【软件部署】用docker部署Apache Kafka 集群架构isolated模式带SSL

说明

带SSL,增强安全

配置

创建文件compose.yaml

bash 复制代码
# 有SSL

services:
  init-kafka-perms:
    image: busybox:latest
    command: sh -c "chown -R 1000:1000 /controller-1 /controller-2 /controller-3 /kafka1 /kafka2 /kafka3"
    volumes:
      - controller-1:/controller-1
      - controller-2:/controller-2
      - controller-3:/controller-3
      - kafka1-logs:/kafka1
      - kafka2-logs:/kafka2
      - kafka3-logs:/kafka3
    restart: "no"
    container_name: kafka-perms-fix
    networks:
      - kafka

  controller-1:
    image: apache/kafka:4.2.0
    hostname: controller-1
    container_name: kafka-controller-1
    restart: unless-stopped
    environment:
      KAFKA_NODE_ID: 1
      KAFKA_PROCESS_ROLES: 'controller'
      KAFKA_CONTROLLER_QUORUM_VOTERS: '1@controller-1:29092,2@controller-2:29092,3@controller-3:29092'
      KAFKA_CONTROLLER_LISTENER_NAMES: 'CONTROLLER'
      KAFKA_LISTENERS: 'CONTROLLER://:29092'
      CLUSTER_ID: '4L6g3nShT-eMCtK--X86sw'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_MIN_ISR: 2
      KAFKA_LOG_DIRS: '/tmp/kraft-combined-logs'
    depends_on:
      init-kafka-perms:
        condition: service_completed_successfully
    networks:
      - kafka
    volumes:
      - controller-1:/tmp/kraft-combined-logs
    healthcheck:
      test: nc -z localhost 29092 || exit 1
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
  
  controller-2:
    image: apache/kafka:4.2.0
    hostname: controller-2
    container_name: kafka-controller-2
    restart: unless-stopped
    environment:
      KAFKA_NODE_ID: 2
      KAFKA_PROCESS_ROLES: 'controller'
      KAFKA_CONTROLLER_QUORUM_VOTERS: '1@controller-1:29092,2@controller-2:29092,3@controller-3:29092'
      KAFKA_CONTROLLER_LISTENER_NAMES: 'CONTROLLER'
      KAFKA_LISTENERS: 'CONTROLLER://:29092'
      CLUSTER_ID: '4L6g3nShT-eMCtK--X86sw'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_MIN_ISR: 2
      KAFKA_LOG_DIRS: '/tmp/kraft-combined-logs'
    depends_on:
      init-kafka-perms:
        condition: service_completed_successfully
    networks:
      - kafka
    volumes:
      - controller-2:/tmp/kraft-combined-logs
    healthcheck:
      test: nc -z localhost 29092 || exit 1
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    
  controller-3:
    image: apache/kafka:4.2.0
    hostname: controller-3
    container_name: kafka-controller-3
    restart: unless-stopped
    environment:
      KAFKA_NODE_ID: 3
      KAFKA_PROCESS_ROLES: 'controller'
      KAFKA_CONTROLLER_QUORUM_VOTERS: '1@controller-1:29092,2@controller-2:29092,3@controller-3:29092'
      KAFKA_CONTROLLER_LISTENER_NAMES: 'CONTROLLER'
      KAFKA_LISTENERS: 'CONTROLLER://:29092'
      CLUSTER_ID: '4L6g3nShT-eMCtK--X86sw'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_MIN_ISR: 2
      KAFKA_LOG_DIRS: '/tmp/kraft-combined-logs'
    depends_on:
      init-kafka-perms:
        condition: service_completed_successfully
    networks:
      - kafka
    volumes:
      - controller-3:/tmp/kraft-combined-logs
    healthcheck:
      test: nc -z localhost 29092 || exit 1
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

