DEV Community: giveitatry The latest articles on DEV Community by giveitatry (@giveitatry). https://dev.to/giveitatry https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F623976%2F3baf0112-f926-4743-b988-89afa8a5fbe5.jpg DEV Community: giveitatry https://dev.to/giveitatry en Upgrading K3s: Complete Guide giveitatry Wed, 01 Apr 2026 06:13:00 +0000 https://dev.to/giveitatry/upgrading-k3s-complete-guide-12bj https://dev.to/giveitatry/upgrading-k3s-complete-guide-12bj <h1> TL;DR </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current version</span> k3s <span class="nt">--version</span> <span class="c"># Upgrade server node to latest stable (run on server first)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_CHANNEL</span><span class="o">=</span>stable sh - <span class="c"># Upgrade to a specific version (upgrade One Minor Version at a Time)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.32.5+k3s1 sh - <span class="c"># Then upgrade each worker node (upgrade One Minor Version at a Time)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_CHANNEL</span><span class="o">=</span>stable <span class="nv">K3S_URL</span><span class="o">=</span>https://&lt;server-ip&gt;:6443 <span class="nv">K3S_TOKEN</span><span class="o">=</span>&lt;token&gt; sh - <span class="c"># Verify</span> kubectl get nodes </code></pre> </div> <h2> Your Current Situation </h2> <p>You're running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">k3s version v1.28.4+k3s2 (6ba6c1b6) go version go1.20.11 </span></code></pre> </div> <p>v1.28 reached end-of-life in late 2024. The current stable lines as of April 2026 are <strong>v1.32</strong> and <strong>v1.33</strong>. That means you're roughly <strong>4 minor versions behind</strong>, which is important — you cannot jump straight from v1.28 to v1.33 in one shot.</p> <h2> The Golden Rule: One Minor Version at a Time </h2> <p>When attempting to upgrade to a new version of K3s, the Kubernetes version skew policy applies. Ensure that your plan does not skip intermediate minor versions when upgrading.</p> <p>This means your upgrade path from v1.28 must go:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>v1.28 → v1.29 → v1.30 → v1.31 → v1.32 → v1.33 </code></pre> </div> <p>You cannot skip from v1.28 directly to v1.33. Each hop must be done separately, with the cluster verified healthy between each step.</p> <p>Also: when upgrading, upgrade server nodes first one at a time, then any agent nodes. Never upgrade workers before the server.</p> <h2> Important: Traefik Version Change at v1.32 </h2> <p>K3s versions v1.31 and earlier will install Traefik v2, while K3s versions v1.32 and later will install Traefik v3. If you're using Traefik as your ingress controller (which is the K3s default), the jump from v1.31 to v1.32 will upgrade Traefik from v2 to v3. Review the Traefik v3 migration guide before doing that hop if you have custom Traefik configuration or IngressRoute resources.</p> <h2> Important: etcd Warning for v1.34+ </h2> <p>If you plan to go all the way to v1.34 or v1.35, there is a critical etcd requirement. The K3s project announced that there is no safe upgrade path from etcd 3.5 to 3.6 (included in v1.34+) unless you are running etcd v3.5.26 first. The January 2025 releases of K3s v1.32 include etcd v3.5.26, so upgrading to at least <strong>v1.32</strong> before jumping to v1.34+ is mandatory to avoid cluster data issues.</p> <h2> Method 1: Manual Upgrade via Install Script (Recommended) </h2> <p>You can upgrade K3s by using the installation script, or by manually installing the binary of the desired version. The install script is the easiest approach.</p> <h3> Step 1 — Upgrade the server node, one minor version at a time </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH into your server node</span> ssh root@&lt;server-ip&gt; <span class="c"># Hop 1: v1.28 → v1.29</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.29.13+k3s1 sh - <span class="c"># Verify server is healthy before proceeding</span> kubectl get nodes k3s <span class="nt">--version</span> <span class="c"># Hop 2: v1.29 → v1.30</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.30.13+k3s1 sh - kubectl get nodes <span class="c"># Hop 3: v1.30 → v1.31</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.31.9+k3s1 sh - kubectl get nodes <span class="c"># Hop 4: v1.31 → v1.32 (Traefik v2 → v3 happens here!)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.32.5+k3s1 sh - kubectl get nodes <span class="c"># Hop 5: v1.32 → v1.33 (optional, if you want latest stable)</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.33.1+k3s1 sh - kubectl get nodes </code></pre> </div> <h3> Step 2 — Upgrade each worker node </h3> <p>After each server hop is confirmed healthy, upgrade the workers for that version before proceeding to the next hop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># SSH into each worker node</span> ssh root@&lt;worker-ip&gt; <span class="c"># Run the same version as the server just upgraded to</span> curl <span class="nt">-sfL</span> https://get.k3s.io | <span class="se">\</span> <span class="nv">INSTALL_K3S_VERSION</span><span class="o">=</span>v1.29.13+k3s1 <span class="se">\</span> <span class="nv">K3S_URL</span><span class="o">=</span>https://&lt;server-ip&gt;:6443 <span class="se">\</span> <span class="nv">K3S_TOKEN</span><span class="o">=</span>&lt;your-token&gt; <span class="se">\</span> sh - <span class="c"># Verify worker rejoined</span> kubectl get nodes </code></pre> </div> <p>Your token is in <code>/var/lib/rancher/k3s/server/node-token</code> on the server node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cat</span> /var/lib/rancher/k3s/server/node-token </code></pre> </div> <h3> Step 3 — Verify after each hop </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All nodes should show same version and Ready status</span> kubectl get nodes <span class="nt">-o</span> wide <span class="c"># Check nothing is broken</span> kubectl get pods <span class="nt">-A</span> | <span class="nb">grep</span> <span class="nt">-v</span> Running | <span class="nb">grep</span> <span class="nt">-v</span> Completed </code></pre> </div> <h2> Method 2: Upgrade via Binary (Manual) </h2> <p>If you prefer more control, or the install script fails:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download the specific version binary</span> wget https://github.com/k3s-io/k3s/releases/download/v1.29.13%2Bk3s1/k3s <span class="c"># Replace the binary</span> <span class="nb">chmod</span> +x k3s <span class="nb">sudo mv </span>k3s /usr/local/bin/k3s <span class="c"># Restart the service</span> <span class="nb">sudo </span>systemctl restart k3s <span class="c"># on server</span> <span class="nb">sudo </span>systemctl restart k3s-agent <span class="c"># on workers</span> <span class="c"># Verify</span> k3s <span class="nt">--version</span> </code></pre> </div> <h2> Draining Nodes Before Upgrading (For Production) </h2> <p>Containers for pods continue running even when K3s is stopped. If your workload is sensitive to brief API server outages, you should manually drain and cordon the node before restarting K3s, and uncordon it afterwards.</p> <p>For a production cluster where you can't afford any disruption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Before upgrading a node, drain it from the server</span> kubectl drain &lt;node-name&gt; <span class="se">\</span> <span class="nt">--ignore-daemonsets</span> <span class="se">\</span> <span class="nt">--delete-emptydir-data</span> <span class="se">\</span> <span class="nt">--force</span> <span class="c"># Run the upgrade on that node</span> <span class="c"># ...</span> <span class="c"># After the node is back up, uncordon it</span> kubectl uncordon &lt;node-name&gt; </code></pre> </div> <h2> After the Full Upgrade </h2> <p>Once all nodes are on the new version, do a full health check:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># All nodes Ready and on same version</span> kubectl get nodes <span class="nt">-o</span> wide <span class="c"># No pods stuck in bad state</span> kubectl get pods <span class="nt">-A</span> | <span class="nb">grep</span> <span class="nt">-v</span> Running | <span class="nb">grep</span> <span class="nt">-v</span> Completed <span class="c"># Check system pods specifically</span> kubectl get pods <span class="nt">-n</span> kube-system <span class="c"># Verify cert status (especially useful since you're now in cert rotation territory)</span> <span class="nb">sudo </span>k3s certificate check </code></pre> </div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Your version</th> <th>Target</th> <th>Hops required</th> </tr> </thead> <tbody> <tr> <td>v1.28.4</td> <td>v1.29</td> <td>1</td> </tr> <tr> <td>v1.28.4</td> <td>v1.32</td> <td>4 (go through 29, 30, 31, 32)</td> </tr> <tr> <td>v1.28.4</td> <td>v1.33</td> <td>5 (go through 29, 30, 31, 32, 33)</td> </tr> </tbody> </table></div> <p>Take it one minor version at a time, always server first then workers, verify healthy between each hop, and mind the Traefik v2→v3 change when crossing v1.32.</p> k3s K3s Certificate Rotation: Complete Guide to Managing and Rotating Certificates giveitatry Wed, 01 Apr 2026 06:07:30 +0000 https://dev.to/giveitatry/k3s-certificate-rotation-complete-guide-to-managing-and-rotating-certificates-2ibe https://dev.to/giveitatry/k3s-certificate-rotation-complete-guide-to-managing-and-rotating-certificates-2ibe <h2> TL;DR — All Commands You Need </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Check certificate status on any node</span> <span class="nb">sudo </span>k3s certificate check <span class="c"># 2. Rotate on the SERVER node</span> <span class="nb">sudo </span>systemctl stop k3s <span class="nb">sudo </span>k3s certificate rotate <span class="nb">sudo </span>systemctl start k3s <span class="c"># 3. Update kubeconfig after server rotation</span> <span class="nb">sudo cp</span> /etc/rancher/k3s/k3s.yaml <span class="nv">$HOME</span>/.kube/config <span class="nb">sudo chown</span> <span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span>:<span class="si">$(</span><span class="nb">id</span> <span class="nt">-g</span><span class="si">)</span> <span class="nv">$HOME</span>/.kube/config <span class="c"># 4. IMMEDIATELY restart k3s-agent on EVERY worker node</span> <span class="c"># (workers will disconnect after server cert rotation — this fixes it)</span> ssh root@&lt;worker-ip&gt; <span class="nb">sudo </span>systemctl restart k3s-agent <span class="c"># 5. Verify all nodes are back</span> kubectl get nodes <span class="nt">-w</span> </code></pre> </div> <h2> Certificate Types and Their Lifetimes </h2> <p>K3s manages two fundamentally different categories of certificates, and confusing them is the most common source of operational mistakes.</p> <h3> Client and Server Certificates — 365 days </h3> <p>K3s client and server certificates are valid for 365 days from their date of issuance. These are the leaf certificates used by every component in the cluster for mutual TLS: the API server, kubelet, etcd, kube-proxy, controller-manager, scheduler, and others. They are signed by the cluster's CA certificates.</p> <p>The full list of rotatable services is: <code>admin</code>, <code>api-server</code>, <code>controller-manager</code>, <code>scheduler</code>, <code>k3s-controller</code>, <code>k3s-server</code>, <code>cloud-controller</code>, <code>etcd</code>, <code>auth-proxy</code>, <code>kubelet</code>, <code>kube-proxy</code>.</p> <h3> CA (Certificate Authority) Certificates — 10 years </h3> <p>By default, K3s generates self-signed CA certificates during startup of the first server node. These CA certificates are valid for 10 years from date of issuance, and are not automatically renewed. They live in <code>/var/lib/rancher/k3s/server/tls</code> and are the root of trust for the entire cluster. The authoritative copy is stored encrypted in the datastore (etcd or SQLite), with copies extracted to disk on startup.</p> <h2> Automatic Certificate Renewal — How It Works </h2> <p>Any certificates that are expired or within 120 days of expiring are automatically renewed every time K3s starts. This renewal reuses the existing keys, and extends the lifetime of the existing certificates.</p> <p>This is the key distinction: automatic renewal <strong>extends the same keys</strong>, it doesn't rotate them. If you want brand new keys generated — for example after a security incident — you need the <code>rotate</code> subcommand covered below.</p> <p><strong>Version note:</strong> Prior to the May 2025 releases (v1.33.1+k3s1, v1.32.5+k3s1, v1.31.9+k3s1, v1.30.13+k3s1), alerts and rotation were triggered at 90 days instead of 120 days. If you're running an older cluster, the threshold is 90 days.</p> <h3> The Practical Implication </h3> <p>If your cluster nodes are rebooted or K3s is restarted at least once every few months as part of normal patching, certificates will silently renew themselves without any operator action. It is expected that you would be taking your hosts down periodically for patching and upgrading every few months — but reality has shown that many do not patch or reboot for more than 3 months, so the best practice is monitoring the certificate expiration.</p> <p>A cluster that runs for an entire year without a restart <strong>will</strong> let its certificates expire.</p> <h2> Warning Signs — What You See Before Expiry </h2> <p>When a certificate is within 120 days of expiring, a Kubernetes Warning Event with <code>reason: CertificateExpirationWarning</code> is created, with a relation to the Node using the certificate.</p> <p>You'll see events like this in your cluster logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Warning CertificateExpirationWarning Node certificates require attention - restart k3s on this node to trigger automatic rotation: kube-proxy/client-kube-proxy.crt: certificate CN=system:kube-proxy will expire within 90 days at 2025-05-03T12:14:51Z </code></pre> </div> <p>On newer versions these appear via:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get events <span class="nt">-A</span> <span class="nt">--field-selector</span> <span class="nv">reason</span><span class="o">=</span>CertificateExpirationWarning </code></pre> </div> <h2> What Happens When Certificates Actually Expire </h2> <p>This is where things get painful. You get something like this from <code>systemctl status k3s</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>x509: certificate has expired or is not yet valid </code></pre> </div> <p>And any <code>kubectl</code> call returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Unable to connect to the server: x509: certificate has expired or is not yet valid </code></pre> </div> <p><strong>What still works:</strong> Apps that are currently running continue to run with no issues — workloads don't immediately crash. The data plane keeps operating. What breaks is the <strong>control plane</strong>: you lose <code>kubectl</code> access entirely, API server communication fails, and no new deployments, scaling, or config changes are possible. If nodes restart or pods crash, Kubernetes cannot reschedule them because the control plane is inaccessible.</p> <p>The good news: certificates that are already expired are still automatically renewed every time K3s starts — so the recovery procedure is identical to the proactive rotation procedure. K3s is designed to self-heal on restart even in the fully expired state.</p> <h2> Checking Certificate Status </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>k3s certificate check </code></pre> </div> <p>Note: the <code>--output table</code> flag was added in the January 2025 releases (v1.32.0+k3s1, v1.31.5+k3s1, v1.30.9+k3s1) and will error on anything older. Check your version first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k3s <span class="nt">--version</span> <span class="c"># Only use --output table if you're on a January 2025+ release</span> <span class="nb">sudo </span>k3s certificate check <span class="nt">--output</span> table </code></pre> </div> <p>Example output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FILENAME SUBJECT USAGES EXPIRES RESIDUAL TIME STATUS -------- ------- ------ ------- ------------- ------ client-kube-proxy.crt system:kube-proxy ClientAuth Jun 09, 2026 10:17 UTC 1 year OK client-kubelet.crt system:node:k3s-server-1 ClientAuth Jun 09, 2026 10:17 UTC 1 year OK serving-kubelet.crt k3s-server-1 ServerAuth Jun 09, 2026 10:17 UTC 1 year OK client-k3s-controller.crt system:k3s-controller ClientAuth Jun 09, 2026 10:17 UTC 1 year OK </code></pre> </div> <p>Each certificate file in the FILENAME column contains at least two certificates — the leaf (or end entity) client/server certificate, any intermediate Certificate Authority certificates, and the root Certificate Authority certificate. That's why you see each filename appear twice — the leaf cert at 1 year, and the CA cert at 10 years.</p> <p>To inspect a specific cert directly with openssl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>openssl x509 <span class="se">\</span> <span class="nt">-in</span> /var/lib/rancher/k3s/server/tls/client-admin.crt <span class="se">\</span> <span class="nt">-noout</span> <span class="nt">-dates</span> </code></pre> </div> <p>To inspect the certificate currently embedded in your kubeconfig:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo cat</span> /etc/rancher/k3s/k3s.yaml <span class="se">\</span> | <span class="nb">grep</span> <span class="s1">'client-certificate-data'</span> <span class="se">\</span> | <span class="nb">awk</span> <span class="s1">'{print $2}'</span> <span class="se">\</span> | <span class="nb">base64</span> <span class="nt">-d</span> <span class="se">\</span> | openssl x509 <span class="nt">-noout</span> <span class="nt">-dates</span> </code></pre> </div> <p>This is useful to confirm your local <code>kubectl</code> context is using up-to-date credentials, separate from what the node itself reports.</p> <h2> Manual Rotation — Step by Step </h2> <h3> On the Server Node </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1: Stop K3s</span> <span class="nb">sudo </span>systemctl stop k3s <span class="c"># Step 2: Rotate certificates (generates new certs AND new keys)</span> <span class="nb">sudo </span>k3s certificate rotate <span class="c"># Step 3: Start K3s</span> <span class="nb">sudo </span>systemctl start k3s </code></pre> </div> <p>After K3s starts back up, the new certificate is written to <code>/etc/rancher/k3s/k3s.yaml</code>. This file is your kubeconfig and now contains the updated client certificate, client key, and certificate authority data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> /etc/rancher/k3s <span class="nb">ls</span> <span class="c"># k3s.yaml</span> <span class="nb">cat </span>k3s.