Lenses on Kubernetes

In addition to deploying and monitoring LSQL processors with Kubernetes, Lenses can also be deployed on Kubernetes by leveraging its prebuilt docker image.

Helm Chart

Helm, a package manager for Kubernetes, is the recommended way to install Lenses. Helm can be download from here and relies on kubectl. Helm and KubeCtl are not part of the Lenses package and are must be installed separately.

For a current list of our existing Helm Charts please visit our repo and are available on our github repo.

The chart will also optionally configure:

RBAC
Kubernetes role based access controls. The chart will install the required cluster roles and cluster role bindings.
Services
The chart will create a service to abstract access to the Lenses backend.
Ingress
Lenses exposes a user interface and the endpoints behind. To allow access from outside Kubernetes, the chart can optionally create an ingress. The ingress is expected to be path based on an Ingress Controller such as Traefik.
Secrets
Sensitive data such as usernames, passwords, and TLS information should be distributed to pods by Kubernetes secrets. The chart will create secrets for the pod to mount.
Deployment
The chart will deploy Lenses as a Deployment resource, mounting secrets in /mnt/secrets. The pods will be annotated with Prometheus annotations to allow automatic collection of the JMX metrics Lenses exposes.

LSQL Runners

Lenses can deploy LSQL processors on Kubernetes. Please see here.

Installing via Helm

Add the Landoop Helm chart repo:

# Add repos other connector charts
helm repo add landoop https://landoop.github.io/kafka-helm-charts/

Use helm to install Lenses via the command line:

helm install lenses --name lenses --namespace lenses

Example to override the defaults i.e. enabled ingress and SSL:

helm install lenses --name lenses --namespace lenses --set ingress.enabled=true

Values Configuration

Field Description Type Default Required
image.repository The sql runner image landoop/lenses    
image.tag The sql runner image tag v2.0.0    
replicaCount Number of pods/instances to deploy int 1 yes
monitoring.enabled
Flag to add Prometheus
annotations to the pod for metric
scraping
boolean true no
monitoring.pipeline
A label to attach to
the pods for include in JMX
string   yes
monitoring.port
The port the Prometheus
JMX exporter is exposing metrics on
int 9102 no
monitoring.path
The path which the metrics
are served on
string /metrics no
resources.limit.memory
The kubernetes resource
memory limit allowed for the pod
string 5Gi no
resources.request.memory
The kubernetes resource
memory request allowed for the pod
string 4Gi no
rbacEnable
Create cluster roles and
bindings if the kubernetes cluster
has RBAC enabled
boolean true  
restPort
The port for Lenses
int 3030  
serviceAccount
The Kubernetes service account
Lenses will use to deploy
resources. It must be
patched with the image pull
secret for the Lenses SQL runners
string default no
service.enabled
Create a service for Lenses
boolean true no
service.type Kubernetes service type string ClusterIP no
service.annotations
Annotations to
add to the service
map   no
ingress.enabled
Create an ingress resource
boolean true no
ingress.path
The path based route for the ingress
string /lenses no
ingress.host
The host or ip
of the external load balancer
(Minikube ip)
string   yes
ingress.annotations
The annotations to
add to the ingress resource
map
kubernetes.io/ingress.class: traefik,
traefik.frontend.rule.type: PathPrefixStrip
no
ingress.tls.enabled
Enable TLS ingress
boolean false no
ingress.tls.crt
The TLS certificate
data, base64 encoded
string   no
ingress.tls.key
The TLS key data
base64 encoded
string   no
lenses.jvm.heapOpts
JVM heap options for Lenses
string   no
lenses.jvm.performanceOpts
JVM performance tunning
extra options for Lenses
string   no
lenses.jvm.logBackOpts
Logback options
string   no
lenses.kafka
List of Kafka brokers.
string   yes
lenses.zookeeper
List of Zookeepers.
string   yes
lenses.schemaRegistries
List of Schema Registries.
string   yes
lenses.connectClusters
Array of Connect Clusters.
string   yes
lenses.grafanaUrl The url to the grafana host string   no
lenses.slack.enabled Enable slack integration boolean false no
lenses.slack.iconUrl
The url to the icon to use for slack
string   no
lenses.slack.webhookUrl Slack webhookUrl string   no
lenses.slack.username The username to use for slack string   no
lenses.slack.channel The slack channel to send alerts to string   no
lenses.topics.suffix
A suffix to add to Lenses
system topics
string   no
lenses.sql.processorImage
The processor image to use
for LSQL runners
string eu.gcr.io/k8-engine/lenses-sql-processor no
lenses.sql.processorImageTag The processor image tag string 2.0.0 no
lenses.security.mode
The security mode,
NONE, BASIC or LDAP
string NONE yes
lenses.security.groups
List of groups.
if basic or ldap security enabled
string   no
lenses.security.users
List of users.
if basic mode is enabled
string   no
lenses.security.serviceAccounts
List of service accounts.
if basic mode is enabled
string   no
lenses.security.ldap.url   string   no
lenses.security.ldap.base   string   no
lenses.security.ldap.password LDAP password for the user string   no
lenses.security.ldap.user LDAP user string   no
lenses.security.ldap.plugin.class
FQDN class for the ldap plugin
to use
string   no
lenses.security.ldap.plugin.memberOfKey   string   no
lenses.security.ldap.plugin.groupExtractRegex   string   no
lenses.security.ldap.plugin.personNameKey   string   no
lenses.license The Lenses license data string   no
lenses.licenseUrl Url to fetch the license from string   no
lenses.configOverrides
Extra configs. Allows
for any extra configurations
For example
lenses.interval.summary=1000
list of dictonaries   no
Bootstrap servers

