Lenses on Kubernetes¶
In addition to deploying and monitoring LSQL processors with Kubernetes, Lenses can also be deployed on Kubernetes by leveraging its prebuilt docker image.
Helm Chart¶
Helm, a package manager for Kubernetes, is the recommended way to install Lenses. Helm can be download from here and relies on kubectl. Helm and KubeCtl are not part of the Lenses package and are must be installed separately.
For a current list of our existing Helm Charts please visit our repo and are available on our github repo.
The chart will also optionally configure:
- RBAC
- Kubernetes role based access controls. The chart will install the required cluster roles and cluster role bindings.
- Services
- The chart will create a service to abstract access to the Lenses backend.
- Ingress
- Lenses exposes a user interface and the endpoints behind. To allow access from outside Kubernetes, the chart can optionally create an ingress. The ingress is expected to be path based on an Ingress Controller such as Traefik.
- Secrets
- Sensitive data such as usernames, passwords, and TLS information should be distributed to pods by Kubernetes secrets. The chart will create secrets for the pod to mount.
- Deployment
- The chart will deploy Lenses as a
Deployment
resource, mounting secrets in/mnt/secrets
. The pods will be annotated withPrometheus
annotations to allow automatic collection of the JMX metrics Lenses exposes.
Installing via Helm¶
Add the Landoop Helm chart repo:
# Add repos other connector charts
helm repo add landoop https://landoop.github.io/kafka-helm-charts/
Use helm to install Lenses via the command line:
helm install lenses --name lenses --namespace lenses
Example to override the defaults i.e. enabled ingress and SSL:
helm install lenses --name lenses --namespace lenses --set ingress.enabled=true
Values Configuration¶
Field | Description | Type | Default | Required |
---|---|---|---|---|
image.repository | The sql runner image | landoop/lenses | ||
image.tag | The sql runner image tag | v2.0.0 | ||
replicaCount | Number of pods/instances to deploy | int | 1 | yes |
monitoring.enabled | Flag to add Prometheus
annotations to the pod for metric
scraping
|
boolean | true | no |
monitoring.pipeline | A label to attach to
the pods for include in JMX
|
string | yes | |
monitoring.port | The port the Prometheus
JMX exporter is exposing metrics on
|
int | 9102 | no |
monitoring.path | The path which the metrics
are served on
|
string | /metrics | no |
resources.limit.memory | The kubernetes resource
memory limit allowed for the pod
|
string | 5Gi | no |
resources.request.memory | The kubernetes resource
memory request allowed for the pod
|
string | 4Gi | no |
rbacEnable | Create cluster roles and
bindings if the kubernetes cluster
has RBAC enabled
|
boolean | true | |
restPort | The port for Lenses
|
int | 3030 | |
serviceAccount | The Kubernetes service account
Lenses will use to deploy
resources. It must be
patched with the image pull
secret for the Lenses SQL runners
|
string | default | no |
service.enabled | Create a service for Lenses
|
boolean | true | no |
service.type | Kubernetes service type | string | ClusterIP | no |
service.annotations | Annotations to
add to the service
|
map | no | |
ingress.enabled | Create an ingress resource
|
boolean | true | no |
ingress.path | The path based route for the ingress
|
string | /lenses | no |
ingress.host | The host or ip
of the external load balancer
(Minikube ip)
|
string | yes | |
ingress.annotations | The annotations to
add to the ingress resource
|
map | kubernetes.io/ingress.class: traefik,
traefik.frontend.rule.type: PathPrefixStrip
|
no |
ingress.tls.enabled | Enable TLS ingress
|
boolean | false | no |
ingress.tls.crt | The TLS certificate
data, base64 encoded
|
string | no | |
ingress.tls.key | The TLS key data
base64 encoded
|
string | no | |
lenses.jvm.heapOpts | JVM heap options for Lenses
|
string | no | |
lenses.jvm.performanceOpts | JVM performance tunning
extra options for Lenses
|
string | no | |
lenses.jvm.logBackOpts | Logback options
|
string | no | |
lenses.kafka | List of Kafka brokers.
See brokers
|
string | yes | |
lenses.zookeeper | List of Zookeepers.
See zookeepers
|
string | yes | |
lenses.schemaRegistries | List of Schema Registries.
|
string | yes | |
lenses.connectClusters | Array of Connect Clusters.
