Page MenuHomePhabricator
Create Task
Maniphest T428053

Deploy a kafka web UI for all internal clusters
Open, In Progress, MediumPublic
Actions

Description

Observing kafka (listing topics, consumer groups, etc) is done using the kafka command on kafka hosts. Few people are familiar with the tooling, which slows down incident response.

We'd like to be able to observe our kafka clusters using one available off-the-self 3rd party UIs, and make it available behind CAS login.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
dse-k8s-aux: migrate internal kafka-ui disc and svc records to k8s-auxoperations/dnsmaster+3 -3
dse-k8s: remove kafka-ui kubeconfigsoperations/puppetproduction+0 -4
aux-k8s: define the kafka-ui kubeconfigsoperations/puppetproduction+4 -0
dse-k8s: remove the kafka-ui helmfile and valuesoperations/deployment-chartsmaster+0 -87
dse-k8s: remove the kafka-ui namespaceoperations/deployment-chartsmaster+0 -3
aux-k8s: define the kafka-ui helmfile and valuesoperations/deployment-chartsmaster+87 -0
aux-k8s: define the kafka-ui namespace in both clustersoperations/deployment-chartsmaster+3 -0
CI: add aux-k8s-codfw to the list of environmentsoperations/deployment-chartsmaster+1 -1
Cleanup kafka-ui records pointing to the dse-k8s ingressoperations/dnsmaster+1 -3
kafka-ui: disable latest-available version checkoperations/deployment-chartsmaster+3 -2
kafka-ui: connect to all kafka clustersoperations/deployment-chartsmaster+5 -0
trafficserver: enable access to kafka.w.ooperations/puppetproduction+5 -0
idp: add the kafka-ui serviceoperations/puppetproduction+7 -0
Define the kafka-ui multi-cluster helmfileoperations/deployment-chartsmaster+82 -0
Define the kafka-ui chartoperations/deployment-chartsmaster+2 K -0
dse-k8s: define the kafka-ui namespaceoperations/deployment-chartsmaster+3 -0
kubernetes/dse-k8s: Define a kafka-ui kubeconfigoperations/puppetproduction+4 -0
Define the kafka.w.o public recordoperations/dnsmaster+1 -0
Define the kafka-ui internal DNS recordsoperations/dnsmaster+4 -0
Show related patches Customize query in gerrit

Event Timeline

brouberol created this task.Wed, Jun 3, 1:00 PM
brouberol triaged this task as Medium priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptWed, Jun 3, 1:00 PM
brouberol claimed this task.Wed, Jun 3, 1:01 PM
gerritbot added a comment.Wed, Jun 3, 2:01 PM

Change #1297144 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] kubernetes/dse-k8s-eqiad: Define a kafka-ui kubeconfig

https://gerrit.wikimedia.org/r/1297144

gerritbot added a project: Patch-For-Review.Wed, Jun 3, 2:01 PM
gerritbot added a comment.Wed, Jun 3, 2:06 PM

Change #1297146 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] Define the kafka-ui internal DNS records

https://gerrit.wikimedia.org/r/1297146

gerritbot added a comment.Wed, Jun 3, 2:09 PM

Change #1297148 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] Define the kafka.w.o public record

https://gerrit.wikimedia.org/r/1297148

gerritbot added a comment.Wed, Jun 3, 2:10 PM

Change #1297150 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s-eqiad: define the kafka-ui namespace

https://gerrit.wikimedia.org/r/1297150

gerritbot added a comment.Wed, Jun 3, 3:16 PM

Change #1297146 merged by Brouberol:

[operations/dns@master] Define the kafka-ui internal DNS records

https://gerrit.wikimedia.org/r/1297146

gerritbot added a comment.Wed, Jun 3, 3:16 PM

Change #1297148 merged by Brouberol:

[operations/dns@master] Define the kafka.w.o public record

https://gerrit.wikimedia.org/r/1297148

gerritbot added a comment.Wed, Jun 3, 3:18 PM

Change #1297150 merged by Brouberol:

[operations/deployment-charts@master] dse-k8s: define the kafka-ui namespace

https://gerrit.wikimedia.org/r/1297150

gerritbot added a comment.Wed, Jun 3, 3:19 PM

Change #1297144 merged by Brouberol:

[operations/puppet@production] kubernetes/dse-k8s: Define a kafka-ui kubeconfig

https://gerrit.wikimedia.org/r/1297144

Maintenance_bot removed a project: Patch-For-Review.Wed, Jun 3, 3:31 PM
gerritbot added a comment.Thu, Jun 4, 7:41 AM

Change #1297563 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] idp: add the kafka-ui service

https://gerrit.wikimedia.org/r/1297563

gerritbot added a project: Patch-For-Review.Thu, Jun 4, 7:41 AM

Change #1297564 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] trafficserver: enable access to kafka.w.o

https://gerrit.wikimedia.org/r/1297564

gerritbot added a comment.Thu, Jun 4, 7:41 AM

Change #1297565 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Define the kafka-ui chart

https://gerrit.wikimedia.org/r/1297565

gerritbot added a comment.Thu, Jun 4, 7:41 AM

Change #1297566 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Define the kafka-ui multi-cluster helmfile

https://gerrit.wikimedia.org/r/1297566

brouberol changed the task status from Open to In Progress.Thu, Jun 4, 7:53 AM
brouberol moved this task from Backlog - project to Needs Review on the Data-Platform-SRE (2026-04-24 - 2026-05-15) board.
brouberol added a project: Data-Platform-SRE (2026-04-24 - 2026-05-15).
gerritbot added a comment.Thu, Jun 4, 9:30 AM

Change #1297565 merged by jenkins-bot:

[operations/deployment-charts@master] Define the kafka-ui chart

https://gerrit.wikimedia.org/r/1297565

gerritbot added a comment.Thu, Jun 4, 9:30 AM

Change #1297566 merged by jenkins-bot:

[operations/deployment-charts@master] Define the kafka-ui multi-cluster helmfile

https://gerrit.wikimedia.org/r/1297566

gerritbot added a comment.Thu, Jun 4, 10:04 AM

Change #1297563 merged by Brouberol:

[operations/puppet@production] idp: add the kafka-ui service

https://gerrit.wikimedia.org/r/1297563

gerritbot added a comment.Thu, Jun 4, 10:04 AM

Change #1297564 merged by Brouberol:

[operations/puppet@production] trafficserver: enable access to kafka.w.o

https://gerrit.wikimedia.org/r/1297564

Maintenance_bot removed a project: Patch-For-Review.Thu, Jun 4, 10:31 AM
brouberol added a subscriber: JMonton-WMF.Thu, Jun 4, 2:48 PM

https://kafka.wikimedia.org has been deployed! I can't load the UI reliably due to some unrelated issues in drmrs having to do with piling VCLs.

@JMonton-WMF mentioned

Everything looks good on the UI, I can see and filter messages, topics, consumers...

About the read-only, I'd say it's fine:


- "Produce" button is disabled
- Settings on topics is disabled too
- "Add topic" button doesn't appear
- The buttons to clean or remove topics are disabled. 
- "Delete offsets" on a consumer group returns 405 This cluster is in read-only mode
- "Remove ACL" button is there, but it fails with "not authorized"
- Changing broker properties is there in the UI, but it fails with Cluster authorization
brouberol added a comment.EditedThu, Jun 4, 2:50 PM

We can't list ACLs though, because kafka-ui is connecting to kafka over port 9092 w.o any authentication.

gerritbot added a comment.Thu, Jun 4, 8:01 PM

Change #1297775 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] kafka-ui: connect to all kafka clusters

https://gerrit.wikimedia.org/r/1297775

gerritbot added a project: Patch-For-Review.Thu, Jun 4, 8:01 PM
gerritbot added a comment.Fri, Jun 5, 7:14 AM