lenses.brokers.bootstrapServers is a list of bootstrap servers. Multiple brokers are supported.

If your brokers are inside Kubernetes add the service name to lenses.brokers.host.

If your brokers are outside Kubernetes add hostnames lenses.brokers.host.

Field Description Type Default Required
lenses.kafka.ssl.enabled SSL is enabled on the brokers false    
lenses.kafka.ssl.truststoreFileData
The base64 encoded contents
of the truststore
     
lenses.kafka.ssl.keystoreFileData
The base64 encoded contents
of the keystore
     
lenses.kafka.ssl.truststorePassword The truststore password      
lenses.kafka.ssl.keystorePassword The keystore password      
lenses.kafka.sasl.enabled SASL is enabled on the brokers false    
lenses.kafka.sasl.keyTabData
The base64 encoded contents
of the keytab file is sasl enabled with GSSAPI
     
lenses.kafka.sasl.jaasFileData
The contents of the jaas.conf file
is sasl is enabled
     
lenses.kafka.sasl.mechanism
The security.mechanism to use.
GSSAPI, SCRAM or PLAINTEXT
GSSAPI    
lenses.kafka.sasl.krb5Conf
The contents of the krb5Conf file

if the sasl mechanism is GSSAPI

     
lenses.kafka.bootstrapServers.name Host name of the broker      
lenses.kafka.bootstrapServers.port The PLAINTEXT default Kafka port 9092    
lenses.kafka.bootstrapServers.sslPort The SSL Kafka port 9093    
lenses.kafka.bootstrapServers.saslPort The SASL_SSL Kafka port 9094    
lenses.kafka.bootstrapServers.saslPlainTextPort The SASL_PLAINTEXT Kafka port 9095    

Example:

lenses:
  kafka:
    ssl:
      enabled: false
      trustStoreFileData:
      keyStoreFileData:
      trustStorePassword:
      keyStorePassword:
      keyPassword:
    sasl:
      enabled: false
      # keyTabData is the base64 enecoded contents kerberos keytab file is using kerberos mounted in /mnt/secrets
      keyTabData: |-

      # jaasFileData is the contents of the kafka jaas file mounted in /mnt/secrets
      jaasFileData: |-

      # mechanism is the sasl autentication mechnaism GSSAPI, SCRAM or PLAIN
      mechanism: "GSSAPI"
      # krb5Conf is the kerberos config data to be mounted into /ect
      krb5Conf: |-

    bootstrapServers:
      - name: kafka
        port: 9092
        sslPort: 9093
        saslSslPort: 9094
        saslPlainTextPort: 9095
Zookeepers

lenses.zookeepers is a list of zookeepers detailing the hostname, HTTP protocol, and ports. Multiple zookeepers are supported.

If you are deploying a quorum of zookeepers inside Kubernetes they should be deployed as a statefulset like this. This allows the pods to have stable network identifiers. Each pods address should be added as an entry. The address takes the form of:

<statefulset-name>-<pod ordinal identifier>.<service name>.<namespace>.svc.cluster.local

For example, a statefulset of 3 replicas called zookeeper with a headless service called zookeeper, the addresses would be:

zookeeper-0.zookeeper.defaut.svc.cluster.local
zookeeper-1.zookeeper.defaut.svc.cluster.local

Note

New zookeepers added or removed on scaling will not be reflected. Currently Lenses will require a config update. Future releases will address this.