See connect clusters
|
string | yes | |
lenses.grafanaUrl | The url to the grafana host | string | no | |
lenses.slack.enabled | Enable slack integration | boolean | false | no |
lenses.slack.iconUrl | The url to the icon to use for slack
|
string | no | |
lenses.slack.webhookUrl | Slack webhookUrl | string | no | |
lenses.slack.username | The username to use for slack | string | no | |
lenses.slack.channel | The slack channel to send alerts to | string | no | |
lenses.topics.suffix | A suffix to add to Lenses
system topics
|
string | no | |
lenses.sql.processorImage | The processor image to use
for LSQL runners
|
string | eu.gcr.io/k8-engine/lenses-sql-processor | no |
lenses.sql.processorImageTag | The processor image tag | string | 2.0.0 | no |
lenses.security.mode | The security mode,
NONE, BASIC or LDAP
|
string | NONE | yes |
lenses.security.groups | string | no | ||
lenses.security.users | string | no | ||
lenses.security.serviceAccounts | string | no | ||
lenses.security.ldap.url | string | no | ||
lenses.security.ldap.base | string | no | ||
lenses.security.ldap.password | LDAP password for the user | string | no | |
lenses.security.ldap.user | LDAP user | string | no | |
lenses.security.ldap.plugin.class | FQDN class for the ldap plugin
to use
|
string | no | |
lenses.security.ldap.plugin.memberOfKey | string | no | ||
lenses.security.ldap.plugin.groupExtractRegex | string | no | ||
lenses.security.ldap.plugin.personNameKey | string | no | ||
lenses.license | The Lenses license data | string | no | |
lenses.licenseUrl | Url to fetch the license from | string | no | |
lenses.configOverrides | Extra configs. Allows
for any extra configurations
For example
lenses.interval.summary=1000
|
list of dictonaries | no |
- Bootstrap servers
lenses.brokers.bootstrapServers
is a list ofbootstrap servers
. Multiple brokers are supported.If your brokers are inside Kubernetes add the service name to
lenses.brokers.host
.If your brokers are outside Kubernetes add hostnames
lenses.brokers.host
.Field Description Type Default Required lenses.kafka.ssl.enabled SSL is enabled on the brokers false lenses.kafka.ssl.truststoreFileData The base64 encoded contentsof the truststorelenses.kafka.ssl.keystoreFileData The base64 encoded contentsof the keystorelenses.kafka.ssl.truststorePassword The truststore password lenses.kafka.ssl.keystorePassword The keystore password lenses.kafka.sasl.enabled SASL is enabled on the brokers false lenses.kafka.sasl.keyTabData The base64 encoded contentsof the keytab file is sasl enabled with GSSAPIlenses.kafka.sasl.jaasFileData The contents of the jaas.conf fileis sasl is enabledlenses.kafka.sasl.mechanism Thesecurity.mechanism
to use.GSSAPI, SCRAM or PLAINTEXTGSSAPI lenses.kafka.sasl.krb5Conf The contents of the krb5Conf fileif the sasl mechanism is GSSAPI
lenses.kafka.bootstrapServers.name Host name of the broker lenses.kafka.bootstrapServers.port The PLAINTEXT default Kafka port 9092 lenses.kafka.bootstrapServers.sslPort The SSL Kafka port 9093 lenses.kafka.bootstrapServers.saslPort The SASL_SSL Kafka port 9094 lenses.kafka.bootstrapServers.saslPlainTextPort The SASL_PLAINTEXT Kafka port 9095 Example:
lenses: kafka: ssl: enabled: false trustStoreFileData: keyStoreFileData: trustStorePassword: keyStorePassword: keyPassword: sasl: enabled: false # keyTabData is the base64 enecoded contents kerberos keytab file is using kerberos mounted in /mnt/secrets keyTabData: |- # jaasFileData is the contents of the kafka jaas file mounted in /mnt/secrets jaasFileData: |- # mechanism is the sasl autentication mechnaism GSSAPI, SCRAM or PLAIN mechanism: "GSSAPI" # krb5Conf is the kerberos config data to be mounted into /ect krb5Conf: |- bootstrapServers: - name: kafka port: 9092 sslPort: 9093 saslSslPort: 9094 saslPlainTextPort: 9095
- Zookeepers
lenses.zookeepers
is a list ofzookeepers
detailing the hostname, HTTP protocol, and ports. Multiple zookeepers are supported.If you are deploying a quorum of zookeepers inside Kubernetes they should be deployed as a statefulset like this. This allows the pods to have stable network identifiers. Each pods address should be added as an entry. The address takes the form of:
<statefulset-name>-<pod ordinal identifier>.<service name>.<namespace>.svc.cluster.local
For example, a statefulset of 3 replicas called
zookeeper
with a headless service calledzookeeper
, the addresses would be:zookeeper-0.zookeeper.defaut.svc.cluster.local zookeeper-1.zookeeper.defaut.svc.cluster.local
Note
New zookeepers added or removed on scaling will not be reflected. Currently Lenses will require a config update. Future releases will address this.