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">&lt;base64-encoded-new-CA&gt;</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://127.0.0.1:6443</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">default</span> <span class="na">user</span><span class="pi">:</span> <span class="s">default</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">default</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">default</span> <span class="na">user</span><span class="pi">:</span> <span class="na">client-certificate-data</span><span class="pi">:</span> <span class="s">&lt;base64-encoded-new-cert&gt;</span> <span class="na">client-key-data</span><span class="pi">:</span> <span class="s">&lt;base64-encoded-new-key&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 4: Copy the updated kubeconfig</span> <span class="nb">sudo cp</span> /etc/rancher/k3s/k3s.yaml <span class="nv">$HOME</span>/.kube/config <span class="nb">sudo chown</span> <span class="si">$(</span><span class="nb">id</span> <span class="nt">-u</span><span class="si">)</span>:<span class="si">$(</span><span class="nb">id</span> <span class="nt">-g</span><span class="si">)</span> <span class="nv">$HOME</span>/.kube/config <span class="c"># If managing the cluster from a remote machine, copy it there too</span> scp root@&lt;server-ip&gt;:/etc/rancher/k3s/k3s.yaml ~/.kube/config <span class="c"># Fix the server address if it points to 127.0.0.1</span> <span class="nb">sed</span> <span class="nt">-i</span> <span class="s1">'s/127.0.0.1/&lt;your-server-ip&gt;/g'</span> ~/.kube/config <span class="c"># Step 5: Verify server is healthy</span> <span class="nb">sudo </span>k3s certificate check kubectl get nodes </code></pre> </div> <p>Any CI/CD pipelines, Helm deployments, or developer workstations that had a copy of the old kubeconfig will also need this updated file — the old client certificate is invalid the moment rotation runs.</p> <h3> Rotating Specific Services Only </h3> <p>You can limit rotation to specific components rather than rotating everything at once:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>k3s certificate rotate <span class="nt">--service</span> api-server,kubelet <span class="nb">sudo </span>k3s certificate rotate <span class="nt">--service</span> etcd <span class="nb">sudo </span>k3s certificate rotate <span class="nt">--service</span> admin,controller-manager,scheduler </code></pre> </div> <p>This is useful when only certain certs are approaching expiry, or when you want to minimize the blast radius in a sensitive environment. The stop/start of K3s is still required around this command.</p> <h2> ⚠️ Warning: Worker Nodes Will Disconnect After Rotation </h2> <p>This is something the official documentation doesn't warn you about clearly enough, and it can cause a cascading failure that looks far worse than a simple cert issue.</p> <h3> What Happens </h3> <p>When you rotate certificates on the server node, the API server starts presenting new certificates. Worker nodes running <code>k3s-agent</code> were trusting the <strong>old</strong> certificates. Until the agent is restarted and picks up the new trust chain, kubelet on each worker loses the ability to communicate with the API server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Kubelet stopped posting node status. </code></pre> </div> <p>The workers show as <code>NotReady</code> even though the machines themselves are perfectly healthy.</p> <h3> The Cascade With Local Storage </h3> <p>If you're using <code>local-path</code> storage (the K3s default), this gets significantly worse:</p> <ol> <li>You rotate certs on the server 🔄</li> <li>Kubelet on workers stops trusting the API server ❌</li> <li>Workers become <code>NotReady</code> ❌</li> <li>PVCs using <code>local-path</code> are physically locked to those dead nodes ❌</li> <li>Pods tied to that storage cannot reschedule ❌</li> <li>Scheduler starts throwing <code>volume node affinity conflict</code> ❌</li> <li>Any stateful workload (databases, etc.) is now stuck in <code>Pending</code> or <code>Initializing</code> forever ❌</li> </ol> <p>The fix is straightforward — but you have to do it <strong>immediately</strong> after rotating the server, before anything starts crashing and trying to reschedule.</p> <h3> Fix — Restart the Agent on Every Worker Node </h3> <p>SSH into each worker and restart the agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Step 1 — SSH into the worker</span> ssh root@&lt;worker-ip&gt; <span class="c"># Step 2 — Restart k3s-agent</span> <span class="nb">sudo </span>systemctl restart k3s-agent <span class="c"># Step 3 — Check status</span> <span class="nb">sudo </span>systemctl status k3s-agent </code></pre> </div> <p>If the agent still won't come back after a restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Full reboot as last resort</span> <span class="nb">sudo </span>reboot </code></pre> </div> <p>Then verify from the control plane that all nodes are back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get nodes <span class="nt">-w</span> </code></pre> </div> <p>Wait for all workers to flip back to <code>Ready</code>. Once they do, any stuck pods will reschedule automatically — no manual intervention on the workloads themselves is needed.</p> <h3> The Correct Order of Operations for a Full Cluster Rotation </h3> <p>To avoid the disconnection cascade entirely, always treat cert rotation as a coordinated cluster-wide operation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>1. Stop k3s on server → <span class="nb">sudo </span>systemctl stop k3s 2. Rotate certs on server → <span class="nb">sudo </span>k3s certificate rotate 3. Start k3s on server → <span class="nb">sudo </span>systemctl start k3s 4. Update kubeconfig → <span class="nb">cp</span> /etc/rancher/k3s/k3s.yaml ~/.kube/config 5. Restart agent on each worker → <span class="nb">sudo </span>systemctl restart k3s-agent 6. Verify all nodes Ready → kubectl get nodes </code></pre> </div> <p>Don't wait between steps 4 and 5. The longer workers run without restarting their agent, the higher the chance that a pod crash or node pressure event triggers a rescheduling attempt that hits the <code>volume node affinity conflict</code> wall.</p> <h2> CA Certificate Rotation </h2> <p>CA rotation is a completely different operation from leaf cert rotation. To rotate CA certificates and keys, use the <code>k3s certificate rotate-ca</code> command. The command performs integrity checks to confirm that the updated certificates and keys are usable. If the updated data is acceptable, the datastore's encrypted bootstrap key is updated, and the new certificates and keys will be used the next time K3s starts. If problems are encountered while validating the certificates and keys, an error is reported to the system log and the operation is cancelled without changes.</p> <h3> Non-disruptive vs. Disruptive Rotation </h3> <p>A cluster that has been started with custom CA certificates can renew or rotate the CA certificates and keys non-disruptively, as long as the same root CA is used. If a new root CA is required, the rotation will be disruptive. The <code>k3s certificate rotate-ca --force</code> option must be used, all nodes that were joined with a secure token (including servers) will need to be reconfigured to use the new token value, and pods will need to be restarted to trust the new root CA.</p> <p>The safe path is to generate new intermediate CAs signed by the existing root CA — existing trust chains remain valid, nodes can rejoin without token changes, and pods don't need restarts.</p> <h3> CA Rotation Procedure </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Stage new CA certificates into a TEMP directory</span> <span class="c"># Do NOT place them directly into the live /server/tls directory</span> <span class="nb">mkdir</span> <span class="nt">-p</span> /tmp/k3s-ca-rotate <span class="c"># Use the helper script from the K3s repo to generate new CAs</span> curl <span class="nt">-o</span> /tmp/generate-custom-ca-certs.sh <span class="se">\</span> https://raw.githubusercontent.com/k3s-io/k3s/main/contrib/util/generate-custom-ca-certs.sh <span class="nb">chmod</span> +x /tmp/generate-custom-ca-certs.sh <span class="nv">K3S_DATADIR</span><span class="o">=</span>/tmp/k3s-ca-rotate /tmp/generate-custom-ca-certs.sh <span class="c"># Load the new CAs into the datastore</span> <span class="nb">sudo </span>k3s certificate rotate-ca <span class="nt">--path</span> /tmp/k3s-ca-rotate/server/tls <span class="c"># Restart K3s on all nodes — servers first, then agents</span> <span class="nb">sudo </span>systemctl restart k3s </code></pre> </div> <p>Back up the generated root and intermediate CA files somewhere safe after this — you'll need them if you ever need to rotate CAs again in the future.</p> <h2> Monitoring — Preventing Surprise Expiry </h2> <p><strong>Watch for Kubernetes warning events:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get events <span class="nt">-A</span> <span class="se">\</span> <span class="nt">--field-selector</span> <span class="nv">reason</span><span class="o">=</span>CertificateExpirationWarning <span class="se">\</span> <span class="nt">--watch</span> </code></pre> </div> <p><strong>Prometheus alert rule</strong> (works with kube-prometheus-stack):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">alert</span><span class="pi">:</span> <span class="s">K3sCertificateExpiringSoon</span> <span class="na">expr</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">(k3s_certificate_expiry_seconds - time()) &lt; 30 * 24 * 3600</span> <span class="na">for</span><span class="pi">:</span> <span class="s">1h</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">warning</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">summary</span><span class="pi">:</span> <span class="s2">"</span><span class="s">K3s</span><span class="nv"> </span><span class="s">certificate</span><span class="nv"> </span><span class="s">expiring</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">less</span><span class="nv"> </span><span class="s">than</span><span class="nv"> </span><span class="s">30</span><span class="nv"> </span><span class="s">days</span><span class="nv"> </span><span class="s">on</span><span class="nv"> </span><span class="s">{{</span><span class="nv"> </span><span class="s">$labels.node</span><span class="nv"> </span><span class="s">}}"</span> </code></pre> </div> <p><strong>Simple weekly cron check</strong> on the server node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># /etc/cron.weekly/k3s-cert-check</span> k3s certificate check | mail <span class="nt">-s</span> <span class="s2">"K3s cert check on </span><span class="si">$(</span><span class="nb">hostname</span><span class="si">)</span><span class="s2">"</span> ops@yourcompany.com </code></pre> </div> <h2> Summary Table </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Certificate type</th> <th>Validity</th> <th>Auto-renewal</th> <th>Rotation command</th> </tr> </thead> <tbody> <tr> <td>Client/Server leaf certs</td> <td>365 days</td> <td>Yes, on restart (if &lt; 120 days remaining)</td> <td><code>k3s certificate rotate</code></td> </tr> <tr> <td>CA certificates</td> <td>10 years</td> <td><strong>No</strong></td> <td><code>k3s certificate rotate-ca</code></td> </tr> <tr> <td>kubeconfig embedded cert</td> <td>Same as leaf</td> <td>Follows leaf rotation</td> <td>Copy updated <code>k3s.yaml</code> </td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li> <strong>Restart K3s regularly.</strong> Even just for patching every few months — this is what triggers automatic certificate renewal. A cluster that never restarts will expire its certs at the 1-year mark.</li> <li> <strong><code>rotate</code> ≠ <code>restart</code>.</strong> A plain restart extends existing keys. <code>k3s certificate rotate</code> generates entirely new keys. Use rotate when you need cryptographic freshness, not just extended validity.</li> <li> <strong>Always restart worker agents immediately after rotating the server.</strong> Workers disconnect the moment the server starts presenting new certs. Don't wait — do it before anything tries to reschedule.</li> <li> <strong><code>local-path</code> storage amplifies worker disconnection.</strong> PVCs are locked to specific nodes. If a worker goes <code>NotReady</code> while holding a PVC, any pod using that storage is stuck until the worker comes back.</li> <li> <strong>Update your kubeconfig</strong> after server node rotation — the embedded client certificate changes, and any CI/CD pipelines using the old kubeconfig will break immediately.</li> <li> <strong>CA certs are your 10-year bomb.</strong> Mark a calendar reminder. They won't warn you and won't auto-renew.</li> <li> <strong>Backups are automatic.</strong> Old certs are saved to <code>/var/lib/rancher/k3s/server/tls-&lt;timestamp&gt;</code> before rotation, giving you a rollback path.</li> </ol> k8s k3s kubernetes Running a TeamCity Agent as a systemd Service giveitatry Tue, 24 Mar 2026 06:44:39 +0000 https://dev.to/giveitatry/running-a-teamcity-agent-as-a-systemd-service-3gpp https://dev.to/giveitatry/running-a-teamcity-agent-as-a-systemd-service-3gpp <p>Running a TeamCity agent as a system service ensures it continues working after logout and automatically starts on boot. This is the recommended production setup.</p> <h2> 📁 Prerequisites </h2> <p>Make sure your TeamCity agent is installed in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/opt/teamcity/bin/agent.sh </code></pre> </div> <p>👉 The <code>agent.sh</code> script <strong>must exist inside the <code>bin</code> directory</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/opt/teamcity/bin/agent.sh </code></pre> </div> <p>Also ensure it is executable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x /opt/teamcity/bin/agent.sh </code></pre> </div> <h2> ⚙️ Create systemd service </h2> <p>Create the file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>nano /etc/systemd/system/teamcity-agent.service </code></pre> </div> <p>Paste the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[Unit]</span> <span class="py">Description</span><span class="p">=</span><span class="s">TeamCity Build Agent</span> <span class="py">After</span><span class="p">=</span><span class="s">network.target</span> <span class="nn">[Service]</span> <span class="py">Type</span><span class="p">=</span><span class="s">oneshot</span> <span class="py">User</span><span class="p">=</span><span class="s">root</span> <span class="py">Group</span><span class="p">=</span><span class="s">root</span> <span class="py">WorkingDirectory</span><span class="p">=</span><span class="s">/opt/teamcity</span> <span class="py">ExecStart</span><span class="p">=</span><span class="s">/opt/teamcity/bin/agent.sh start</span> <span class="py">ExecStop</span><span class="p">=</span><span class="s">/opt/teamcity/bin/agent.sh stop</span> <span class="py">RemainAfterExit</span><span class="p">=</span><span class="s">yes</span> <span class="py">SuccessExitStatus</span><span class="p">=</span><span class="s">0 143</span> <span class="nn">[Install]</span> <span class="py">WantedBy</span><span class="p">=</span><span class="s">multi-user.target</span> </code></pre> </div> <h2> 🚀 Enable and start the service </h2> <p>Reload systemd and start the agent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl daemon-reload <span class="nb">sudo </span>systemctl <span class="nb">enable </span>teamcity-agent <span class="nb">sudo </span>systemctl start teamcity-agent </code></pre> </div> <h2> 🔍 Verify status </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl status teamcity-agent </code></pre> </div> <p>Expected result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Active: active (exited) </code></pre> </div> <p>This is normal for TeamCity agents when using <code>Type=oneshot</code>.</p> <h2> ⚠️ Notes </h2> <ul> <li>The agent <strong>must be located in <code>/opt/teamcity/bin/agent.sh</code></strong> </li> <li> <code>RemainAfterExit=yes</code> is required so systemd considers the service active</li> <li> <code>SuccessExitStatus=143</code> prevents false failure detection</li> <li>Using <code>root</code> works, but for production it's safer to use a dedicated user</li> </ul> teamcity Kafka 4.2.0 on Kubernetes - Complete Setup Guide - Exposed to Internet giveitatry Mon, 23 Mar 2026 08:20:43 +0000 https://dev.to/giveitatry/kafka-on-kubernetes-complete-setup-guide-exposed-to-internet-2l83 https://dev.to/giveitatry/kafka-on-kubernetes-complete-setup-guide-exposed-to-internet-2l83 <p>3-broker Kafka cluster on k3s with KRaft, SASL/SCRAM, and external access via Traefik.</p> <p><strong>Before you start — get your Traefik IP:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc traefik <span class="nt">-n</span> kube-system </code></pre> </div> <p>Copy any IP from the <code>EXTERNAL-IP</code> column. Replace every occurrence of<br> <code>192.168.1.119</code> in the YAMLs below with your actual IP.</p> <h1> Stage 1 — Bootstrap </h1> <p>Apply all of these files in order. This stage starts the cluster with port 9094<br> open (no auth) so you can register SCRAM credentials.</p> <h2> 1.1 namespace.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> namespace.yaml </code></pre> </div> <h2> 1.2 kafka-jaas.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">data</span><span class="pi">:</span> <span class="na">jaas.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">KafkaServer {</span> <span class="s">org.apache.kafka.common.security.scram.ScramLoginModule required</span> <span class="s">username="admin"</span> <span class="s">password="supersecret";</span> <span class="s">};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-jaas.yaml </code></pre> </div> <h2> 1.3 kafka-sasl.yaml </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-sasl</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">password</span><span class="pi">:</span> <span class="s">supersecret</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-sasl.yaml </code></pre> </div> <h2> 1.4 traefik-config.yaml </h2> <p>Opens three TCP entrypoints on Traefik — one per broker.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">helm.cattle.