DEV Community: giveitatry The latest articles on DEV Community by giveitatry (@giveitatry). https://dev.to/giveitatry https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F623976%2F3baf0112-f926-4743-b988-89afa8a5fbe5.jpg DEV Community: giveitatry https://dev.to/giveitatry en Deploying RustFS (Single Node) on k3s giveitatry Fri, 24 Apr 2026 08:08:04 +0000 https://dev.to/giveitatry/deploying-rustfs-single-node-on-k3s-28e2 https://dev.to/giveitatry/deploying-rustfs-single-node-on-k3s-28e2 <p>RustFS is an S3-compatible object storage system designed for high performance and distributed environments. For development, testing, or edge deployments, it can be run in <strong>standalone mode (single node, single disk)</strong>.</p> <p>This guide covers:</p> <ul> <li>Helm-based installation</li> <li>Correct credential configuration</li> <li>Optional ingress exposure</li> <li>Verification steps</li> <li>Troubleshooting common issues</li> </ul> <h1> 1. Prerequisites </h1> <p>Ensure the following:</p> <ul> <li>Running k3s cluster</li> <li> <code>kubectl</code> configured</li> <li>Helm installed</li> </ul> <p>Check cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes </code></pre> </div> <h1> 2. Add RustFS Helm repository </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add rustfs https://charts.rustfs.com helm repo update </code></pre> </div> <h1> 3. Create namespace </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create namespace rustfs </code></pre> </div> <h1> 4. Prepare values.yaml </h1> <p>This is the <strong>recommended configuration for single-node deployment</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="na">standalone</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">distributed</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">replicaCount</span><span class="pi">:</span> <span class="m">1</span> <span class="na">image</span><span class="pi">:</span> <span class="na">repository</span><span class="pi">:</span> <span class="s">rustfs/rustfs</span> <span class="na">tag</span><span class="pi">:</span> <span class="s">latest</span> <span class="na">storageclass</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">local-path</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">rustfs</span><span class="pi">:</span> <span class="na">access_key</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">secret_key</span><span class="pi">:</span> <span class="s">supersecretpassword</span> <span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <h1> 5. Install RustFS </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>rustfs rustfs/rustfs <span class="se">\</span> <span class="nt">-n</span> rustfs <span class="se">\</span> <span class="nt">-f</span> values.yaml </code></pre> </div> <h1> 6. Verify deployment </h1> <p>Check pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> rustfs </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rustfs-0 Running </code></pre> </div> <h1> 7. Access RustFS </h1> <h2> Option A: Port-forward (recommended) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward svc/rustfs-svc 9000:9000 <span class="nt">-n</span> rustfs </code></pre> </div> <p>Then:</p> <ul> <li>API: <a href="http://localhost:9000" rel="noopener noreferrer">http://localhost:9000</a> </li> <li>Console: <a href="http://localhost:9001" rel="noopener noreferrer">http://localhost:9001</a> </li> </ul> <h2> Option B: Enable ingress (optional) </h2> <p>Update <code>values.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ingress</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">className</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">rustfs.127.0.0.1.nip.io</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> </code></pre> </div> <p>Apply:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm upgrade rustfs rustfs/rustfs <span class="nt">-n</span> rustfs <span class="nt">-f</span> values.yaml </code></pre> </div> <h1> 8. Login </h1> <p>Default credentials (as configured):</p> <ul> <li>Username: <code>admin</code> </li> <li>Password: <code>supersecretpassword</code> </li> </ul> <p>Access the web console on port <strong>9001</strong>.</p> <h1> 9. Key Configuration Notes </h1> <h3> Standalone vs Distributed </h3> <ul> <li> <code>standalone</code> = single pod, one volume</li> <li> <code>distributed</code> = multiple pods, erasure coding</li> </ul> <p>Do not mix both modes.</p> <h3> Credentials </h3> <p>RustFS Helm chart uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">secret.rustfs.access_key</span> <span class="s">secret.rustfs.secret_key</span> </code></pre> </div> <p>Not:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">auth.*</span> </code></pre> </div> <h3> Storage </h3> <p>Default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">storageclass.name</span><span class="pi">:</span> <span class="s">local-path</span> </code></pre> </div> <p>Suitable for k3s environments.</p> <h1> 10. Troubleshooting </h1> <h2> 1. Login does not work </h2> <p><strong>Cause:</strong></p> <ul> <li>Wrong Helm keys used (<code>auth.*</code> instead of <code>secret.rustfs.*</code>)</li> <li>Secret not updated</li> </ul> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret <span class="nt">-n</span> rustfs kubectl delete secret &lt;secret-name&gt; <span class="nt">-n</span> rustfs helm upgrade rustfs rustfs/rustfs <span class="nt">-n</span> rustfs <span class="nt">-f</span> values.yaml </code></pre> </div> <h2> 2. Pods fail with "not first disk" or quorum errors </h2> <p><strong>Cause:</strong></p> <ul> <li>Distributed mode enabled unintentionally</li> <li>Invalid cluster topology</li> </ul> <p><strong>Fix:</strong></p> <p>Ensure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">mode</span><span class="pi">:</span> <span class="na">standalone</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">distributed</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">false</span> </code></pre> </div> <h2> 3. TCP connection errors between nodes </h2> <p><strong>Cause:</strong></p> <ul> <li>Port mismatch (9000 vs 9001)</li> <li>Incorrect service configuration</li> </ul> <p><strong>Fix:</strong></p> <ul> <li>Ensure consistent port usage</li> <li>Verify endpoints: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get endpoints <span class="nt">-n</span> rustfs </code></pre> </div> <h2> 4. Ingress fails with validation error </h2> <p>Error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>spec.rules[0].http.paths: Required value </code></pre> </div> <p><strong>Cause:</strong></p> <ul> <li>Missing <code>paths</code> definition</li> </ul> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> </code></pre> </div> <h2> 5. Ingress not reachable </h2> <p><strong>Cause:</strong></p> <ul> <li>Missing ingress controller</li> <li>Wrong class name</li> </ul> <p><strong>Fix:</strong></p> <p>For k3s:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">ingress</span><span class="pi">:</span> <span class="na">className</span><span class="pi">:</span> <span class="s">traefik</span> </code></pre> </div> <h2> 6. Cannot access service externally </h2> <p><strong>Cause:</strong></p> <ul> <li>Using ClusterIP without port-forward</li> </ul> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl port-forward svc/rustfs-svc 9000:9000 <span class="nt">-n</span> rustfs </code></pre> </div> <h2> 7. Credentials do not change after upgrade </h2> <p><strong>Cause:</strong></p> <ul> <li>Kubernetes Secret not overwritten</li> </ul> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete secret &lt;secret-name&gt; <span class="nt">-n</span> rustfs helm upgrade ... </code></pre> </div> <h1> Conclusion </h1> <p>Running RustFS in standalone mode on k3s is straightforward when:</p> <ul> <li>Helm values are correctly defined</li> <li>Secrets use the correct keys</li> <li>Distributed mode is disabled</li> </ul> <p>This setup provides a lightweight, S3-compatible storage backend suitable for development and edge use cases, while preserving a clear upgrade path to distributed deployments.</p> rustfs kubernetes Backup and Restore of a K3s Cluster Using Velero giveitatry Fri, 24 Apr 2026 07:01:18 +0000 https://dev.to/giveitatry/backup-and-restore-of-a-k3s-cluster-using-velero-2ibe https://dev.to/giveitatry/backup-and-restore-of-a-k3s-cluster-using-velero-2ibe <p>This guide provides a practical, production-oriented walkthrough of installing, configuring, and troubleshooting Velero for backing up a K3s cluster. It focuses on reliability and reproducibility rather than theory.</p> <h1> 1. Overview </h1> <p>Velero is an open-source tool designed to:</p> <ul> <li>Back up Kubernetes resources (Deployments, Services, CRDs, etc.)</li> <li>Optionally back up persistent volumes</li> <li>Restore workloads to the same or a different cluster</li> </ul> <p>In K3s environments, Velero is commonly used for:</p> <ul> <li>Disaster recovery</li> <li>Cluster migration</li> <li>CI/CD environment replication</li> </ul> <h1> 2. Installing Velero CLI on Linux </h1> <h2> 2.1 Download </h2> <p>You already identified the correct approach. Use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-L</span> https://github.com/velero-io/velero/releases/download/v1.18.0/velero-v1.18.0-linux-amd64.tar.gz | <span class="nb">tar </span>xz </code></pre> </div> <p>This downloads and extracts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>velero-v1.18.0-linux-amd64/ </code></pre> </div> <h2> 2.2 Install binary system-wide </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>velero-v1.18.0-linux-amd64 <span class="nb">sudo mv </span>velero /usr/local/bin/ </code></pre> </div> <h2> 2.3 Verify installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero version </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Client: Version: v1.18.0 </span></code></pre> </div> <p>At this stage, the server part is not yet installed — that comes next.</p> <h1> 3. Preparing Storage Backend </h1> <p>Velero requires object storage (S3-compatible).</p> <p>Supported options:</p> <ul> <li>AWS S3</li> <li>MinIO (recommended for on-prem)</li> <li>Hetzner Object Storage</li> <li>Azure Blob / GCP</li> </ul> <h2> 3.1 Create credentials file </h2> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> &gt; credentials-velero [default] aws_access_key_id=&lt;ACCESS_KEY&gt; aws_secret_access_key=&lt;SECRET_KEY&gt; </span><span class="no">EOF </span></code></pre> </div> <h1> 4. Installing Velero in K3s </h1> <p>Velero runs inside the cluster as a controller.</p> <h2> 4.1 Installation command </h2> <p>Example (S3-compatible storage):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero <span class="nb">install</span> <span class="se">\</span> <span class="nt">--provider</span> aws <span class="se">\</span> <span class="nt">--plugins</span> velero/velero-plugin-for-aws:v1.8.0 <span class="se">\</span> <span class="nt">--bucket</span> velero <span class="se">\</span> <span class="nt">--secret-file</span> ./credentials-velero <span class="se">\</span> <span class="nt">--use-volume-snapshots</span><span class="o">=</span><span class="nb">false</span> <span class="se">\</span> <span class="nt">--backup-location-config</span> <span class="se">\</span> <span class="nv">region</span><span class="o">=</span>hel1,s3ForcePathStyle<span class="o">=</span><span class="s2">"true"</span>,s3Url<span class="o">=</span>https://&lt;OBJECT_STORAGE_ENDPOINT&gt;:&lt;PORT-IF-NEEDED&gt; </code></pre> </div> <h3> Key parameters explained </h3> <ul> <li><p><code>--provider aws</code><br> Required even for S3-compatible systems</p></li> <li><p><code>--plugins</code><br> Enables S3 integration</p></li> <li><p><code>--bucket</code><br> Must already exist in storage</p></li> <li><p><code>region=minio</code><br> Required (even if not AWS) - any region will work</p></li> <li><p><code>s3ForcePathStyle="true"</code><br> Required for most non-AWS providers</p></li> <li><p><code>s3Url</code><br> Must be reachable from inside the cluster</p></li> </ul> <h2> 4.2 Verify installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> velero </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>velero-xxxxx Running </code></pre> </div> <h2> 4.3 Validate storage </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero backup-location get </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PHASE: Available </code></pre> </div> <p>This is the most important health indicator.</p> <h1> 5. Creating Backups </h1> <h2> 5.1 Full cluster backup </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero backup create full-backup </code></pre> </div> <h2> 5.2 Check status </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero backup get </code></pre> </div> <p>Expected:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>STATUS: Completed </code></pre> </div> <h2> 5.3 Detailed inspection </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero backup describe full-backup <span class="nt">--details</span> </code></pre> </div> <h1> 6. Restoring from Backup </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero restore create <span class="nt">--from-backup</span> full-backup </code></pre> </div> <p>This will:</p> <ul> <li>recreate resources</li> <li>restore metadata</li> <li>optionally restore volumes (if configured)</li> </ul> <h1> 7. Automating Backups </h1> <p>Example: daily backup at 02:00<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero schedule create daily-backup <span class="se">\</span> <span class="nt">--schedule</span><span class="o">=</span><span class="s2">"0 2 * * *"</span> </code></pre> </div> <h1> 8. Persistent Volume Backups (Important) </h1> <p>By default (as in your setup):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--use-volume-snapshots</span><span class="o">=</span><span class="nb">false</span> </code></pre> </div> <p>This means:</p> <ul> <li>Kubernetes objects are backed up</li> <li>Persistent data is NOT</li> </ul> <h2> Options: </h2> <h3> Option A — CSI snapshots (preferred) </h3> <p>Requires storage support</p> <h3> Option B — Node-agent (Restic) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--use-node-agent</span> </code></pre> </div> <p>Without this, your backups are incomplete for stateful workloads.</p> <h1> 9. Troubleshooting </h1> <h2> 9.1 CLI works but server not found </h2> <p>Error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>no matches for velero.io/v1 </code></pre> </div> <p>Cause:</p> <ul> <li>Velero not installed in cluster</li> </ul> <p>Fix:</p> <ul> <li>run <code>velero install</code> </li> </ul> <h2> 9.2 Backup fails with <code>FailedValidation</code> </h2> <p>Common causes:</p> <ul> <li>missing region</li> <li>invalid storage config</li> <li>bucket not reachable</li> </ul> <p>Fix:<br> Ensure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">region</span><span class="pi">:</span> <span class="s">minio</span> </code></pre> </div> <h2> 9.3 MissingRegion error </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>MissingRegion: could not find region configuration </code></pre> </div> <p>Fix:<br> Add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">region=minio</span> </code></pre> </div> <h2> 9.4 Storage unavailable </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>BackupStorageLocation is in unavailable state </code></pre> </div> <p>Check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero backup-location get </code></pre> </div> <p>If not <code>Available</code>, verify:</p> <ul> <li>endpoint URL (must be reachable from cluster)</li> <li>credentials</li> <li>bucket existence</li> </ul> <h2> 9.5 Connection timeout </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>dial tcp ... i/o timeout </code></pre> </div> <p>Cause:</p> <ul> <li>cluster cannot reach storage</li> </ul> <p>Fix:</p> <ul> <li>verify network access from pod: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run <span class="nb">test</span> <span class="nt">--rm</span> <span class="nt">-it</span> <span class="nt">--image</span><span class="o">=</span>busybox <span class="nt">--</span> sh wget <span class="nt">-O-</span> https://&lt;endpoint&gt; </code></pre> </div> <h2> 9.6 Incorrect protocol (HTTP vs HTTPS) </h2> <p>Many providers require HTTPS.</p> <p>Incorrect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">http://... </span></code></pre> </div> <p>Correct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">https://... </span></code></pre> </div> <h2> 9.7 Plugin process exited (not an error) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>plugin process exited </code></pre> </div> <p>This is normal behavior:</p> <ul> <li>plugin runs per request</li> <li>exits after execution</li> </ul> <p>No action required.