[Question] Is it possible to start two user and topic operators (standalone) watching different namespaces feeding the same Kafka cluster?

Hello.

We’re using Strimzi connected with AWS MSK and the integration went perfectly.

But we have a situation: we’ll work with multiple namespaces in k8s, from which we will create topics and users feeding the same Kafka server. And we see that topics conflict with each other and get deleted even though STRIMZI_RESOURCE_LABELS is different. Do you have any suggestions? Is this a limitation?

The setup is as follows:

Helm charts are based on the suggested setup for standalone operators: https://github.com/strimzi/strimzi-kafka-operator/tree/master/install

Topic operator helm chart values (secrets references, k8s resources and some other env variables are cut):

name: strimzi-topic-operator
namespace: strimzi-operator

topicOperator:
  - topic: strimzi-msk-namespace1
    image: quay.io/strimzi/operator
    tag: 0.20.0
    env:
      STRIMZI_RESOURCE_LABELS: "strimzi.io/cluster=strimzi-msk-namespace1"
      STRIMZI_KAFKA_BOOTSTRAP_SERVERS: "same AWS MSK kafka cluster"
      STRIMZI_ZOOKEEPER_CONNECT: "same AWS MSK kafka cluster"
      STRIMZI_TLS_ENABLED: "true"
      STRIMZI_NAMESPACE: "namespace1"
  - topic: strimzi-msk-namespace2
    image: quay.io/strimzi/operator
    tag: 0.20.0
    env:
      STRIMZI_RESOURCE_LABELS: "strimzi.io/cluster=strimzi-msk-namespace2"
      STRIMZI_KAFKA_BOOTSTRAP_SERVERS: "same AWS MSK kafka cluster"
      STRIMZI_ZOOKEEPER_CONNECT: "same AWS MSK kafka cluster"
      STRIMZI_TLS_ENABLED: "true"
      STRIMZI_NAMESPACE: "namespace2"

These helm chart values will create the following resources:

  • A deployment in namespace strimzi-operator (2 pods)
NAME                                                         READY   STATUS    RESTARTS   AGE
strimzi-topic-operator-strimzi-msk-namespace1-74cd9cc78-c29st     1/1     Running   0          34m
strimzi-topic-operator-strimzi-msk-namespace2-84dd5d5447-2zhff   1/1     Running   0          34m
  • A role in both helm chart release namespace (strimzi-operator) and also in the namespaces to watch (namespace1, namespace2)
  • A roleBinding in both helm chart release namespace and also in the namespaces to watch (namespace1, namespace2)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    topic: strimzi-topic-operator-strimzi-msk-namespace1
  name: strimzi-topic-operator-rolebinding-strimzi-msk-namespace1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: strimzi-topic-operator-role-strimzi-msk-namespace1
subjects:
- kind: ServiceAccount
  name: strimzi-topic-operator-strimzi-msk-namespace1
  namespace: strimzi-operator
  • A serviceAccount in helm chart release namespace
  • A namespaced CRD

User operator helm chart values (secrets references, k8s resources and some other env variables are cut):

name: strimzi-user-operator
namespace: strimzi-operator

userOperator:
  - user: strimzi-msk-namespace1
    image: quay.io/strimzi/operator
    tag: 0.20.0
    env:
      STRIMZI_LABELS: "strimzi.io/cluster=strimzi-msk-namespace1"
      STRIMZI_KAFKA_BOOTSTRAP_SERVERS: "same AWS MSK kafka cluster"
      STRIMZI_ZOOKEEPER_CONNECT: "same AWS MSK kafka cluster"
      STRIMZI_TLS_ENABLED: "true"
      STRIMZI_NAMESPACE: "namespace1"
  - user: strimzi-msk-namespace2
    image: quay.io/strimzi/operator
    tag: 0.20.0
    env:
      STRIMZI_LABELS: "strimzi.io/cluster=strimzi-msk-namespace2"
      STRIMZI_KAFKA_BOOTSTRAP_SERVERS: "same AWS MSK kafka cluster"
      STRIMZI_ZOOKEEPER_CONNECT: "same AWS MSK kafka cluster"
      STRIMZI_TLS_ENABLED: "true"
      STRIMZI_NAMESPACE: "namespace2"

This helm chart will create the following resources:

  • A deployment in namespace strimzi-operator (2 pods)
NAME                                                         READY   STATUS    RESTARTS   AGE
strimzi-user-operator-strimzi-msk-namespace1-6d65dbd67-xxlb6      1/1     Running   0          34m
strimzi-user-operator-strimzi-msk-namespace2-7c7df7dc68-9gpbl    1/1     Running   0          34m
  • A role in both helm chart release namespace (strimzi-operator) and also in the namespaces to watch (namespace1, namespace2)
  • A roleBinding in both helm chart release namespace and also in the namespaces to watch (namespace1, namespace2)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    user: strimzi-user-operator-strimzi-msk-namespace1
  name: strimzi-user-operator-rolebinding-strimzi-msk-namespace1
  namespace: namespace1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: strimzi-user-operator-role-strimzi-msk-namespace1
subjects:
- kind: ServiceAccount
  name: strimzi-user-operator-strimzi-msk-namespace1
  namespace: strimzi-operator
  • A serviceAccount in helm chart release namespace
  • A namespaced CRD

Strimzi:

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: my-topic-namespace1
  labels:
    strimzi.io/cluster: "strimzi-msk-namespace1"
  namespace: namespace1
spec:
  partitions: 3
  replicas: 1
---
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: my-topic-namespace2
  labels:
    strimzi.io/cluster: "strimzi-msk-namespace2"
  namespace: namespace2
spec:
  partitions: 3
  replicas: 1
---
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: my-user-namespace1
  namespace: namespace1
  labels:
    strimzi.io/cluster: "strimzi-msk-namespace1"
spec:
  authentication:
    type: tls
---
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: my-user-namespace2
  namespace: namespace2
  labels:
    strimzi.io/cluster: "strimzi-msk-namespace2"
spec:
  authentication:
    type: tls

Some logs from the pod:

2020-11-25 15:19:27 INFO  ZkTopicsWatcher:96 - Created topics: [my-topic-namespace1]
2020-11-25 15:19:27 INFO  TopicOperator:684 - 1521|/brokers/topics -my-topic-namespace1|15948178: All three topics are identical
2020-11-25 15:19:27 INFO  TopicOperator:536 - 1522|/brokers/topics +my-topic-namespace1|15948178: Reconciling topic my-topic-namespace1, k8sTopic:nonnull, kafkaTopic:nonnull, privateTopic:nonnull
2020-11-25 15:19:27 INFO  TopicOperator:684 - 1522|/brokers/topics +my-topic-namespace1|15948178: All three topics are identical
2020-11-25 15:19:27 INFO  ZkTopicsWatcher:80 - Deleted topics: [my-topic-namespace1]
2020-11-25 15:19:27 INFO  TopicOperator:536 - 1523|/brokers/topics -my-topic-namespace1|15948178: Reconciling topic my-topic-namespace1, k8sTopic:nonnull, kafkaTopic:null, privateTopic:nonnull
2020-11-25 15:19:27 INFO  K8sTopicWatcher:43 - 1524|kube =my-topic-namespace1|15948359: event MODIFIED on resource my-topic-namespace1 generation=2, labels={strimzi.io/cluster=strimzi-msk-namespace1}
2020-11-25 15:19:28 INFO  K8sTopicWatcher:43 - 1525|kube -my-topic-namespace1|15948364: event DELETED on resource my-topic-namespace1 generation=2, labels={strimzi.io/cluster=strimzi-msk-namespace1}
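A way to spot this create/delete flapping in Topic Operator logs, as an added example that is not part of the original issue or of Strimzi. The function names and the 60-second window are assumptions, as is the comma-separated form of a multi-topic list; the sample lines are copied from the excerpt above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample lines copied from the log excerpt in the question above.
SAMPLE_LOG = """\
2020-11-25 15:19:27 INFO  ZkTopicsWatcher:96 - Created topics: [my-topic-namespace1]
2020-11-25 15:19:27 INFO  TopicOperator:684 - 1522|/brokers/topics +my-topic-namespace1|15948178: All three topics are identical
2020-11-25 15:19:27 INFO  ZkTopicsWatcher:80 - Deleted topics: [my-topic-namespace1]
2020-11-25 15:19:28 INFO  K8sTopicWatcher:43 - 1525|kube -my-topic-namespace1|15948364: event DELETED on resource my-topic-namespace1 generation=2, labels={strimzi.io/cluster=strimzi-msk-namespace1}
"""

# Only the ZooKeeper watcher lines report what actually changed in Kafka.
EVENT = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+\s+ZkTopicsWatcher:\d+ - "
    r"(Created|Deleted) topics: \[([^\]]*)\]"
)


def parse_events(text):
    """Return {topic: [(timestamp, 'Created' | 'Deleted'), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # Assumption: several topics are listed as "[a, b]".
        for topic in filter(None, (t.strip() for t in m.group(3).split(","))):
            events[topic].append((ts, m.group(2)))
    return events


def flapping_topics(text, window=timedelta(seconds=60)):
    """Topics with a create and a delete event no more than `window` apart."""
    flagged = []
    for topic, evs in parse_events(text).items():
        created = [ts for ts, kind in evs if kind == "Created"]
        deleted = [ts for ts, kind in evs if kind == "Deleted"]
        if any(abs(d - c) <= window for c in created for d in deleted):
            flagged.append(topic)
    return sorted(flagged)
```

A deliberate delete followed by a re-create also matches, so treat a hit as a prompt to check how many operators are connected to the cluster.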

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

3 reactions
scholzj commented, Nov 25, 2020

I’m afraid the operators do not work like that. You can have only one of them installed and connected to a single MSK cluster. When you have more of them, the following would be happening:

  1. You create KafkaUser in namespace1
  2. The operator in namespace1 creates the KafkaUser in Kafka (ACLs, SCRAM password, quotas etc.)
  3. Operator in namespace2 will see that these values are in Kafka. But it will not see the corresponding KafkaUser resource. So it decides to delete the ACLs, SCRAM passwords, quotas etc. because according to namespace2, they should not be there.
  4. The operator in namespace1 will later see they are not in Kafka, but it has the KafkaUser. So it will create it again.
  5. And so on …

So they will basically play back and forth creating and deleting the user. Similarly with the topics. So this is not possible.
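The create/delete loop described in the steps above, as a toy model added here (it is not Strimzi code and not part of the original comment). `Operator`, `reconcile`, `run` and `flapping` are hypothetical names, and the model assumes each operator treats every user it finds in Kafka as its own to manage.

```python
# Toy model: standalone User Operators reconciling against one shared Kafka cluster.
# All names are hypothetical; this only mirrors the steps listed in the comment.

class Operator:
    def __init__(self, namespace, desired_users):
        self.namespace = namespace
        # KafkaUser resources this operator can see in its own namespace.
        self.desired = set(desired_users)

    def reconcile(self, kafka_users, log):
        """Make the shared Kafka state match what this operator can see."""
        for user in sorted(self.desired - kafka_users):
            kafka_users.add(user)          # ACLs, SCRAM password, quotas ...
            log.append((self.namespace, "create", user))
        for user in sorted(kafka_users - self.desired):
            kafka_users.discard(user)      # "should not be there" from this view
            log.append((self.namespace, "delete", user))


def run(operators, rounds=3):
    """Let every operator reconcile in turn for a number of rounds."""
    kafka_users, log = set(), []
    for _ in range(rounds):
        for op in operators:
            op.reconcile(kafka_users, log)
    return kafka_users, log


def flapping(log):
    """Users that were deleted at least once and created more than once."""
    creates, deletes = {}, {}
    for _, action, user in log:
        counter = creates if action == "create" else deletes
        counter[user] = counter.get(user, 0) + 1
    return sorted(u for u in deletes if creates.get(u, 0) > 1)


if __name__ == "__main__":
    two = [Operator("namespace1", ["my-user-namespace1"]),
           Operator("namespace2", ["my-user-namespace2"])]
    state, log = run(two)
    print("two operators:", sorted(state), "flapping:", flapping(log))

    one = [Operator("all", ["my-user-namespace1", "my-user-namespace2"])]
    state, log = run(one)
    print("one operator: ", sorted(state), "flapping:", flapping(log))
```

With two operators, each user's credentials and ACLs exist only until the other operator's next reconcile; with a single operator the state settles after the first round.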

2 reactions
scholzj commented, Nov 14, 2021

It does allow you to specify annotations for the secret … https://strimzi.io/docs/operators/latest/full/using.html#type-KafkaUserTemplate-reference … I do not remember exactly when it was added, I think it was relatively recent, maybe 0.25?