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">HelmChartConfig</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">valuesContent</span><span class="pi">:</span> <span class="pi">|-</span> <span class="s">ports:</span> <span class="s">kafka-0:</span> <span class="s">port: 9092</span> <span class="s">expose:</span> <span class="s">default: true</span> <span class="s">exposedPort: 9092</span> <span class="s">protocol: TCP</span> <span class="s">kafka-1:</span> <span class="s">port: 9093</span> <span class="s">expose:</span> <span class="s">default: true</span> <span class="s">exposedPort: 9093</span> <span class="s">protocol: TCP</span> <span class="s">kafka-2:</span> <span class="s">port: 9094</span> <span class="s">expose:</span> <span class="s">default: true</span> <span class="s">exposedPort: 9094</span> <span class="s">protocol: TCP</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> traefik-config.yaml kubectl rollout status deployment/traefik <span class="nt">-n</span> kube-system </code></pre> </div> <p>Verify ports appeared:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc traefik <span class="nt">-n</span> kube-system <span class="c"># PORT(S) should include 9092, 9093, 9094 alongside 80 and 443</span> </code></pre> </div> <h2> 1.5 kafka-traefik.yaml </h2> <p>Headless service for internal pod DNS, one ClusterIP service per broker<br> (Traefik v3 routes to port 9095 on each pod), and IngressRouteTCP rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">plaintext-bootstrap</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9094</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-0-external</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">statefulset.kubernetes.io/pod-name</span><span class="pi">:</span> <span class="s">kafka-0</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-1-external</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">statefulset.kubernetes.io/pod-name</span><span class="pi">:</span> <span class="s">kafka-1</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-2-external</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">ClusterIP</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">statefulset.kubernetes.io/pod-name</span><span class="pi">:</span> <span class="s">kafka-2</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRouteTCP</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-0-tcp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka-0</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">HostSNI(`*`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-0-external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRouteTCP</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-1-tcp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka-1</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">HostSNI(`*`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-1-external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRouteTCP</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-2-tcp</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka-2</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">HostSNI(`*`)</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-2-external</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-traefik.yaml </code></pre> </div> <h2> 1.6 kafka-stateful-bootstrap.yaml </h2> <blockquote> <p>⚠️ Replace <code>192.168.1.119</code> with your Traefik IP before applying.</p> </blockquote> <p>Includes:</p> <ul> <li> <code>EXTERNAL</code> listener on port 9095 — Traefik routes external traffic here</li> <li> <code>PLAINTEXT</code> listener on port 9094 — temporary, no auth, used to register SCRAM credentials</li> <li>init container calculates the external port per broker: kafka-0 → 9092, kafka-1 → 9093, kafka-2 → 9094 </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-node-id</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.36</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ORDINAL=$(hostname | awk -F'-' '{print $NF}')</span> <span class="s">echo "$ORDINAL" &gt; /config/node-id</span> <span class="s">EXTERNAL_PORT=$((9092 + ORDINAL))</span> <span class="s">echo "$EXTERNAL_PORT" &gt; /config/external-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">format-storage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">NODE_ID=$(cat /config/node-id)</span> <span class="s">if [ ! -f "/data/meta.properties" ]; then</span> <span class="s">echo "Formatting storage for node $NODE_ID..."</span> <span class="s">echo "node.id=$NODE_ID" &gt; /tmp/kraft.properties</span> <span class="s">echo "process.roles=broker,controller" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.quorum.voters=0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listeners=PLAINTEXT://:9092,CONTROLLER://:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "advertised.listeners=PLAINTEXT://localhost:9092" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listener.security.protocol.map=PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "inter.broker.listener.name=PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.listener.names=CONTROLLER" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "log.dirs=/data" &gt;&gt; /tmp/kraft.properties</span> <span class="s">/opt/kafka/bin/kafka-storage.sh format \</span> <span class="s">--ignore-formatted \</span> <span class="s">--cluster-id q1Sh-9_ISia_zwGINzRvyQ \</span> <span class="s">--config /tmp/kraft.properties</span> <span class="s">else</span> <span class="s">echo "Already formatted, skipping."</span> <span class="s">fi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export KAFKA_NODE_ID=$(cat /config/node-id)</span> <span class="s">export EXTERNAL_PORT=$(cat /config/external-port)</span> <span class="s">export KAFKA_ADVERTISED_LISTENERS="INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092,EXTERNAL://192.168.1.119:${EXTERNAL_PORT},PLAINTEXT://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9094"</span> <span class="s">exec /etc/kafka/docker/run</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9094</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLUSTER_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">q1Sh-9_ISia_zwGINzRvyQ"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_PROCESS_ROLES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">broker,controller"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_LISTENER_NAMES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CONTROLLER"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_QUORUM_VOTERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093,EXTERNAL://:9095,PLAINTEXT://:9094"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT,PLAINTEXT:PLAINTEXT"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_INTER_BROKER_LISTENER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_ENABLED_MECHANISMS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_MIN_ISR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_MIN_INSYNC_REPLICAS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LOG_DIRS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Djava.security.auth.login.config=/opt/kafka/config/jaas/jaas.conf"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/kafka/config/jaas</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ReadWriteOnce"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-stateful-bootstrap.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> 1.7 Register SCRAM credentials </h2> <p>Port 9094 is open and unauthenticated. Use it to write the admin user into<br> Kafka's metadata store. This is a one-time operation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-configs.sh <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9094 <span class="se">\</span> <span class="nt">--alter</span> <span class="se">\</span> <span class="nt">--add-config</span> <span class="s1">'SCRAM-SHA-512=[password=supersecret]'</span> <span class="se">\</span> <span class="nt">--entity-type</span> <span class="nb">users</span> <span class="se">\</span> <span class="nt">--entity-name</span> admin </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Completed updating config for user admin. </code></pre> </div> <p>To add more users (application service accounts), repeat the command with<br> different <code>--entity-name</code> and password values while port 9094 is still open.</p> <h1> Stage 2 — Production (close port 9094) </h1> <p>Port 9094 is now unnecessary and a security risk. Apply the final StatefulSet<br> to remove it. No other files change.</p> <h2> 2.1 kafka-stateful-final.yaml </h2> <blockquote> <p>⚠️ Replace <code>192.168.1.119</code> with your Traefik IP before applying.</p> </blockquote> <p>Identical to the bootstrap version except:</p> <ul> <li> <code>PLAINTEXT://:9094</code> removed from <code>KAFKA_LISTENERS</code> </li> <li> <code>PLAINTEXT:PLAINTEXT</code> removed from <code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code> </li> <li>PLAINTEXT entry removed from <code>KAFKA_ADVERTISED_LISTENERS</code> </li> <li> <code>containerPort: 9094</code> removed </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-node-id</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.36</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ORDINAL=$(hostname | awk -F'-' '{print $NF}')</span> <span class="s">echo "$ORDINAL" &gt; /config/node-id</span> <span class="s">EXTERNAL_PORT=$((9092 + ORDINAL))</span> <span class="s">echo "$EXTERNAL_PORT" &gt; /config/external-port</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">format-storage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">NODE_ID=$(cat /config/node-id)</span> <span class="s">if [ ! -f "/data/meta.properties" ]; then</span> <span class="s">echo "Formatting storage for node $NODE_ID..."</span> <span class="s">echo "node.id=$NODE_ID" &gt; /tmp/kraft.properties</span> <span class="s">echo "process.roles=broker,controller" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.quorum.voters=0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listeners=PLAINTEXT://:9092,CONTROLLER://:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "advertised.listeners=PLAINTEXT://localhost:9092" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listener.security.protocol.map=PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "inter.broker.listener.name=PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.listener.names=CONTROLLER" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "log.dirs=/data" &gt;&gt; /tmp/kraft.properties</span> <span class="s">/opt/kafka/bin/kafka-storage.sh format \</span> <span class="s">--ignore-formatted \</span> <span class="s">--cluster-id q1Sh-9_ISia_zwGINzRvyQ \</span> <span class="s">--config /tmp/kraft.properties</span> <span class="s">else</span> <span class="s">echo "Already formatted, skipping."</span> <span class="s">fi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export KAFKA_NODE_ID=$(cat /config/node-id)</span> <span class="s">export EXTERNAL_PORT=$(cat /config/external-port)</span> <span class="s">export KAFKA_ADVERTISED_LISTENERS="INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092,EXTERNAL://192.168.1.119:${EXTERNAL_PORT}"</span> <span class="s">exec /etc/kafka/docker/run</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9095</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLUSTER_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">q1Sh-9_ISia_zwGINzRvyQ"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_PROCESS_ROLES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">broker,controller"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_LISTENER_NAMES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CONTROLLER"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_QUORUM_VOTERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093,EXTERNAL://:9095"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_INTER_BROKER_LISTENER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_ENABLED_MECHANISMS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_MIN_ISR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_MIN_INSYNC_REPLICAS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LOG_DIRS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Djava.security.auth.login.config=/opt/kafka/config/jaas/jaas.conf"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/kafka/config/jaas</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ReadWriteOnce"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-stateful-final.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> 2.2 Verify </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-metadata-quorum.sh <span class="se">\</span> <span class="nt">--bootstrap-controller</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9093 <span class="se">\</span> describe <span class="nt">--status</span> </code></pre> </div> <p>Healthy output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">LeaderId:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">MaxFollowerLag:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">MaxFollowerLagTimeMs:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">CurrentVoters:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">}]</span><span class="w"> </span><span class="err">CurrentObservers:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></code></pre> </div> <h2> 2.3 Python client </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>kafka-python-ng </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">kafka</span> <span class="kn">import</span> <span class="n">KafkaProducer</span><span class="p">,</span> <span class="n">KafkaConsumer</span><span class="p">,</span> <span class="n">KafkaAdminClient</span> <span class="kn">from</span> <span class="n">kafka.admin</span> <span class="kn">import</span> <span class="n">NewTopic</span> <span class="kn">from</span> <span class="n">kafka.errors</span> <span class="kn">import</span> <span class="n">TopicAlreadyExistsError</span> <span class="kn">import</span> <span class="n">json</span><span class="p">,</span> <span class="n">time</span> <span class="c1"># Replace 192.168.1.119 with your Traefik IP </span><span class="n">BOOTSTRAP_SERVERS</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">192.168.1.119:9092</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># kafka-0 </span> <span class="sh">"</span><span class="s">192.168.1.119:9093</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># kafka-1 </span> <span class="sh">"</span><span class="s">192.168.1.119:9094</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># kafka-2 </span><span class="p">]</span> <span class="n">SASL_CONFIG</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">security_protocol</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SASL_PLAINTEXT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sasl_mechanism</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">SCRAM-SHA-512</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sasl_plain_username</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">admin</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sasl_plain_password</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">supersecret</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="n">TOPIC</span> <span class="o">=</span> <span class="sh">"</span><span class="s">orders</span><span class="sh">"</span> <span class="k">def</span> <span class="nf">create_topic</span><span class="p">(</span><span class="n">topic</span><span class="p">):</span> <span class="n">admin</span> <span class="o">=</span> <span class="nc">KafkaAdminClient</span><span class="p">(</span><span class="n">bootstrap_servers</span><span class="o">=</span><span class="n">BOOTSTRAP_SERVERS</span><span class="p">,</span> <span class="o">**</span><span class="n">SASL_CONFIG</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">admin</span><span class="p">.</span><span class="nf">create_topics</span><span class="p">([</span> <span class="nc">NewTopic</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">topic</span><span class="p">,</span> <span class="n">num_partitions</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">replication_factor</span><span class="o">=</span><span class="mi">3</span><span class="p">)</span> <span class="p">])</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Topic </span><span class="sh">'</span><span class="si">{</span><span class="n">topic</span><span class="si">}</span><span class="sh">'</span><span class="s"> created.</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">TopicAlreadyExistsError</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Topic </span><span class="sh">'</span><span class="si">{</span><span class="n">topic</span><span class="si">}</span><span class="sh">'</span><span class="s"> already exists.</span><span class="sh">"</span><span class="p">)</span> <span class="k">finally</span><span class="p">:</span> <span class="n">admin</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">produce</span><span class="p">(</span><span class="n">topic</span><span class="o">=</span><span class="n">TOPIC</span><span class="p">,</span> <span class="n">count</span><span class="o">=</span><span class="mi">10</span><span class="p">):</span> <span class="n">producer</span> <span class="o">=</span> <span class="nc">KafkaProducer</span><span class="p">(</span> <span class="n">bootstrap_servers</span><span class="o">=</span><span class="n">BOOTSTRAP_SERVERS</span><span class="p">,</span> <span class="o">**</span><span class="n">SASL_CONFIG</span><span class="p">,</span> <span class="n">value_serializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">v</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">v</span><span class="p">).</span><span class="nf">encode</span><span class="p">(),</span> <span class="n">key_serializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">k</span><span class="p">:</span> <span class="n">k</span><span class="p">.</span><span class="nf">encode</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="n">acks</span><span class="o">=</span><span class="sh">"</span><span class="s">all</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">count</span><span class="p">):</span> <span class="n">meta</span> <span class="o">=</span> <span class="n">producer</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span> <span class="n">topic</span><span class="p">,</span> <span class="n">key</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">i</span><span class="p">),</span> <span class="n">value</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">i</span><span class="p">,</span> <span class="sh">"</span><span class="s">ts</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()}</span> <span class="p">).</span><span class="nf">get</span><span class="p">(</span><span class="n">timeout</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> sent [</span><span class="si">{</span><span class="n">i</span><span class="si">}</span><span class="s">] partition=</span><span class="si">{</span><span class="n">meta</span><span class="p">.</span><span class="n">partition</span><span class="si">}</span><span class="s"> offset=</span><span class="si">{</span><span class="n">meta</span><span class="p">.</span><span class="n">offset</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="n">producer</span><span class="p">.</span><span class="nf">flush</span><span class="p">()</span> <span class="n">producer</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">def</span> <span class="nf">consume</span><span class="p">(</span><span class="n">topic</span><span class="o">=</span><span class="n">TOPIC</span><span class="p">):</span> <span class="n">consumer</span> <span class="o">=</span> <span class="nc">KafkaConsumer</span><span class="p">(</span> <span class="n">topic</span><span class="p">,</span> <span class="n">bootstrap_servers</span><span class="o">=</span><span class="n">BOOTSTRAP_SERVERS</span><span class="p">,</span> <span class="o">**</span><span class="n">SASL_CONFIG</span><span class="p">,</span> <span class="n">value_deserializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">v</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">v</span><span class="p">.