</p> <h2> 9.8 Inconsistent logs (0/0/1 state) </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>available/unavailable/unknown: 0/0/1 </code></pre> </div> <p>Occurs during startup.</p> <p>Ignore if:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero backup-location get </code></pre> </div> <p>shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Available </code></pre> </div> <h1> 10. Recovery Strategy for K3s </h1> <p>To restore a cluster on a new server:</p> <ol> <li>Install K3s</li> <li>Install Velero</li> <li>Configure same storage</li> <li>Run: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>velero restore create <span class="nt">--from-backup</span> &lt;backup-name&gt; </code></pre> </div> <p>This reconstructs:</p> <ul> <li>workloads</li> <li>configs</li> <li>namespaces</li> </ul> <h1> 11. Best Practices </h1> <ul> <li>Always verify backups with test restores</li> <li>Use external object storage (not same node)</li> <li>Automate backups (schedules)</li> <li>Enable volume backup for production workloads</li> <li>Version control your Velero installation config</li> </ul> kubernetes velero Restarting a Kubernetes Deployment from GitLab CI giveitatry Thu, 23 Apr 2026 10:03:36 +0000 https://dev.to/giveitatry/restarting-a-kubernetes-deployment-from-gitlab-ci-4kdd https://dev.to/giveitatry/restarting-a-kubernetes-deployment-from-gitlab-ci-4kdd <h2> Introduction </h2> <p>In many delivery workflows, a full redeploy is unnecessary. A <strong>rollout restart</strong> is sufficient to force Pods to be recreated (for example after updating ConfigMaps, Secrets, or re-pulling an image with the same tag). This article describes how to trigger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart deployment/&lt;name&gt; </code></pre> </div> <p>from GitLab CI against Kubernetes (including k3s), using a minimal and secure setup.</p> <h2> Kubernetes-side requirements </h2> <p>To allow a CI job to operate on the cluster, you need:</p> <ol> <li> <strong>ServiceAccount</strong> – identity used by the CI job</li> <li> <strong>Role (RBAC)</strong> – permissions (minimal scope)</li> <li> <strong>RoleBinding</strong> – attaches the Role to the ServiceAccount</li> <li> <strong>Token</strong> – credential used by the CI job</li> </ol> <p>A rollout restart is implemented as a <strong>PATCH</strong> to the Deployment (<code>spec.template.metadata.annotations</code>), so the essential permission is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">patch"</span><span class="pi">]</span> </code></pre> </div> <p><code>get</code> is recommended; <code>list</code> is optional.</p> <h2> Kubernetes setup using YAML (recommended) </h2> <p>Create a single manifest with all required resources.</p> <h3> Full manifest </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-deploy</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-deploy-role</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">apps"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">deployments"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">patch"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-deploy-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-deploy</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-deploy-role</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="nn">---</span> <span class="c1"># Non-expiring token for CI/CD</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">gitlab-deploy-token</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">kubernetes.io/service-account.name</span><span class="pi">:</span> <span class="s">gitlab-deploy</span> <span class="na">type</span><span class="pi">:</span> <span class="s">kubernetes.io/service-account-token</span> </code></pre> </div> <h2> Creating a non-expiring token (recommended for CI/CD) </h2> <p>Modern Kubernetes does <strong>not automatically create long-lived tokens</strong>. Instead, you explicitly create one via a Secret (as shown above).</p> <h3> Apply configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> gitlab-deploy.yaml <span class="nt">-n</span> some-namespace </code></pre> </div> <h3> Retrieve the token </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret gitlab-deploy-token <span class="nt">-n</span> some-namespace <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.token}"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>This token:</p> <ul> <li>does <strong>not expire</strong> </li> <li>is stable for CI/CD usage</li> <li>is tied to the ServiceAccount lifecycle</li> </ul> <p>This is the <strong>recommended approach for GitLab CI pipelines</strong>.</p> <h2> Kubernetes setup using CLI (alternative) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create serviceaccount gitlab-deploy <span class="nt">-n</span> some-namespace kubectl create role gitlab-deploy-role <span class="se">\</span> <span class="nt">--verb</span><span class="o">=</span>get,patch <span class="se">\</span> <span class="nt">--resource</span><span class="o">=</span>deployments <span class="se">\</span> <span class="nt">-n</span> some-namespace kubectl create rolebinding gitlab-deploy-binding <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span>gitlab-deploy-role <span class="se">\</span> <span class="nt">--serviceaccount</span><span class="o">=</span>some-namespace:gitlab-deploy <span class="se">\</span> <span class="nt">-n</span> some-namespace </code></pre> </div> <h3> Temporary token (not recommended for CI) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create token gitlab-deploy <span class="nt">-n</span> some-namespace </code></pre> </div> <p>This token:</p> <ul> <li><strong>expires (default ~1 hour)</strong></li> <li>is suitable only for testing</li> </ul> <h2> Obtaining GitLab environment variables </h2> <p>You need three variables in GitLab:</p> <ul> <li><code>KUBE_TOKEN_DEV</code></li> <li><code>KUBE_API_URL</code></li> <li><code>KUBE_CA_PEM</code></li> </ul> <p>Add them under <strong>Settings → CI/CD → Variables</strong>.</p> <h3> 1. <code>KUBE_TOKEN_DEV</code> </h3> <p>For non-expiring token:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret gitlab-deploy-token <span class="nt">-n</span> some-namespace <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.data.token}"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>Copy and store as <code>KUBE_TOKEN_DEV</code>.</p> <h3> 2. <code>KUBE_API_URL</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config view <span class="nt">--minify</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.clusters[0].cluster.server}"</span> </code></pre> </div> <p>Store output as <code>KUBE_API_URL</code>.</p> <h3> 3. <code>KUBE_CA_PEM</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config view <span class="nt">--raw</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.clusters[0].cluster.certificate-authority-data}"</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>Store full certificate as <code>KUBE_CA_PEM</code>.</p> <p>For k3s:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo cat</span> /etc/rancher/k3s/k3s.yaml </code></pre> </div> <h2> GitLab CI configuration </h2> <h3> <code>.gitlab-ci.yml</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">deploy_dev</span><span class="pi">:</span> <span class="na">stage</span><span class="pi">:</span> <span class="s">deploy</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ubuntu:22.04</span> <span class="na">before_script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">apt-get update &amp;&amp; apt-get install -y curl</span> <span class="pi">-</span> <span class="s">curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"</span> <span class="pi">-</span> <span class="s">install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">echo "$KUBE_CA_PEM" &gt; ca.crt</span> <span class="pi">-</span> <span class="s">kubectl config set-cluster k3s --server=$KUBE_API_URL --certificate-authority=ca.crt</span> <span class="pi">-</span> <span class="s">kubectl config set-credentials gitlab --token=$KUBE_TOKEN_DEV</span> <span class="pi">-</span> <span class="s">kubectl config set-context gitlab --cluster=k3s --user=gitlab --namespace=some-namespace</span> <span class="pi">-</span> <span class="s">kubectl config use-context gitlab</span> <span class="pi">-</span> <span class="s">kubectl rollout restart deployment/pod-deployment</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s1">'</span><span class="s">$CI_COMMIT_BRANCH</span><span class="nv"> </span><span class="s">==</span><span class="nv"> </span><span class="s">"develop"'</span> <span class="na">when</span><span class="pi">:</span> <span class="s">always</span> <span class="pi">-</span> <span class="na">when</span><span class="pi">:</span> <span class="s">never</span> </code></pre> </div> <h2> Explanation of the pipeline </h2> <ol> <li>Installs <code>kubectl</code> </li> <li>Configures cluster endpoint and TLS</li> <li>Authenticates using ServiceAccount token</li> <li>Sets context with namespace</li> <li>Executes rollout restart</li> <li>Runs only on selected branch</li> </ol> <h2> Troubleshooting </h2> <h3> RoleBinding error: cannot change roleRef </h3> <p>Fix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete rolebinding gitlab-deploy-binding <span class="nt">-n</span> some-namespace kubectl apply <span class="nt">-f</span> gitlab-deploy.yaml </code></pre> </div> <h3> Forbidden errors </h3> <p>Check permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl auth can-i patch deployment <span class="se">\</span> <span class="nt">--as</span><span class="o">=</span>system:serviceaccount:some-namespace:gitlab-deploy <span class="se">\</span> <span class="nt">-n</span> some-namespace </code></pre> </div> <h3> Token expired </h3> <p>Cause:</p> <ul> <li>Using <code>kubectl create token</code> </li> </ul> <p>Fix:</p> <ul> <li>Use Secret-based non-expiring token</li> </ul> <h3> Missing annotation warning </h3> <p>Safe to ignore when switching from <code>create</code> to <code>apply</code>.</p> <h3> API connection issues </h3> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config view <span class="nt">--minify</span> </code></pre> </div> k8s k3s gitlab Upgrading K3s: Complete Guide giveitatry Wed, 01 Apr 2026 06:13:00 +0000 https://dev.to/giveitatry/upgrading-k3s-complete-guide-12bj https://dev.to/giveitatry/upgrading-k3s-complete-guide-12bj <h1> TL;DR </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current version</span> k3s <span class="nt">--version</span> <span class="c"># Upgrade server node to latest stable (run on server first)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_CHANNEL</span><span class="o">=</span>stable sh - <span class="c"># Upgrade to a specific version (upgrade One Minor Version at a Time)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.32.5+k3s1 sh - <span class="c"># Then upgrade each worker node (upgrade One Minor Version at a Time)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_CHANNEL</span><span class="o">=</span>stable <span class="nv">K3S_URL</span><span class="o">=</span>https://&lt;server-ip&gt;:6443 <span class="nv">K3S_TOKEN</span><span class="o">=</span>&lt;token&gt; sh - <span class="c"># Verify</span> kubectl get nodes </code></pre> </div> <h2> Your Current Situation </h2> <p>You're running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">k3s version v1.28.4+k3s2 (6ba6c1b6) go version go1.20.11 </span></code></pre> </div> <p>v1.28 reached end-of-life in late 2024. The current stable lines as of April 2026 are <strong>v1.32</strong> and <strong>v1.33</strong>. That means you're roughly <strong>4 minor versions behind</strong>, which is important — you cannot jump straight from v1.28 to v1.33 in one shot.</p> <h2> The Golden Rule: One Minor Version at a Time </h2> <p>When attempting to upgrade to a new version of K3s, the Kubernetes version skew policy applies. Ensure that your plan does not skip intermediate minor versions when upgrading.</p> <p>This means your upgrade path from v1.28 must go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.28 → v1.29 → v1.30 → v1.31 → v1.32 → v1.33 </code></pre> </div> <p>You cannot skip from v1.28 directly to v1.33. Each hop must be done separately, with the cluster verified healthy between each step.</p> <p>Also: when upgrading, upgrade server nodes first one at a time, then any agent nodes. Never upgrade workers before the server.</p> <h2> Important: Traefik Version Change at v1.32 </h2> <p>K3s versions v1.31 and earlier will install Traefik v2, while K3s versions v1.32 and later will install Traefik v3. If you're using Traefik as your ingress controller (which is the K3s default), the jump from v1.31 to v1.32 will upgrade Traefik from v2 to v3. Review the Traefik v3 migration guide before doing that hop if you have custom Traefik configuration or IngressRoute resources.</p> <h2> Important: etcd Warning for v1.34+ </h2> <p>If you plan to go all the way to v1.34 or v1.35, there is a critical etcd requirement. The K3s project announced that there is no safe upgrade path from etcd 3.5 to 3.6 (included in v1.34+) unless you are running etcd v3.5.26 first. The January 2025 releases of K3s v1.32 include etcd v3.5.26, so upgrading to at least <strong>v1.32</strong> before jumping to v1.34+ is mandatory to avoid cluster data issues.</p> <h2> Method 1: Manual Upgrade via Install Script (Recommended) </h2> <p>You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version. The install script is the easiest approach.</p> <h3> Step 1 — Upgrade the server node, one minor version at a time </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH into your server node</span> ssh root@&lt;server-ip&gt; <span class="c"># Hop 1: v1.28 → v1.29</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.29.13+k3s1 sh - <span class="c"># Verify server is healthy before proceeding</span> kubectl get nodes k3s <span class="nt">--version</span> <span class="c"># Hop 2: v1.29 → v1.30</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.30.13+k3s1 sh - kubectl get nodes <span class="c"># Hop 3: v1.30 → v1.31</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.31.9+k3s1 sh - kubectl get nodes <span class="c"># Hop 4: v1.31 → v1.32 (Traefik v2 → v3 happens here!)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.32.5+k3s1 sh - kubectl get nodes <span class="c"># Hop 5: v1.32 → v1.33 (optional, if you want latest stable)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.33.1+k3s1 sh - kubectl get nodes </code></pre> </div> <h3> Step 2 — Upgrade each worker node </h3> <p>After each server hop is confirmed healthy, upgrade the workers for that version before proceeding to the next hop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH into each worker node</span> ssh root@&lt;worker-ip&gt; <span class="c"># Run the same version as the server just upgraded to</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="se">\</span> <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.29.13+k3s1 <span class="se">\</span> <span class="nv">K3S_URL</span><span class="o">=</span>https://&lt;server-ip&gt;:6443 <span class="se">\</span> <span class="nv">K3S_TOKEN</span><span class="o">=</span>&lt;your-token&gt; <span class="se">\</span> sh - <span class="c"># Verify worker rejoined</span> kubectl get nodes </code></pre> </div> <p>Your token is in <code>/var/lib/rancher/k3s/server/node-token</code> on the server node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /var/lib/rancher/k3s/server/node-token </code></pre> </div> <h3> Step 3 — Verify after each hop </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All nodes should show same version and Ready status</span> kubectl get nodes <span class="nt">-o</span> wide <span class="c"># Check nothing is broken</span> kubectl get pods <span class="nt">-A</span> | <span class="nb">grep</span> <span class="nt">-v</span> Running | <span class="nb">grep</span> <span class="nt">-v</span> Completed </code></pre> </div> <h2> Method 2: Upgrade via Binary (Manual) </h2> <p>If you prefer more control, or the install script fails:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download the specific version binary</span> wget https://github.com/k3s-io/k3s/releases/download/v1.29.13%2Bk3s1/k3s <span class="c"># Replace the binary</span> <span class="nb">chmod</span> +x k3s <span class="nb">sudo mv </span>k3s /usr/local/bin/k3s <span class="c"># Restart the service</span> <span class="nb">sudo </span>systemctl restart k3s <span class="c"># on server</span> <span class="nb">sudo </span>systemctl restart k3s-agent <span class="c"># on workers</span> <span class="c"># Verify</span> k3s <span class="nt">--version</span> </code></pre> </div> <h2> Draining Nodes Before Upgrading (For Production) </h2> <p>Containers for pods continue running even when K3s is stopped. If your workload is sensitive to brief API server outages, you should manually drain and cordon the node before restarting K3s, and uncordon it afterwards.