[#222] Support Kafka based messaging in Hono. #237
Conversation
|
To be added:
|
|
Replaced by updated version below. |
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
1e16c9a to
5919c80
Compare
|
The chart used for the deployment of Kafka requires Helm version 3.1.0. With a lower version, the deployment might not work when the property |
|
@b-abel Can you rebase and update the chart version? |
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
5919c80 to
b62f797
Compare
|
Rebased. |
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
b62f797 to
ac4fa72
Compare
|
This includes now authentication and transport encryption. |
How to use Kafka-based Messaging with Authentication and TLSDeploy to minikubeDeploy from the current branch: # in directory packages/charts/hono
helm install --dependency-update -n hono --values ./profileKafkaMessaging.yaml eclipse-hono .Send eventsDownload Hono's Command Line Client. # in directory where the hono-cli-*-exec.jar file has been downloaded to
export PATH_TO_PACKAGES=<path/to/the/packages/project>
export MY_TENANT=DEFAULT_TENANT
export KAFKA_IP=$(kubectl get service eclipse-hono-kafka-0-external --output="jsonpath={.status.loadBalancer.ingress[0]['hostname','ip']}" -n hono)
java -jar hono-cli-*-exec.jar --tenant.id=$MY_TENANT --spring.profiles.active=receiver,kafka --hono.kafka.commonClientConfig.bootstrap.servers=$KAFKA_IP:9094 --hono.kafka.commonClientConfig.security.protocol=SASL_SSL --hono.kafka.commonClientConfig.sasl.mechanism=SCRAM-SHA-512 --hono.kafka.commonClientConfig.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required username=\"hono\" password=\"hono-secret\";" --hono.kafka.commonClientConfig.ssl.endpoint.identification.algorithm="" --hono.kafka.commonClientConfig.ssl.truststore.location=$PATH_TO_PACKAGES/charts/hono/example/certs/trustStore.jks --hono.kafka.commonClientConfig.ssl.truststore.password=honotrustSend the event: export MY_TENANT=DEFAULT_TENANT
export MY_DEVICE=sensor1
export MY_PWD=hono-secret
export HTTP_ADAPTER_IP=$(kubectl get service eclipse-hono-adapter-http-vertx --output="jsonpath={.status.loadBalancer.ingress[0]['hostname','ip']}" -n hono)
curl -i -u $MY_DEVICE@$MY_TENANT:$MY_PWD -H 'Content-Type: application/json' --data-binary '{"alarm": "fire"}' http://$HTTP_ADAPTER_IP:8080/eventSend and receive CommandsStart a simulated devices: export MY_TENANT=DEFAULT_TENANT
export MY_DEVICE=sensor1
export MY_PWD=hono-secret
export MQTT_ADAPTER_IP=$(kubectl get service eclipse-hono-adapter-mqtt-vertx --output="jsonpath={.status.loadBalancer.ingress[0]['hostname','ip']}" -n hono)
mosquitto_sub -v -h $MQTT_ADAPTER_IP -u $MY_DEVICE@$MY_TENANT -P $MY_PWD -t command/+/+/req/#Change the path to the packages project in the following script block and run it to send a command with Hono's CLI: # in directory where the hono-cli-*-exec.jar file has been downloaded to
export PATH_TO_PACKAGES=<path/to/the/packages/project>
export MY_TENANT=DEFAULT_TENANT
export MY_DEVICE=4711
export KAFKA_IP=$(kubectl get service eclipse-hono-kafka-0-external --output="jsonpath={.status.loadBalancer.ingress[0]['hostname','ip']}" -n hono)
java -jar hono-cli-*-exec.jar --tenant.id=$MY_TENANT --device.id=$MY_DEVICE --spring.profiles.active=command,kafka --hono.kafka.commonClientConfig.bootstrap.servers=$KAFKA_IP:9094 --hono.kafka.commonClientConfig.security.protocol=SASL_SSL --hono.kafka.commonClientConfig.sasl.mechanism=SCRAM-SHA-512 --hono.kafka.commonClientConfig.sasl.jaas.config="org.apache.kafka.common.security.scram.ScramLoginModule required username=\"hono\" password=\"hono-secret\";" --hono.kafka.commonClientConfig.ssl.endpoint.identification.algorithm="" --hono.kafka.commonClientConfig.ssl.truststore.location=$PATH_TO_PACKAGES/charts/hono/example/certs/trustStore.jks --hono.kafka.commonClientConfig.ssl.truststore.password=honotrustConnect external tools to the Kafka clusterThe following example shows how the Kafka CLI can be used as a northbound receiver. First, download Kafka and extract it like this: tar -xzf kafka_2.13-2.8.0.tgz