</span><span class="nf">decode</span><span class="p">()),</span> <span class="n">key_deserializer</span><span class="o">=</span><span class="k">lambda</span> <span class="n">k</span><span class="p">:</span> <span class="n">k</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span> <span class="k">if</span> <span class="n">k</span> <span class="k">else</span> <span class="bp">None</span><span class="p">,</span> <span class="n">group_id</span><span class="o">=</span><span class="sh">"</span><span class="s">my-group</span><span class="sh">"</span><span class="p">,</span> <span class="n">auto_offset_reset</span><span class="o">=</span><span class="sh">"</span><span class="s">earliest</span><span class="sh">"</span><span class="p">,</span> <span class="n">consumer_timeout_ms</span><span class="o">=</span><span class="mi">5000</span><span class="p">,</span> <span class="p">)</span> <span class="k">for</span> <span class="n">msg</span> <span class="ow">in</span> <span class="n">consumer</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s"> recv key=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">key</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">partition=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">partition</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">offset=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">offset</span><span class="si">}</span><span class="s"> </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">value=</span><span class="si">{</span><span class="n">msg</span><span class="p">.</span><span class="n">value</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">consumer</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">create_topic</span><span class="p">(</span><span class="n">TOPIC</span><span class="p">)</span> <span class="nf">produce</span><span class="p">()</span> <span class="nf">consume</span><span class="p">()</span> </code></pre> </div> <h2> Troubleshooting </h2> <p><strong>Pods not starting</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> format-storage kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> init-node-id </code></pre> </div> <p><strong>SCRAM registration times out</strong></p> <p>Port 9094 is not reachable. Check the headless service includes it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc kafka-headless <span class="nt">-n</span> kafka </code></pre> </div> <p><strong>Python client connects but gets wrong broker addresses</strong></p> <p>The Traefik IP in the StatefulSet command block is wrong. Fix it and roll:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <p><strong>Traefik ports not appearing</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart deployment/traefik <span class="nt">-n</span> kube-system kubectl get svc traefik <span class="nt">-n</span> kube-system </code></pre> </div> devops kubernetes networking tutorial Deploying Apache Kafka 4.2.0 on Kubernetes with KRaft, SASL, and High Availability giveitatry Sun, 22 Mar 2026 12:41:13 +0000 https://dev.to/giveitatry/deploying-apache-kafka-4x-on-kubernetes-with-kraft-sasl-and-high-availability-3m0k https://dev.to/giveitatry/deploying-apache-kafka-4x-on-kubernetes-with-kraft-sasl-and-high-availability-3m0k <h2> Overview </h2> <p>This guide walks through deploying a production-grade Apache Kafka cluster on Kubernetes using KRaft mode (no ZooKeeper), SASL/SCRAM-SHA-512 authentication, and a 3-node StatefulSet for high availability. It covers every manifest file required, the reasoning behind each configuration decision, the SCRAM credential bootstrap process, common pitfalls encountered in practice, and the steps needed to take the cluster from running to production-ready.</p> <h2> Prerequisites </h2> <h3> Tools </h3> <ul> <li> <code>kubectl</code> configured against your target cluster</li> <li>A Kubernetes cluster with at least 3 nodes (one per Kafka pod) with sufficient resources</li> <li>Persistent volume provisioner available (e.g. local-path, Longhorn, Ceph, AWS EBS)</li> <li> <code>keytool</code> (part of the JDK) if you plan to add TLS later</li> </ul> <h3> Cluster Resources </h3> <p>Each Kafka pod in this guide requests 500m CPU and 1Gi RAM, with limits of 2 CPU and 4Gi RAM. For production you should size these based on your throughput requirements. A minimum of 10Gi persistent storage per broker is configured.</p> <h3> Kubernetes Version </h3> <p>Kubernetes 1.21 or later is recommended. StatefulSets, headless Services, and ConfigMaps used in this guide are stable APIs available in all modern versions.</p> <h2> Architecture </h2> <p>The cluster consists of three pods (<code>kafka-0</code>, <code>kafka-1</code>, <code>kafka-2</code>) each running in combined broker+controller mode using KRaft. This means each pod participates in the Raft quorum for metadata management as well as serving producer and consumer traffic.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────┐ │ Kafka Namespace │ │ │ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │ │ kafka-0 │ │ kafka-1 │ │ kafka-2 │ │ │ │ broker │ │ broker │ │ broker │ │ │ │ + ctrl │ │ + ctrl │ │ + ctrl │ │ │ └────┬────┘ └────┬────┘ └────┬────┘ │ │ │ │ │ │ │ port 9092 (SASL_PLAINTEXT — broker) │ │ port 9093 (PLAINTEXT — controller) │ │ │ │ ┌─────────────────────────────────┐ │ │ │ kafka-headless (ClusterIP: │ │ │ │ None) — DNS per pod │ │ │ └─────────────────────────────────┘ │ └─────────────────────────────────────────┘ </code></pre> </div> <p>KRaft requires a majority quorum (2 out of 3) to elect a leader and commit metadata. The cluster can tolerate the loss of one node.</p> <h2> File Structure </h2> <p>You need five manifest files plus one temporary modification during the SCRAM bootstrap process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="s">namespace.yaml — Kafka namespace</span> <span class="s">kafka-svc.yaml — Headless service for pod DNS</span> <span class="s">kafka-jaas.yaml — JAAS config for inter-broker SCRAM auth</span> <span class="s">kafka-sasl.yaml — Secret holding admin credentials for client apps</span> <span class="s">kafka-stateful-set.yaml — Brokers, init containers, volumes, config</span> </code></pre> </div> <h2> Step 1 — Namespace </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># namespace.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Namespace</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <p>Apply first so all subsequent resources land in the correct namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> namespace.yaml </code></pre> </div> <h2> Step 2 — Headless Service </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-svc.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> </code></pre> </div> <p>A headless service (<code>clusterIP: None</code>) causes Kubernetes DNS to create per-pod A records:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kafka-0.kafka-headless.kafka.svc.cluster.local kafka-1.kafka-headless.kafka.svc.cluster.local kafka-2.kafka-headless.kafka.svc.cluster.local </code></pre> </div> <p>These stable DNS names are what the KRaft quorum voters list and the advertised listeners are built from. They survive pod restarts and rescheduling because they are tied to the StatefulSet ordinal, not the pod IP.</p> <h2> Step 3 — JAAS Configuration </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-jaas.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">data</span><span class="pi">:</span> <span class="na">jaas.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">KafkaServer {</span> <span class="s">org.apache.kafka.common.security.scram.ScramLoginModule required</span> <span class="s">username="admin"</span> <span class="s">password="supersecret";</span> <span class="s">};</span> </code></pre> </div> <p>This file configures the Java Authentication and Authorization Service (JAAS) for the Kafka broker process itself. The <code>username</code> and <code>password</code> here are the inter-broker credentials — what each broker uses when authenticating to other brokers on the <code>INTERNAL</code> listener.</p> <p><strong>Important:</strong> JAAS alone does not create the SCRAM user in Kafka's metadata store. That is a separate bootstrap step performed after the cluster is running (see Step 7). The JAAS file tells the broker process what credentials to use, but those credentials must also exist in Kafka's internal metadata before inter-broker authentication will succeed.</p> <h2> Step 4 — SASL Secret </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-sasl.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-sasl</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">username</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">password</span><span class="pi">:</span> <span class="s">supersecret</span> </code></pre> </div> <p>This secret can be mounted into client pods or referenced by applications that need to connect to Kafka. It is separate from the JAAS ConfigMap so that client credentials can be managed independently of the broker configuration.</p> <h2> Step 5 — StatefulSet </h2> <p>This is the core manifest. It contains two init containers and one main broker container.</p> <h3> Why Two Init Containers? </h3> <p><strong>init-node-id</strong> runs a tiny busybox container to extract the pod ordinal (0, 1, or 2) from the hostname and writes it to a shared <code>emptyDir</code> volume. This is necessary because Kubernetes environment variable substitution does not support string manipulation, so you cannot derive the integer <code>0</code> from the pod name <code>kafka-0</code> using env vars alone.</p> <p><strong>format-storage</strong> runs the actual Kafka image to format the KRaft log directory using <code>kafka-storage.sh</code>. It only runs if <code>/data/meta.properties</code> does not already exist, making it safe on pod restarts. The temporary <code>kraft.properties</code> file used during formatting includes a dummy plaintext broker listener — this is required because Kafka's config validator refuses to proceed if the only listener defined is a controller listener. These values are only used during formatting and are not used by the running broker.</p> <h3> Why <code>/etc/kafka/docker/run</code> Instead of <code>kafka-server-start.sh</code>? </h3> <p>The official <code>apache/kafka</code> Docker image ships an entrypoint at <code>/etc/kafka/docker/run</code> that translates <code>KAFKA_*</code> environment variables into <code>server.properties</code> entries before starting the broker. Calling <code>kafka-server-start.sh</code> directly bypasses this translation entirely — env vars like <code>KAFKA_LOG_DIRS</code> are ignored and the broker falls back to compiled-in defaults, causing it to look for data in the wrong directory.</p> <h3> Why <code>CLUSTER_ID</code> as an Env Var? </h3> <p>If <code>CLUSTER_ID</code> is not set, the official entrypoint generates a new random cluster ID on every pod start and attempts to re-format storage. This fails because the existing <code>meta.properties</code> already has a different ID written by the init container. Always set <code>CLUSTER_ID</code> to match the value used during the format step.</p> <h3> Generating Your Own Cluster ID </h3> <p>The cluster ID <code>q1Sh-9_ISia_zwGINzRvyQ</code> used in this guide was generated with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/opt/kafka/bin/kafka-storage.sh random-uuid </code></pre> </div> <p>Generate your own unique ID for each cluster you deploy. Do not reuse IDs across clusters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-stateful-set.yaml</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StatefulSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">serviceName</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">securityContext</span><span class="pi">:</span> <span class="na">fsGroup</span><span class="pi">:</span> <span class="m">1001</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">init-node-id</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox:1.36</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ORDINAL=$(hostname | awk -F'-' '{print $NF}')</span> <span class="s">echo "$ORDINAL" &gt; /config/node-id</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">format-storage</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">NODE_ID=$(cat /config/node-id)</span> <span class="s">if [ ! -f "/data/meta.properties" ]; then</span> <span class="s">echo "Formatting storage for node $NODE_ID..."</span> <span class="s">echo "node.id=$NODE_ID" &gt; /tmp/kraft.properties</span> <span class="s">echo "process.roles=broker,controller" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.quorum.voters=0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listeners=PLAINTEXT://:9092,CONTROLLER://:9093" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "advertised.listeners=PLAINTEXT://localhost:9092" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "listener.security.protocol.map=PLAINTEXT:PLAINTEXT,CONTROLLER:PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "inter.broker.listener.name=PLAINTEXT" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "controller.listener.names=CONTROLLER" &gt;&gt; /tmp/kraft.properties</span> <span class="s">echo "log.dirs=/data" &gt;&gt; /tmp/kraft.properties</span> <span class="s">/opt/kafka/bin/kafka-storage.sh format \</span> <span class="s">--ignore-formatted \</span> <span class="s">--cluster-id q1Sh-9_ISia_zwGINzRvyQ \</span> <span class="s">--config /tmp/kraft.properties</span> <span class="s">else</span> <span class="s">echo "Already formatted, skipping."</span> <span class="s">fi</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">image</span><span class="pi">:</span> <span class="s">apache/kafka:4.2.0</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sh</span> <span class="pi">-</span> <span class="s">-c</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export KAFKA_NODE_ID=$(cat /config/node-id)</span> <span class="s">exec /etc/kafka/docker/run</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">9093</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">CLUSTER_ID</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">q1Sh-9_ISia_zwGINzRvyQ"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_PROCESS_ROLES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">broker,controller"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_LISTENER_NAMES</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">CONTROLLER"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_CONTROLLER_QUORUM_VOTERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0@kafka-0.kafka-headless.kafka.svc.cluster.local:9093,1@kafka-1.kafka-headless.kafka.svc.cluster.local:9093,2@kafka-2.kafka-headless.kafka.svc.cluster.local:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_INTER_BROKER_LISTENER_NAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">POD_NAME</span> <span class="na">valueFrom</span><span class="pi">:</span> <span class="na">fieldRef</span><span class="pi">:</span> <span class="na">fieldPath</span><span class="pi">:</span> <span class="s">metadata.name</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_ADVERTISED_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_ENABLED_MECHANISMS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL</span> <span class="na">value</span><span class="pi">:</span> <span class="s">SCRAM-SHA-512</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_TRANSACTION_STATE_LOG_MIN_ISR</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_MIN_INSYNC_REPLICAS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LOG_DIRS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Djava.security.auth.login.config=/opt/kafka/config/jaas/jaas.conf"</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/config</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-jaas</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt/kafka/config/jaas</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s">500m</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">2"</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">4Gi</span> <span class="na">volumeClaimTemplates</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-data</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">ReadWriteOnce"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">10Gi</span> </code></pre> </div> <h2> Step 6 — Initial Deployment </h2> <p>Apply all manifests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> namespace.yaml kubectl apply <span class="nt">-f</span> kafka-svc.yaml kubectl apply <span class="nt">-f</span> kafka-jaas.yaml kubectl apply <span class="nt">-f</span> kafka-sasl.yaml kubectl apply <span class="nt">-f</span> kafka-stateful-set.yaml </code></pre> </div> <p>Watch the pods come up:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> kafka <span class="nt">-w</span> </code></pre> </div> <p>All three pods should reach <code>Running</code> status within a minute or two. Check kafka-0 logs to confirm a clean startup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kafka kafka-0 </code></pre> </div> <p>A healthy startup ends with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[KafkaRaftServer nodeId=0] Kafka Server started </code></pre> </div> <h2> Step 7 — Bootstrap SCRAM Credentials </h2> <p>This is the most involved post-deployment step, and also the most commonly misunderstood. Here is why it requires a special process.</p> <h3> The Chicken-and-Egg Problem </h3> <p>The broker's <code>INTERNAL</code> listener (port 9092) requires SASL/SCRAM-SHA-512 authentication. The <code>kafka-configs.sh</code> admin tool needs to connect to a broker to write SCRAM credentials into Kafka's metadata. But to connect to the broker, you need valid SCRAM credentials — which don't exist yet because you haven't written them.</p> <p>There are two apparent escape hatches that do not actually work:</p> <ul> <li> <strong>Using the JAAS file credentials directly against port 9092</strong> — the JAAS file tells the broker process what credentials to use for its own inter-broker connections, but those credentials must also exist in Kafka's metadata store before the SCRAM handshake will succeed. The JAAS file does not pre-populate metadata.</li> <li> <strong>Using <code>--bootstrap-controller</code> against port 9093</strong> — Kafka 4.x does not support the <code>alterUserScramCredentials</code> admin API via the controller quorum endpoint. It must go through a broker.</li> </ul> <p>The solution is to temporarily open an unauthenticated <code>PLAINTEXT</code> listener on a separate port (9094), use it to write the credentials, then close it again.</p> <h3> 7a — Add the Temporary Listener to the Service </h3> <p>Edit <code>kafka-svc.yaml</code> to add port 9094:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-svc.yaml (temporary — port 9094 will be removed after bootstrap)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">plaintext-bootstrap</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9094</span> </code></pre> </div> <h3> 7b — Add the Temporary Listener to the StatefulSet </h3> <p>Edit <code>kafka-stateful-set.yaml</code> and make these changes to the broker container:</p> <p>Add <code>containerPort: 9094</code> to the ports list.