</p> <p>For a production cluster where you can't afford any disruption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Before upgrading a node, drain it from the server</span> kubectl drain &lt;node-name&gt; <span class="se">\</span> <span class="nt">--ignore-daemonsets</span> <span class="se">\</span> <span class="nt">--delete-emptydir-data</span> <span class="se">\</span> <span class="nt">--force</span> <span class="c"># Run the upgrade on that node</span> <span class="c"># ...</span> <span class="c"># After the node is back up, uncordon it</span> kubectl uncordon &lt;node-name&gt; </code></pre> </div> <h2> After the Full Upgrade </h2> <p>Once all nodes are on the new version, do a full health check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All nodes Ready and on same version</span> kubectl get nodes <span class="nt">-o</span> wide <span class="c"># No pods stuck in bad state</span> kubectl get pods <span class="nt">-A</span> | <span class="nb">grep</span> <span class="nt">-v</span> Running | <span class="nb">grep</span> <span class="nt">-v</span> Completed <span class="c"># Check system pods specifically</span> kubectl get pods <span class="nt">-n</span> kube-system <span class="c"># Verify cert status (especially useful since you're now in cert rotation territory)</span> <span class="nb">sudo </span>k3s certificate check </code></pre> </div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Your version</th> <th>Target</th> <th>Hops required</th> </tr> </thead> <tbody> <tr> <td>v1.28.4</td> <td>v1.29</td> <td>1</td> </tr> <tr> <td>v1.28.4</td> <td>v1.32</td> <td>4 (go through 29, 30, 31, 32)</td> </tr> <tr> <td>v1.28.4</td> <td>v1.33</td> <td>5 (go through 29, 30, 31, 32, 33)</td> </tr> </tbody> </table></div> <p>Take it one minor version at a time, always server first then workers, verify healthy between each hop, and mind the Traefik v2→v3 change when crossing v1.32.</p> k3s K3s Certificate Rotation: Complete Guide to Managing and Rotating Certificates giveitatry Wed, 01 Apr 2026 06:07:30 +0000 https://dev.to/giveitatry/k3s-certificate-rotation-complete-guide-to-managing-and-rotating-certificates-2ibe https://dev.to/giveitatry/k3s-certificate-rotation-complete-guide-to-managing-and-rotating-certificates-2ibe <h2> TL;DR — All Commands You Need </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Check certificate status on any node</span> <span class="nb">sudo </span>k3s certificate check <span class="c"># 2. Rotate on the SERVER node</span> <span class="nb">sudo </span>systemctl stop k3s <span class="nb">sudo </span>k3s certificate rotate <span class="nb">sudo </span>systemctl start k3s <span class="c"># 3. Update kubeconfig after server rotation</span> <span class="nb">sudo cp</span> /etc/rancher/k3s/k3s.yaml <span class="nv">$HOME</span>/.kube/config <span class="nb">sudo chown</span> <span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span>:<span class="si">$(</span><span class="nb">id</span> <span class="nt">-g</span><span class="si">)</span> <span class="nv">$HOME</span>/.kube/config <span class="c"># 4. IMMEDIATELY restart k3s-agent on EVERY worker node</span> <span class="c"># (workers will disconnect after server cert rotation — this fixes it)</span> ssh root@&lt;worker-ip&gt; <span class="nb">sudo </span>systemctl restart k3s-agent <span class="c"># 5. Verify all nodes are back</span> kubectl get nodes <span class="nt">-w</span> </code></pre> </div> <h2> Certificate Types and Their Lifetimes </h2> <p>K3s manages two fundamentally different categories of certificates, and confusing them is the most common source of operational mistakes.</p> <h3> Client and Server Certificates — 365 days </h3> <p>K3s client and server certificates are valid for 365 days from their date of issuance. These are the leaf certificates used by every component in the cluster for mutual TLS: the API server, kubelet, etcd, kube-proxy, controller-manager, scheduler, and others. They are signed by the cluster's CA certificates.</p> <p>The full list of rotatable services is: <code>admin</code>, <code>api-server</code>, <code>controller-manager</code>, <code>scheduler</code>, <code>k3s-controller</code>, <code>k3s-server</code>, <code>cloud-controller</code>, <code>etcd</code>, <code>auth-proxy</code>, <code>kubelet</code>, <code>kube-proxy</code>.</p> <h3> CA (Certificate Authority) Certificates — 10 years </h3> <p>By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed. They live in <code>/var/lib/rancher/k3s/server/tls</code> and are the root of trust for the entire cluster. The authoritative copy is stored encrypted in the datastore (etcd or SQLite), with copies extracted to disk on startup.</p> <h2> Automatic Certificate Renewal — How It Works </h2> <p>Any certificates that are expired or within 120 days of expiring are automatically renewed every time K3s starts. This renewal reuses the existing keys, and extends the lifetime of the existing certificates.</p> <p>This is the key distinction: automatic renewal <strong>extends the same keys</strong>, it doesn't rotate them. If you want brand new keys generated — for example after a security incident — you need the <code>rotate</code> subcommand covered below.</p> <p><strong>Version note:</strong> Prior to the May 2025 releases (v1.33.1+k3s1, v1.32.5+k3s1, v1.31.9+k3s1, v1.30.13+k3s1), alerts and rotation were triggered at 90 days instead of 120 days. If you're running an older cluster, the threshold is 90 days.</p> <h3> The Practical Implication </h3> <p>If your cluster nodes are rebooted or K3s is restarted at least once every few months as part of normal patching, certificates will silently renew themselves without any operator action. It is expected that you would be taking your hosts down periodically for patching and upgrading every few months — but reality has shown that many do not patch or reboot for more than 3 months, so the best practice is monitoring the certificate expiration.</p> <p>A cluster that runs for an entire year without a restart <strong>will</strong> let its certificates expire.</p> <h2> Warning Signs — What You See Before Expiry </h2> <p>When a certificate is within 120 days of expiring, a Kubernetes Warning Event with <code>reason: CertificateExpirationWarning</code> is created, with a relation to the Node using the certificate.</p> <p>You'll see events like this in your cluster logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Warning CertificateExpirationWarning Node certificates require attention - restart k3s on this node to trigger automatic rotation: kube-proxy/client-kube-proxy.crt: certificate CN=system:kube-proxy will expire within 90 days at 2025-05-03T12:14:51Z </code></pre> </div> <p>On newer versions these appear via:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get events <span class="nt">-A</span> <span class="nt">--field-selector</span> <span class="nv">reason</span><span class="o">=</span>CertificateExpirationWarning </code></pre> </div> <h2> What Happens When Certificates Actually Expire </h2> <p>This is where things get painful. You get something like this from <code>systemctl status k3s</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>x509: certificate has expired or is not yet valid </code></pre> </div> <p>And any <code>kubectl</code> call returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Unable to connect to the server: x509: certificate has expired or is not yet valid </code></pre> </div> <p><strong>What still works:</strong> Apps that are currently running continue to run with no issues — workloads don't immediately crash. The data plane keeps operating. What breaks is the <strong>control plane</strong>: you lose <code>kubectl</code> access entirely, API server communication fails, and no new deployments, scaling, or config changes are possible. If nodes restart or pods crash, Kubernetes cannot reschedule them because the control plane is inaccessible.</p> <p>The good news: certificates that are already expired are still automatically renewed every time K3s starts — so the recovery procedure is identical to the proactive rotation procedure. K3s is designed to self-heal on restart even in the fully expired state.</p> <h2> Checking Certificate Status </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>k3s certificate check </code></pre> </div> <p>Note: the <code>--output table</code> flag was added in the January 2025 releases (v1.32.0+k3s1, v1.31.5+k3s1, v1.30.9+k3s1) and will error on anything older. Check your version first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k3s <span class="nt">--version</span> <span class="c"># Only use --output table if you're on a January 2025+ release</span> <span class="nb">sudo </span>k3s certificate check <span class="nt">--output</span> table </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FILENAME SUBJECT USAGES EXPIRES RESIDUAL TIME STATUS -------- ------- ------ ------- ------------- ------ client-kube-proxy.crt system:kube-proxy ClientAuth Jun 09, 2026 10:17 UTC 1 year OK client-kubelet.crt system:node:k3s-server-1 ClientAuth Jun 09, 2026 10:17 UTC 1 year OK serving-kubelet.crt k3s-server-1 ServerAuth Jun 09, 2026 10:17 UTC 1 year OK client-k3s-controller.crt system:k3s-controller ClientAuth Jun 09, 2026 10:17 UTC 1 year OK </code></pre> </div> <p>Each certificate file in the FILENAME column contains at least two certificates — the leaf (or end entity) client/server certificate, any intermediate Certificate Authority certificates, and the root Certificate Authority certificate. That's why you see each filename appear twice — the leaf cert at 1 year, and the CA cert at 10 years.</p> <p>To inspect a specific cert directly with openssl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>openssl x509 <span class="se">\</span> <span class="nt">-in</span> /var/lib/rancher/k3s/server/tls/client-admin.crt <span class="se">\</span> <span class="nt">-noout</span> <span class="nt">-dates</span> </code></pre> </div> <p>To inspect the certificate currently embedded in your kubeconfig:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo cat</span> /etc/rancher/k3s/k3s.yaml <span class="se">\</span> | <span class="nb">grep</span> <span class="s1">'client-certificate-data'</span> <span class="se">\</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> <span class="se">\</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="se">\</span> | openssl x509 <span class="nt">-noout</span> <span class="nt">-dates</span> </code></pre> </div> <p>This is useful to confirm your local <code>kubectl</code> context is using up-to-date credentials, separate from what the node itself reports.</p> <h2> Manual Rotation — Step by Step </h2> <h3> On the Server Node </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Stop K3s</span> <span class="nb">sudo </span>systemctl stop k3s <span class="c"># Step 2: Rotate certificates (generates new certs AND new keys)</span> <span class="nb">sudo </span>k3s certificate rotate <span class="c"># Step 3: Start K3s</span> <span class="nb">sudo </span>systemctl start k3s </code></pre> </div> <p>After K3s starts back up, the new certificate is written to <code>/etc/rancher/k3s/k3s.yaml</code>. This file is your kubeconfig and now contains the updated client certificate, client key, and certificate authority data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /etc/rancher/k3s <span class="nb">ls</span> <span class="c"># k3s.yaml</span> <span class="nb">cat </span>k3s.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">&lt;base64-encoded-new-CA&gt;</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://127.0.0.1:6443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">default</span> <span class="na">user</span><span class="pi">:</span> <span class="s">default</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">default</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">user</span><span class="pi">:</span> <span class="na">client-certificate-data</span><span class="pi">:</span> <span class="s">&lt;base64-encoded-new-cert&gt;</span> <span class="na">client-key-data</span><span class="pi">:</span> <span class="s">&lt;base64-encoded-new-key&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 4: Copy the updated kubeconfig</span> <span class="nb">sudo cp</span> /etc/rancher/k3s/k3s.yaml <span class="nv">$HOME</span>/.kube/config <span class="nb">sudo chown</span> <span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span>:<span class="si">$(</span><span class="nb">id</span> <span class="nt">-g</span><span class="si">)</span> <span class="nv">$HOME</span>/.kube/config <span class="c"># If managing the cluster from a remote machine, copy it there too</span> scp root@&lt;server-ip&gt;:/etc/rancher/k3s/k3s.yaml ~/.kube/config <span class="c"># Fix the server address if it points to 127.0.0.1</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/127.0.0.1/&lt;your-server-ip&gt;/g'</span> ~/.kube/config <span class="c"># Step 5: Verify server is healthy</span> <span class="nb">sudo </span>k3s certificate check kubectl get nodes </code></pre> </div> <p>Any CI/CD pipelines, Helm deployments, or developer workstations that had a copy of the old kubeconfig will also need this updated file — the old client certificate is invalid the moment rotation runs.</p> <h3> Rotating Specific Services Only </h3> <p>You can limit rotation to specific components rather than rotating everything at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>k3s certificate rotate <span class="nt">--service</span> api-server,kubelet <span class="nb">sudo </span>k3s certificate rotate <span class="nt">--service</span> etcd <span class="nb">sudo </span>k3s certificate rotate <span class="nt">--service</span> admin,controller-manager,scheduler </code></pre> </div> <p>This is useful when only certain certs are approaching expiry, or when you want to minimize the blast radius in a sensitive environment. The stop/start of K3s is still required around this command.</p> <h2> ⚠️ Warning: Worker Nodes Will Disconnect After Rotation </h2> <p>This is something the official documentation doesn't warn you about clearly enough, and it can cause a cascading failure that looks far worse than a simple cert issue.</p> <h3> What Happens </h3> <p>When you rotate certificates on the server node, the API server starts presenting new certificates. Worker nodes running <code>k3s-agent</code> were trusting the <strong>old</strong> certificates. Until the agent is restarted and picks up the new trust chain, kubelet on each worker loses the ability to communicate with the API server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubelet stopped posting node status. </code></pre> </div> <p>The workers show as <code>NotReady</code> even though the machines themselves are perfectly healthy.</p> <h3> The Cascade With Local Storage </h3> <p>If you're using <code>local-path</code> storage (the K3s default), this gets significantly worse:</p> <ol> <li>You rotate certs on the server 🔄</li> <li>Kubelet on workers stops trusting the API server ❌</li> <li>Workers become <code>NotReady</code> ❌</li> <li>PVCs using <code>local-path</code> are physically locked to those dead nodes ❌</li> <li>Pods tied to that storage cannot reschedule ❌</li> <li>Scheduler starts throwing <code>volume node affinity conflict</code> ❌</li> <li>Any stateful workload (databases, etc.) is now stuck in <code>Pending</code> or <code>Initializing</code> forever ❌</li> </ol> <p>The fix is straightforward — but you have to do it <strong>immediately</strong> after rotating the server, before anything starts crashing and trying to reschedule.