If you only have one zookeeper you can set the service name.
If your zookeepers are outside Kubernetes add host names.
Field Description Type Default Required lenses.zookeepers.host The hostname of the zookeeper instance string zookeeper yes lenses.zookeepers.port The port for the zookeeper instance int 8081 yes lenses.zookeepers.jmxPort The JMX port for the zookeeper instance int 9102 yes Example:
lenses: zookeepers: - host: zookeeper-1 port: 2181 jmxPort: 9102 - host: zookeeper-2 port: 2181 jmxPort: 9102
- Schema Registries
lenses.schemaRegistries
is a list ofschemaRegistries
detailing the hostname, HTTP protocol and ports. Multiple schema registries are supported.If you are deploying multiple schema registries for high availability inside Kubernetes they should be deployed as a statefulset. This allows the pods to have stable network identifiers. Each pods address should be added as an entry. The address takes the form of:
<statefulset-name>-<pod ordinal identifier>.<service name>.<namespace>.svc.cluster.local
For example, a statefulset of 2 replicas called
schema-registry
with a headless service calledschema-registry
, the addresses would be:schema-registry-0.schema.defaut.svc.cluster.local schema-registry-1.schema.defaut.svc.cluster.local
Note
New schema registries added or removed on scaling will not be reflected. Currently Lenses will require a config update. Future releases will address this.
If you only have one schema registry you can set the service name.
If your schema registries are outside Kubernetes add host names.
Field Description Type Default Required lenses.schemaRegistries.enabled Enable schema registry support boolean false lenses.schemaRegistries.hosts.host The host name of the schema registry instance string schema-registry yes lenses.schemaRegistries.hosts.protocol The HTTP protocol, http or https string http yes lenses.schemaRegistries.hosts.port The port for the schema registry instance int 8081 yes lenses.schemaRegistries.hosts.jmxPort The jmx port for the schema registry instance int 9102 yes
Example:
lenses: schemaRegistries: enabled: true hosts: - host: schema-registry-1 protocol: http port: 8081 jmxPort: 9102 - host: schema-registry-2 protocol: http port: 8081 jmxPort: 9102
- Connect clusters
The
lenses.connectClusters
is a array of Connect clusters detailing the cluster name, ports, backing topics and worker hosts. Multiple clusters can be configured.If you are deploying a Connect cluster inside Kubernetes they should be deployed as a statefulset. This allows the pods to have stable network identifiers. Each pods address should be added as an entry. The address takes the form of:
<statefulset-name>-<pod ordinal identifier>.<service name>.<namespace>.svc.cluster.local
For example, a statefulset of 2 replicas called
connect
with a headless service calledconnect
, the addresses would be:connect-worker-0.connect.defaut.svc.cluster.local connect-worker-1.connect.defaut.svc.cluster.local
Note
New workers added or removed on scaling will not be reflected. Currently Lenses will require a config update. Future releases will address this.
If you only have one zookeeper you can set the service name.
If your zookeepers are outside Kubernetes add host names.