</p> <p>Change <code>KAFKA_LISTENERS</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://:9092,CONTROLLER://:9093,PLAINTEXT://:9094"</span> </code></pre> </div> <p>Change <code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL:SASL_PLAINTEXT,CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT"</span> </code></pre> </div> <p>Change <code>KAFKA_ADVERTISED_LISTENERS</code> to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_ADVERTISED_LISTENERS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">INTERNAL://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9092,PLAINTEXT://$(POD_NAME).kafka-headless.kafka.svc.cluster.local:9094"</span> </code></pre> </div> <h3> 7c — Apply and Wait for Rollout </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-svc.yaml kubectl apply <span class="nt">-f</span> kafka-stateful-set.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h3> 7d — Register the SCRAM Credentials </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-configs.sh <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9094 <span class="se">\</span> <span class="nt">--alter</span> <span class="se">\</span> <span class="nt">--add-config</span> <span class="s1">'SCRAM-SHA-512=[password=supersecret]'</span> <span class="se">\</span> <span class="nt">--entity-type</span> <span class="nb">users</span> <span class="se">\</span> <span class="nt">--entity-name</span> admin </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Completed updating config for user admin. </code></pre> </div> <p>If you need additional users (application service accounts), register them now while port 9094 is still open:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-configs.sh <span class="se">\</span> <span class="nt">--bootstrap-server</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9094 <span class="se">\</span> <span class="nt">--alter</span> <span class="se">\</span> <span class="nt">--add-config</span> <span class="s1">'SCRAM-SHA-512=[password=apppassword]'</span> <span class="se">\</span> <span class="nt">--entity-type</span> <span class="nb">users</span> <span class="se">\</span> <span class="nt">--entity-name</span> myapp </code></pre> </div> <h3> 7e — Remove the Temporary Listener </h3> <p>Revert <code>kafka-svc.yaml</code> to remove port 9094:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># kafka-svc.yaml (final)</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-headless</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">clusterIP</span><span class="pi">:</span> <span class="s">None</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">internal</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">controller</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> </code></pre> </div> <p>Revert the StatefulSet changes — remove the <code>PLAINTEXT</code> entries from <code>KAFKA_LISTENERS</code>, <code>KAFKA_LISTENER_SECURITY_PROTOCOL_MAP</code>, and <code>KAFKA_ADVERTISED_LISTENERS</code>, and remove the <code>containerPort: 9094</code> line.</p> <p>Apply and wait:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> kafka-svc.yaml kubectl apply <span class="nt">-f</span> kafka-stateful-set.yaml kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> Step 8 — Verify the Cluster </h2> <p>Check the KRaft quorum status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> /opt/kafka/bin/kafka-metadata-quorum.sh <span class="se">\</span> <span class="nt">--bootstrap-controller</span> kafka-0.kafka-headless.kafka.svc.cluster.local:9093 <span class="se">\</span> describe <span class="nt">--status</span> </code></pre> </div> <p>A healthy cluster shows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">LeaderId:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">LeaderEpoch:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="err">HighWatermark:</span><span class="w"> </span><span class="mi">303</span><span class="w"> </span><span class="err">MaxFollowerLag:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">MaxFollowerLagTimeMs:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="err">CurrentVoters:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="err">...</span><span class="p">}]</span><span class="w"> </span><span class="err">CurrentObservers:</span><span class="w"> </span><span class="p">[]</span><span class="w"> </span></code></pre> </div> <p><code>MaxFollowerLag: 0</code> confirms all three nodes are fully in sync. Three voters and no observers confirms all nodes are full participants in the quorum.</p> <p>Verify SASL authentication works on port 9092:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> bash <span class="nt">-c</span> <span class="s1">' cat &gt; /tmp/client.properties &lt;&lt; EOF security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="supersecret"; EOF /opt/kafka/bin/kafka-topics.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --command-config /tmp/client.properties \ --list '</span> </code></pre> </div> <p>Create a test topic and produce/consume a message:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> bash <span class="nt">-c</span> <span class="s1">' cat &gt; /tmp/client.properties &lt;&lt; EOF security.protocol=SASL_PLAINTEXT sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="admin" password="supersecret"; EOF /opt/kafka/bin/kafka-topics.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --command-config /tmp/client.properties \ --create --topic test --partitions 3 --replication-factor 3 echo "hello kafka" | /opt/kafka/bin/kafka-console-producer.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --producer.config /tmp/client.properties \ --topic test /opt/kafka/bin/kafka-console-consumer.sh \ --bootstrap-server kafka-0.kafka-headless.kafka.svc.cluster.local:9092 \ --consumer.config /tmp/client.properties \ --topic test --from-beginning --max-messages 1 '</span> </code></pre> </div> <h2> Production Hardening Checklist </h2> <p>The cluster at this point is functional and secured with SASL. The following additional steps are needed before handling real production traffic.</p> <h3> Add TLS Encryption </h3> <p>The current setup uses <code>SASL_PLAINTEXT</code>, meaning credentials and data are transmitted unencrypted within the cluster. For any environment where network traffic could be intercepted, upgrade to <code>SASL_SSL</code>.</p> <p>Generate a keystore and truststore using <code>keytool</code>. The Subject Alternative Names (SANs) must cover all broker hostnames — this is the most common mistake when setting up TLS for Kafka on Kubernetes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">PASS</span><span class="o">=</span>yourpassword <span class="nv">SAN</span><span class="o">=</span><span class="s2">"dns:kafka-0.kafka-headless.kafka.svc.cluster.local,</span><span class="se">\</span><span class="s2"> dns:kafka-1.kafka-headless.kafka.svc.cluster.local,</span><span class="se">\</span><span class="s2"> dns:kafka-2.kafka-headless.kafka.svc.cluster.local,</span><span class="se">\</span><span class="s2"> dns:kafka-headless.kafka.svc.cluster.local"</span> <span class="c"># Generate CA</span> keytool <span class="nt">-genkeypair</span> <span class="nt">-alias</span> ca <span class="nt">-keyalg</span> RSA <span class="nt">-keysize</span> 2048 <span class="se">\</span> <span class="nt">-dname</span> <span class="s2">"CN=kafka-ca"</span> <span class="nt">-validity</span> 3650 <span class="se">\</span> <span class="nt">-keystore</span> ca.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-storetype</span> JKS keytool <span class="nt">-exportcert</span> <span class="nt">-alias</span> ca <span class="nt">-keystore</span> ca.jks <span class="se">\</span> <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-file</span> ca.crt <span class="c"># Generate broker keypair and CSR</span> keytool <span class="nt">-genkeypair</span> <span class="nt">-alias</span> kafka <span class="nt">-keyalg</span> RSA <span class="nt">-keysize</span> 2048 <span class="se">\</span> <span class="nt">-dname</span> <span class="s2">"CN=kafka"</span> <span class="nt">-validity</span> 3650 <span class="se">\</span> <span class="nt">-keystore</span> keystore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-storetype</span> JKS keytool <span class="nt">-certreq</span> <span class="nt">-alias</span> kafka <span class="nt">-keystore</span> keystore.jks <span class="se">\</span> <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-file</span> kafka.csr <span class="c"># Sign the CSR with the CA, including all broker SANs</span> keytool <span class="nt">-gencert</span> <span class="nt">-alias</span> ca <span class="nt">-keystore</span> ca.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="se">\</span> <span class="nt">-infile</span> kafka.csr <span class="nt">-outfile</span> kafka.crt <span class="nt">-validity</span> 3650 <span class="se">\</span> <span class="nt">-ext</span> <span class="s2">"SAN=</span><span class="nv">$SAN</span><span class="s2">"</span> <span class="c"># Import CA + signed cert into the keystore</span> keytool <span class="nt">-importcert</span> <span class="nt">-alias</span> ca <span class="nt">-file</span> ca.crt <span class="se">\</span> <span class="nt">-keystore</span> keystore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-noprompt</span> keytool <span class="nt">-importcert</span> <span class="nt">-alias</span> kafka <span class="nt">-file</span> kafka.crt <span class="se">\</span> <span class="nt">-keystore</span> keystore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-noprompt</span> <span class="c"># Build truststore containing only the CA</span> keytool <span class="nt">-importcert</span> <span class="nt">-alias</span> ca <span class="nt">-file</span> ca.crt <span class="se">\</span> <span class="nt">-keystore</span> truststore.jks <span class="nt">-storepass</span> <span class="nv">$PASS</span> <span class="nt">-noprompt</span> <span class="c"># Store in Kubernetes</span> kubectl create secret generic kafka-tls <span class="nt">-n</span> kafka <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>keystore.jks<span class="o">=</span>keystore.jks <span class="se">\</span> <span class="nt">--from-file</span><span class="o">=</span>truststore.jks<span class="o">=</span>truststore.jks <span class="se">\</span> <span class="nt">--from-literal</span><span class="o">=</span><span class="nv">password</span><span class="o">=</span><span class="nv">$PASS</span> <span class="se">\</span> <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml | kubectl apply <span class="nt">-f</span> - </code></pre> </div> <p>Then update the StatefulSet to mount the secret and change the listener protocols:</p> <ul> <li> <code>INTERNAL:SASL_PLAINTEXT</code> → <code>INTERNAL:SASL_SSL</code> </li> <li> <code>CONTROLLER:PLAINTEXT</code> → <code>CONTROLLER:SSL</code> </li> <li>Add <code>KAFKA_SSL_KEYSTORE_LOCATION</code>, <code>KAFKA_SSL_TRUSTSTORE_LOCATION</code>, <code>KAFKA_SSL_KEYSTORE_PASSWORD</code>, <code>KAFKA_SSL_TRUSTSTORE_PASSWORD</code> env vars</li> <li>Mount the <code>kafka-tls</code> secret as a volume at <code>/tls</code> </li> </ul> <h3> Change Default Credentials </h3> <p>The <code>admin</code>/<code>supersecret</code> credentials used in this guide are for demonstration only. Before going to production:</p> <ol> <li>Update <code>kafka-jaas.yaml</code> with a strong randomly generated password</li> <li>Update <code>kafka-sasl.yaml</code> with the same password</li> <li>Re-register the SCRAM credentials using the bootstrap process in Step 7</li> <li>Rotate any client configurations that reference the old credentials</li> </ol> <h3> Network Policies </h3> <p>Add a NetworkPolicy to restrict which pods can reach Kafka:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-network-policy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="pi">-</span> <span class="s">Egress</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9093</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">egress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">to</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <h3> Pod Anti-Affinity </h3> <p>Prevent Kubernetes from scheduling multiple Kafka pods on the same node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">affinity</span><span class="pi">:</span> <span class="na">podAntiAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">labelSelector</span><span class="pi">:</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">app</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">In</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">kafka</span> <span class="na">topologyKey</span><span class="pi">:</span> <span class="s">kubernetes.io/hostname</span> </code></pre> </div> <p>Add this under <code>spec.template.spec</code> in the StatefulSet.</p> <h3> Pod Disruption Budget </h3> <p>Ensure Kubernetes never takes down more than one Kafka pod at a time during voluntary disruptions such as node drains or rolling updates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">policy/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PodDisruptionBudget</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kafka-pdb</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kafka</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">minAvailable</span><span class="pi">:</span> <span class="m">2</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">kafka</span> </code></pre> </div> <h3> Liveness and Readiness Probes </h3> <p>Add probes so Kubernetes can detect and restart unhealthy pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">livenessProbe</span><span class="pi">:</span> <span class="na">tcpSocket</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">30</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">10</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">6</span> <span class="na">readinessProbe</span><span class="pi">:</span> <span class="na">tcpSocket</span><span class="pi">:</span> <span class="na">port</span><span class="pi">:</span> <span class="m">9092</span> <span class="na">initialDelaySeconds</span><span class="pi">:</span> <span class="m">20</span> <span class="na">periodSeconds</span><span class="pi">:</span> <span class="m">5</span> <span class="na">failureThreshold</span><span class="pi">:</span> <span class="m">3</span> </code></pre> </div> <h3> Resource Tuning </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Workload</th> <th>CPU Request</th> <th>Memory Request</th> <th>Storage</th> </tr> </thead> <tbody> <tr> <td>Development</td> <td>250m</td> <td>512Mi</td> <td>5Gi</td> </tr> <tr> <td>Low traffic</td> <td>500m</td> <td>1Gi</td> <td>20Gi</td> </tr> <tr> <td>Medium traffic</td> <td>1</td> <td>2Gi</td> <td>50Gi</td> </tr> <tr> <td>High traffic</td> <td>2–4</td> <td>4–8Gi</td> <td>100Gi+</td> </tr> </tbody> </table></div> <h3> JVM Heap Tuning </h3> <p>Set the JVM heap via the <code>KAFKA_HEAP_OPTS</code> env var. A common rule of thumb is 50% of the container memory limit, not exceeding 6Gi:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_HEAP_OPTS</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">-Xms2g</span><span class="nv"> </span><span class="s">-Xmx2g"</span> </code></pre> </div> <h3> Monitoring </h3> <p>The official <code>apache/kafka</code> image exposes JMX metrics. Enable them with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_JMX_PORT</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">9999"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">KAFKA_JMX_HOSTNAME</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">0.0.0.0"</span> </code></pre> </div> <p>Key metrics to monitor:</p> <ul> <li> <code>kafka.server:type=ReplicaManager,name=UnderReplicatedPartitions</code> — should always be 0</li> <li> <code>kafka.controller:type=KafkaController,name=ActiveControllerCount</code> — should be 1 across the cluster</li> <li> <code>kafka.network:type=RequestMetrics,name=TotalTimeMs</code> — producer/consumer latency</li> <li>JVM GC pause times — long pauses indicate heap needs tuning</li> </ul> <h2> Common Troubleshooting </h2> <p><strong>Pod stuck in Init state</strong></p> <p>Check the init container logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> format-storage kubectl logs <span class="nt">-n</span> kafka kafka-0 <span class="nt">-c</span> init-node-id </code></pre> </div> <p><strong><code>No readable meta.properties</code> error</strong></p> <p>The broker cannot find formatted storage. Ensure you are using <code>/etc/kafka/docker/run</code> as the entrypoint, not <code>kafka-server-start.sh</code>. The latter ignores <code>KAFKA_*</code> env vars and the broker looks in the wrong directory.</p> <p><strong><code>Invalid cluster.id</code> error</strong></p> <p>The <code>CLUSTER_ID</code> env var does not match what was written to <code>meta.properties</code> during the format step. Delete the PVCs to force a reformat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete pvc <span class="nt">-n</span> kafka <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>kafka </code></pre> </div> <p><strong><code>There must be at least one broker advertised listener</code> during format</strong></p> <p>The temp <code>kraft.properties</code> used in the format-storage init container must include a non-controller listener. Ensure <code>listeners</code>, <code>advertised.listeners</code>, <code>listener.security.protocol.map</code>, and <code>inter.broker.listener.name</code> are all present in the temp properties file.</p> <p><strong>SASL authentication timeout on port 9092</strong></p> <p>The SCRAM credentials have not been registered. The JAAS file alone is not enough — run the bootstrap process in Step 7 to write the credentials into Kafka's metadata store.</p> <p><strong><code>UnsupportedEndpointTypeException</code> when using <code>--bootstrap-controller</code></strong></p> <p>The <code>alterUserScramCredentials</code> admin API is not supported via the controller quorum endpoint in Kafka 4.x. You must connect through a broker (port 9092). Use the temporary PLAINTEXT listener on port 9094 as described in Step 7.</p> <p><strong>Port 9094 connection refused</strong></p> <p>The headless service does not expose port 9094 by default. You must explicitly add it to <code>kafka-svc.yaml</code> during the bootstrap process (Step 7a) and remove it afterwards.</p> <p><strong>Brokers cannot reach each other</strong></p> <p>Verify the headless service exists and pod DNS resolves from within a pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">exec</span> <span class="nt">-n</span> kafka kafka-0 <span class="nt">--</span> <span class="se">\</span> nslookup kafka-1.kafka-headless.kafka.svc.cluster.local </code></pre> </div> <p><strong><code>MaxFollowerLag</code> is non-zero</strong></p> <p>One broker is behind. Check its logs for errors. Common causes are disk I/O pressure, a recent pod restart, or network instability.</p> <h2> Upgrading Kafka </h2> <p>To upgrade to a new Kafka version, update the <code>image</code> field in the StatefulSet. Kubernetes performs a rolling restart one pod at a time. Since KRaft requires a majority, the cluster stays available as long as at least 2 of 3 pods are running.