</p> <h3> Fix — Restart the Agent on Every Worker Node </h3> <p>SSH into each worker and restart the agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1 — SSH into the worker</span> ssh root@&lt;worker-ip&gt; <span class="c"># Step 2 — Restart k3s-agent</span> <span class="nb">sudo </span>systemctl restart k3s-agent <span class="c"># Step 3 — Check status</span> <span class="nb">sudo </span>systemctl status k3s-agent </code></pre> </div> <p>If the agent still won't come back after a restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Full reboot as last resort</span> <span class="nb">sudo </span>reboot </code></pre> </div> <p>Then verify from the control plane that all nodes are back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">-w</span> </code></pre> </div> <p>Wait for all workers to flip back to <code>Ready</code>. Once they do, any stuck pods will reschedule automatically — no manual intervention on the workloads themselves is needed.</p> <h3> The Correct Order of Operations for a Full Cluster Rotation </h3> <p>To avoid the disconnection cascade entirely, always treat cert rotation as a coordinated cluster-wide operation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>1. Stop k3s on server → <span class="nb">sudo </span>systemctl stop k3s 2. Rotate certs on server → <span class="nb">sudo </span>k3s certificate rotate 3. Start k3s on server → <span class="nb">sudo </span>systemctl start k3s 4. Update kubeconfig → <span class="nb">cp</span> /etc/rancher/k3s/k3s.yaml ~/.kube/config 5. Restart agent on each worker → <span class="nb">sudo </span>systemctl restart k3s-agent 6. Verify all nodes Ready → kubectl get nodes </code></pre> </div> <p>Don't wait between steps 4 and 5. The longer workers run without restarting their agent, the higher the chance that a pod crash or node pressure event triggers a rescheduling attempt that hits the <code>volume node affinity conflict</code> wall.</p> <h2> CA Certificate Rotation </h2> <p>CA rotation is a completely different operation from leaf cert rotation. To rotate CA certificates and keys, use the <code>k3s certificate rotate-ca</code> command. The command performs integrity checks to confirm that the updated certificates and keys are usable. If the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts. If problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes.</p> <h3> Non-disruptive vs. Disruptive Rotation </h3> <p>A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used. If a new root CA is required, the rotation will be disruptive. The <code>k3s certificate rotate-ca --force</code> option must be used, all nodes that were joined with a secure token (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA.</p> <p>The safe path is to generate new intermediate CAs signed by the existing root CA — existing trust chains remain valid, nodes can rejoin without token changes, and pods don't need restarts.</p> <h3> CA Rotation Procedure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stage new CA certificates into a TEMP directory</span> <span class="c"># Do NOT place them directly into the live /server/tls directory</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /tmp/k3s-ca-rotate <span class="c"># Use the helper script from the K3s repo to generate new CAs</span> curl <span class="nt">-o</span> /tmp/generate-custom-ca-certs.sh <span class="se">\</span> https://raw.githubusercontent.com/k3s-io/k3s/main/contrib/util/generate-custom-ca-certs.sh <span class="nb">chmod</span> +x /tmp/generate-custom-ca-certs.sh <span class="nv">K3S_DATADIR</span><span class="o">=</span>/tmp/k3s-ca-rotate /tmp/generate-custom-ca-certs.sh <span class="c"># Load the new CAs into the datastore</span> <span class="nb">sudo </span>k3s certificate rotate-ca <span class="nt">--path</span> /tmp/k3s-ca-rotate/server/tls <span class="c"># Restart K3s on all nodes — servers first, then agents</span> <span class="nb">sudo </span>systemctl restart k3s </code></pre> </div> <p>Back up the generated root and intermediate CA files somewhere safe after this — you'll need them if you ever need to rotate CAs again in the future.</p> <h2> Monitoring — Preventing Surprise Expiry </h2> <p><strong>Watch for Kubernetes warning events:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get events <span class="nt">-A</span> <span class="se">\</span> <span class="nt">--field-selector</span> <span class="nv">reason</span><span class="o">=</span>CertificateExpirationWarning <span class="se">\</span> <span class="nt">--watch</span> </code></pre> </div> <p><strong>Prometheus alert rule</strong> (works with kube-prometheus-stack):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">K3sCertificateExpiringSoon</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(k3s_certificate_expiry_seconds - time()) &lt; 30 * 24 * 3600</span> <span class="na">for</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">K3s</span><span class="nv"> </span><span class="s">certificate</span><span class="nv"> </span><span class="s">expiring</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">less</span><span class="nv"> </span><span class="s">than</span><span class="nv"> </span><span class="s">30</span><span class="nv"> </span><span class="s">days</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.node</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p><strong>Simple weekly cron check</strong> on the server node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># /etc/cron.weekly/k3s-cert-check</span> k3s certificate check | mail <span class="nt">-s</span> <span class="s2">"K3s cert check on </span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> ops@yourcompany.com </code></pre> </div> <h2> Summary Table </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Certificate type</th> <th>Validity</th> <th>Auto-renewal</th> <th>Rotation command</th> </tr> </thead> <tbody> <tr> <td>Client/Server leaf certs</td> <td>365 days</td> <td>Yes, on restart (if &lt; 120 days remaining)</td> <td><code>k3s certificate rotate</code></td> </tr> <tr> <td>CA certificates</td> <td>10 years</td> <td><strong>No</strong></td> <td><code>k3s certificate rotate-ca</code></td> </tr> <tr> <td>kubeconfig embedded cert</td> <td>Same as leaf</td> <td>Follows leaf rotation</td> <td>Copy updated <code>k3s.yaml</code> </td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li> <strong>Restart K3s regularly.</strong> Even just for patching every few months — this is what triggers automatic certificate renewal. A cluster that never restarts will expire its certs at the 1-year mark.</li> <li> <strong><code>rotate</code> ≠ <code>restart</code>.</strong> A plain restart extends existing keys. <code>k3s certificate rotate</code> generates entirely new keys. Use rotate when you need cryptographic freshness, not just extended validity.</li> <li> <strong>Always restart worker agents immediately after rotating the server.</strong> Workers disconnect the moment the server starts presenting new certs. Don't wait — do it before anything tries to reschedule.</li> <li> <strong><code>local-path</code> storage amplifies worker disconnection.</strong> PVCs are locked to specific nodes. If a worker goes <code>NotReady</code> while holding a PVC, any pod using that storage is stuck until the worker comes back.</li> <li> <strong>Update your kubeconfig</strong> after server node rotation — the embedded client certificate changes, and any CI/CD pipelines using the old kubeconfig will break immediately.</li> <li> <strong>CA certs are your 10-year bomb.</strong> Mark a calendar reminder. They won't warn you and won't auto-renew.</li> <li> <strong>Backups are automatic.</strong> Old certs are saved to <code>/var/lib/rancher/k3s/server/tls-&lt;timestamp&gt;</code> before rotation, giving you a rollback path.</li> </ol> k8s k3s kubernetes Running a TeamCity Agent as a systemd Service giveitatry Tue, 24 Mar 2026 06:44:39 +0000 https://dev.to/giveitatry/running-a-teamcity-agent-as-a-systemd-service-3gpp https://dev.to/giveitatry/running-a-teamcity-agent-as-a-systemd-service-3gpp <p>Running a TeamCity agent as a system service ensures it continues working after logout and automatically starts on boot. This is the recommended production setup.</p> <h2> 📁 Prerequisites </h2> <p>Make sure your TeamCity agent is installed in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/opt/teamcity/bin/agent.sh </code></pre> </div> <p>👉 The <code>agent.sh</code> script <strong>must exist inside the <code>bin</code> directory</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/opt/teamcity/bin/agent.sh </code></pre> </div> <p>Also ensure it is executable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x /opt/teamcity/bin/agent.sh </code></pre> </div> <h2> ⚙️ Create systemd service </h2> <p>Create the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/systemd/system/teamcity-agent.service </code></pre> </div> <p>Paste the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">TeamCity Build Agent</span> <span class="py">After</span><span class="p">=</span><span class="s">network.target</span> <span class="nn">[Service]</span> <span class="py">Type</span><span class="p">=</span><span class="s">oneshot</span> <span class="py">User</span><span class="p">=</span><span class="s">root</span> <span class="py">Group</span><span class="p">=</span><span class="s">root</span> <span class="py">WorkingDirectory</span><span class="p">=</span><span class="s">/opt/teamcity</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/opt/teamcity/bin/agent.sh start</span> <span class="py">ExecStop</span><span class="p">=</span><span class="s">/opt/teamcity/bin/agent.sh stop</span> <span class="py">RemainAfterExit</span><span class="p">=</span><span class="s">yes</span> <span class="py">SuccessExitStatus</span><span class="p">=</span><span class="s">0 143</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> </code></pre> </div> <h2> 🚀 Enable and start the service </h2> <p>Reload systemd and start the agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl daemon-reload <span class="nb">sudo </span>systemctl <span class="nb">enable </span>teamcity-agent <span class="nb">sudo </span>systemctl start teamcity-agent </code></pre> </div> <h2> 🔍 Verify status </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl status teamcity-agent </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Active: active (exited) </code></pre> </div> <p>This is normal for TeamCity agents when using <code>Type=oneshot</code>.</p> <h2> ⚠️ Notes </h2> <ul> <li>The agent <strong>must be located in <code>/opt/teamcity/bin/agent.sh</code></strong> </li> <li> <code>RemainAfterExit=yes</code> is required so systemd considers the service active</li> <li> <code>SuccessExitStatus=143</code> prevents false failure detection</li> <li>Using <code>root</code> works, but for production it's safer to use a dedicated user</li> </ul> teamcity Kafka 4.2.0 on Kubernetes - Complete Setup Guide - Exposed to Internet giveitatry Mon, 23 Mar 2026 08:20:43 +0000 https://dev.to/giveitatry/kafka-on-kubernetes-complete-setup-guide-exposed-to-internet-2l83 https://dev.to/giveitatry/kafka-on-kubernetes-complete-setup-guide-exposed-to-internet-2l83 <p>3-broker Kafka cluster on k3s with KRaft, SASL/SCRAM, and external access via Traefik.</p> <p><strong>Before you start — get your Traefik IP:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc traefik <span class="nt">-n</span> kube-system </code></pre> </div> <p>Copy any IP from the <code>EXTERNAL-IP</code> column. Replace every occurrence of<br> <code>192.168.1.119</code> in the YAMLs below with your actual IP.</p> <h1> Stage 1 — Bootstrap </h1> <p>Apply all of these files in order. This stage starts the cluster with port 9094<br> open (no auth) so you can register SCRAM credentials.</p> <h2> 1.1 namespace.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> namespace.yaml </code></pre> </div> <h2> 1.2 kafka-jaas.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">data</span><span class="pi">:</span> <span class="na">jaas.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">KafkaServer {</span> <span class="s">org.apache.kafka.common.security.scram.ScramLoginModule required</span> <span class="s">username="admin"</span> <span class="s">password="supersecret";</span> <span class="s">};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-jaas.yaml </code></pre> </div> <h2> 1.3 kafka-sasl.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-sasl</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">password</span><span class="pi">:</span> <span class="s">supersecret</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-sasl.yaml </code></pre> </div> <h2> 1.4 traefik-config.yaml </h2> <p>Opens three TCP entrypoints on Traefik — one per broker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">helm.cattle.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmChartConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">valuesContent</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">ports:</span> <span class="s">kafka-0:</span> <span class="s">port: 9092</span> <span class="s">expose:</span> <span class="s">default: true</span> <span class="s">exposedPort: 9092</span> <span class="s">protocol: TCP</span> <span class="s">kafka-1:</span> <span class="s">port: 9093</span> <span class="s">expose:</span> <span class="s">default: true</span> <span class="s">exposedPort: 9093</span> <span class="s">protocol: TCP</span> <span class="s">kafka-2:</span> <span class="s">port: 9094</span> <span class="s">expose:</span> <span class="s">default: true</span> <span class="s">exposedPort: 9094</span> <span class="s">protocol: TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> traefik-config.yaml kubectl rollout status deployment/traefik <span class="nt">-n</span> kube-system </code></pre> </div> <p>Verify ports appeared:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc traefik <span class="nt">-n</span> kube-system <span class="c"># PORT(S) should include 9092, 9093, 9094 alongside 80 and 443</span> </code></pre> </div> <h2> 1.5 kafka-traefik.yaml </h2> <p>Headless service for internal pod DNS, one ClusterIP service per broker<br> (Traefik v3 routes to port 9095 on each pod), and IngressRouteTCP rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">plaintext-bootstrap</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9094</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-0-external</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">statefulset.kubernetes.io/pod-name</span><span class="pi">:</span> <span class="s">kafka-0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-1-external</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">statefulset.kubernetes.io/pod-name</span><span class="pi">:</span> <span class="s">kafka-1</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-2-external</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">statefulset.kubernetes.io/pod-name</span><span class="pi">:</span> <span class="s">kafka-2</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRouteTCP</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-0-tcp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka-0</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">HostSNI(`*`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-0-external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRouteTCP</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-1-tcp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka-1</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">HostSNI(`*`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-1-external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRouteTCP</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-2-tcp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka-2</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">HostSNI(`*`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-2-external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-traefik.yaml </code></pre> </div> <h2> 1.6 kafka-stateful-bootstrap.yaml </h2> <blockquote> <p>⚠️ Replace <code>192.168.1.119</code> with your Traefik IP before applying.</p> </blockquote> <p>Includes:</p> <ul> <li> <code>EXTERNAL</code> listener on port 9095 — Traefik routes external traffic here</li> <li> <code>PLAINTEXT</code> listener on port 9094 — temporary, no auth, used to register SCRAM credentials</li> <li>init container calculates the external port per broker: kafka-0 → 9092, kafka-1 → 9093, kafka-2 → 9094 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-node-id</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.36</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ORDINAL=$(hostname | awk -F'-' '{print $NF}')</span> <span class="s">echo "$ORDINAL" &gt; /config/node-id</span> <span class="s">EXTERNAL_PORT=$((9092 + ORDINAL))</span> <span class="s">echo "$EXTERNAL_PORT" &gt; /config/external-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">format-storage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">NODE_ID=$(cat /config/node-id)</span> <span class="s">if [ ! -f "/data/meta.properties" ]; then</span> <span class="s">echo "Formatting storage for node $NODE_ID..."