cd kafka_2.13-2.8.0Change the path to the packages project in the following script block and run it to create a client config file: export PATH_TO_PACKAGES=<path/to/the/packages/project>
cat <<EOS >> hono-client-sasl-ssl.config
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
username="hono" \
password="hono-secret";
# disable hostname verification because the certificate does not contain load balancer IPs
ssl.endpoint.identification.algorithm=
ssl.truststore.location=$PATH_TO_PACKAGES/charts/hono/example/certs/trustStore.jks
ssl.truststore.password=honotrust
EOSNow, start the console consumer on the events topic of the tenant: export MY_TENANT=DEFAULT_TENANT
export MY_DEVICE=4711
export TOPIC=hono.event.$MY_TENANT
export KAFKA_IP=$(kubectl get service eclipse-hono-kafka-0-external --output="jsonpath={.status.loadBalancer.ingress[0]['hostname','ip']}" -n hono)
bin/kafka-console-consumer.sh --topic $TOPIC --bootstrap-server $KAFKA_IP:9094 --consumer.config ./hono-client-sasl-ssl.configTo list all topics in Kafka, run: bin/kafka-topics.sh --bootstrap-server $KAFKA_IP:9094 --list --command-config ./hono-client-sasl-ssl.config |
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
2 times, most recently
from
eb1fa73 to
4cd1115
Compare
|
Regarding the documentation I think it would be best to have the "How to..." part from above integrated somehow into Hono's Getting Started instead of adding more documentation here. |
|
When deploying the dispatch router, there is one port for TLS and one for plaintext connections. The Kafka cluster is now configured so that clients can only connect with TLS. At least with Bitnami's Helm chart, I haven't seen an easy way to provide both options at the same time. Instead of adding that manually, I tend to leave the configuration for TLS and rather document how to set up connections from the client with the truststore (I would add a new Getting Started guide for Kafka-based messaging to Hono's documentation). |
The PR eclipse-hono/hono#2682 adds a Getting Started guide for Kafka-based messaging to Hono. It shows the required configuration of the Hono CLI to connect to the Kafka broker if it is configured for TLS only. |
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
4cd1115 to
63d0169
Compare
|
When using minikube, |
The chart itself can also use Node Ports instead of using LoadBalancer. We explicitly added the useLoadBalancer property for that purpose. I therefore would prefer, if we could also use kafka with Node Ports only (based on the value of the property), if possible. |
It is quite easy to configure the Bitnami Kafka chart to use Node Ports instead of LoadBalancer. What seems to be problematic is changing this depending on the useLoadBalancer property. The reason is that the Bitnami chart is configured in the file |
charts/hono/example/ca_opts
Outdated
| subjectKeyIdentifier = hash | ||
| keyUsage = keyAgreement,keyEncipherment,digitalSignature | ||
| extendedKeyUsage = serverAuth, clientAuth | ||
| subjectAltName = DNS.1:*.eclipse-hono-kafka-headless,DNS.2:*.eclipse-hono-kafka-headless.hono,DNS.3:*.eclipse-hono-kafka-headless.hono.svc.cluster.local,DNS.4:localhost |
There was a problem hiding this comment.
Is the *. prefix needed here?
There was a problem hiding this comment.
I think so. The idea here is that clients directly address a pod using the headless service. The address is then <release-name>-0.<release-name>-headless.<namespace>.svc.cluster.local. The wildcard matches the pod name (would even work for multiple brokers).
