Sign upLogin

devshawn/kafka-gitops

View on GitHub
Star
docs/services.md

Summary

Maintainability
Test Coverage
# Services

If you have security on your cluster, you can use `kafka-gitops` to manage ACLs. Kafka GitOps automatically builds the necessary ACLs for most use cases. 

## Application Example

A basic example shown below defines one topic, `test-topic`, and one service, `my-application`. 

The service `my-application` both consumes from and produces to `test-topic`. This will generate the necessary ACLs for `my-application` to do this.

?> **NOTE**: If using Confluent Cloud, omit the principal field.

```yaml
topics:
  test-topic:
    partitions: 6
    replication: 1

services:
  my-application:
    type: application
    principal: User:myapp
    consumes:
      - test-topic
    produces:
      - test-topic
```

Behind the scenes, this will generate three ACLs:

- `READ` for topic `test-topic`
- `WRITE` for topic `test-topic`
- `READ` for consumer group `my-application`

#### Group ID

The `group.id` used for consumer ACLs defaults to the service name. You can override this by specifying the `group-id` property, as shown below:

```yaml
services:
  my-application:
    type: application
    principal: User:myapp
    group-id: my-application-service
    consumes:
      - test-topic
    produces:
      - test-topic
```

This would allow your consumer group to access kafka using `my-application-service` as the `group.id`.

## Kafka Streams Example

A basic example shown below defines one topic, `test-topic`, and one kafka streams application, `my-stream`. 

The service `my-stream` both consumes from and produces to `test-topic`. This will generate the necessary ACLs for `my-stream` to do this.

```yaml
topics:
  test-topic:
    partitions: 6
    replication: 1

services:
  my-stream:
    type: kafka-streams
    principal: User:mystream
    consumes:
      - test-topic
    produces:
      - test-topic
```

Behind the scenes, this generates ACLs such as:

- `READ` for topic `test-topic`
- `WRITE` for topic `test-topic`
- `READ` for consumer group `my-stream`
- Various ACLs for Kafka streams internal topic management

#### Application ID

The `application.id` used for streams ACLs defaults to the service name. You can override this by specifying the `application-id` property, as shown below:

```yaml
services:
  my-stream:
    type: kafka-streams
    principal: User:mystream
    application-id: my-stream-application
    consumes:
      - test-topic
    produces:
      - test-topic
```

This would allow your streams application to access kafka using `my-stream-application` as the `application.id`.

## Kafka Connect Example

A basic example which defines one Kafka Connect cluster that has one connector running. 

```yaml
topics:
  connect-configs-my-connect-cluster:
    partitions: 1
    replication: 1
    configs:
      cleanup.policy: compact

  connect-offsets-my-connect-cluster:
    partitions: 25
    replication: 1
    configs:
      cleanup.policy: compact

  connect-status-my-connect-cluster:
    partitions: 5
    replication: 1
    configs:
      cleanup.policy: compact
      
  rabbitmq-data:
    partitions: 6
    replication: 1

services:
  my-connect-cluster:
    type: kafka-connect
    principal: User:myconnectcluster
    connectors:
      rabbitmq-sink:
        consumes:
          - rabbitmq-data
```

Behind the scenes, this generates ACLs such as:

- `READ` for topic `rabbitmq-data`
- `READ` for the consumer group `connect-rabbitmq-sink`
- `READ` and `WRITE` for the internal kafka connect topics
- `READ` for the consumer group `my-connect-cluster`

#### Storage Topics

By default, `kafka-gitops` generates ACLs for the internal storage topics following this format:

- `connect-configs-{service-name}`
- `connect-offsets-{service-name}`
- `connect-status-{service-name}`

You can specify custom internal storage topics using the `storage-topics` property:

```yaml
services:
  my-connect-cluster:
    type: kafka-connect
    principal: User:myconnectcluster
    storage-topics:
      config: custom-config-topic
      offset: custom-offset-topic
      status: custom-status-topic
    connectors:
      rabbitmq-sink:
        consumes:
          - rabbitmq-data
```

#### Group ID

The `group.id` used for the connect cluster ACLs defaults to the service name. You can override this by specifying the `group-id` property, as shown below:

```yaml
services:
  my-connect-cluster:
    type: kafka-connect
    principal: User:myconnectcluster
    group-id: kafka-connect-cluster
    connectors:
      rabbitmq-sink:
        consumes:
          - rabbitmq-data
```

This allows your connect cluster to access kafka using `kafka-connect-cluster` as the `group.id`. 

!> **NOTE**: The `group-id` setting only affects the connect cluster `group.id`, and not any sink connector group IDs.