Field Description Type Default Required lenses.connectClusters.enabled Enabled Kafka Connect support boolean false yes lenses.connectClusters.clusters.name The name/alais for the cluster string yes lenses.connectClusters.clusters.port The workers rest port int 8083 yes lenses.connectClusters.clusters.jmxPort The jmx port for the workers int 9102 yes lenses.connectClusters.clusters.offsetsTopic The offset backing topicfor the clusterstring connect-offsets yes lenses.connectClusters.clusters.statusTopic The statuses backing topicfor the clusterstring connect-statuses yes lenses.connectClusters.clusters.configsTopic The configs backing topicfor the clusterstring connect-configs yes lenses.connectClusters.clusters.hosts List of connect worker host names string yes Example:
connectClusters: enabled: true clusters: - name: datascience port: 8083 jmxPort: 9102 offsetsTopic: connect-offsets-datascience statusTopic: connect-statuses-datascience configTopic: connect-configs-datascience hosts: - worker-ds-1 - worker-ds-1 - worker-ds-1 - name: dataengineering port: 8083 jmxPort: 9102 offsetsTopic: connect-offsets-dataengineering statusTopic: connect-statuses-dataengineering configTopic: connect-configs-dataengineering hosts: - worker-de-1 - worker-de-1 - worker-de-1
- Alert Managers
lenses.alertmanagers
is a list ofAlertManagers
detailing the hostname, HTTP protocol, and ports. Multiple AlertManagers are supported.If the AlertManagers are running inside Kubernetes add the service name to
lenses.alertmanagers.host
, otherwise just add the hostnames tolenses.alertmanagers.host
.Field Description Type Default Required lenses.alertmanagers.enabled Enable alertmanager integration boolean false no lenses.alertmanagers.sourceName The source name for alertsThe Helm release name and namespaceare used as a suffixstring Lenses™-k8-<release-name>-<namespace> lenses.alertmanagers.consumersLagThreshold The default consumerlag for alertingint 50000 lenses.alertmanagers.host The host name of the alertmanagers instance string alertmanagers yes lenses.alertmanagers.port The port for the alertmanagers instance int 8081 yes lenses.alertmanagers.protocol The HTTP protocol, http or https string http yes Example:
alertManagers: enabled: false endpoints: - host: alertmanager protocol: http port: 9094 sourceName: Lenses-k8 consumersLagThreshold: 50000
- Security Groups
The security group section contains a list of groups with the following attributes:
Field Description Type Default Required lenses.security.groups.name The name for a security group string yes lenses.security.groups.roles List of roles for the security group (read, write, admin, nodata) string yes example:
lenses: security: groups: - name: adminGroup roles: - admin - write - read - name: writeGroup roles: - read - write - name: readGroup roles: - read
- Security Users
The security users section contains a list of users with the following attributes:
Field Description Type Default Required lenses.security.users.username User name string no lenses.security.users.password User password string no lenses.security.users.displayName Display name for the user string no lenses.security.users.groups Array of security group names string no lenses.security.users.topic.whitelist List of topic names to whitelist string no lenses.security.users.topic.blacklist List of topic names to blacklist string no example:
lenses: security: users: - username: admin password: admin displayname: LensesAdmin groups: - adminGroup topic: blacklist: - andrew whitelist: - position_reports.* - username: write password: write displayname: Writer groups: - writeGroup - username: read password: read displayname: Reader groups: - readGroup
- Security Service Accounts
The security service accounts section contains a list of service accounts with the following attributes:
Field Description Type Default Required lenses.security.serviceAccounts.username Username for the service account string no lenses.security.serviceAccounts.token Token for the service account string no lenses.security.serviceAccounts.groups List of security groups the service acocunt belongs to string no example:
lenses: serviceAccounts: - username: jenkins token: jenkins groups: - adminGroup
LoadBalancer Service¶
You can also set the service.serviceType
to LoadBalancer
and set a static address.
To do this you must comment out the LoadBalancer section and set the values accordingly.
Secrets¶
- Kafka Secrets
kafka.ssl
andkafka.sasl
values are placed in a Secret called<release-name>
. Both the key/trust stores and the passwords are added. The items from this secret are then mounted in/mnt/secrets
.Take care with SASL enabled Kafka clusters to set the path correctly in the JAAS config data to
/mnt/secrets
for the keytab file. Thekafka.sasl.keyTabData
is mounted as a/mnt/secrets/keytab
. If sasl is enabled-Djava.security.auth.login.config=/etc/mnt/secrets/jaas.conf
is added to the Lenses java opts.- Lenses Secrets
- Lenses secrets,
lenses.license
andlenses.security**
values are placed in a secret named after the helm release.
RBAC¶
If your Kubernetes cluster has RBAC enabled then Lenses requires the following access:
Resource | Verbs |
---|---|
namespaces | list, watch, get, create |
pods | list, watch, get, update, create, patch, delete |
deployments | list, watch, get, update, create, patch, delete |
replicaSet | list, watch, get, update, create, patch, delete |
events | list, watch, get |
The Lenses Helm chart will create the required cluster roles and bindings.
Standard Manifest¶
A standard Kubernetes manifest can be found here.
Lenses requires the configuration to be split into two: the main one and the security-related settings - usually named as security.conf
.
The contents of a security.conf
file can be mounted into the pods via:
kubectl create secret generic lenses-secrets --from-file=./LENSES_SECURITY_USERS --from-file=./license.json
The pod manifest will mount the contents of LENSES_SECURITY_USERS
.