Change #1297775 merged by Brouberol:

[operations/deployment-charts@master] kafka-ui: connect to all kafka clusters

https://gerrit.wikimedia.org/r/1297775

brouberol added a comment.Fri, Jun 5, 7:18 AM

Actually, listing ACLs does work, it was just that there was none in kafka-test-eqiad.

brouberol added a comment.Fri, Jun 5, 7:21 AM

Screenshot 2026-06-05 at 09.21.18.png (1×1 px, 176 KB)
I'm calling this done!

brouberol closed this task as Resolved.Fri, Jun 5, 7:21 AM
brouberol moved this task from Needs Review to Done on the Data-Platform-SRE (2026-04-24 - 2026-05-15) board.
Maintenance_bot removed a project: Patch-For-Review.Fri, Jun 5, 7:31 AM
gerritbot added a comment.Fri, Jun 5, 7:59 AM

Change #1298093 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] kafka-ui: disable latest-available version check

https://gerrit.wikimedia.org/r/1298093

gerritbot added a project: Patch-For-Review.Fri, Jun 5, 7:59 AM
gerritbot added a comment.Fri, Jun 5, 8:04 AM

Change #1298093 merged by Brouberol:

[operations/deployment-charts@master] kafka-ui: disable latest-available version check

https://gerrit.wikimedia.org/r/1298093

Gehel moved this task from Done to Reported on the Data-Platform-SRE (2026-04-24 - 2026-05-15) board.Fri, Jun 5, 8:07 AM
Maintenance_bot removed a project: Patch-For-Review.Fri, Jun 5, 8:31 AM
brouberol added a subscriber: JMeybohm.Fri, Jun 5, 1:17 PM

@JMeybohm pointed out that the aux clusters might be a better fit than dse for this kind of workload. I'm going to redeploy it over there.

brouberol reopened this task as In Progress.Fri, Jun 5, 1:17 PM
brouberol moved this task from Reported to In Progress on the Data-Platform-SRE (2026-04-24 - 2026-05-15) board.
Gehel edited projects, added Data-Platform-SRE (2026-06-05 - 2026-06-26); removed Data-Platform-SRE (2026-04-24 - 2026-05-15).Fri, Jun 5, 1:27 PM
Gehel moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2026-06-05 - 2026-06-26) board.
gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298262 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] dse-k8s-aux: define internal kafka-ui disc and svc records

https://gerrit.wikimedia.org/r/1298262

gerritbot added a project: Patch-For-Review.Fri, Jun 5, 1:38 PM

Change #1298263 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/dns@master] Cleanup kafka-ui records pointing to the dse-k8s ingress

https://gerrit.wikimedia.org/r/1298263

gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298266 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] aux-k8s: define the kafka-ui namespace in both clusters

https://gerrit.wikimedia.org/r/1298266

gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298267 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] aux-k8s: define the kafka-ui helmfile and values

https://gerrit.wikimedia.org/r/1298267

gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298264 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] aux-k8s: define the kafka-ui kubeconfigs

https://gerrit.wikimedia.org/r/1298264

gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298268 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s: remove the kafka-ui namespace

https://gerrit.wikimedia.org/r/1298268

gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298265 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] dse-k8s: remove kafka-ui kubeconfigs

https://gerrit.wikimedia.org/r/1298265

gerritbot added a comment.Fri, Jun 5, 1:38 PM

Change #1298269 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] dse-k8s: remove the kafka-ui helmfile and values

https://gerrit.wikimedia.org/r/1298269

gerritbot added a comment.Fri, Jun 5, 2:18 PM

Change #1298283 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] CI: add aux-k8s-codfw to the list of environments

https://gerrit.wikimedia.org/r/1298283

gerritbot added a comment.Fri, Jun 5, 3:01 PM

Change #1298263 abandoned by Brouberol:

[operations/dns@master] Cleanup kafka-ui records pointing to the dse-k8s ingress

https://gerrit.wikimedia.org/r/1298263

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits