Kafka protocol filter #2852
Comments
First, this is totally awesome. Let's start with additional features (not all are my idea, folks from Confluent helped!):
Here's the other point-of-view: |
This would be dope. A couple use cases to start are request logs and stats. You can also build a nice audit log by taking your request logs and enriching them with the user's info. This could also help people write their own Kafka filters adding features like upconverting old Kafka clients to newer protocol versions. |
Thanks @gwenshap those are all great ideas. Would love to discuss more. If Confluent is potentially interested in helping with this (even if just design) can you or someone else reach out to me? My email address is easy to find or you can DM me on Twitter to connect. |
Other interesting ideas that come to mind:
|
@mattklein123 Do you mind explaining the primary use case you had in mind? Would this be a "Front Envoy" that might be used for ingress into Kubernetes? Or would a side car proxy pretend to be all Kafka brokers to local clients? By "Front Envoy", I mean something like slide 15 in your deck here. |
|
Awesome that you guys are looking into Kafka protocol support, that'd be an amazing feature to have!
|
Here are some ideas I would find useful (some already mentioned)
|
Between @mattklein123 @gwenshap and @wushujames this is an awesome list of features. As a general question, particularly for Matt: would you see any value in capturing some of the more generic features and turning them higher level abstraction for messaging support in the service mesh? |
Perhaps also look at some of what kafka-pixy does. I find the wrapping of Kafka's native protocol with REST/gRPC to be pretty compelling. This better supports usage from FaaS and apps that don't necessarily have the ability to do a long-lived connection. |
I'd like to see Envoy's Zipkin traces reported to Zipkin using Zipkin's Kafka collector. |
Thanks everyone for the awesome suggestions that have been added to this issue. From Lyft's perspective, we are primarily interested in:
So I think this is where we will focus, probably starting in Q3. I will need to go through and do some basic SWAGing in terms of how much existing code in https://github.com/edenhill/librdkafka can be reused for the protocol parsing portion. We will also coordinate with folks at Confluent on this work as well. Please reach out if you are also interested in helping. |
Are there any plans at this point for how to practically proxy the Kafka protocol to a pool of brokers? In general, clients connect to a seed node and send it a "metadata" request for the topic/partition they're interested in. The response to that includes a hostname and port, which clients then connect to directly. It means that in practice Kafka clients are (by design) very good at dis-intermediating proxies. |
@ebroder One way to do it will be to register the proxy address (probably localhost:port if we are using sidecar) as their advertised-listeners. And then they'll return this address to the clients. |
@gwenshap: Interesting. That would imply a Kafka cluster that would only work with the sidecars then, right? |
I didn't mean to imply that. That's why I said "one way". I know @travisjeffery and @theduderog have ideas about central proxies. Sidecars do seem to be Envoy's main mode of deployment. |
That does require that you have to allocate a sidecar port for every kafka broker you're running, right? It seems like the overhead/management costs there could potentially add up quickly |
I'm not sure? How expensive are ports? Kafka clusters with over 50 brokers are quite rare. |
@ebroder @wushujames @gwenshap TBH I really have not gotten into the details yet. If the Kafka protocol does not support a built-in method of proxying (we should discuss), I think there are a few options:
But again I haven't done any investigation. I was going to carve out some time to learn more about all of this in Q2 and potentially find some people who would like to help me learn more about it. :) |
@mattklein123 @gwenshap @ebroder: Yeah, I had the same idea as Matt's option 3. Since the initial request to the brokers has to flow through the sidecar anyway, it can intercept and rewrite the response back to the client, and transform the request/responses as they flow between client/broker. Sounds expensive to me, but I know very little about envoy's performance. |
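Added example, not part of the thread and not Envoy's code: the metadata-response rewriting discussed in the comments above, for the MetadataResponse v0 broker array only (later protocol versions add fields). The listener map, host names and ports are constructed for illustration.

```python
import struct

def parse_brokers(buf, off=4):
    """Parse the v0 broker array that follows the 4-byte correlation id."""
    (count,) = struct.unpack_from(">i", buf, off)
    off += 4
    brokers = []
    for _ in range(count):
        node_id, hlen = struct.unpack_from(">ih", buf, off)
        off += 6
        host = buf[off:off + hlen].decode("utf-8")
        off += hlen
        (port,) = struct.unpack_from(">i", buf, off)
        off += 4
        brokers.append((node_id, host, port))
    return brokers, off

def encode_brokers(brokers):
    """Serialize (node_id, host, port) tuples back into the v0 wire layout."""
    out = struct.pack(">i", len(brokers))
    for node_id, host, port in brokers:
        h = host.encode("utf-8")
        out += struct.pack(">ih", node_id, len(h)) + h + struct.pack(">i", port)
    return out

def rewrite_metadata(buf, listeners):
    """Swap every advertised broker address for the proxy listener of that node id."""
    brokers, end = parse_brokers(buf)
    rewritten = []
    for node_id, host, port in brokers:
        if node_id not in listeners:
            # Fail closed: passing the real address through would let the
            # client connect to the broker directly and bypass the proxy.
            raise KeyError(f"no proxy listener for broker {node_id} ({host}:{port})")
        rewritten.append((node_id, *listeners[node_id]))
    # Bytes after the broker array (topic metadata) are carried through unchanged.
    return buf[:4] + encode_brokers(rewritten) + buf[end:]

# Constructed sample: correlation id 7, two brokers, empty topic array.
SAMPLE = (struct.pack(">i", 7)
          + encode_brokers([(1, "kafka-1.internal", 9092), (2, "kafka-2.internal", 9092)])
          + struct.pack(">i", 0))
# Hypothetical sidecar layout: one local listener port per broker.
LISTENERS = {1: ("127.0.0.1", 19092), 2: ("127.0.0.1", 19093)}

if __name__ == "__main__":
    print(parse_brokers(rewrite_metadata(SAMPLE, LISTENERS))[0])
```

On the wire each response is preceded by a 4-byte length, which a proxy has to recompute after rewriting because the host strings change size.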
@mattklein123 @gwenshap @ebroder @wushujames: take a look at https://medium.com/solo-io/introducing-gloo-nats-bring-events-to-your-api-f7ee450f7f79 & https://github.com/solo-io/envoy-nats-streaming - love to get your thoughts .... we created a NATS filter for Envoy ... |
As @wushujames mentioned:
This will be very useful for canary release or blue/green deployment since it will allow modifying the actual topic without any change in the application. |
@mattklein123: There have been a lot of requests in this thread. Will there be a design doc with a list of which requested features will be supported? |
@georgeteo yes when I start working on this (unsure when) I will provide a design doc once I do more research. |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
What's next now that #4950 is merged? |
Bumping this as well. |
Any status update on this? |
I am interested in the status on this issue as well. Thanks! |
Me too. |
Me as well |
Same! |
Also interested in this issue. |
Same! Any updates? |
I am interested in the status on this issue as well. Thanks! |
Folks, please stop the "me too" posts. The way to express that is to thumbs-up Matt's comment at the top. |
How can I join the Kafka protocol filter feature development? Is there any checklist so I can pick some tasks to begin with? :) @mattklein123 @adamkotwasinski |
I'd like to add transparent encryption and decryption to the list of features. In contrast to just doing TLS, this would allow me to have a zero knowledge broker. |
I'm going to close this as the filter is implemented. Let's please open more specific feature requests for the filter so we can track things in a more granular fashion. Thank you @adamkotwasinski!!! |
@mattklein123 yeah, I'm planning to revisit this in April (hopefully) when I'll start work on "fat-mesh" filter. Initially it will be very simple: custom cluster (that manages the internal Kafka-discovery (somewhat similar to redis-cluster code)) and the trivial (non-consumer-group) ProduceRequest & FetchRequest handling. |
All right, I got some initial "stateful" proxy features implemented allowing Envoy to act as a facade for multiple Kafka clusters:
More notes and things that might need to be improved at https://github.com/adamkotwasinski/envoy/blob/ff39845987af5cc5ff8796ad3b683f6a7e8dbe3f/docs/root/configuration/listeners/network_filters/kafka_mesh_filter.rst#notes |
All right, given that some code has been pushed to allow for response rewriting, we can now use Envoy without needing Kafka to change its configuration: #30669 |
Updated the protocol code to handle Kafka 3.8 : #36166 |
Broker filter can now filter requests by API Key - #36978 |
It's looking like Lyft may be able to fund Kafka protocol support in Envoy sometime this year.
Community, can you please chime in on what you would like to see? I know this will be a very popular feature. Stats (as in the Mongo filter) are a no-brainer. What else? Eventually routing and load balancing for languages in which the Kafka client drivers are not as robust?