liveness/readiness probe for Kraft controllers (#108)

Author: hvan

api/assets/assets.go

@@ -25,4 +25,7 @@ var (
 
 	//go:embed kafka/jmx-exporter.yml
 	KafkaJmxExporterYaml string
+
+	//go:embed kafka/kraft-controller-healthcheck.sh
+	KraftControllerHealthcheckSh string
 )

api/assets/kafka/jmx-exporter.yml

@@ -1,6 +1,11 @@
 lowercaseOutputName: true
 rules:
   # Special cases and very specific rules
+    # Export kraft current state metrics
+  - pattern: 'kafka.server<type=raft-metrics><>current-state: (.+)'
+    name: kafka_server_raft_metrics_current_state_$1
+    type: GAUGE
+    value: 1
   - pattern: 'kafka.server<type=(app-info), id=(\d+)><>(Version): ([-.~+\w\d]+)'
     name: kafka_server_$1_$3
     type: COUNTER

api/assets/kafka/kraft-controller-healthcheck.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+# Copyright 2025 Cisco Systems, Inc. and/or its affiliates
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# This script returns a successful exit code (0) if the controller is a follower or leader.  For any other state, it returns a failure exit code (1).
+# In addition, if the environment variable KRAFT_HEALTH_CHECK_SKIP is set to "true" (case insensitive), the script will exit successfully without performing any checks.
+
+skip_check=$(echo "$KRAFT_HEALTH_CHECK_SKIP" | tr '[:upper:]' '[:lower:]')
+
+if [ "$skip_check" = "true" ]; then
+    echo "KRAFT_HEALTH_CHECK_SKIP is set to TRUE. Exiting health check."
+    exit 0
+fi
+
+JMX_ENDPOINT="http://localhost:9020/metrics"
+METRIC_PREFIX="kafka_server_raft_metrics_current_state_"
+
+# Fetch the matching current-state metric with value of 1.0 from the JMX endpoint
+MATCHING_METRIC=$(curl -s "$JMX_ENDPOINT" | grep "^${METRIC_PREFIX}" | awk '$2 == 1.0 {print $1}')
+
+# If it's not empty, it means we found a metric with a value of 1.0.
+if [ -n "$MATCHING_METRIC" ]; then
+    # Determine the state of the controller using the last field name of the metric 
+    # Possible values are leader, candidate, voted, follower, unattached, observer
+    STATE=$(echo "$MATCHING_METRIC" | rev | cut -d'_' -f1 | rev)
+
+    # Check if the extracted state is 'leader' or 'follower'
+    if [ "$STATE" == "leader" ] || [ "$STATE" == "follower" ]; then
+        echo "The controller is in a healthy quorum state."
+        exit 0
+    else
+        # Any other state (e.g., 'candidate', 'unattached', 'observer') is not considered healthy
+        echo "Failure: The controller is in an unexpected state: $STATE. Expecting 'leader' or 'follower'."
+        exit 1
+    fi
+else
+    echo "JMX Exporter endpoint is not avaiable or kafka_server_raft_metrics_current_state_ was not found."
+    exit 0
+fi

controllers/tests/kafkacluster_controller_kafka_test.go

@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/banzaicloud/koperator/api/assets"
 	"github.com/banzaicloud/koperator/api/v1beta1"
 	"github.com/banzaicloud/koperator/pkg/resources/kafkamonitoring"
 	"github.com/banzaicloud/koperator/pkg/util"
@@ -386,6 +387,17 @@ func expectKafkaBrokerPod(ctx context.Context, kafkaCluster *v1beta1.KafkaCluste
 	Expect(container.Image).To(Equal("ghcr.io/banzaicloud/kafka:2.13-3.4.1"))
 	Expect(container.Lifecycle).NotTo(BeNil())
 	Expect(container.Lifecycle.PreStop).NotTo(BeNil())
+	if kafkaCluster.Spec.KRaftMode && broker.BrokerConfig.IsControllerNode() {
+		Expect(container.LivenessProbe).NotTo(BeNil())
+		Expect(container.LivenessProbe.Exec.Command).NotTo(BeEmpty())
+		Expect(container.LivenessProbe.Exec.Command[0]).To(Equal("/bin/bash"))
+		Expect(container.LivenessProbe.Exec.Command[1]).To(Equal("-c"))
+		Expect(container.LivenessProbe.Exec.Command[2]).To(Equal(assets.KraftControllerHealthcheckSh))
+		Expect(container.ReadinessProbe).NotTo(BeNil())
+	} else {
+		Expect(container.LivenessProbe).To(BeNil())
+		Expect(container.ReadinessProbe).To(BeNil())
+	}
 	getEnvName := func(c corev1.EnvVar) string { return c.Name }
 