</span> <span class="s">echo "node.id=$NODE_ID" &gt; /tmp/kraft.properties</span> <span class="s">echo "process.roles=broker,controller" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.quorum.voters=0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listeners=PLAINTEXT://:9092,CONTROLLER://:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "advertised.listeners=PLAINTEXT://localhost:9092" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listener.security.protocol.map=PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "inter.broker.listener.name=PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.listener.names=CONTROLLER" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "log.dirs=/data" &gt;&gt; /tmp/kraft.properties</span> <span class="s">/opt/kafka/bin/kafka-storage.sh format \</span> <span class="s">--ignore-formatted \</span> <span class="s">--cluster-id q1Sh-9_ISia_zwGINzRvyQ \</span> <span class="s">--config /tmp/kraft.properties</span> <span class="s">else</span> <span class="s">echo "Already formatted, skipping."</span> <span class="s">fi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export KAFKA_NODE_ID=$(cat /config/node-id)</span> <span class="s">export EXTERNAL_PORT=$(cat /config/external-port)</span> <span class="s">export KAFKA_ADVERTISED_LISTENERS="INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092,EXTERNAL://192.168.1.119:${EXTERNAL_PORT},PLAINTEXT://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9094"</span> <span class="s">exec /etc/kafka/docker/run</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9094</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLUSTER_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">q1Sh-9_ISia_zwGINzRvyQ"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_PROCESS_ROLES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">broker,controller"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_LISTENER_NAMES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CONTROLLER"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_QUORUM_VOTERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093,EXTERNAL://:9095,PLAINTEXT://:9094"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT,PLAINTEXT:PLAINTEXT"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_INTER_BROKER_LISTENER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_ENABLED_MECHANISMS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_MIN_ISR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_MIN_INSYNC_REPLICAS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LOG_DIRS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Djava.security.auth.login.config=/opt/kafka/config/jaas/jaas.conf"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/kafka/config/jaas</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ReadWriteOnce"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-stateful-bootstrap.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> 1.7 Register SCRAM credentials </h2> <p>Port 9094 is open and unauthenticated. Use it to write the admin user into<br> Kafka's metadata store. This is a one-time operation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-configs.sh <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9094 <span class="se">\</span> <span class="nt">--alter</span> <span class="se">\</span> <span class="nt">--add-config</span> <span class="s1">'SCRAM-SHA-512=[password=supersecret]'</span> <span class="se">\</span> <span class="nt">--entity-type</span> <span class="nb">users</span> <span class="se">\</span> <span class="nt">--entity-name</span> admin </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Completed updating config for user admin. </code></pre> </div> <p>To add more users (application service accounts), repeat the command with<br> different <code>--entity-name</code> and password values while port 9094 is still open.</p> <h1> Stage 2 — Production (close port 9094) </h1> <p>Port 9094 is now unnecessary and a security risk. Apply the final StatefulSet<br> to remove it. No other files change.</p> <h2> 2.1 kafka-stateful-final.yaml </h2> <blockquote> <p>⚠️ Replace <code>192.168.1.119</code> with your Traefik IP before applying.</p> </blockquote> <p>Identical to the bootstrap version except:</p> <ul> <li> <code>PLAINTEXT://:9094</code> removed from <code>KAFKA_LISTENERS</code> </li> <li> <code>PLAINTEXT:PLAINTEXT</code> removed from <code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code> </li> <li>PLAINTEXT entry removed from <code>KAFKA_ADVERTISED_LISTENERS</code> </li> <li> <code>containerPort: 9094</code> removed </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-node-id</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.36</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ORDINAL=$(hostname | awk -F'-' '{print $NF}')</span> <span class="s">echo "$ORDINAL" &gt; /config/node-id</span> <span class="s">EXTERNAL_PORT=$((9092 + ORDINAL))</span> <span class="s">echo "$EXTERNAL_PORT" &gt; /config/external-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">format-storage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">NODE_ID=$(cat /config/node-id)</span> <span class="s">if [ ! -f "/data/meta.properties" ]; then</span> <span class="s">echo "Formatting storage for node $NODE_ID..."</span> <span class="s">echo "node.id=$NODE_ID" &gt; /tmp/kraft.properties</span> <span class="s">echo "process.roles=broker,controller" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.quorum.voters=0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listeners=PLAINTEXT://:9092,CONTROLLER://:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "advertised.listeners=PLAINTEXT://localhost:9092" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listener.security.protocol.map=PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "inter.broker.listener.name=PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.listener.names=CONTROLLER" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "log.dirs=/data" &gt;&gt; /tmp/kraft.properties</span> <span class="s">/opt/kafka/bin/kafka-storage.sh format \</span> <span class="s">--ignore-formatted \</span> <span class="s">--cluster-id q1Sh-9_ISia_zwGINzRvyQ \</span> <span class="s">--config /tmp/kraft.properties</span> <span class="s">else</span> <span class="s">echo "Already formatted, skipping."</span> <span class="s">fi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export KAFKA_NODE_ID=$(cat /config/node-id)</span> <span class="s">export EXTERNAL_PORT=$(cat /config/external-port)</span> <span class="s">export KAFKA_ADVERTISED_LISTENERS="INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092,EXTERNAL://192.168.1.119:${EXTERNAL_PORT}"</span> <span class="s">exec /etc/kafka/docker/run</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLUSTER_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">q1Sh-9_ISia_zwGINzRvyQ"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_PROCESS_ROLES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">broker,controller"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_LISTENER_NAMES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CONTROLLER"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_QUORUM_VOTERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093,EXTERNAL://:9095"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_INTER_BROKER_LISTENER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_ENABLED_MECHANISMS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_MIN_ISR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_MIN_INSYNC_REPLICAS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LOG_DIRS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Djava.security.auth.login.config=/opt/kafka/config/jaas/jaas.conf"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/kafka/config/jaas</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ReadWriteOnce"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-stateful-final.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> 2.2 Verify </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-metadata-quorum.sh <span class="se">\</span> <span class="nt">--bootstrap-controller</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9093 <span class="se">\</span> describe <span class="nt">--status</span> </code></pre> </div> <p>Healthy output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">LeaderId:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">MaxFollowerLag:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">MaxFollowerLagTimeMs:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">CurrentVoters:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">}]</span><span class="w"> </span><span class="err">CurrentObservers:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></code></pre> </div> <h2> 2.3 Python client </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>kafka-python-ng </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">kafka</span> <span class="kn">import</span> <span class="n">KafkaProducer</span><span class="p">,</span> <span class="n">KafkaConsumer</span><span class="p">,</span> <span class="n">KafkaAdminClient</span> <span class="kn">from</span> <span class="n">kafka.admin</span> <span class="kn">import</span> <span class="n">NewTopic</span> <span class="kn">from</span> <span class="n">kafka.errors</span> <span class="kn">import</span> <span class="n">TopicAlreadyExistsError</span> <span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">time</span> <span class="c1"># Replace 192.168.1.119 with your Traefik IP </span><span class="n">BOOTSTRAP_SERVERS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">192.168.1.119:9092</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># kafka-0 </span> <span class="sh">"</span><span class="s">192.168.1.119:9093</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># kafka-1 </span> <span class="sh">"</span><span class="s">192.168.1.119:9094</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># kafka-2 </span><span class="p">]</span> <span class="n">SASL_CONFIG</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">security_protocol</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SASL_PLAINTEXT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sasl_mechanism</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SCRAM-SHA-512</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sasl_plain_username</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sasl_plain_password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">supersecret</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="n">TOPIC</span> <span class="o">=</span> <span class="sh">"</span><span class="s">orders</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">create_topic</span><span class="p">(</span><span class="n">topic</span><span class="p">):</span> <span class="n">admin</span> <span class="o">=</span> <span class="nc">KafkaAdminClient</span><span class="p">(</span><span class="n">bootstrap_servers</span><span class="o">=</span><span class="n">BOOTSTRAP_SERVERS</span><span class="p">,</span> <span class="o">**</span><span class="n">SASL_CONFIG</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">admin</span><span class="p">.</span><span class="nf">create_topics</span><span class="p">([</span> <span class="nc">NewTopic</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">topic</span><span class="p">,</span> <span class="n">num_partitions</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">replication_factor</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Topic </span><span class="sh">'</span><span class="si">{</span><span class="n">topic</span><span class="si">}</span><span class="sh">'</span><span class="s"> created.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">TopicAlreadyExistsError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Topic </span><span class="sh">'</span><span class="si">{</span><span class="n">topic</span><span class="si">}</span><span class="sh">'</span><span class="s"> already exists.</span><span class="sh">"</span><span class="p">)</span> <span class="k">finally</span><span class="p">:</span> <span class="n">admin</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">produce</span><span class="p">(</span><span class="n">topic</span><span class="o">=</span><span class="n">TOPIC</span><span class="p">,</span> <span class="n">count</span><span class="o">=</span><span class="mi">10</span><span class="p">):</span> <span class="n">producer</span> <span class="o">=</span> <span class="nc">KafkaProducer</span><span class="p">(</span> <span class="n">bootstrap_servers</span><span class="o">=</span><span class="n">BOOTSTRAP_SERVERS</span><span class="p">,</span> <span class="o">**</span><span class="n">SASL_CONFIG</span><span class="p">,</span> <span class="n">value_serializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">v</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">v</span><span class="p">).</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">key_serializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">k</span><span class="p">:</span> <span class="n">k</span><span class="p">.</span><span class="nf">encode</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="n">acks</span><span class="o">=</span><span class="sh">"</span><span class="s">all</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">count</span><span class="p">):</span> <span class="n">meta</span> <span class="o">=</span> <span class="n">producer</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="n">topic</span><span class="p">,</span> <span class="n">key</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="n">value</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">i</span><span class="p">,</span> <span class="sh">"</span><span class="s">ts</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()}</span> <span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> sent [</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s">] partition=</span><span class="si">{</span><span class="n">meta</span><span class="p">.</span><span class="n">partition</span><span class="si">}</span><span class="s"> offset=</span><span class="si">{</span><span class="n">meta</span><span class="p">.</span><span class="n">offset</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">producer</span><span class="p">.</span><span class="nf">flush</span><span class="p">()</span> <span class="n">producer</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">consume</span><span class="p">(</span><span class="n">topic</span><span class="o">=</span><span class="n">TOPIC</span><span class="p">):</span> <span class="n">consumer</span> <span class="o">=</span> <span class="nc">KafkaConsumer</span><span class="p">(</span> <span class="n">topic</span><span class="p">,</span> <span class="n">bootstrap_servers</span><span class="o">=</span><span class="n">BOOTSTRAP_SERVERS</span><span class="p">,</span> <span class="o">**</span><span class="n">SASL_CONFIG</span><span class="p">,</span> <span class="n">value_deserializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">v</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">v</span><span class="p">.