If you only have one zookeeper you can set the service name.

If your zookeepers are outside Kubernetes add host names.

Field Description Type Default Required
lenses.zookeepers.host The hostname of the zookeeper instance string zookeeper yes
lenses.zookeepers.port The port for the zookeeper instance int 8081 yes
lenses.zookeepers.jmxPort The JMX port for the zookeeper instance int 9102 yes

Example:

lenses:
  zookeepers:
    - host: zookeeper-1
      port: 2181
      jmxPort: 9102
    - host: zookeeper-2
      port: 2181
      jmxPort: 9102
Schema Registries

lenses.schemaRegistries is a list of schemaRegistries detailing the hostname, HTTP protocol and ports. Multiple schema registries are supported.

If you are deploying multiple schema registries for high availability inside Kubernetes they should be deployed as a statefulset. This allows the pods to have stable network identifiers. Each pods address should be added as an entry. The address takes the form of:

<statefulset-name>-<pod ordinal identifier>.<service name>.<namespace>.svc.cluster.local

For example, a statefulset of 2 replicas called schema-registry with a headless service called schema-registry, the addresses would be:

schema-registry-0.schema.defaut.svc.cluster.local
schema-registry-1.schema.defaut.svc.cluster.local

Note

New schema registries added or removed on scaling will not be reflected. Currently Lenses will require a config update. Future releases will address this.

If you only have one schema registry you can set the service name.

If your schema registries are outside Kubernetes add host names.

Field Description Type Default Required
lenses.schemaRegistries.enabled Enable schema registry support boolean false  
lenses.schemaRegistries.hosts.host The host name of the schema registry instance string schema-registry yes
lenses.schemaRegistries.hosts.protocol The HTTP protocol, http or https string http yes
lenses.schemaRegistries.hosts.port The port for the schema registry instance int 8081 yes
lenses.schemaRegistries.hosts.jmxPort The jmx port for the schema registry instance int 9102 yes

Example:

lenses:
  schemaRegistries:
    enabled: true
    hosts:
      - host: schema-registry-1
        protocol: http
        port: 8081
        jmxPort: 9102
      - host: schema-registry-2
        protocol: http
        port: 8081
        jmxPort: 9102
Connect clusters

The lenses.connectClusters is a array of Connect clusters detailing the cluster name, ports, backing topics and worker hosts. Multiple clusters can be configured.

If you are deploying a Connect cluster inside Kubernetes they should be deployed as a statefulset. This allows the pods to have stable network identifiers. Each pods address should be added as an entry. The address takes the form of:

<statefulset-name>-<pod ordinal identifier>.<service name>.<namespace>.svc.cluster.local

For example, a statefulset of 2 replicas called connect with a headless service called connect, the addresses would be:

connect-worker-0.connect.defaut.svc.cluster.local
connect-worker-1.connect.defaut.svc.cluster.local

Note

New workers added or removed on scaling will not be reflected. Currently Lenses will require a config update. Future releases will address this.

If you only have one zookeeper you can set the service name.

If your zookeepers are outside Kubernetes add host names.

Field Description Type Default Required
lenses.connectClusters.enabled Enabled Kafka Connect support boolean false yes
lenses.connectClusters.clusters.name The name/alais for the cluster string   yes
lenses.connectClusters.clusters.port The workers rest port int 8083 yes
lenses.connectClusters.clusters.jmxPort The jmx port for the workers int 9102 yes
lenses.connectClusters.clusters.offsetsTopic
The offset backing topic
for the cluster
string connect-offsets yes
lenses.connectClusters.clusters.statusTopic
The statuses backing topic
for the cluster
string connect-statuses yes
lenses.connectClusters.clusters.configsTopic
The configs backing topic
for the cluster
string connect-configs yes
lenses.connectClusters.clusters.hosts List of connect worker host names string   yes

Example:

connectClusters:
  enabled: true
  clusters:
    - name: datascience
      port: 8083
      jmxPort: 9102
      offsetsTopic: connect-offsets-datascience
      statusTopic: connect-statuses-datascience
      configTopic: connect-configs-datascience
      hosts:
        - worker-ds-1
        - worker-ds-1
        - worker-ds-1

    - name: dataengineering
      port: 8083
      jmxPort: 9102
      offsetsTopic: connect-offsets-dataengineering
      statusTopic: connect-statuses-dataengineering
      configTopic: connect-configs-dataengineering
      hosts:
        - worker-de-1
        - worker-de-1
        - worker-de-1
Alert Managers

lenses.alertmanagers is a list of AlertManagers detailing the hostname, HTTP protocol, and ports. Multiple AlertManagers are supported.

If the AlertManagers are running inside Kubernetes add the service name to lenses.alertmanagers.host, otherwise just add the hostnames to lenses.alertmanagers.host.

Field Description Type Default Required
lenses.alertmanagers.enabled Enable alertmanager integration boolean false no
lenses.alertmanagers.sourceName
The source name for alerts
The Helm release name and namespace
are used as a suffix
string Lenses™-k8-<release-name>-<namespace>  
lenses.alertmanagers.consumersLagThreshold
The default consumer
lag for alerting
int 50000  
lenses.alertmanagers.host The host name of the alertmanagers instance string alertmanagers yes
lenses.alertmanagers.port The port for the alertmanagers instance int 8081 yes
lenses.alertmanagers.protocol The HTTP protocol, http or https string http yes

Example:

alertManagers:
  enabled: false
  endpoints:
    - host: alertmanager
      protocol: http
      port: 9094

  sourceName: Lenses-k8
  consumersLagThreshold: 50000
Security Groups

The security group section contains a list of groups with the following attributes:

Field Description Type Default Required
lenses.security.groups.name The name for a security group string   yes
lenses.security.groups.roles List of roles for the security group (read, write, admin, nodata) string   yes

example:

lenses:
  security:
    groups:
      - name: adminGroup
        roles:
          - admin
          - write
          - read
      - name: writeGroup
        roles:
          - read
          - write
      - name: readGroup
        roles:
          - read
Security Users

The security users section contains a list of users with the following attributes:

Field Description Type Default Required
lenses.security.users.username User name string   no
lenses.security.users.password User password string   no
lenses.security.users.displayName Display name for the user string   no
lenses.security.users.groups Array of security group names string   no
lenses.security.users.topic.whitelist List of topic names to whitelist string   no
lenses.security.users.topic.blacklist List of topic names to blacklist string   no

example:

lenses:
  security:
    users:
      - username: admin
        password: admin
        displayname: LensesAdmin
        groups:
          - adminGroup
        topic:
          blacklist:
            - andrew
          whitelist:
            - position_reports.*
      - username: write
        password: write
        displayname: Writer
        groups:
          - writeGroup
      - username: read
        password: read
        displayname: Reader
        groups:
          - readGroup
Security Service Accounts

The security service accounts section contains a list of service accounts with the following attributes:

Field Description Type Default Required
lenses.security.serviceAccounts.username Username for the service account string   no
lenses.security.serviceAccounts.token Token for the service account string   no
lenses.security.serviceAccounts.groups List of security groups the service acocunt belongs to string   no

example:

lenses:
  serviceAccounts:
    - username: jenkins
    token: jenkins
    groups:
      - adminGroup

LoadBalancer Service

You can also set the service.serviceType to LoadBalancer and set a static address. To do this you must comment out the LoadBalancer section and set the values accordingly.

Secrets

Kafka Secrets

kafka.ssl and kafka.sasl values are placed in a Secret called <release-name>. Both the key/trust stores and the passwords are added. The items from this secret are then mounted in /mnt/secrets.

Take care with SASL enabled Kafka clusters to set the path correctly in the JAAS config data to /mnt/secrets for the keytab file. The kafka.sasl.keyTabData is mounted as a /mnt/secrets/keytab. If sasl is enabled -Djava.security.auth.login.config=/etc/mnt/secrets/jaas.conf is added to the Lenses java opts.

Lenses Secrets
Lenses secrets, lenses.license and lenses.security** values are placed in a secret named after the helm release.

RBAC

If your Kubernetes cluster has RBAC enabled then Lenses requires the following access:

Resource Verbs
namespaces list, watch, get, create
pods list, watch, get, update, create, patch, delete
deployments list, watch, get, update, create, patch, delete
replicaSet list, watch, get, update, create, patch, delete
events list, watch, get

The Lenses Helm chart will create the required cluster roles and bindings.

Standard Manifest

A standard Kubernetes manifest can be found here.

Lenses requires the configuration to be split into two: the main one and the security-related settings - usually named as security.conf. The contents of a security.conf file can be mounted into the pods via:

kubectl create secret generic lenses-secrets --from-file=./LENSES_SECURITY_USERS --from-file=./license.json

The pod manifest will mount the contents of LENSES_SECURITY_USERS.