 	// when passing a slice to ConsistOf(), the slice needs to be the only argument, which is not applicable here,

pkg/resources/kafka/configmap.go

@@ -442,12 +442,7 @@ func generateListenerSpecificConfig(kcs *v1beta1.KafkaClusterSpec, serverPasses
 		b := broker.ReadOnlyConfig
 		trimmedConfig := strings.TrimSpace(b)
 
-		if strings.Contains(trimmedConfig, kafkautils.KafkaConfigSecurityInterBrokerProtocol+"=") {
-			log.Info("Security InterBrokerProtocol is set for this broker, skipping config update", "broker", broker)
-		} else {
-			log.Info("Security InterBrokerProtocol NOT found for broker, setting inter.broker.listener.name",
-				"interBrokerListenerName", interBrokerListenerName, "broker", broker)
-
+		if !strings.Contains(trimmedConfig, kafkautils.KafkaConfigSecurityInterBrokerProtocol+"=") {
 			if err := brokerConfig.Set(kafkautils.KafkaConfigInterBrokerListenerName, interBrokerListenerName); err != nil {
 				log.Error(err, fmt.Sprintf("setting '%s' parameter in broker configuration resulted in an error",
 					kafkautils.KafkaConfigInterBrokerListenerName))

pkg/resources/kafka/pod.go

@@ -25,7 +25,9 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/intstr"
 
+	"github.com/banzaicloud/koperator/api/assets"
 	apiutil "github.com/banzaicloud/koperator/api/util"
 	"github.com/banzaicloud/koperator/api/v1beta1"
 	"github.com/banzaicloud/koperator/pkg/k8sutil"
@@ -55,6 +57,86 @@ func (r *Reconciler) pod(id int32, brokerConfig *v1beta1.BrokerConfig, pvcs []co
 		podname = fmt.Sprintf("%s-controller-%d-", r.KafkaCluster.Name, id)
 	}
 
