Replace Bitnami with Strimzi Kafka

[nasark]

• install Strimzi by creating a subscription from the community-operators OLM CatalogSource
• move miq-components/kafka.go to its own package miq-components/kafka/kafka.go, this will allow the CRs to be used elsewhere (i.e. downstream)

Depends on:

• Add or update unique volume mount #1008
• Strimzi installation on Kubernetes manageiq-documentation#1769
• AddLabels util function #1020
• Mount messaging cert if root not present manageiq#22773
• Enforce and default Kafka configuration #896
• Change messaging-health-check to manageiq.liveness-check  manageiq#22775
• Deploy messaging by default #1024

TODO:

• Since Strimzi requires SSL, need to mount the ca.crt in orchestrator/workers regardless of whether internal-certificate-secret is present or not
• set node affinity in Kafka CR
• drop bitnami references in CR (marked as deprecated in CR)
• topic management to be handled by orchestrator? (not needed for now)

@miq-bot assign @bdunne
@miq-bot add_reviewer @Fryguy
@miq-bot add_label enhancement

[nasark]

@bdunne Is there a reason why we don't use default values for cr.Spec.KafkaMemoryRequest etc in upstream? I was trying to use those values here but its not in the CR spec

[bdunne]

Upstream we usually only set requests and limits if cr.Spec.EnforceWorkerResourceConstraints is set to allow running on lower resource clusters

If set, we should primarily pull the values from the CR cr.Spec.KafkaMemoryLimit, cr.Spec.KafkaMemoryRequest, cr.Spec.KafkaCpuLimit, cr.Spec.KafkaCpuRequest otherwise have some default values.

[bdunne]

Also, this should be done inside the mutate function in case the CR values are updated

[nasark]

Fixed the strimzi release to 0.35.1 to match downstream, also to prevent breaking changes that may be introduced in latest releases

[bdunne]

We'll need to come up with an upgrade plan at some point. Do you just change the channel name?

[nasark]

FYI key change that differentiates this from downstream. Added a comment in the code as I thought it would be beneficial but I can remove if not necessary

Also see https://github.com/ManageIQ/manageiq-pods/pull/1005/files#diff-64db691596174379fdf471b9867e0698ac2c8a8fb0948b10766bf4e75688b054R312-R320

[nasark]

@bdunne @Fryguy Please review

[bdunne]

Close/reopen to kick tests

[bdunne]

Do we need to store this somewhere? Every time the operator boots, we start at 0 again, right?

[nasark]

If the operator is redeployed then yes, we start at 0 again which I think is fine because the certs will be cleaned up and redeployed again? Let me know if that is okay. The intent behind this global var is so that the value persists between reconciles, so if a cert needs to be renewed we can increment the previous value

[bdunne]

Well, the operator could be rescheduled for any reason (host going down for maintenance, resource usage, etc), so every time a new one starts, it will start at 0 and copying the certs causing kafka to be restarted could be a problem

[nasark]

Applied the following feedback:

• Limit/requests with cr.Spec.EnforceWorkerResourceConstraints, move to mutate function
• Use addLabel function for labels (dependent PR AddLabels util function #1020)
• Productize names
• Use subscription api instead of unstructured objects

[nasark]

Applied the following:

• reworked renewKafkaCASecret() and relevant code to use caGen stored in last-known-revision annotation
  • also a bug fix for updating unstructured kafka objects (explained below)
• Check if openshift is being used by looking for openshift-marketplace namespace and relevant catalog source
• Create operatorgroup in order to allow creation of strimzi subscription from catalogsource

[nasark]

Introduced this function since updates are being made to the Kafka CR outside of reconciliation which can cause conflicts (metadata like creationTimestamp, uid), especially when dealing with unstructured objects since they are considered "dynamic" types. The recommended solution is to simply retry until the update succeeds. In my testing if there is a conflict the update usually succeeds on the 2nd retry.

You can read more about this here:

• https://github.com/kubernetes/client-go/blob/master/examples/dynamic-create-update-delete-deployment/README.md#typed-vs-dynamic
• https://github.com/kubernetes/client-go/blob/master/examples/dynamic-create-update-delete-deployment/main.go#L117-L129
• https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency

[nasark]

For some reason olmv1 doesn't contain the kinds available in olmv1alpha1 but it provides OperatorGroup which is not available in olmv1alpha1, and so we need to import both packages unfortunately 🤕

[nasark]

@miq-bot add_label quinteros/yes?

[bdunne]

Do any of the new objects need to be backed up? If so, we should add backup labels to them

[bdunne]

That linked comment was about the platforms that our operator can run on. We only build for x86_64amd64 right now. This is determining placement for kafka and zookeeper, so it should match the platforms that they are built for.

[bdunne]

Also, it's the same as 2 lines up

[bdunne]

Should this be an else if checking that the manageiq-cluster-ca-cert secret exists since we have the option to deploy without the messaging service in the CRD?

[bdunne]

0.35 doesn't support ppc64le, 0.37.0 looks like the first version that does:

...
        "0.35.0-rc1-amd64",
        "0.35.0-rc1-arm64",
        "0.35.0-rc1-s390x",
        "0.35.0-rc1",
        "0.35.0-0-amd64",
        "0.35.0-0-arm64",
        "0.35.0-0-s390x",
        "0.35.0-0",
        "0.35.0-amd64",
        "0.35.0-arm64",
        "0.35.0-s390x",
        "0.35.0",
        "0.35.1-rc1-amd64",
        "0.35.1-rc1-arm64",
        "0.35.1-rc1-s390x",
        "0.35.1-rc1",
        "0.35.1-0-amd64",
        "0.35.1-0-arm64",
        "0.35.1-0-s390x",
        "0.35.1-0",
        "0.35.1-1-amd64",
        "0.35.1-1-arm64",
        "0.35.1-1-s390x",
        "0.35.1-1",
        "0.35.1-amd64",
        "0.35.1-arm64",
        "0.35.1-s390x",
        "0.35.1",
...

[bdunne]

Suggested change

	kafkaCRSpec = miqutilsv1alpha1.SetKafkaNodeAffinity(kafkaCRSpec, []string{"amd64"})
	kafkaCRSpec = miqutilsv1alpha1.SetKafkaNodeAffinity(kafkaCRSpec, []string{"amd64"})
	kafkaCRSpec = miqutilsv1alpha1.SetKafkaNodeAffinity(kafkaCRSpec, []string{"amd64", "arm64", "ppc64le", "s390x"})

[Fryguy]

@bdunne arm? It can't hurt to add, but we don't need it right?

[bdunne]

🤷🏻‍♂️ It's a scheduling limitation. Since they build it, we may as well allow running there if the resources are available.

[miq-bot]

Checked commits nasark/manageiq-pods@80790f6~...a1fb2fb with ruby 2.7.8, rubocop 1.56.3, haml-lint 0.51.0, and yamllint
1 file checked, 1 offense detected

**

• 💣 💥 🔥 🚒 - Linter/Yaml - missing config files

[Fryguy]

Backported to quinteros in commit 22aa97a.

commit 22aa97ad00f6db6097eb1e65300aff2a894fddd5
Author: Brandon Dunne <[email protected]>
Date:   Thu Jan 4 17:18:11 2024 -0500

    Merge pull request #1005 from nasark/strimzi_kafka
    
    Replace Bitnami with Strimzi Kafka
    
    (cherry picked from commit 0ccfda19e605fa147218ce6ee3881c2f1934ca83)