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">set </span>image statefulset/kafka <span class="se">\</span> <span class="nv">kafka</span><span class="o">=</span>apache/kafka:4.3.0 <span class="se">\</span> <span class="nt">-n</span> kafka kubectl rollout status statefulset/kafka <span class="nt">-n</span> kafka </code></pre> </div> <h2> Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Step</th> <th>What it does</th> </tr> </thead> <tbody> <tr> <td>namespace.yaml</td> <td>Isolates all Kafka resources</td> </tr> <tr> <td>kafka-svc.yaml</td> <td>Headless service for stable pod DNS</td> </tr> <tr> <td>kafka-jaas.yaml</td> <td>JAAS config for inter-broker SCRAM auth</td> </tr> <tr> <td>kafka-sasl.yaml</td> <td>Secret for client applications</td> </tr> <tr> <td>kafka-stateful-set.yaml</td> <td>Brokers, init containers, storage, config</td> </tr> <tr> <td>Step 7 — SCRAM bootstrap</td> <td>Temporarily open port 9094, write credentials to metadata, close port 9094</td> </tr> </tbody> </table></div> <p>The cluster is production-ready when TLS is enabled, credentials are rotated to strong values, pod anti-affinity and a PodDisruptionBudget are in place, resource limits are tuned for your workload, and monitoring is active.</p> kafka kubernetes How GNOME drives me Crazy on Ubuntu giveitatry Fri, 20 Feb 2026 19:22:06 +0000 https://dev.to/giveitatry/how-to-gnome-drives-me-crazy-on-ubuntu-1len https://dev.to/giveitatry/how-to-gnome-drives-me-crazy-on-ubuntu-1len <p>If you’re using Ubuntu with the default GNOME desktop, you’ve probably experienced this:</p> <p>You click a pinned app in the dock (for example Firefox), and instead of switching to your already open window… GNOME shows you thumbnails of all open windows.</p> <p>This makes me <strong>crazy</strong>. I need additional click to switch the app.</p> <p>I don’t want previews.<br> I just want it to <strong>switch to the next window</strong>.</p> <p>Luckily, Ubuntu makes this easy to fix.</p> <h2> Why This Happens </h2> <p>Ubuntu uses a modified GNOME dock called <strong>Ubuntu Dock</strong>, which is based on Dash to Dock.</p> <p>By default, clicking a pinned app:</p> <ul> <li>Shows window previews if multiple windows are open.</li> </ul> <p>But we can change that behavior.</p> <h2> The Fix: Make Click Cycle Through Windows </h2> <h3> Step 1 – Open Dock Settings </h3> <p>Run this command in Terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gnome-extensions prefs ubuntu-dock@ubuntu.com </code></pre> </div> <h3> Step 2 – Change Click Behavior </h3> <ol> <li>Go to the <strong>Behavior</strong> tab.</li> <li>Find <strong>Click action</strong> </li> <li>Change it to:</li> </ol> <blockquote> <p><strong>Cycle through windows</strong></p> </blockquote> <p>That’s it.</p> linux productivity tutorial ubuntu How to Add a Subdomain with Hetzner DNS API giveitatry Sun, 01 Feb 2026 18:19:42 +0000 https://dev.to/giveitatry/how-to-add-a-subdomain-with-hetzner-dns-api-5g1d https://dev.to/giveitatry/how-to-add-a-subdomain-with-hetzner-dns-api-5g1d <p>Hetzner’s <strong>DNS Public API</strong> allows you to programmatically manage your domains, including creating subdomains. A subdomain is simply a DNS record under your main zone.</p> <h2> 1. Get Your Zone ID </h2> <p>Each domain in Hetzner DNS has a unique <code>zone_id</code>. To find it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> GET <span class="s2">"https://dns.hetzner.com/api/v1/zones"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Auth-API-Token: </span><span class="nv">$API_TOKEN</span><span class="s2">"</span> </code></pre> </div> <p>Look for your domain in the response and note its <code>id</code>. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ABC..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"domain.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 2. Add the Subdomain Record </h2> <p>Once you have the <code>zone_id</code>, you can create a subdomain by adding a DNS record. For example, to create <code>xxx.domain.com</code> pointing to <code>1.2.3.4</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST <span class="s2">"https://dns.hetzner.com/api/v1/records"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Auth-API-Token: </span><span class="nv">$API_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "zone_id": "ABC...", "type": "A", "name": "xxx", "value": "1.2.3.4", "ttl": 300 }'</span> </code></pre> </div> <p><strong>Parameters:</strong></p> <ul> <li> <code>zone_id</code> → The zone where the subdomain will be added.</li> <li> <code>type</code> → DNS record type (<code>A</code>, <code>CNAME</code>, <code>MX</code>, etc.).</li> <li> <code>name</code> → Subdomain prefix (<code>xxx</code>).</li> <li> <code>value</code> → IP address or target domain (<code>1.2.3.4</code> here).</li> <li> <code>ttl</code> → Time-to-live in seconds (optional, default 300).</li> </ul> <h2> 3. Verify the Subdomain </h2> <p>To confirm the subdomain was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> GET <span class="s2">"https://dns.hetzner.com/api/v1/records?zone_id=ABC..."</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Auth-API-Token: </span><span class="nv">$API_TOKEN</span><span class="s2">"</span> </code></pre> </div> <p>Check for your new record in the response.</p> <h2> ✅ Summary </h2> <ul> <li>Subdomains are <strong>just DNS records</strong> in Hetzner.</li> <li>Use <code>GET /zones</code> to find your <code>zone_id</code>.</li> <li>Use <code>POST /records</code> to add subdomains.</li> <li>Use <code>GET /records</code> to list or verify existing subdomains.</li> </ul> <p>This approach lets you <strong>automate DNS management</strong> for your domains using Hetzner’s DNS API.</p> api devops networking tutorial How to Clone a GitLab Repository with a Self-Signed Certificate giveitatry Sun, 01 Feb 2026 12:55:26 +0000 https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-437l https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-437l <p>When working with a <strong>GitLab instance using a self-signed SSL certificate</strong>, attempting to clone a repository over HTTPS often fails with an error like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fatal: unable to access 'https://gitlab.example.com/group/project.git/': server certificate verification failed. CAfile: none CRLfile: none </code></pre> </div> <p>This happens because Git does not trust self-signed certificates by default. Below are <strong>safe, step-by-step ways to fix it</strong>.</p> <h2> 1. Understanding the Problem </h2> <p>Git verifies SSL certificates to ensure the server you’re connecting to is legitimate. Self-signed certificates <strong>aren’t trusted by default</strong> because they’re not signed by a recognized Certificate Authority (CA).</p> <p>This means HTTPS connections fail unless Git is explicitly told to trust the certificate.</p> <h2> 2. Export the Self-Signed Certificate </h2> <h3> Option A: Export via Chrome </h3> <ol> <li>Open your GitLab URL in <strong>Chrome</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://gitlab.example.com </code></pre> </div> <ol> <li>Click the <strong>lock icon</strong> in the address bar → <strong>Connection is secure</strong> → <strong>Certificate is valid</strong>.</li> <li>Go to the <strong>Details</strong> tab → Click <strong>Export…</strong>.</li> <li>Save the certificate as <code>gitlab-selfsigned.crt</code> in a permanent location:</li> </ol> <ul> <li>Windows: <code>C:\certs\gitlab-selfsigned.crt</code> </li> <li>Linux/macOS: <code>/home/username/certs/gitlab-selfsigned.crt</code> </li> </ul> <h3> Option B: Export via Firefox </h3> <p>Firefox doesn’t always allow direct export from the page, but here are two reliable ways:</p> <h4> Method 1: Using Firefox Preferences </h4> <ol> <li>Open Firefox and go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>about:preferences#privacy </code></pre> </div> <ol> <li>Scroll down to <strong>Certificates</strong> → Click <strong>View Certificates</strong>.</li> <li>Go to the <strong>Servers</strong> tab, find your GitLab domain (<code>gitlab.example.com</code>), select it → <strong>Export…</strong> </li> <li>Save as <code>gitlab-selfsigned.crt</code>.</li> </ol> <h4> Method 2: Using OpenSSL (cross-platform, recommended) </h4> <p>Open a terminal (Linux, macOS, or Git Bash on Windows) and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> | openssl s_client <span class="nt">-connect</span> gitlab.example.com:443 <span class="nt">-showcerts</span> 2&gt;/dev/null | openssl x509 <span class="nt">-outform</span> PEM <span class="o">&gt;</span> gitlab-selfsigned.crt </code></pre> </div> <ul> <li>This fetches the certificate directly from GitLab.</li> <li>Saves it as <code>gitlab-selfsigned.crt</code> in the current directory.</li> </ul> <h2> 3. Configure Git to Trust the Certificate </h2> <p>Once you have the <code>.crt</code> file:</p> <h4> Windows: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"C:/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <h4> Linux / macOS: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"/home/username/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> <span class="nt">--get</span> http.sslCAInfo </code></pre> </div> <h2> 4. Clone the Repository </h2> <p>Now, you can securely clone your repository over HTTPS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://gitlab.example.com/group/project.git </code></pre> </div> <h2> 5. Alternative: Use SSH Instead of HTTPS </h2> <p>SSH avoids all certificate issues:</p> <ol> <li>Generate an SSH key if you don’t have one: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-C</span> <span class="s2">"your_email@example.com"</span> </code></pre> </div> <ol> <li><p>Copy the public key (<code>~/.ssh/id_ed25519.pub</code>) and add it to GitLab:<br> <strong>User Settings → SSH Keys → Add Key</strong></p></li> <li><p>Clone via SSH:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@gitlab.example.com:group/project.git </code></pre> </div> <p>No SSL certificate issues occur using SSH.</p> <h2> 6. Quick &amp; Unsafe Workaround (Testing Only) </h2> <p>You can temporarily disable SSL verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslVerify <span class="nb">false</span> </code></pre> </div> <p>⚠️ <strong>Warning:</strong> This is insecure. It allows MITM attacks and should <strong>never</strong> be used permanently.</p> <h2> 7. PyCharm Considerations </h2> <p>PyCharm may use a separate Git executable. To ensure it works:</p> <ol> <li>Go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>File → Settings → Version Control → Git </code></pre> </div> <ol> <li>Check the <strong>Path to Git executable</strong>.</li> <li>Click <strong>Test</strong>.</li> <li>Make sure this Git has the <code>http.sslCAInfo</code> configuration set (or use SSH instead).</li> </ol> <h2> 8. Summary </h2> <p><strong>Recommended workflow for self-signed GitLab:</strong></p> <ol> <li>Export the self-signed certificate (Chrome or Firefox/OpenSSL).</li> <li>Configure Git to trust the certificate.</li> <li>Clone via HTTPS.</li> </ol> <p><strong>Alternative:</strong> Use SSH to avoid certificate issues entirely.</p> <p><strong>Avoid:</strong> disabling SSL verification permanently — it is insecure.</p> gitlab How to Clone a GitLab Repository with a Self-Signed Certificate giveitatry Sun, 01 Feb 2026 08:52:44 +0000 https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-3me9 https://dev.to/giveitatry/how-to-clone-a-gitlab-repository-with-a-self-signed-certificate-3me9 <p>When working with a <strong>GitLab instance using a self-signed SSL certificate</strong>, attempting to clone a repository over HTTPS often fails with an error like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>fatal: unable to access 'https://gitlab.example.com/group/project.git/': server certificate verification failed. CAfile: none CRLfile: none </code></pre> </div> <p>This happens because Git does not trust self-signed certificates by default. Below are <strong>safe, step-by-step ways to fix it</strong>.</p> <h2> 1. Understanding the Problem </h2> <p>Git verifies SSL certificates to ensure the server you’re connecting to is legitimate. Self-signed certificates <strong>aren’t trusted by default</strong> because they’re not signed by a recognized Certificate Authority (CA).</p> <p>This means HTTPS connections fail unless Git is explicitly told to trust the certificate.</p> <h2> 2. Export the Self-Signed Certificate </h2> <h3> Option A: Export via Chrome </h3> <ol> <li>Open your GitLab URL in <strong>Chrome</strong>: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://gitlab.example.com </code></pre> </div> <ol> <li>Click the <strong>lock icon</strong> in the address bar → <strong>Connection is secure</strong> → <strong>Certificate is valid</strong>.</li> <li>Go to the <strong>Details</strong> tab → Click <strong>Export…</strong>.</li> <li>Save the certificate as <code>gitlab-selfsigned.crt</code> in a permanent location:</li> </ol> <ul> <li>Windows: <code>C:\certs\gitlab-selfsigned.crt</code> </li> <li>Linux/macOS: <code>/home/username/certs/gitlab-selfsigned.crt</code> </li> </ul> <h3> Option B: Export via Firefox </h3> <p>Firefox doesn’t always allow direct export from the page, but here are two reliable ways:</p> <h4> Method 1: Using Firefox Preferences </h4> <ol> <li>Open Firefox and go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>about:preferences#privacy </code></pre> </div> <ol> <li>Scroll down to <strong>Certificates</strong> → Click <strong>View Certificates</strong>.</li> <li>Go to the <strong>Servers</strong> tab, find your GitLab domain (<code>gitlab.example.com</code>), select it → <strong>Export…</strong> </li> <li>Save as <code>gitlab-selfsigned.crt</code>.</li> </ol> <h4> Method 2: Using OpenSSL (cross-platform, recommended) </h4> <p>Open a terminal (Linux, macOS, or Git Bash on Windows) and run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> | openssl s_client <span class="nt">-connect</span> gitlab.example.com:443 <span class="nt">-showcerts</span> 2&gt;/dev/null | openssl x509 <span class="nt">-outform</span> PEM <span class="o">&gt;</span> gitlab-selfsigned.crt </code></pre> </div> <ul> <li>This fetches the certificate directly from GitLab.</li> <li>Saves it as <code>gitlab-selfsigned.crt</code> in the current directory.</li> </ul> <h2> 3. Configure Git to Trust the Certificate </h2> <p>Once you have the <code>.crt</code> file:</p> <h4> Windows: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"C:/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <h4> Linux / macOS: </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslCAInfo <span class="s2">"/home/username/certs/gitlab-selfsigned.crt"</span> </code></pre> </div> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> <span class="nt">--get</span> http.sslCAInfo </code></pre> </div> <h2> 4. Clone the Repository </h2> <p>Now, you can securely clone your repository over HTTPS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://gitlab.example.com/group/project.git </code></pre> </div> <h2> 5. Alternative: Use SSH Instead of HTTPS </h2> <p>SSH avoids all certificate issues:</p> <ol> <li>Generate an SSH key if you don’t have one: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ssh-keygen <span class="nt">-t</span> ed25519 <span class="nt">-C</span> <span class="s2">"your_email@example.com"</span> </code></pre> </div> <ol> <li><p>Copy the public key (<code>~/.ssh/id_ed25519.pub</code>) and add it to GitLab:<br> <strong>User Settings → SSH Keys → Add Key</strong></p></li> <li><p>Clone via SSH:<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone git@gitlab.example.com:group/project.git </code></pre> </div> <p>No SSL certificate issues occur using SSH.</p> <h2> 6. Quick &amp; Unsafe Workaround (Testing Only) </h2> <p>You can temporarily disable SSL verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git config <span class="nt">--global</span> http.sslVerify <span class="nb">false</span> </code></pre> </div> <p>⚠️ <strong>Warning:</strong> This is insecure. It allows MITM attacks and should <strong>never</strong> be used permanently.</p> <h2> 7. PyCharm Considerations </h2> <p>PyCharm may use a separate Git executable. To ensure it works:</p> <ol> <li>Go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>File → Settings → Version Control → Git </code></pre> </div> <ol> <li>Check the <strong>Path to Git executable</strong>.</li> <li>Click <strong>Test</strong>.</li> <li>Make sure this Git has the <code>http.sslCAInfo</code> configuration set (or use SSH instead).</li> </ol> <h2> 8. Summary </h2> <p><strong>Recommended workflow for self-signed GitLab:</strong></p> <ol> <li>Export the self-signed certificate (Chrome or Firefox/OpenSSL).</li> <li>Configure Git to trust the certificate.</li> <li>Clone via HTTPS.</li> </ol> <p><strong>Alternative:</strong> Use SSH to avoid certificate issues entirely.</p> <p><strong>Avoid:</strong> disabling SSL verification permanently — it is insecure.</p> devops git security tutorial Running TeamCity Agents on Bare Metal Linux giveitatry Sat, 24 Jan 2026 21:54:16 +0000 https://dev.to/giveitatry/running-teamcity-agents-on-bare-metal-linux-205b https://dev.to/giveitatry/running-teamcity-agents-on-bare-metal-linux-205b <p>This article describes how to install and configure a <strong>TeamCity Build Agent on bare-metal Linux</strong>, with <strong>Java</strong> and <strong>Docker</strong> support, so the agent can run Docker-based builds reliably.</p> <p>The guide assumes:</p> <ul> <li>Linux (Ubuntu/Debian-based)</li> <li>Root or sudo access</li> <li>TeamCity Server already running</li> </ul> <h2> 1. System Requirements </h2> <h3> Hardware </h3> <ul> <li>CPU: 2 cores minimum (4+ recommended)</li> <li>RAM: 4 GB minimum (8+ recommended for Docker builds)</li> <li>Disk: ≥ 20 GB free</li> </ul> <h3> Software </h3> <ul> <li>Linux (Ubuntu 20.04+ recommended)</li> <li>Java Runtime Environment</li> <li>Docker Engine</li> <li>TeamCity Build Agent</li> </ul> <h2> 2. Update the System </h2> <p>Before installing anything, update the package index:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt update <span class="nb">sudo </span>apt upgrade <span class="nt">-y</span> </code></pre> </div> <h2> 3. Install Java (Required by TeamCity Agent) </h2> <p>TeamCity agents require Java to run.</p> <p>Install the default JRE:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> default-jre </code></pre> </div> <p>Verify installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>java <span class="nt">-version</span> </code></pre> </div> <p>Expected output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>openjdk version "11.x" or newer </code></pre> </div> <h2> 4. Install Docker Engine </h2> <p>Docker is required if the agent will run Docker builds.