+	kafkaContainer := corev1.Container{
+		Name:  kafkaContainerName,
+		Image: util.GetBrokerImage(brokerConfig, r.KafkaCluster.Spec.GetClusterImage()),
+		Lifecycle: &corev1.Lifecycle{
+			PreStop: &corev1.LifecycleHandler{
+				Exec: &corev1.ExecAction{
+					Command: []string{"bash", "-c", `
+if [[ -n "$ENVOY_SIDECAR_STATUS" ]]; then
+HEALTHYSTATUSCODE="200"
+SC=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:15000/ready)
+if [[ "$SC" == "$HEALTHYSTATUSCODE" ]]; then
+kill -s TERM $(pidof java)
+else
+kill -s KILL $(pidof java)
+fi
+else
+kill -s TERM $(pidof java)
+fi`},
+				},
+			},
+		},
+		SecurityContext: brokerConfig.SecurityContext,
+		Env: generateEnvConfig(brokerConfig, []corev1.EnvVar{
+			{
+				Name:  "CLASSPATH",
+				Value: "/opt/kafka/libs/extensions/*",
+			},
+			{
+				Name:  "KAFKA_OPTS",
+				Value: "-javaagent:/opt/jmx-exporter/jmx_prometheus.jar=9020:/etc/jmx-exporter/config.yaml",
+			},
+			{
+				Name: "ENVOY_SIDECAR_STATUS",
+				ValueFrom: &corev1.EnvVarSource{
+					FieldRef: &corev1.ObjectFieldSelector{
+						FieldPath: `metadata.annotations['sidecar.istio.io/status']`,
+					},
+				},
+			},
+		}),
+
+		Command:      command,
+		Ports:        r.generateKafkaContainerPorts(log),
+		VolumeMounts: getVolumeMounts(brokerConfig.VolumeMounts, dataVolumeMount, r.KafkaCluster.Spec, r.KafkaCluster.Name),
+		Resources:    *brokerConfig.GetResources(),
+	}
+
+	if r.KafkaCluster.Spec.KRaftMode && brokerConfig.IsControllerNode() {
+		controllerlistenerPort, err := findControllerListenerPort(r.KafkaCluster)
+		if err != nil {
+			log.Error(err, "failed to find controller listener port")
+		} else {
+			kafkaContainer.ReadinessProbe = &corev1.Probe{
+				ProbeHandler: corev1.ProbeHandler{
+					TCPSocket: &corev1.TCPSocketAction{
+						Port: intstr.IntOrString{
+							Type:   intstr.Int,
+							IntVal: controllerlistenerPort,
+						},
+					},
+				},
+				InitialDelaySeconds: 0,
+				PeriodSeconds:       5,
+				TimeoutSeconds:      5,
+				FailureThreshold:    20,
+			}
+		}
+		kafkaContainer.LivenessProbe = &corev1.Probe{
+			ProbeHandler: corev1.ProbeHandler{
+				Exec: &corev1.ExecAction{
+					Command: []string{"/bin/bash", "-c", assets.KraftControllerHealthcheckSh},
+				},
+			},
+			InitialDelaySeconds: 30,
+			PeriodSeconds:       10,
+			TimeoutSeconds:      5,
+			FailureThreshold:    6,
+		}
+	}
+
 	pod := &corev1.Pod{
 		ObjectMeta: templates.ObjectMetaWithGeneratedNameAndAnnotations(
 			podname,
@@ -63,57 +145,10 @@ func (r *Reconciler) pod(id int32, brokerConfig *v1beta1.BrokerConfig, pvcs []co
 			r.KafkaCluster,
 		),
 		Spec: corev1.PodSpec{
-			SecurityContext: brokerConfig.PodSecurityContext,
-			InitContainers:  getInitContainers(brokerConfig, r.KafkaCluster.Spec),
-			Affinity:        getAffinity(brokerConfig, r.KafkaCluster),
-			Containers: append([]corev1.Container{
-				{
-					Name:  kafkaContainerName,
-					Image: util.GetBrokerImage(brokerConfig, r.KafkaCluster.Spec.GetClusterImage()),
-					Lifecycle: &corev1.Lifecycle{
-						PreStop: &corev1.LifecycleHandler{
-							Exec: &corev1.ExecAction{
-								Command: []string{"bash", "-c", `
-if [[ -n "$ENVOY_SIDECAR_STATUS" ]]; then
-  HEALTHYSTATUSCODE="200"
-  SC=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:15000/ready)
-  if [[ "$SC" == "$HEALTHYSTATUSCODE" ]]; then
-    kill -s TERM $(pidof java)
-  else
-    kill -s KILL $(pidof java)
-  fi
-else
-  kill -s TERM $(pidof java)
-fi`},
-							},
-						},
-					},
-					SecurityContext: brokerConfig.SecurityContext,
-					Env: generateEnvConfig(brokerConfig, []corev1.EnvVar{
-						{
-							Name:  "CLASSPATH",
-							Value: "/opt/kafka/libs/extensions/*",
-						},
-						{
-							Name:  "KAFKA_OPTS",
-							Value: "-javaagent:/opt/jmx-exporter/jmx_prometheus.jar=9020:/etc/jmx-exporter/config.yaml",
-						},
-						{
-							Name: "ENVOY_SIDECAR_STATUS",
-							ValueFrom: &corev1.EnvVarSource{
-								FieldRef: &corev1.ObjectFieldSelector{
-									FieldPath: `metadata.annotations['sidecar.istio.io/status']`,
-								},
-							},
-						},
-					}),
-
-					Command:      command,
-					Ports:        r.generateKafkaContainerPorts(log),
-					VolumeMounts: getVolumeMounts(brokerConfig.VolumeMounts, dataVolumeMount, r.KafkaCluster.Spec, r.KafkaCluster.Name),
-					Resources:    *brokerConfig.GetResources(),
-				},
-			}, brokerConfig.Containers...),
+			SecurityContext:               brokerConfig.PodSecurityContext,
+			InitContainers:                getInitContainers(brokerConfig, r.KafkaCluster.Spec),
+			Affinity:                      getAffinity(brokerConfig, r.KafkaCluster),
+			Containers:                    append([]corev1.Container{kafkaContainer}, brokerConfig.Containers...),
 			Volumes:                       getVolumes(brokerConfig.Volumes, dataVolume, r.KafkaCluster.Spec, r.KafkaCluster.Name, id),
 			RestartPolicy:                 corev1.RestartPolicyNever,
 			TerminationGracePeriodSeconds: util.Int64Pointer(brokerConfig.GetTerminationGracePeriod()),
@@ -605,3 +640,14 @@ func generateEnvConfig(brokerConfig *v1beta1.BrokerConfig, defaultEnvVars []core
 