</span><span class="nf">decode</span><span class="p">()),</span> <span class="n">key_deserializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">k</span><span class="p">:</span> <span class="n">k</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="n">group_id</span><span class="o">=</span><span class="sh">"</span><span class="s">my-group</span><span class="sh">"</span><span class="p">,</span> <span class="n">auto_offset_reset</span><span class="o">=</span><span class="sh">"</span><span class="s">earliest</span><span class="sh">"</span><span class="p">,</span> <span class="n">consumer_timeout_ms</span><span class="o">=</span><span class="mi">5000</span><span class="p">,</span> <span class="p">)</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">consumer</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s"> recv key=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">key</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">partition=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">partition</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">offset=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">offset</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">value=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">value</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">consumer</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">create_topic</span><span class="p">(</span><span class="n">TOPIC</span><span class="p">)</span> <span class="nf">produce</span><span class="p">()</span> <span class="nf">consume</span><span class="p">()</span> </code></pre> </div> <h2> Troubleshooting </h2> <p><strong>Pods not starting</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> format-storage kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> init-node-id </code></pre> </div> <p><strong>SCRAM registration times out</strong></p> <p>Port 9094 is not reachable. Check the headless service includes it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc kafka-headless <span class="nt">-n</span> kafka </code></pre> </div> <p><strong>Python client connects but gets wrong broker addresses</strong></p> <p>The Traefik IP in the StatefulSet command block is wrong. Fix it and roll:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <p><strong>Traefik ports not appearing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart deployment/traefik <span class="nt">-n</span> kube-system kubectl get svc traefik <span class="nt">-n</span> kube-system </code></pre> </div> devops kubernetes networking tutorial Deploying Apache Kafka 4.2.0 on Kubernetes with KRaft, SASL, and High Availability giveitatry Sun, 22 Mar 2026 12:41:13 +0000 https://dev.to/giveitatry/deploying-apache-kafka-4x-on-kubernetes-with-kraft-sasl-and-high-availability-3m0k https://dev.to/giveitatry/deploying-apache-kafka-4x-on-kubernetes-with-kraft-sasl-and-high-availability-3m0k <h2> Overview </h2> <p>This guide walks through deploying a production-grade Apache Kafka cluster on Kubernetes using KRaft mode (no ZooKeeper), SASL/SCRAM-SHA-512 authentication, and a 3-node StatefulSet for high availability. It covers every manifest file required, the reasoning behind each configuration decision, the SCRAM credential bootstrap process, common pitfalls encountered in practice, and the steps needed to take the cluster from running to production-ready.</p> <h2> Prerequisites </h2> <h3> Tools </h3> <ul> <li> <code>kubectl</code> configured against your target cluster</li> <li>A Kubernetes cluster with at least 3 nodes (one per Kafka pod) with sufficient resources</li> <li>Persistent volume provisioner available (e.g. local-path, Longhorn, Ceph, AWS EBS)</li> <li> <code>keytool</code> (part of the JDK) if you plan to add TLS later</li> </ul> <h3> Cluster Resources </h3> <p>Each Kafka pod in this guide requests 500m CPU and 1Gi RAM, with limits of 2 CPU and 4Gi RAM. For production you should size these based on your throughput requirements. A minimum of 10Gi persistent storage per broker is configured.</p> <h3> Kubernetes Version </h3> <p>Kubernetes 1.21 or later is recommended. StatefulSets, headless Services, and ConfigMaps used in this guide are stable APIs available in all modern versions.</p> <h2> Architecture </h2> <p>The cluster consists of three pods (<code>kafka-0</code>, <code>kafka-1</code>, <code>kafka-2</code>) each running in combined broker+controller mode using KRaft. This means each pod participates in the Raft quorum for metadata management as well as serving producer and consumer traffic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ Kafka Namespace │ │ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ kafka-0 │ │ kafka-1 │ │ kafka-2 │ │ │ │ broker │ │ broker │ │ broker │ │ │ │ + ctrl │ │ + ctrl │ │ + ctrl │ │ │ └────┬────┘ └────┬────┘ └────┬────┘ │ │ │ │ │ │ │ port 9092 (SASL_PLAINTEXT — broker) │ │ port 9093 (PLAINTEXT — controller) │ │ │ │ ┌─────────────────────────────────┐ │ │ │ kafka-headless (ClusterIP: │ │ │ │ None) — DNS per pod │ │ │ └─────────────────────────────────┘ │ └─────────────────────────────────────────┘ </code></pre> </div> <p>KRaft requires a majority quorum (2 out of 3) to elect a leader and commit metadata. The cluster can tolerate the loss of one node.</p> <h2> File Structure </h2> <p>You need five manifest files plus one temporary modification during the SCRAM bootstrap process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">namespace.yaml — Kafka namespace</span> <span class="s">kafka-svc.yaml — Headless service for pod DNS</span> <span class="s">kafka-jaas.yaml — JAAS config for inter-broker SCRAM auth</span> <span class="s">kafka-sasl.yaml — Secret holding admin credentials for client apps</span> <span class="s">kafka-stateful-set.yaml — Brokers, init containers, volumes, config</span> </code></pre> </div> <h2> Step 1 — Namespace </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># namespace.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <p>Apply first so all subsequent resources land in the correct namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> namespace.yaml </code></pre> </div> <h2> Step 2 — Headless Service </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-svc.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> </code></pre> </div> <p>A headless service (<code>clusterIP: None</code>) causes Kubernetes DNS to create per-pod A records:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kafka-0.kafka-headless.kafka.svc.cluster.local kafka-1.kafka-headless.kafka.svc.cluster.local kafka-2.kafka-headless.kafka.svc.cluster.local </code></pre> </div> <p>These stable DNS names are what the KRaft quorum voters list and the advertised listeners are built from. They survive pod restarts and rescheduling because they are tied to the StatefulSet ordinal, not the pod IP.</p> <h2> Step 3 — JAAS Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-jaas.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">data</span><span class="pi">:</span> <span class="na">jaas.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">KafkaServer {</span> <span class="s">org.apache.kafka.common.security.scram.ScramLoginModule required</span> <span class="s">username="admin"</span> <span class="s">password="supersecret";</span> <span class="s">};</span> </code></pre> </div> <p>This file configures the Java Authentication and Authorization Service (JAAS) for the Kafka broker process itself. The <code>username</code> and <code>password</code> here are the inter-broker credentials — what each broker uses when authenticating to other brokers on the <code>INTERNAL</code> listener.</p> <p><strong>Important:</strong> JAAS alone does not create the SCRAM user in Kafka's metadata store. That is a separate bootstrap step performed after the cluster is running (see Step 7). The JAAS file tells the broker process what credentials to use, but those credentials must also exist in Kafka's internal metadata before inter-broker authentication will succeed.</p> <h2> Step 4 — SASL Secret </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-sasl.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-sasl</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">password</span><span class="pi">:</span> <span class="s">supersecret</span> </code></pre> </div> <p>This secret can be mounted into client pods or referenced by applications that need to connect to Kafka. It is separate from the JAAS ConfigMap so that client credentials can be managed independently of the broker configuration.</p> <h2> Step 5 — StatefulSet </h2> <p>This is the core manifest. It contains two init containers and one main broker container.</p> <h3> Why Two Init Containers? </h3> <p><strong>init-node-id</strong> runs a tiny busybox container to extract the pod ordinal (0, 1, or 2) from the hostname and writes it to a shared <code>emptyDir</code> volume. This is necessary because Kubernetes environment variable substitution does not support string manipulation, so you cannot derive the integer <code>0</code> from the pod name <code>kafka-0</code> using env vars alone.</p> <p><strong>format-storage</strong> runs the actual Kafka image to format the KRaft log directory using <code>kafka-storage.sh</code>. It only runs if <code>/data/meta.properties</code> does not already exist, making it safe on pod restarts. The temporary <code>kraft.properties</code> file used during formatting includes a dummy plaintext broker listener — this is required because Kafka's config validator refuses to proceed if the only listener defined is a controller listener. These values are only used during formatting and are not used by the running broker.</p> <h3> Why <code>/etc/kafka/docker/run</code> Instead of <code>kafka-server-start.sh</code>? </h3> <p>The official <code>apache/kafka</code> Docker image ships an entrypoint at <code>/etc/kafka/docker/run</code> that translates <code>KAFKA_*</code> environment variables into <code>server.properties</code> entries before starting the broker. Calling <code>kafka-server-start.sh</code> directly bypasses this translation entirely — env vars like <code>KAFKA_LOG_DIRS</code> are ignored and the broker falls back to compiled-in defaults, causing it to look for data in the wrong directory.</p> <h3> Why <code>CLUSTER_ID</code> as an Env Var? </h3> <p>If <code>CLUSTER_ID</code> is not set, the official entrypoint generates a new random cluster ID on every pod start and attempts to re-format storage. This fails because the existing <code>meta.properties</code> already has a different ID written by the init container. Always set <code>CLUSTER_ID</code> to match the value used during the format step.</p> <h3> Generating Your Own Cluster ID </h3> <p>The cluster ID <code>q1Sh-9_ISia_zwGINzRvyQ</code> used in this guide was generated with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/opt/kafka/bin/kafka-storage.sh random-uuid </code></pre> </div> <p>Generate your own unique ID for each cluster you deploy. Do not reuse IDs across clusters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-stateful-set.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-node-id</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.36</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ORDINAL=$(hostname | awk -F'-' '{print $NF}')</span> <span class="s">echo "$ORDINAL" &gt; /config/node-id</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">format-storage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">NODE_ID=$(cat /config/node-id)</span> <span class="s">if [ ! -f "/data/meta.properties" ]; then</span> <span class="s">echo "Formatting storage for node $NODE_ID..."</span> <span class="s">echo "node.id=$NODE_ID" &gt; /tmp/kraft.properties</span> <span class="s">echo "process.roles=broker,controller" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.quorum.voters=0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listeners=PLAINTEXT://:9092,CONTROLLER://:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "advertised.listeners=PLAINTEXT://localhost:9092" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listener.security.protocol.map=PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "inter.broker.listener.name=PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.listener.names=CONTROLLER" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "log.dirs=/data" &gt;&gt; /tmp/kraft.properties</span> <span class="s">/opt/kafka/bin/kafka-storage.sh format \</span> <span class="s">--ignore-formatted \</span> <span class="s">--cluster-id q1Sh-9_ISia_zwGINzRvyQ \</span> <span class="s">--config /tmp/kraft.properties</span> <span class="s">else</span> <span class="s">echo "Already formatted, skipping."</span> <span class="s">fi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export KAFKA_NODE_ID=$(cat /config/node-id)</span> <span class="s">exec /etc/kafka/docker/run</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9093</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLUSTER_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">q1Sh-9_ISia_zwGINzRvyQ"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_PROCESS_ROLES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">broker,controller"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_LISTENER_NAMES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CONTROLLER"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_QUORUM_VOTERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_INTER_BROKER_LISTENER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_ADVERTISED_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_ENABLED_MECHANISMS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_MIN_ISR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_MIN_INSYNC_REPLICAS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LOG_DIRS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Djava.security.auth.login.config=/opt/kafka/config/jaas/jaas.conf"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/kafka/config/jaas</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ReadWriteOnce"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <h2> Step 6 — Initial Deployment </h2> <p>Apply all manifests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> namespace.yaml kubectl apply <span class="nt">-f</span> kafka-svc.yaml kubectl apply <span class="nt">-f</span> kafka-jaas.yaml kubectl apply <span class="nt">-f</span> kafka-sasl.yaml kubectl apply <span class="nt">-f</span> kafka-stateful-set.yaml </code></pre> </div> <p>Watch the pods come up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> kafka <span class="nt">-w</span> </code></pre> </div> <p>All three pods should reach <code>Running</code> status within a minute or two. Check kafka-0 logs to confirm a clean startup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kafka kafka-0 </code></pre> </div> <p>A healthy startup ends with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[KafkaRaftServer nodeId=0] Kafka Server started </code></pre> </div> <h2> Step 7 — Bootstrap SCRAM Credentials </h2> <p>This is the most involved post-deployment step, and also the most commonly misunderstood. Here is why it requires a special process.</p> <h3> The Chicken-and-Egg Problem </h3> <p>The broker's <code>INTERNAL</code> listener (port 9092) requires SASL/SCRAM-SHA-512 authentication. The <code>kafka-configs.sh</code> admin tool needs to connect to a broker to write SCRAM credentials into Kafka's metadata. But to connect to the broker, you need valid SCRAM credentials — which don't exist yet because you haven't written them.</p> <p>There are two apparent escape hatches that do not actually work:</p> <ul> <li> <strong>Using the JAAS file credentials directly against port 9092</strong> — the JAAS file tells the broker process what credentials to use for its own inter-broker connections, but those credentials must also exist in Kafka's metadata store before the SCRAM handshake will succeed. The JAAS file does not pre-populate metadata.</li> <li> <strong>Using <code>--bootstrap-controller</code> against port 9093</strong> — Kafka 4.x does not support the <code>alterUserScramCredentials</code> admin API via the controller quorum endpoint. It must go through a broker.</li> </ul> <p>The solution is to temporarily open an unauthenticated <code>PLAINTEXT</code> listener on a separate port (9094), use it to write the credentials, then close it again.</p> <h3> 7a — Add the Temporary Listener to the Service </h3> <p>Edit <code>kafka-svc.yaml</code> to add port 9094:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-svc.yaml (temporary — port 9094 will be removed after bootstrap)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">plaintext-bootstrap</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9094</span> </code></pre> </div> <h3> 7b — Add the Temporary Listener to the StatefulSet </h3> <p>Edit <code>kafka-stateful-set.yaml</code> and make these changes to the broker container:</p> <p>Add <code>containerPort: 9094</code> to the ports list.</p> <p>Change <code>KAFKA_LISTENERS</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093,PLAINTEXT://:9094"</span> </code></pre> </div> <p>Change <code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT"</span> </code></pre> </div> <p>Change <code>KAFKA_ADVERTISED_LISTENERS</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_ADVERTISED_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092,PLAINTEXT://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9094"</span> </code></pre> </div> <h3> 7c — Apply and Wait for Rollout </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-svc.yaml kubectl apply <span class="nt">-f</span> kafka-stateful-set.