgrade --install <ns> \
  -n <ns> --create-namespace \
  --insecure-skip-tls-verify \
  ce/charts/mlrun-ce \
  -f ce/charts/mlrun-ce/values.yaml \
  --set nuclio.crd.create=false \
  --set mpi-operator.enabled=false \
  --set mpi-operator.crd.create=false \
  --set mpi-operator.rbac.clusterResources.create=false \
  --set spark-operator.enabled=false \
  --set kube-prometheus-stack.enabled=false \
  --set pipelines.crd.enabled=false \
  --set pipelines.priority_class.enabled=false \
  --set pipelines.service.type=ClusterIP \
  --set mlrun.api.service.type=ClusterIP \
  --set mlrun.ui.service.type=ClusterIP \
  --set jupyterNotebook.service.type=ClusterIP \
  --set minio.service.type=ClusterIP \
  --set minio.consoleService.type=ClusterIP \
  --set nuclio.dashboard.nodePort= \
  --set global.nuclio.dashboard.nodePort= \
  --set mlrun.api.ingress.enabled=true \
  --set mlrun.ui.ingress.enabled=true \
  --set jupyterNotebook.ingress.enabled=true \
  --set minio.ingress.enabled=true \
  --set minio.consoleIngress.enabled=true \
  --set nuclio.dashboard.ingress.enabled=true \
  --set tdengine.ingress.enabled=true \
  --set-string=mlrun.api.ingress.hosts[0].host=mlrun-api.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=mlrun.ui.ingress.hosts[0].host=mlrun-ui.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=jupyterNotebook.ingress.hosts[0].host=jupyter.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=nuclio.dashboard.ingress.hosts[0]=nuclio.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=minio.ingress.hosts[0]=s3.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=minio.consoleIngress.hosts[0]=minio-console.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=tdengine.ingress.hosts[0]=tdengine.<ns>.<cluster>.lab.iguazeng.com \
  --set-string=mlrun.api.ingress.hosts[0].paths[0].path=/ \
  --set-string=mlrun.api.ingress.hosts[0].paths[0].pathType=Prefix \
  --set-string=mlrun.ui.ingress.hosts[0].paths[0].path=/ \
  --set-string=mlrun.ui.ingress.hosts[0].paths[0].pathType=Prefix \
  --set mlrun.api.ingress.ingressClassName=nginx \
  --set mlrun.ui.ingress.ingressClassName=nginx \
  --set jupyterNotebook.ingress.ingressClassName=nginx \
  --set minio.ingress.ingressClassName=nginx \
  --set minio.consoleIngress.ingressClassName=nginx \
  --set nuclio.dashboard.ingress.ingressClassName=nginx \
  --set tdengine.ingress.ingressClassName=nginx
```

Verify

```sh
kubectl get pods -n <ns>
kubectl get ing -n <ns>
```
Add Strimzi Kafka operator configuration and update values for Kafka deployment [JIRA](https://iguazio.atlassian.net/browse/CEML-492)
Migrating bitnami kafka to Strimzi Kafka operator
Add Strimzi Kafka operator configuration
Update values for Kafka deployment
JIRA