But looking at this, I found another problem: the release names are part of the service names, and they are determined only during deployment. I created an issue for this: #252.
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
c62cd90 to
6289a8c
Compare
@sophokles73 I added a check that lets the deployment fail if those two properties are not consistent with each other. |
charts/hono/README.md
Outdated
| The following command provides a quickstart for Kafka based messaging: | ||
|
|
||
| ```bash | ||
| helm install --dependency-update -n hono --set messagingNetworkType=kafka --set kafkaMessagingClusterExample.enabled=true --set amqpMessagingNetworkExample.enabled=false eclipse-hono eclipse-iot/hono |
There was a problem hiding this comment.
How about adding a note here, that minikube tunnel needs to be running if using minikube.
I can imagine this being a common mistake when using minikube, with the install command running into a timeout in that case.
This adds the support for the Kafka based messaging to the Hono chart. The property `messagingNetworkType` is used to select which type of configuration is added to the adapters and services (either `amqp` or `kafka`). The property `kafkaMessagingClusterExample.enabled` indicates whether the example Kafka cluster should be deployed and used. Signed-off-by: Abel Buechner-Mihaljevic <[email protected]>
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
07735a7 to
d08ddaa
Compare
Signed-off-by: Abel Buechner-Mihaljevic <[email protected]>
New certificates are created for the example Kafka broker. The broker is configured to expect TLS encrypted connections from clients. The truststore is added to all services and adapters that need to connect to Kafka. This is currently a "jks" file because in Kafka the support for the "pem" format was added in version 2.7 and Hono currently uses the Kafka clients in version 2.6. Signed-off-by: Abel Buechner-Mihaljevic <[email protected]>
b-abel
force-pushed
the
PR/#222_support_kafka_messaging
branch
from
d08ddaa to
acb227f
Compare
| truststore.jks: {{ .Files.Get "example/certs/trustStore.jks" | b64enc }} |
There was a problem hiding this comment.
what do we need this for? We already configure the trusted-certs.pem which contains all the trusted certificates ....
There was a problem hiding this comment.
Kafka does not support pem files before version 2.7. Hono uses the Kafka clients in version 2.6.
There was a problem hiding this comment.
But Hono also supports JKS files so FMPOV we should either use JKS or PEM files, but not both ...
There was a problem hiding this comment.
I can provide a PR that replaces the trusted-certs.pem with a JKS file if you like.
There was a problem hiding this comment.
with a JKS file? My understanding is that we should be able to use only the truststore.jks file or does that contain other certs than trusted-certs.pem?
There was a problem hiding this comment.
Right, trustStore.jks is the JKS file to be used everywhere instead of trusted-certs.pem.
There was a problem hiding this comment.
I think you should indeed change it that way.
There was a problem hiding this comment.
@sophokles73 Please have a look at #257.
There was a problem hiding this comment.
Kafka does not support pem files before version 2.7. Hono uses the Kafka clients in version 2.6.
Is there a particular reason why we do not simply use the 2.7.x client and continue to use our PEM files?
There was a problem hiding this comment.
Kafka does not support pem files before version 2.7. Hono uses the Kafka clients in version 2.6.
Is there a particular reason why we do not simply use the 2.7.x client and continue to use our PEM files?
Hono does not directly use the Kafka clients, but they are a transitive dependency of the Vert.x Kafka client. Currently, it is version 3.9.7 of vertx-kafka-client which depends on version 2.6.0 of the Kafka clients.
Another minor point might be client/broker compatibility. Kafka version 2.7 is pretty recent. While I find it hard to find general reliable information on that topic, it seems advisable to use brokers with an equal or higher version than the clients. So, this would potentially increase the minimal Kafka version required by Hono.
This fixes #222. It adds the support for Kafka-based messaging to the Hono chart. The property
messagingNetworkTypeis used to select which type of configuration is added to the adapters and services (eitheramqporkafka). The propertykafkaMessagingClusterExample.enabledindicates whether the example Kafka cluster should be deployed and used.