 	return mergedEnv
 }
+
+func findControllerListenerPort(kc *v1beta1.KafkaCluster) (int32, error) {
+	for _, listener := range kc.Spec.ListenersConfig.InternalListeners {
+		if listener.UsedForControllerCommunication {
+			return listener.ContainerPort, nil
+		}
+	}
+
+	// If no controller listener is found, return an error
+	return 0, fmt.Errorf("no controller listener found")
+}

tests/e2e/const.go

@@ -68,6 +68,11 @@ const (
 	zookeeperClusterTemplate = "templates/zookeeper_cluster.yaml.tmpl"
 
 	kubectlNotFoundErrorMsg = "NotFound"
+
+	kafkaLabelSelectorBrokers     = "app=kafka,isControllerNode=false"
+	kafkaLabelSelectorControllers = "app=kafka,isControllerNode=true"
+	kafkaLabelSelectorAll         = "app=kafka"
+	jmxExporterPort               = "9020"
 )
 
 func apiGroupKoperatorDependencies() map[string]string {

tests/e2e/go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.13.1
 	github.com/onsi/gomega v1.30.0
 	github.com/twmb/franz-go v1.15.2
+	k8s.io/api v0.28.4
 	k8s.io/apiextensions-apiserver v0.28.4
 	k8s.io/apimachinery v0.28.4
 	sigs.k8s.io/yaml v1.4.0
@@ -118,7 +119,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.28.4 // indirect
 	k8s.io/client-go v0.28.4 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231113174909-778a5567bc1e // indirect

tests/e2e/koperator_suite_test.go

@@ -60,13 +60,16 @@ var _ = When("Testing e2e test altogether", Ordered, func() {
 	testInstallZookeeperCluster()
 	testInstallKafkaCluster("../../config/samples/simplekafkacluster.yaml")
 	testProduceConsumeInternal()
+	testJmxExporter()
 	testUninstallKafkaCluster()
 	testInstallKafkaCluster("../../config/samples/simplekafkacluster_ssl.yaml")
 	testProduceConsumeInternalSSL(defaultTLSSecretName)
+	testJmxExporter()
 	testUninstallKafkaCluster()
 	testUninstallZookeeperCluster()
 	testInstallKafkaCluster("../../config/samples/kraft/simplekafkacluster_kraft.yaml")
 	testProduceConsumeInternal()
+	testJmxExporter()
 	testUninstallKafkaCluster()
 	testUninstall()
 	snapshotClusterAndCompare(snapshottedInfo)