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h3> 7d — Register the SCRAM Credentials </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-configs.sh <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9094 <span class="se">\</span> <span class="nt">--alter</span> <span class="se">\</span> <span class="nt">--add-config</span> <span class="s1">'SCRAM-SHA-512=[password=supersecret]'</span> <span class="se">\</span> <span class="nt">--entity-type</span> <span class="nb">users</span> <span class="se">\</span> <span class="nt">--entity-name</span> admin </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Completed updating config for user admin. </code></pre> </div> <p>If you need additional users (application service accounts), register them now while port 9094 is still open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-configs.sh <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9094 <span class="se">\</span> <span class="nt">--alter</span> <span class="se">\</span> <span class="nt">--add-config</span> <span class="s1">'SCRAM-SHA-512=[password=apppassword]'</span> <span class="se">\</span> <span class="nt">--entity-type</span> <span class="nb">users</span> <span class="se">\</span> <span class="nt">--entity-name</span> myapp </code></pre> </div> <h3> 7e — Remove the Temporary Listener </h3> <p>Revert <code>kafka-svc.yaml</code> to remove port 9094:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-svc.yaml (final)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> </code></pre> </div> <p>Revert the StatefulSet changes — remove the <code>PLAINTEXT</code> entries from <code>KAFKA_LISTENERS</code>, <code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code>, and <code>KAFKA_ADVERTISED_LISTENERS</code>, and remove the <code>containerPort: 9094</code> line.</p> <p>Apply and wait:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-svc.yaml kubectl apply <span class="nt">-f</span> kafka-stateful-set.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> Step 8 — Verify the Cluster </h2> <p>Check the KRaft quorum status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-metadata-quorum.sh <span class="se">\</span> <span class="nt">--bootstrap-controller</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9093 <span class="se">\</span> describe <span class="nt">--status</span> </code></pre> </div> <p>A healthy cluster shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">LeaderId:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">LeaderEpoch:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="err">HighWatermark:</span><span class="w"> </span><span class="mi">303</span><span class="w"> </span><span class="err">MaxFollowerLag:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">MaxFollowerLagTimeMs:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">CurrentVoters:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">}]</span><span class="w"> </span><span class="err">CurrentObservers:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></code></pre> </div> <p><code>MaxFollowerLag: 0</code> confirms all three nodes are fully in sync. Three voters and no observers confirms all nodes are full participants in the quorum.</p> <p>Verify SASL authentication works on port 9092:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> bash <span class="nt">-c</span> <span class="s1">' cat &gt; /tmp/client.properties &lt;&lt; EOF security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="supersecret"; EOF /opt/kafka/bin/kafka-topics.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --command-config /tmp/client.properties \ --list '</span> </code></pre> </div> <p>Create a test topic and produce/consume a message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> bash <span class="nt">-c</span> <span class="s1">' cat &gt; /tmp/client.properties &lt;&lt; EOF security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="supersecret"; EOF /opt/kafka/bin/kafka-topics.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --command-config /tmp/client.properties \ --create --topic test --partitions 3 --replication-factor 3 echo "hello kafka" | /opt/kafka/bin/kafka-console-producer.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --producer.config /tmp/client.properties \ --topic test /opt/kafka/bin/kafka-console-consumer.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --consumer.config /tmp/client.properties \ --topic test --from-beginning --max-messages 1 '</span> </code></pre> </div> <h2> Production Hardening Checklist </h2> <p>The cluster at this point is functional and secured with SASL. The following additional steps are needed before handling real production traffic.</p> <h3> Add TLS Encryption </h3> <p>The current setup uses <code>SASL_PLAINTEXT</code>, meaning credentials and data are transmitted unencrypted within the cluster. For any environment where network traffic could be intercepted, upgrade to <code>SASL_SSL</code>.</p> <p>Generate a keystore and truststore using <code>keytool</code>. The Subject Alternative Names (SANs) must cover all broker hostnames — this is the most common mistake when setting up TLS for Kafka on Kubernetes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">PASS</span><span class="o">=</span>yourpassword <span class="nv">SAN</span><span class="o">=</span><span class="s2">"dns:kafka-0.kafka-headless.kafka.svc.cluster.local,</span><span class="se">\</span><span class="s2"> dns:kafka-1.kafka-headless.kafka.svc.cluster.local,</span><span class="se">\</span><span class="s2"> dns:kafka-2.kafka-headless.kafka.svc.cluster.local,</span><span class="se">\</span><span class="s2"> dns:kafka-headless.kafka.svc.cluster.local"</span> <span class="c"># Generate CA</span> keytool <span class="nt">-genkeypair</span> <span class="nt">-alias</span> ca <span class="nt">-keyalg</span> RSA <span class="nt">-keysize</span> 2048 <span class="se">\</span> <span class="nt">-dname</span> <span class="s2">"CN=kafka-ca"</span> <span class="nt">-validity</span> 3650 <span class="se">\</span> <span class="nt">-keystore</span> ca.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-storetype</span> JKS keytool <span class="nt">-exportcert</span> <span class="nt">-alias</span> ca <span class="nt">-keystore</span> ca.jks <span class="se">\</span> <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-file</span> ca.crt <span class="c"># Generate broker keypair and CSR</span> keytool <span class="nt">-genkeypair</span> <span class="nt">-alias</span> kafka <span class="nt">-keyalg</span> RSA <span class="nt">-keysize</span> 2048 <span class="se">\</span> <span class="nt">-dname</span> <span class="s2">"CN=kafka"</span> <span class="nt">-validity</span> 3650 <span class="se">\</span> <span class="nt">-keystore</span> keystore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-storetype</span> JKS keytool <span class="nt">-certreq</span> <span class="nt">-alias</span> kafka <span class="nt">-keystore</span> keystore.jks <span class="se">\</span> <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-file</span> kafka.csr <span class="c"># Sign the CSR with the CA, including all broker SANs</span> keytool <span class="nt">-gencert</span> <span class="nt">-alias</span> ca <span class="nt">-keystore</span> ca.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="se">\</span> <span class="nt">-infile</span> kafka.csr <span class="nt">-outfile</span> kafka.crt <span class="nt">-validity</span> 3650 <span class="se">\</span> <span class="nt">-ext</span> <span class="s2">"SAN=</span><span class="nv">$SAN</span><span class="s2">"</span> <span class="c"># Import CA + signed cert into the keystore</span> keytool <span class="nt">-importcert</span> <span class="nt">-alias</span> ca <span class="nt">-file</span> ca.crt <span class="se">\</span> <span class="nt">-keystore</span> keystore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-noprompt</span> keytool <span class="nt">-importcert</span> <span class="nt">-alias</span> kafka <span class="nt">-file</span> kafka.crt <span class="se">\</span> <span class="nt">-keystore</span> keystore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-noprompt</span> <span class="c"># Build truststore containing only the CA</span> keytool <span class="nt">-importcert</span> <span class="nt">-alias</span> ca <span class="nt">-file</span> ca.crt <span class="se">\</span> <span class="nt">-keystore</span> truststore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-noprompt</span> <span class="c"># Store in Kubernetes</span> kubectl create secret generic kafka-tls <span class="nt">-n</span> kafka <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>keystore.jks<span class="o">=</span>keystore.jks <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>truststore.jks<span class="o">=</span>truststore.jks <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">password</span><span class="o">=</span><span class="nv">$PASS</span> <span class="se">\</span> <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml | kubectl apply <span class="nt">-f</span> - </code></pre> </div> <p>Then update the StatefulSet to mount the secret and change the listener protocols:</p> <ul> <li> <code>INTERNAL:SASL_PLAINTEXT</code> → <code>INTERNAL:SASL_SSL</code> </li> <li> <code>CONTROLLER:PLAINTEXT</code> → <code>CONTROLLER:SSL</code> </li> <li>Add <code>KAFKA_SSL_KEYSTORE_LOCATION</code>, <code>KAFKA_SSL_TRUSTSTORE_LOCATION</code>, <code>KAFKA_SSL_KEYSTORE_PASSWORD</code>, <code>KAFKA_SSL_TRUSTSTORE_PASSWORD</code> env vars</li> <li>Mount the <code>kafka-tls</code> secret as a volume at <code>/tls</code> </li> </ul> <h3> Change Default Credentials </h3> <p>The <code>admin</code>/<code>supersecret</code> credentials used in this guide are for demonstration only. Before going to production:</p> <ol> <li>Update <code>kafka-jaas.yaml</code> with a strong randomly generated password</li> <li>Update <code>kafka-sasl.yaml</code> with the same password</li> <li>Re-register the SCRAM credentials using the bootstrap process in Step 7</li> <li>Rotate any client configurations that reference the old credentials</li> </ol> <h3> Network Policies </h3> <p>Add a NetworkPolicy to restrict which pods can reach Kafka:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-network-policy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="pi">-</span> <span class="s">Egress</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">egress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">to</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <h3> Pod Anti-Affinity </h3> <p>Prevent Kubernetes from scheduling multiple Kafka pods on the same node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">affinity</span><span class="pi">:</span> <span class="na">podAntiAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">labelSelector</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">app</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> </code></pre> </div> <p>Add this under <code>spec.template.spec</code> in the StatefulSet.</p> <h3> Pod Disruption Budget </h3> <p>Ensure Kubernetes never takes down more than one Kafka pod at a time during voluntary disruptions such as node drains or rolling updates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-pdb</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <h3> Liveness and Readiness Probes </h3> <p>Add probes so Kubernetes can detect and restart unhealthy pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">tcpSocket</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">6</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">tcpSocket</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">20</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <h3> Resource Tuning </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Workload</th> <th>CPU Request</th> <th>Memory Request</th> <th>Storage</th> </tr> </thead> <tbody> <tr> <td>Development</td> <td>250m</td> <td>512Mi</td> <td>5Gi</td> </tr> <tr> <td>Low traffic</td> <td>500m</td> <td>1Gi</td> <td>20Gi</td> </tr> <tr> <td>Medium traffic</td> <td>1</td> <td>2Gi</td> <td>50Gi</td> </tr> <tr> <td>High traffic</td> <td>2–4</td> <td>4–8Gi</td> <td>100Gi+</td> </tr> </tbody> </table></div> <h3> JVM Heap Tuning </h3> <p>Set the JVM heap via the <code>KAFKA_HEAP_OPTS</code> env var. A common rule of thumb is 50% of the container memory limit, not exceeding 6Gi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_HEAP_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Xms2g</span><span class="nv"> </span><span class="s">-Xmx2g"</span> </code></pre> </div> <h3> Monitoring </h3> <p>The official <code>apache/kafka</code> image exposes JMX metrics. Enable them with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_JMX_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">9999"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_JMX_HOSTNAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0"</span> </code></pre> </div> <p>Key metrics to monitor:</p> <ul> <li> <code>kafka.server:type=ReplicaManager,name=UnderReplicatedPartitions</code> — should always be 0</li> <li> <code>kafka.controller:type=KafkaController,name=ActiveControllerCount</code> — should be 1 across the cluster</li> <li> <code>kafka.network:type=RequestMetrics,name=TotalTimeMs</code> — producer/consumer latency</li> <li>JVM GC pause times — long pauses indicate heap needs tuning</li> </ul> <h2> Common Troubleshooting </h2> <p><strong>Pod stuck in Init state</strong></p> <p>Check the init container logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> format-storage kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> init-node-id </code></pre> </div> <p><strong><code>No readable meta.properties</code> error</strong></p> <p>The broker cannot find formatted storage. Ensure you are using <code>/etc/kafka/docker/run</code> as the entrypoint, not <code>kafka-server-start.sh</code>. The latter ignores <code>KAFKA_*</code> env vars and the broker looks in the wrong directory.</p> <p><strong><code>Invalid cluster.id</code> error</strong></p> <p>The <code>CLUSTER_ID</code> env var does not match what was written to <code>meta.properties</code> during the format step. Delete the PVCs to force a reformat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete pvc <span class="nt">-n</span> kafka <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>kafka </code></pre> </div> <p><strong><code>There must be at least one broker advertised listener</code> during format</strong></p> <p>The temp <code>kraft.properties</code> used in the format-storage init container must include a non-controller listener. Ensure <code>listeners</code>, <code>advertised.listeners</code>, <code>listener.security.protocol.map</code>, and <code>inter.broker.listener.name</code> are all present in the temp properties file.</p> <p><strong>SASL authentication timeout on port 9092</strong></p> <p>The SCRAM credentials have not been registered. The JAAS file alone is not enough — run the bootstrap process in Step 7 to write the credentials into Kafka's metadata store.</p> <p><strong><code>UnsupportedEndpointTypeException</code> when using <code>--bootstrap-controller</code></strong></p> <p>The <code>alterUserScramCredentials</code> admin API is not supported via the controller quorum endpoint in Kafka 4.x. You must connect through a broker (port 9092). Use the temporary PLAINTEXT listener on port 9094 as described in Step 7.</p> <p><strong>Port 9094 connection refused</strong></p> <p>The headless service does not expose port 9094 by default. You must explicitly add it to <code>kafka-svc.yaml</code> during the bootstrap process (Step 7a) and remove it afterwards.</p> <p><strong>Brokers cannot reach each other</strong></p> <p>Verify the headless service exists and pod DNS resolves from within a pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> nslookup kafka-1.kafka-headless.kafka.svc.cluster.local </code></pre> </div> <p><strong><code>MaxFollowerLag</code> is non-zero</strong></p> <p>One broker is behind. Check its logs for errors. Common causes are disk I/O pressure, a recent pod restart, or network instability.</p> <h2> Upgrading Kafka </h2> <p>To upgrade to a new Kafka version, update the <code>image</code> field in the StatefulSet. Kubernetes performs a rolling restart one pod at a time. Since KRaft requires a majority, the cluster stays available as long as at least 2 of 3 pods are running.