</p> <h3> Install Docker from Ubuntu repositories: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>apt <span class="nb">install</span> <span class="nt">-y</span> docker.io </code></pre> </div> <p>Enable and start Docker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl <span class="nb">enable </span>docker <span class="nb">sudo </span>systemctl start docker </code></pre> </div> <p>Verify Docker is running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>docker ps </code></pre> </div> <h2> 5. Allow the Agent User to Run Docker </h2> <p>Docker access is controlled via the Unix socket:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/var/run/docker.sock </code></pre> </div> <p>Only users in the <code>docker</code> group can access it.</p> <h3> Add the agent user to the docker group </h3> <p>Example (agent user = <code>risto</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker risto </code></pre> </div> <p>⚠️ <strong>Important:</strong><br> Group membership changes apply only after logout/login.</p> <p>➡️ Log out and log back in (or reboot the machine).</p> <p>Verify:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">groups</span> </code></pre> </div> <p>You must see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker </code></pre> </div> <p>Test Docker access <strong>without sudo</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker ps </code></pre> </div> <h2> 6. Install the TeamCity Build Agent </h2> <h3> 6.1 Download the Agent Package </h3> <p>On the agent machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> /opt/teamcity-agent <span class="nb">cd</span> /opt/teamcity-agent </code></pre> </div> <p>Download from your TeamCity server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>wget http://&lt;TEAMCITY_SERVER&gt;:8111/update/buildAgent.zip </code></pre> </div> <p>Unpack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>unzip buildAgent.zip </code></pre> </div> <h2> 7. Configure the Build Agent </h2> <h3> 7.1 Configure Server Connection </h3> <p>Edit the agent configuration file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nano conf/buildAgent.properties </code></pre> </div> <p>Set the TeamCity server URL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">serverUrl</span><span class="p">=</span><span class="s">http://&lt;TEAMCITY_SERVER&gt;:8111</span> </code></pre> </div> <p>(Optional but recommended)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">name</span><span class="p">=</span><span class="s">baremetal-agent-01</span> <span class="py">workDir</span><span class="p">=</span><span class="s">../work</span> <span class="py">tempDir</span><span class="p">=</span><span class="s">../temp</span> <span class="py">systemDir</span><span class="p">=</span><span class="s">../system</span> </code></pre> </div> <h3> 7.2 Docker Detection (Important) </h3> <p>TeamCity automatically detects Docker <strong>at agent startup</strong>.</p> <p>Requirements:</p> <ul> <li>Docker installed</li> <li>Docker daemon running</li> <li>Agent user can run <code>docker ps</code> </li> </ul> <p>No extra Docker configuration is required if permissions are correct.</p> <h2> 8. Start the Agent </h2> <p>Run the agent manually the first time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bin/agent.sh start </code></pre> </div> <p>Check logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">tail</span> <span class="nt">-f</span> logs/teamcity-agent.log </code></pre> </div> <h2> 9. Authorize the Agent in TeamCity </h2> <p>In the TeamCity web UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Agents → Unauthorized </code></pre> </div> <p>Authorize the new agent.</p> <p>Once authorized, verify agent parameters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Agents → &lt;agent&gt; → Parameters → System Properties </code></pre> </div> <p>You should see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker.server.osType = linux docker.server.version = 26.x docker.client.version = 26.x java.runtime.version = 11.x </code></pre> </div> <h2> 10. Common Problems and Fixes </h2> <h3> ❌ Docker not detected by TeamCity </h3> <p><strong>Cause:</strong> Agent started before Docker was installed or permissions fixed.</p> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>systemctl restart docker bin/agent.sh restart </code></pre> </div> <h3> ❌ <code>permission denied /var/run/docker.sock</code> </h3> <p><strong>Cause:</strong> Agent user not in docker group or session not refreshed.</p> <p><strong>Fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>usermod <span class="nt">-aG</span> docker &lt;agent-user&gt; <span class="c"># logout + login</span> bin/agent.sh restart </code></pre> </div> <h3> ❌ Agent runs but Docker builds never start </h3> <p>Check unmet requirements:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker.server.version exists docker.server.osType contains linux </code></pre> </div> <p>If missing → Docker not visible to agent.</p> <h2> 11. Security Notes </h2> <ul> <li>Adding a user to the <code>docker</code> group grants <strong>root-equivalent access</strong> </li> <li>Use dedicated agent users</li> <li>Restrict agent responsibilities when possible</li> </ul> <h2> 12. Summary </h2> <p>To run TeamCity agents on bare metal with Docker:</p> <ol> <li>Install Java (<code>default-jre</code>)</li> <li>Install Docker (<code>docker.io</code>)</li> <li>Add agent user to <code>docker</code> group</li> <li>Log out and back in</li> <li>Configure <code>buildAgent.properties</code> </li> <li>Start and authorize the agent</li> </ol> cicd devops docker linux Complete Guide: Let's Encrypt SSL with cert-manager and Hetzner DNS on Kubernetes giveitatry Fri, 23 Jan 2026 21:32:35 +0000 https://dev.to/giveitatry/complete-guide-lets-encrypt-ssl-with-cert-manager-and-hetzner-dns-on-kubernetes-5be8 https://dev.to/giveitatry/complete-guide-lets-encrypt-ssl-with-cert-manager-and-hetzner-dns-on-kubernetes-5be8 <h2> Introduction </h2> <p>This guide walks you through setting up automatic SSL certificates from Let's Encrypt on a Kubernetes cluster using cert-manager with Hetzner DNS for DNS-01 challenge validation. This is the most reliable method for issuing and renewing SSL certificates automatically, especially if you have multiple domains or subdomains.</p> <p>By the end of this guide, you'll have:</p> <ul> <li>Automatic SSL certificate issuance via Let's Encrypt</li> <li>DNS-based validation (no need to expose HTTP validation endpoints)</li> <li>Automatic certificate renewal before expiration</li> <li>HTTPS redirect middleware in Traefik</li> </ul> <h2> Prerequisites </h2> <ul> <li>A Kubernetes cluster (k3s, kubeadm, EKS, etc.)</li> <li>kubectl configured to access your cluster</li> <li>A domain with DNS hosted at Hetzner DNS</li> <li>Helm installed on your local machine</li> <li>Traefik ingress controller (this guide uses Traefik)</li> </ul> <h2> Architecture Overview </h2> <p>Here's how the process works:</p> <ol> <li>You create a Certificate resource in Kubernetes</li> <li>cert-manager reads this and contacts Let's Encrypt</li> <li>Let's Encrypt returns a DNS challenge token</li> <li>cert-manager calls the Hetzner webhook with this token</li> <li>The Hetzner webhook uses the Hetzner DNS API to create a TXT record</li> <li>Let's Encrypt queries the DNS and validates the TXT record</li> <li>Let's Encrypt issues the certificate</li> <li>cert-manager stores it in a Kubernetes Secret</li> <li>Your Ingress uses this Secret for HTTPS</li> </ol> <h2> Step 1: Install cert-manager </h2> <p>cert-manager is the core component that manages certificate lifecycle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> https://github.com/cert-manager/cert-manager/releases/download/v1.19.2/cert-manager.yaml </code></pre> </div> <p>Wait for it to be ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nb">wait</span> <span class="nt">--for</span><span class="o">=</span><span class="nv">condition</span><span class="o">=</span>ready pod <span class="nt">-l</span> app.kubernetes.io/instance<span class="o">=</span>cert-manager <span class="nt">-n</span> cert-manager <span class="nt">--timeout</span><span class="o">=</span>300s </code></pre> </div> <p>Verify installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> cert-manager </code></pre> </div> <p>You should see three pods running:</p> <ul> <li>cert-manager</li> <li>cert-manager-cainjector</li> <li>cert-manager-webhook</li> </ul> <h2> Step 2: Create Hetzner DNS API Token </h2> <ol> <li>Log in to <a href="https://dns.hetzner.com" rel="noopener noreferrer">Hetzner DNS Control Panel</a> </li> <li>Navigate to "API Tokens" (usually under account settings)</li> <li>Click "Create new token"</li> <li>Give it a name like "cert-manager"</li> <li>Copy the token immediately (you won't see it again)</li> </ol> <p><strong>Important:</strong> Keep this token secret. Anyone with this token can modify your DNS records.</p> <h2> Step 3: Install the Hetzner Webhook for cert-manager </h2> <p>The Hetzner webhook is a cert-manager extension that knows how to talk to the Hetzner DNS API.</p> <p>Add the Helm repository:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm repo add cert-manager-webhook-hetzner https://vadimkim.github.io/cert-manager-webhook-hetzner helm repo update </code></pre> </div> <p>Install the webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>helm <span class="nb">install </span>cert-manager-webhook-hetzner <span class="se">\</span> <span class="nt">--namespace</span> cert-manager <span class="se">\</span> cert-manager-webhook-hetzner/cert-manager-webhook-hetzner </code></pre> </div> <p>Verify the webhook pod is running:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> cert-manager | <span class="nb">grep </span>hetzner </code></pre> </div> <h2> Step 4: Create the Hetzner API Secret </h2> <p>Create a file called <code>hetzner-secret.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hcloud-api-token-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">api-key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your-hetzner-api-token-here"</span> </code></pre> </div> <p><strong>Important:</strong> The key must be named <code>api-key</code> (not <code>token</code>). This is what the webhook expects.</p> <p>Apply it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> hetzner-secret.yaml </code></pre> </div> <p>Verify the secret was created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret hcloud-api-token-secret <span class="nt">-n</span> cert-manager </code></pre> </div> <h2> Step 5: Verify the Webhook's API Group Registration </h2> <p>Before creating the ClusterIssuer, you need to know the exact API group name that the webhook registered. This is crucial and often a source of problems.</p> <p>Run this command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl api-resources | <span class="nb">grep </span>hetzner </code></pre> </div> <p>You should see output like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>hetzner hetzner.cert-mananger-webhook.noshoes.xyz/v1alpha1 false ChallengePayload </code></pre> </div> <p><strong>Note the exact API group name</strong> - in this example it's <code>hetzner.cert-mananger-webhook.noshoes.xyz</code>. This is what you'll use in your ClusterIssuer. Pay attention to the spelling - some versions have a typo: "mananger" instead of "manager".</p> <h2> Step 6: Set Up RBAC Permissions </h2> <p>cert-manager needs permission to call the webhook, and the webhook needs permission to read the Hetzner API secret.</p> <p>Create a file called <code>rbac.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Allow webhook to read the Hetzner API token</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner-secret-access</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">hcloud-api-token-secret"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner-secret-access</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner-secret-access</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="nn">---</span> <span class="c1"># Allow cert-manager to call the webhook</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hetzner.cert-mananger-webhook.noshoes.xyz</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">hetzner</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">create</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager-webhook-hetzner</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> </code></pre> </div> <p><strong>Important:</strong> Replace <code>hetzner.cert-mananger-webhook.noshoes.xyz</code> in the ClusterRole with whatever <code>kubectl api-resources | grep hetzner</code> showed you.</p> <p>Apply it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> rbac.yaml </code></pre> </div> <h2> Step 7: Create the ClusterIssuer </h2> <p>The ClusterIssuer tells cert-manager how to request certificates from Let's Encrypt using Hetzner DNS.</p> <p>Create a file called <code>cluster-issuer.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-dns-hetzner</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">acme</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://acme-v02.api.letsencrypt.org/directory</span> <span class="na">email</span><span class="pi">:</span> <span class="s">admin@example.com</span> <span class="na">privateKeySecretRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-dns-hetzner-key</span> <span class="na">solvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">dns01</span><span class="pi">:</span> <span class="na">webhook</span><span class="pi">:</span> <span class="na">groupName</span><span class="pi">:</span> <span class="s">hetzner.cert-mananger-webhook.noshoes.xyz</span> <span class="na">solverName</span><span class="pi">:</span> <span class="s">hetzner</span> <span class="na">config</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">hcloud-api-token-secret</span> <span class="na">zoneName</span><span class="pi">:</span> <span class="s">example.com</span> <span class="na">apiUrl</span><span class="pi">:</span> <span class="s">https://dns.hetzner.com/api/v1</span> </code></pre> </div> <p><strong>Replace:</strong></p> <ul> <li> <code>admin@example.com</code> with your email</li> <li> <code>groupName</code> with the exact value from <code>kubectl api-resources | grep hetzner</code> </li> <li> <code>zoneName</code> with your root domain (e.g., <code>example.com</code>)</li> </ul> <p>For testing/staging (to avoid Let's Encrypt rate limits), use this server instead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="s">https://acme-staging-v02.api.letsencrypt.org/directory</span> </code></pre> </div> <p>Apply it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> cluster-issuer.yaml </code></pre> </div> <p>Verify the issuer is ready:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe clusterissuer letsencrypt-dns-hetzner </code></pre> </div> <p>Look for <code>Status: True</code> in the conditions.</p> <h2> Step 8: Create Certificate Resources </h2> <p>Now create a Certificate resource for each domain you want to secure.</p> <p>Create a file called <code>certificates.yaml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Certificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">example-tls</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">example-tls</span> <span class="na">issuerRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-dns-hetzner</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">commonName</span><span class="pi">:</span> <span class="s">example.com</span> <span class="na">dnsNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">example.com</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*.example.com"</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">cert-manager.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Certificate</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">api-tls</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">api-tls</span> <span class="na">issuerRef</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">letsencrypt-dns-hetzner</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterIssuer</span> <span class="na">commonName</span><span class="pi">:</span> <span class="s">api.example.com</span> <span class="na">dnsNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">api.example.com</span> </code></pre> </div> <p><strong>Replace:</strong></p> <ul> <li>Namespace with your application's namespace</li> <li>Domain names with your actual domains</li> <li>Certificate names as appropriate</li> </ul> <p>Apply it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> certificates.yaml </code></pre> </div> <h2> Step 9: Monitor Certificate Creation </h2> <p>Watch the certificates being created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get certificate <span class="nt">-A</span> <span class="nt">-w</span> </code></pre> </div> <p>Check detailed status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe certificate example-tls <span class="nt">-n</span> default </code></pre> </div> <p>Watch the challenges:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get challenge <span class="nt">-n</span> default <span class="nt">-w</span> </code></pre> </div> <p>Check the webhook logs to see DNS records being created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> cert-manager <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>cert-manager-webhook-hetzner <span class="nt">-f</span> <span class="nt">--tail</span><span class="o">=</span>50 </code></pre> </div> <p>You should see messages like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Added TXT record result: {"record":{"id":"...","type":"TXT","name":"_acme-challenge.example",...}} Presented txt record _acme-challenge.example.com. Delete TXT record result: {"error":{}} </code></pre> </div> <p>Once the certificate shows <code>Ready: True</code>, the secret is ready to use.</p> <h2> Step 10: Use Certificates in Traefik Ingress </h2> <p>For standard Ingress with Traefik:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">example-ingress</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">cert-manager.io/cluster-issuer</span><span class="pi">:</span> <span class="s">letsencrypt-dns-hetzner</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">traefik</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">example.com</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">example-tls</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s">example.com</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-service</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p>For Traefik IngressRoute with HTTP-to-HTTPS redirect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Middleware</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redirect-https</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">redirectScheme</span><span class="pi">:</span> <span class="na">scheme</span><span class="pi">:</span> <span class="s">https</span> <span class="na">permanent</span><span class="pi">:</span> <span class="kc">true</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">example-http</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">web</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">Host(`example.com`)</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rule</span> <span class="na">middlewares</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">redirect-https</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">traefik.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">IngressRoute</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">example-https</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">entryPoints</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">websecure</span> <span class="na">routes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">match</span><span class="pi">:</span> <span class="s">Host(`example.com`)</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Rule</span> <span class="na">services</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-service</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">tls</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">example-tls</span> </code></pre> </div> <h2> Troubleshooting Guide </h2> <h3> Problem 1: Certificate Stuck in "Pending" State </h3> <p><strong>Symptom:</strong> <code>kubectl get certificate</code> shows <code>READY: False</code> for hours</p> <p><strong>Solution:</strong></p> <p>Check the certificate details:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe certificate example-tls <span class="nt">-n</span> default </code></pre> </div> <p>Look at the events section. The most common causes are listed below.</p> <h3> Problem 2: "Unable to get secret" Error </h3> <p><strong>Error message:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>unable to get secret `hcloud-api-token-secret/cert-manager`; secrets "hcloud-api-token-secret" is forbidden </code></pre> </div> <p><strong>Cause:</strong> The RBAC permissions are not set up correctly. The webhook's service account can't read the Hetzner API token secret.</p> <p><strong>Solution:</strong></p> <ol> <li>Verify the secret exists: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret hcloud-api-token-secret <span class="nt">-n</span> cert-manager </code></pre> </div> <ol> <li>Reapply the RBAC rules: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> rbac.yaml </code></pre> </div> <ol> <li>Make sure the Role has the correct secret name: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">secrets"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">hcloud-api-token-secret"</span><span class="pi">]</span> <span class="c1"># Exact match required</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> </code></pre> </div> <h3> Problem 3: "Key 'api-key' not found in secret" </h3> <p><strong>Error message:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>unable to get api-key from secret `hcloud-api-token-secret`; key "api-key" not found in secret data </code></pre> </div> <p><strong>Cause:</strong> The secret key is named wrong. The webhook expects exactly <code>api-key</code>.</p> <p><strong>Solution:</strong></p> <p>Delete and recreate the secret with the correct key name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete secret hcloud-api-token-secret <span class="nt">-n</span> cert-manager </code></pre> </div> <p>Create it again with <code>api-key</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Secret</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">hcloud-api-token-secret</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">cert-manager</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Opaque</span> <span class="na">stringData</span><span class="pi">:</span> <span class="na">api-key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your-token-here"</span> </code></pre> </div> <h3> Problem 4: "cannot create resource 'hetzner' is forbidden" </h3> <p><strong>Error message:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User "system:serviceaccount:cert-manager:cert-manager" cannot create resource "hetzner" in API group "hetzner.cert-manager-webhook.noshoes.xyz" </code></pre> </div> <p><strong>Cause:</strong> cert-manager service account doesn't have permission to call the webhook.</p> <p><strong>Solution:</strong></p> <p>Reapply the ClusterRole and ClusterRoleBinding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl apply <span class="nt">-f</span> rbac.yaml </code></pre> </div> <p>Verify the ClusterRoleBinding exists:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get clusterrolebinding | <span class="nb">grep </span>hetzner </code></pre> </div> <h3> Problem 5: "the server could not find the requested resource" </h3> <p><strong>Error message:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>the server could not find the requested resource (post hetzner.cert-manager-webhook.noshoes.xyz) </code></pre> </div> <p><strong>Cause:</strong> The <code>groupName</code> in your ClusterIssuer doesn't match what the webhook registered.</p> <p><strong>Solution:</strong></p> <p>Check the actual API group:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl api-resources | <span class="nb">grep </span>hetzner </code></pre> </div> <p>This outputs something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>hetzner hetzner.cert-mananger-webhook.noshoes.xyz/v1alpha1 false ChallengePayload </code></pre> </div> <p>Copy the exact API group (e.g., <code>hetzner.cert-mananger-webhook.noshoes.xyz</code>) and update your ClusterIssuer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">solvers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">dns01</span><span class="pi">:</span> <span class="na">webhook</span><span class="pi">:</span> <span class="na">groupName</span><span class="pi">:</span> <span class="s">hetzner.cert-mananger-webhook.noshoes.xyz</span> <span class="c1"># Use exact match</span> <span class="na">solverName</span><span class="pi">:</span> <span class="s">hetzner</span> </code></pre> </div> <h3> Problem 6: The Webhook Has a Typo in the API Group Name </h3> <p><strong>Issue:</strong> The webhook registers as <code>hetzner.cert-mananger-webhook.noshoes.xyz</code> (with "mananger" - missing 'e')</p> <p><strong>Cause:</strong> This is a known issue in some versions of the Hetzner webhook Helm chart.</p> <p><strong>Solution:</strong></p> <p>You have two options:</p> <p><strong>Option A (Quickest):</strong> Just use the misspelled group name in your ClusterIssuer. It works fine despite the typo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">groupName</span><span class="pi">:</span> <span class="s">hetzner.cert-mananger-webhook.noshoes.xyz</span> </code></pre> </div> <p><strong>Option B (Proper fix):</strong> Reinstall the webhook with a corrected version or use a different webhook implementation that doesn't have this typo.</p> <h3> Problem 7: Challenge Not Being Presented </h3> <p><strong>Symptom:</strong> Challenge status shows <code>Presented: false</code> but no errors in logs</p> <p><strong>Cause:</strong> Webhook pod might have crashed or become unhealthy</p> <p><strong>Solution:</strong></p> <p>Check webhook health:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">-n</span> cert-manager | <span class="nb">grep </span>hetzner </code></pre> </div> <p>Check pod logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> cert-manager <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>cert-manager-webhook-hetzner </code></pre> </div> <p>Restart the webhook:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl rollout restart deployment/cert-manager-webhook-hetzner <span class="nt">-n</span> cert-manager </code></pre> </div> <p>Delete the challenge to trigger a retry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete challenge <span class="nt">-n</span> default <span class="nt">--all</span> </code></pre> </div> <h3> Problem 8: DNS Record Not Being Created in Hetzner </h3> <p><strong>Symptom:</strong> No TXT record appears in Hetzner DNS console</p> <p><strong>Cause:</strong> Usually an invalid API token or zone name mismatch</p> <p><strong>Solution:</strong></p> <ol> <li>Verify the API token is correct: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret hcloud-api-token-secret <span class="nt">-n</span> cert-manager <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.api-key}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <ol> <li>Verify the zone name matches your domain: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">zoneName</span><span class="pi">:</span> <span class="s">example.com</span> <span class="c1"># Must match your actual domain</span> </code></pre> </div> <ol> <li>Check the webhook logs for errors: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> cert-manager <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>cert-manager-webhook-hetzner <span class="nt">-f</span> | <span class="nb">grep</span> <span class="nt">-i</span> error </code></pre> </div> <ol> <li>Test the API token manually: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"Auth-API-Token: your-token"</span> https://dns.hetzner.com/api/v1/zones </code></pre> </div> <h3> Problem 9: Certificate Ready but HTTPS Still Shows Old/Invalid Certificate </h3> <p><strong>Cause:</strong> Ingress is not using the new secret or old ingress resource is still active</p> <p><strong>Solution:</strong></p> <ol> <li>Verify the secret exists: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get secret example-tls <span class="nt">-n</span> default </code></pre> </div> <ol> <li>Check the Ingress is referencing it: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe ingress example-ingress <span class="nt">-n</span> default </code></pre> </div> <ol> <li>If using both Ingress and IngressRoute, delete the old Ingress: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl delete ingress example-ingress <span class="nt">-n</span> default </code></pre> </div> <ol> <li>Wait for the load balancer to update (usually 30 seconds to 2 minutes)</li> </ol> <h2> Verification Checklist </h2> <p>Once everything is set up, verify with this checklist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. cert-manager is running</span> kubectl get pods <span class="nt">-n</span> cert-manager <span class="c"># 2. Webhook is running</span> kubectl get pods <span class="nt">-n</span> cert-manager | <span class="nb">grep </span>hetzner <span class="c"># 3. ClusterIssuer is ready</span> kubectl describe clusterissuer letsencrypt-dns-hetzner <span class="c"># 4. Certificate is ready</span> kubectl get certificate <span class="nt">-A</span> <span class="c"># 5. Secret is created</span> kubectl get secret example-tls <span class="nt">-n</span> default <span class="c"># 6. Ingress/IngressRoute is configured</span> kubectl get ingress,ingressroute <span class="nt">-A</span> <span class="c"># 7. DNS records exist</span> nslookup _acme-challenge.example.com <span class="c"># 8. HTTPS works</span> curl <span class="nt">-I</span> https://example.com </code></pre> </div> <h2> Automatic Renewal </h2> <p>cert-manager automatically renews certificates 30 days before expiration. You don't need to do anything.</p> <p>Monitor renewal status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl describe certificate example-tls <span class="nt">-n</span> default </code></pre> </div> <p>Check cert-manager logs for renewal activity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs <span class="nt">-n</span> cert-manager <span class="nt">-l</span> <span class="nv">app</span><span class="o">=</span>cert-manager | <span class="nb">grep</span> <span class="nt">-i</span> renew </code></pre> </div> <h2> Best Practices </h2> <ol> <li> <strong>Use ClusterIssuer, not Issuer</strong> - ClusterIssuer is namespace-agnostic and reusable</li> <li> <strong>Use production Let's Encrypt</strong> - Only use staging for testing to avoid rate limits</li> <li> <strong>Keep API token secret</strong> - Don't commit it to git, use sealed secrets or external secret management</li> <li> <strong>Monitor certificate expiration</strong> - Set up alerts for certificates not renewing</li> <li> <strong>Use separate secrets per domain</strong> - Makes it easier to rotate certs individually</li> <li> <strong>Test in staging first</strong> - Use the Let's Encrypt staging server before production</li> <li> <strong>Keep webhook updated</strong> - Regularly update the webhook Helm chart for security patches</li> </ol> <h2> Conclusion </h2> <p>You now have a fully automated SSL certificate system that:</p> <ul> <li>Issues certificates automatically from Let's Encrypt</li> <li>Validates using DNS (no need for HTTP validation)</li> <li>Renews certificates automatically before expiration</li> <li>Works across all your subdomains under one root domain</li> <li>Integrates seamlessly with Traefik</li> </ul> <p>If you encounter issues, the troubleshooting guide above covers the most common problems and their solutions.</p> devops kubernetes security tutorial Running TeamCity with a Docker-Capable Agent Using Docker Compose giveitatry Thu, 18 Dec 2025 09:00:51 +0000 https://dev.to/giveitatry/running-teamcity-with-a-docker-capable-agent-using-docker-compose-1g76 https://dev.to/giveitatry/running-teamcity-with-a-docker-capable-agent-using-docker-compose-1g76 <p>TeamCity is a powerful CI/CD server from JetBrains, and running it inside Docker simplifies setup, upgrades, and isolation. This guide shows how to set up <strong>TeamCity Server</strong> and a <strong>TeamCity Agent capable of building Docker images</strong>.</p> <h2> Prerequisites </h2> <p>Before you start, ensure you have:</p> <ul> <li>Docker installed and running</li> <li>Docker Compose installed</li> <li>Sufficient permissions to run Docker commands on your host</li> <li>A terminal/command-line interface</li> </ul> <h2> Step 1: Create a directory structure </h2> <p>It’s best practice to separate your data, logs, and agent configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> teamcity/<span class="o">{</span>data,logs,agent<span class="o">}</span> <span class="nb">cd </span>teamcity </code></pre> </div> <p>Your directory structure should look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>teamcity/ ├── docker-compose.yml ├── data/ # Server persistent data ├── logs/ # TeamCity logs └── agent/ # Agent configuration </code></pre> </div> <h2> Step 2: Create the Docker Compose file </h2> <p>Create a file called <code>docker-compose.yml</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.8"</span> <span class="na">services</span><span class="pi">:</span> <span class="na">teamcity-server</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">jetbrains/teamcity-server:2023.11.4</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">teamcity-server</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8111:8111"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./data:/data/teamcity_server/datadir</span> <span class="pi">-</span> <span class="s">./logs:/opt/teamcity/logs</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">teamcity-agent</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">jetbrains/teamcity-agent:2023.11.4</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">teamcity-agent</span> <span class="na">user</span><span class="pi">:</span> <span class="s">root</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">SERVER_URL=http://teamcity-server:8111</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./agent:/data/teamcity_agent/conf</span> <span class="pi">-</span> <span class="s">/var/run/docker.sock:/var/run/docker.sock</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">teamcity-server</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> </code></pre> </div> <h3> Key points: </h3> <ol> <li> <strong>Server volumes</strong>:</li> </ol> <ul> <li> <code>./data</code> stores TeamCity server data and build history.</li> <li> <code>./logs</code> keeps server logs persistent across container restarts.</li> </ul> <ol> <li> <strong>Agent setup</strong>:</li> </ol> <ul> <li>The agent runs as <code>root</code> to have permissions to use the host Docker socket.</li> <li> <code>/var/run/docker.sock</code> is mounted to allow the agent to access the host Docker daemon.</li> <li> <code>SERVER_URL</code> points the agent to the server.</li> </ul> <h2> Step 3: Start TeamCity </h2> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <ul> <li> <code>-d</code> runs containers in the background.</li> <li>The server will be available at <strong><a href="http://localhost:8111" rel="noopener noreferrer">http://localhost:8111</a></strong>.</li> <li>The agent container will automatically try to connect to the server.</li> </ul> <h2> Step 4: Initial TeamCity setup </h2> <ol> <li>Open your browser and go to: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>http://localhost:8111 </code></pre> </div> <ol> <li>Follow the <strong>web setup wizard</strong>:</li> </ol> <ul> <li>Confirm the data directory (mapped to <code>./data</code>)</li> <li>Choose a database (internal database is fine for testing)</li> <li>Accept the license</li> <li>Create the initial admin account</li> </ul> <h2> Step 5: Authorize the agent </h2> <ol> <li>Go to <strong>Agents → Unauthorized</strong> in the TeamCity UI.</li> <li>Click <strong>Authorize</strong> for your agent.</li> <li>Once authorized, the agent will show as <strong>Connected and Compatible</strong>.</li> </ol> <h2> Step 6: Verify Docker capability </h2> <p>Open a terminal inside the agent container:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec</span> <span class="nt">-it</span> teamcity-agent docker version </code></pre> </div> <p>You should see the Docker client and server versions. If so, the agent can now build Docker images.</p> <h2> Step 7: Configure a Docker build in TeamCity </h2> <p>You can use <strong>Command Line</strong> or <strong>Docker runner</strong> build steps.</p> <h3> Example Command Line step: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker build <span class="nt">-t</span> my-app:%build.number% <span class="nb">.</span> docker push my-app:%build.number% </code></pre> </div> <h3> Example Docker Runner step: </h3> <ol> <li>Add a <strong>Docker build step</strong> in the UI.</li> <li>Set the <strong>Dockerfile path</strong>.</li> <li>Set the <strong>image name</strong>.</li> <li>TeamCity will use the agent’s Docker access to build images.</li> </ol> <h2> Step 8: Recommended best practices </h2> <ul> <li>Keep your <code>/data</code> folder on fast, persistent storage.</li> <li>Backup your TeamCity server data regularly.</li> <li>Limit access to the TeamCity server and Docker socket, since running the agent as <code>root</code> gives it full control over Docker on the host.</li> <li>For production environments, consider a <strong>Docker-in-Docker setup</strong> or a remote Docker host for better isolation.</li> </ul> <h2> Step 9: Stopping and restarting </h2> <p>To stop:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose down </code></pre> </div> <p>To restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker compose up <span class="nt">-d</span> </code></pre> </div> <p>The agent will reconnect automatically after restart.</p> <h2> ✅ Summary </h2> <p>With this setup:</p> <ul> <li>You have a <strong>fully functional TeamCity server</strong> running in Docker.</li> <li>Your <strong>TeamCity agent can build Docker images</strong> using the host Docker daemon.</li> <li>Data and logs persist across restarts, and you can expand with more agents if needed.</li> </ul> <p>This setup is <strong>ideal for testing, development, and small production environments</strong>.</p> docker teamcity