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">set </span>image statefulset/kafka <span class="se">\</span> <span class="nv">kafka</span><span class="o">=</span>apache/kafka:4.3.0 <span class="se">\</span> <span class="nt">-n</span> kafka kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td>namespace.yaml</td> <td>Isolates all Kafka resources</td> </tr> <tr> <td>kafka-svc.yaml</td> <td>Headless service for stable pod DNS</td> </tr> <tr> <td>kafka-jaas.yaml</td> <td>JAAS config for inter-broker SCRAM auth</td> </tr> <tr> <td>kafka-sasl.yaml</td> <td>Secret for client applications</td> </tr> <tr> <td>kafka-stateful-set.yaml</td> <td>Brokers, init containers, storage, config</td> </tr> <tr> <td>Step 7 — SCRAM bootstrap</td> <td>Temporarily open port 9094, write credentials to metadata, close port 9094</td> </tr> </tbody> </table></div> <p>The cluster is production-ready when TLS is enabled, credentials are rotated to strong values, pod anti-affinity and a PodDisruptionBudget are in place, resource limits are tuned for your workload, and monitoring is active.</p> kafka kubernetes How GNOME drives me Crazy on Ubuntu giveitatry Fri, 20 Feb 2026 19:22:06 +0000 https://dev.to/giveitatry/how-to-gnome-drives-me-crazy-on-ubuntu-1len https://dev.to/giveitatry/how-to-gnome-drives-me-crazy-on-ubuntu-1len <p>If you’re using Ubuntu with the default GNOME desktop, you’ve probably experienced this:</p> <p>You click a pinned app in the dock (for example Firefox), and instead of switching to your already open window… GNOME shows you thumbnails of all open windows.</p> <p>This makes me <strong>crazy</strong>. I need additional click to switch the app.</p> <p>I don’t want previews.<br> I just want it to <strong>switch to the next window</strong>.</p> <p>Luckily, Ubuntu makes this easy to fix.</p> <h2> Why This Happens </h2> <p>Ubuntu uses a modified GNOME dock called <strong>Ubuntu Dock</strong>, which is based on Dash to Dock.</p> <p>By default, clicking a pinned app:</p> <ul> <li>Shows window previews if multiple windows are open.</li> </ul> <p>But we can change that behavior.</p> <h2> The Fix: Make Click Cycle Through Windows </h2> <h3> Step 1 – Open Dock Settings </h3> <p>Run this command in Terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gnome-extensions prefs ubuntu-dock@ubuntu.com </code></pre> </div> <h3> Step 2 – Change Click Behavior </h3> <ol> <li>Go to the <strong>Behavior</strong> tab.</li> <li>Find <strong>Click action</strong> </li> <li>Change it to:</li> </ol> <blockquote> <p><strong>Cycle through windows</strong></p> </blockquote> <p>That’s it.</p> linux productivity tutorial ubuntu How to Add a Subdomain with Hetzner DNS API giveitatry Sun, 01 Feb 2026 18:19:42 +0000 https://dev.to/giveitatry/how-to-add-a-subdomain-with-hetzner-dns-api-5g1d https://dev.to/giveitatry/how-to-add-a-subdomain-with-hetzner-dns-api-5g1d <p>Hetzner’s <strong>DNS Public API</strong> allows you to programmatically manage your domains, including creating subdomains. A subdomain is simply a DNS record under your main zone.</p> <h2> 1. Get Your Zone ID </h2> <p>Each domain in Hetzner DNS has a unique <code>zone_id</code>. To find it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> GET <span class="s2">"https://dns.hetzner.com/api/v1/zones"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Auth-API-Token: </span><span class="nv">$API_TOKEN</span><span class="s2">"</span> </code></pre> </div> <p>Look for your domain in the response and note its <code>id</code>. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ABC..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"domain.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 2. Add the Subdomain Record </h2> <p>Once you have the <code>zone_id</code>, you can create a subdomain by adding a DNS record. For example, to create <code>xxx.domain.com</code> pointing to <code>1.2.3.4</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"https://dns.hetzner.com/api/v1/records"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Auth-API-Token: </span><span class="nv">$API_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "zone_id": "ABC...", "type": "A", "name": "xxx", "value": "1.2.3.4", "ttl": 300 }'</span> </code></pre> </div> <p><strong>Parameters:</strong></p> <ul> <li> <code>zone_id</code> → The zone where the subdomain will be added.</li> <li> <code>type</code> → DNS record type (<code>A</code>, <code>CNAME</code>, <code>MX</code>, etc.).</li> <li> <code>name</code> → Subdomain prefix (<code>xxx</code>).</li> <li> <code>value</code> → IP address or target domain (<code>1.2.3.4</code> here).</li> <li> <code>ttl</code> → Time-to-live in seconds (optional, default 300).</li> </ul> <h2> 3. Verify the Subdomain </h2> <p>To confirm the subdomain was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> GET <span class="s2">"https://dns.hetzner.com/api/v1/records?zone_id=ABC..."</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Auth-API-Token: </span><span class="nv">$API_TOKEN</span><span class="s2">"</span> </code></pre> </div> <p>Check for your new record in the response.</p> <h2> ✅ Summary </h2> <ul> <li>Subdomains are <strong>just DNS records</strong> in Hetzner.</li> <li>Use <code>GET /zones</code> to find your <code>zone_id</code>.</li> <li>Use <code>POST /records</code> to add subdomains.</li> <li>Use <code>GET /records</code> to list or verify existing subdomains.</li> </ul> <p>This approach lets you <strong>automate DNS management</strong> for your domains using Hetzner’s DNS API.</p> api devops networking tutorial How to Clone a GitLab Repository with a Self-Signed Certificate giveitatry Sun, 01 Feb 2026 12:55:26 +0000 https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-437l https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-437l <p>When working with a <strong>GitLab instance using a self-signed SSL certificate</strong>, attempting to clone a repository over HTTPS often fails with an error like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fatal: unable to access 'https://gitlab.example.com/group/project.git/': server certificate verification failed. CAfile: none CRLfile: none </code></pre> </div> <p>This happens because Git does not trust self-signed certificates by default. Below are <strong>safe, step-by-step ways to fix it</strong>.</p> <h2> 1. Understanding the Problem </h2> <p>Git verifies SSL certificates to ensure the server you’re connecting to is legitimate. Self-signed certificates <strong>aren’t trusted by default</strong> because they’re not signed by a recognized Certificate Authority (CA).</p> <p>This means HTTPS connections fail unless Git is explicitly told to trust the certificate.</p> <h2> 2. Export the Self-Signed Certificate </h2> <h3> Option A: Export via Chrome </h3> <ol> <li>Open your GitLab URL in <strong>Chrome</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://gitlab.example.com </code></pre> </div> <ol> <li>Click the <strong>lock icon</strong> in the address bar → <strong>Connection is secure</strong> → <strong>Certificate is valid</strong>.</li> <li>Go to the <strong>Details</strong> tab → Click <strong>Export…</strong>.</li> <li>Save the certificate as <code>gitlab-selfsigned.crt</code> in a permanent location:</li> </ol> <ul> <li>Windows: <code>C:\certs\gitlab-selfsigned.crt</code> </li> <li>Linux/macOS: <code>/home/username/certs/gitlab-selfsigned.crt</code> </li> </ul> <h3> Option B: Export via Firefox </h3> <p>Firefox doesn’t always allow direct export from the page, but here are two reliable ways:</p> <h4> Method 1: Using Firefox Preferences </h4> <ol> <li>Open Firefox and go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>about:preferences#privacy </code></pre> </div> <ol> <li>Scroll down to <strong>Certificates</strong> → Click <strong>View Certificates</strong>.</li> <li>Go to the <strong>Servers</strong> tab, find your GitLab domain (<code>gitlab.example.com</code>), select it → <strong>Export…</strong> </li> <li>Save as <code>gitlab-selfsigned.crt</code>.</li> </ol> <h4> Method 2: Using OpenSSL (cross-platform, recommended) </h4> <p>Open a terminal (Linux, macOS, or Git Bash on Windows) and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> | openssl s_client <span class="nt">-connect</span> gitlab.example.com:443 <span class="nt">-showcerts</span> 2&gt;/dev/null | openssl x509 <span class="nt">-outform</span> PEM <span class="o">&gt;</span> gitlab-selfsigned.crt </code></pre> </div> <ul> <li>This fetches the certificate directly from GitLab.</li> <li>Saves it as <code>gitlab-selfsigned.crt</code> in the current directory.</li> </ul> <h2> 3. Configure Git to Trust the Certificate </h2> <p>Once you have the <code>.crt</code> file:</p> <h4> Windows: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"C:/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <h4> Linux / macOS: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"/home/username/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> <span class="nt">--get</span> http.sslCAInfo </code></pre> </div> <h2> 4. Clone the Repository </h2> <p>Now, you can securely clone your repository over HTTPS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://gitlab.example.com/group/project.git </code></pre> </div> <h2> 5. Alternative: Use SSH Instead of HTTPS </h2> <p>SSH avoids all certificate issues:</p> <ol> <li>Generate an SSH key if you don’t have one: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-C</span> <span class="s2">"your_email@example.com"</span> </code></pre> </div> <ol> <li><p>Copy the public key (<code>~/.ssh/id_ed25519.pub</code>) and add it to GitLab:<br> <strong>User Settings → SSH Keys → Add Key</strong></p></li> <li><p>Clone via SSH:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@gitlab.example.com:group/project.git </code></pre> </div> <p>No SSL certificate issues occur using SSH.</p> <h2> 6. Quick &amp; Unsafe Workaround (Testing Only) </h2> <p>You can temporarily disable SSL verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslVerify <span class="nb">false</span> </code></pre> </div> <p>⚠️ <strong>Warning:</strong> This is insecure. It allows MITM attacks and should <strong>never</strong> be used permanently.</p> <h2> 7. PyCharm Considerations </h2> <p>PyCharm may use a separate Git executable. To ensure it works:</p> <ol> <li>Go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>File → Settings → Version Control → Git </code></pre> </div> <ol> <li>Check the <strong>Path to Git executable</strong>.</li> <li>Click <strong>Test</strong>.</li> <li>Make sure this Git has the <code>http.sslCAInfo</code> configuration set (or use SSH instead).</li> </ol> <h2> 8. Summary </h2> <p><strong>Recommended workflow for self-signed GitLab:</strong></p> <ol> <li>Export the self-signed certificate (Chrome or Firefox/OpenSSL).</li> <li>Configure Git to trust the certificate.</li> <li>Clone via HTTPS.</li> </ol> <p><strong>Alternative:</strong> Use SSH to avoid certificate issues entirely.</p> <p><strong>Avoid:</strong> disabling SSL verification permanently — it is insecure.</p> gitlab How to Clone a GitLab Repository with a Self-Signed Certificate giveitatry Sun, 01 Feb 2026 08:52:44 +0000 https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-3me9 https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-3me9 <p>When working with a <strong>GitLab instance using a self-signed SSL certificate</strong>, attempting to clone a repository over HTTPS often fails with an error like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fatal: unable to access 'https://gitlab.example.com/group/project.git/': server certificate verification failed. CAfile: none CRLfile: none </code></pre> </div> <p>This happens because Git does not trust self-signed certificates by default. Below are <strong>safe, step-by-step ways to fix it</strong>.</p> <h2> 1. Understanding the Problem </h2> <p>Git verifies SSL certificates to ensure the server you’re connecting to is legitimate. Self-signed certificates <strong>aren’t trusted by default</strong> because they’re not signed by a recognized Certificate Authority (CA).</p> <p>This means HTTPS connections fail unless Git is explicitly told to trust the certificate.</p> <h2> 2. Export the Self-Signed Certificate </h2> <h3> Option A: Export via Chrome </h3> <ol> <li>Open your GitLab URL in <strong>Chrome</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://gitlab.example.com </code></pre> </div> <ol> <li>Click the <strong>lock icon</strong> in the address bar → <strong>Connection is secure</strong> → <strong>Certificate is valid</strong>.</li> <li>Go to the <strong>Details</strong> tab → Click <strong>Export…</strong>.</li> <li>Save the certificate as <code>gitlab-selfsigned.crt</code> in a permanent location:</li> </ol> <ul> <li>Windows: <code>C:\certs\gitlab-selfsigned.crt</code> </li> <li>Linux/macOS: <code>/home/username/certs/gitlab-selfsigned.crt</code> </li> </ul> <h3> Option B: Export via Firefox </h3> <p>Firefox doesn’t always allow direct export from the page, but here are two reliable ways:</p> <h4> Method 1: Using Firefox Preferences </h4> <ol> <li>Open Firefox and go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>about:preferences#privacy </code></pre> </div> <ol> <li>Scroll down to <strong>Certificates</strong> → Click <strong>View Certificates</strong>.</li> <li>Go to the <strong>Servers</strong> tab, find your GitLab domain (<code>gitlab.example.com</code>), select it → <strong>Export…</strong> </li> <li>Save as <code>gitlab-selfsigned.crt</code>.</li> </ol> <h4> Method 2: Using OpenSSL (cross-platform, recommended) </h4> <p>Open a terminal (Linux, macOS, or Git Bash on Windows) and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> | openssl s_client <span class="nt">-connect</span> gitlab.example.com:443 <span class="nt">-showcerts</span> 2&gt;/dev/null | openssl x509 <span class="nt">-outform</span> PEM <span class="o">&gt;</span> gitlab-selfsigned.crt </code></pre> </div> <ul> <li>This fetches the certificate directly from GitLab.</li> <li>Saves it as <code>gitlab-selfsigned.crt</code> in the current directory.</li> </ul> <h2> 3. Configure Git to Trust the Certificate </h2> <p>Once you have the <code>.crt</code> file:</p> <h4> Windows: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"C:/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <h4> Linux / macOS: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"/home/username/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> <span class="nt">--get</span> http.sslCAInfo </code></pre> </div> <h2> 4. Clone the Repository </h2> <p>Now, you can securely clone your repository over HTTPS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://gitlab.example.com/group/project.git </code></pre> </div> <h2> 5. Alternative: Use SSH Instead of HTTPS </h2> <p>SSH avoids all certificate issues:</p> <ol> <li>Generate an SSH key if you don’t have one: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-C</span> <span class="s2">"your_email@example.com"</span> </code></pre> </div> <ol> <li><p>Copy the public key (<code>~/.ssh/id_ed25519.pub</code>) and add it to GitLab:<br> <strong>User Settings → SSH Keys → Add Key</strong></p></li> <li><p>Clone via SSH:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@gitlab.example.com:group/project.git </code></pre> </div> <p>No SSL certificate issues occur using SSH.</p> <h2> 6. Quick &amp; Unsafe Workaround (Testing Only) </h2> <p>You can temporarily disable SSL verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslVerify <span class="nb">false</span> </code></pre> </div> <p>⚠️ <strong>Warning:</strong> This is insecure. It allows MITM attacks and should <strong>never</strong> be used permanently.</p> <h2> 7. PyCharm Considerations </h2> <p>PyCharm may use a separate Git executable. To ensure it works:</p> <ol> <li>Go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>File → Settings → Version Control → Git </code></pre> </div> <ol> <li>Check the <strong>Path to Git executable</strong>.</li> <li>Click <strong>Test</strong>.</li> <li>Make sure this Git has the <code>http.sslCAInfo</code> configuration set (or use SSH instead).</li> </ol> <h2> 8. Summary </h2> <p><strong>Recommended workflow for self-signed GitLab:</strong></p> <ol> <li>Export the self-signed certificate (Chrome or Firefox/OpenSSL).</li> <li>Configure Git to trust the certificate.</li> <li>Clone via HTTPS.</li> </ol> <p><strong>Alternative:</strong> Use SSH to avoid certificate issues entirely.</p> <p><strong>Avoid:</strong> disabling SSL verification permanently — it is insecure.</p> devops git security tutorial