  kafka-1:
    image: apache/kafka:4.2.0
    hostname: kafka-1
    container_name: kafka-1
    ports:
      - 29093:9093
    volumes:
      - ./secrets:/etc/kafka/secrets
      - kafka1-logs:/tmp/kraft-combined-logs
    environment:
      KAFKA_NODE_ID: 4
      KAFKA_PROCESS_ROLES: 'broker'
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'SSL:SSL,CONTROLLER:PLAINTEXT,SSL-INTERNAL:SSL'
      KAFKA_LISTENERS: 'SSL-INTERNAL://:19093,SSL://:9093'
      KAFKA_CONTROLLER_QUORUM_VOTERS: '1@controller-1:29092,2@controller-2:29092,3@controller-3:29092'
      KAFKA_INTER_BROKER_LISTENER_NAME: 'SSL-INTERNAL'
      KAFKA_SECURITY_PROTOCOL: SSL
      KAFKA_ADVERTISED_LISTENERS: SSL-INTERNAL://kafka-1:19093,SSL://localhost:29093
      KAFKA_CONTROLLER_LISTENER_NAMES: 'CONTROLLER'
      CLUSTER_ID: '4L6g3nShT-eMCtK--X86sw'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_MIN_ISR: 2
      KAFKA_LOG_DIRS: '/tmp/kraft-combined-logs'
      KAFKA_SSL_KEYSTORE_FILENAME: 'kafka01.keystore.jks'
      KAFKA_SSL_KEYSTORE_CREDENTIALS: 'kafka_keystore_creds'
      KAFKA_SSL_KEY_CREDENTIALS: 'kafka_ssl_key_creds'
      KAFKA_SSL_TRUSTSTORE_FILENAME: 'kafka.truststore.jks'
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: 'kafka_truststore_creds'
      KAFKA_SSL_CLIENT_AUTH: 'required'
      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
    depends_on:
      controller-1: { condition: service_healthy }
      controller-2: { condition: service_healthy }
      controller-3: { condition: service_healthy }
    restart: unless-stopped
    networks:
      - kafka
    healthcheck:
      test: nc -z localhost 9093 || exit 1
      interval: 60s
      timeout: 5s
      retries: 2
      start_period: 30s

  kafka-2:
    image: apache/kafka:4.2.0
    hostname: kafka-2
    container_name: kafka-2
    ports:
      - 39093:9093
    volumes:
      - ./secrets:/etc/kafka/secrets
      - kafka2-logs:/tmp/kraft-combined-logs
    environment:
      KAFKA_NODE_ID: 5
      KAFKA_PROCESS_ROLES: 'broker'
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'SSL:SSL,CONTROLLER:PLAINTEXT,SSL-INTERNAL:SSL'
      KAFKA_CONTROLLER_QUORUM_VOTERS: '1@controller-1:29092,2@controller-2:29092,3@controller-3:29092'
      KAFKA_LISTENERS: 'SSL-INTERNAL://:19093,SSL://:9093'
      KAFKA_INTER_BROKER_LISTENER_NAME: 'SSL-INTERNAL'
      KAFKA_SECURITY_PROTOCOL: SSL
      KAFKA_ADVERTISED_LISTENERS: SSL-INTERNAL://kafka-2:19093,SSL://localhost:39093
      KAFKA_CONTROLLER_LISTENER_NAMES: 'CONTROLLER'
      CLUSTER_ID: '4L6g3nShT-eMCtK--X86sw'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_MIN_ISR: 2
      KAFKA_LOG_DIRS: '/tmp/kraft-combined-logs'
      KAFKA_SSL_KEYSTORE_FILENAME: 'kafka01.keystore.jks'
      KAFKA_SSL_KEYSTORE_CREDENTIALS: 'kafka_keystore_creds'
      KAFKA_SSL_KEY_CREDENTIALS: 'kafka_ssl_key_creds'
      KAFKA_SSL_TRUSTSTORE_FILENAME: 'kafka.truststore.jks'
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: 'kafka_truststore_creds'
      KAFKA_SSL_CLIENT_AUTH: 'required'
      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
    depends_on:
      controller-1: { condition: service_healthy }
      controller-2: { condition: service_healthy }
      controller-3: { condition: service_healthy }
    restart: unless-stopped
    networks:
      - kafka
    healthcheck:
      test: nc -z localhost 9093 || exit 1
      interval: 60s
      timeout: 5s
      retries: 2
      start_period: 30s

  kafka-3:
    image: apache/kafka:4.2.0
    hostname: kafka-3
    container_name: kafka-3
    ports:
      - 49093:9093
    volumes:
      - ./secrets:/etc/kafka/secrets
      - kafka3-logs:/tmp/kraft-combined-logs
    environment:
      KAFKA_NODE_ID: 6
      KAFKA_PROCESS_ROLES: 'broker'
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: 'SSL:SSL,CONTROLLER:PLAINTEXT,SSL-INTERNAL:SSL'
      KAFKA_CONTROLLER_QUORUM_VOTERS: '1@controller-1:29092,2@controller-2:29092,3@controller-3:29092'
      KAFKA_LISTENERS: 'SSL-INTERNAL://:19093,SSL://:9093'
      KAFKA_INTER_BROKER_LISTENER_NAME: 'SSL-INTERNAL'
      KAFKA_SECURITY_PROTOCOL: SSL
      KAFKA_ADVERTISED_LISTENERS: SSL-INTERNAL://kafka-3:19093,SSL://localhost:49093
      KAFKA_CONTROLLER_LISTENER_NAMES: 'CONTROLLER'
      CLUSTER_ID: '4L6g3nShT-eMCtK--X86sw'
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_REPLICATION_FACTOR: 3
      KAFKA_SHARE_COORDINATOR_STATE_TOPIC_MIN_ISR: 2
      KAFKA_LOG_DIRS: '/tmp/kraft-combined-logs'
      KAFKA_SSL_KEYSTORE_FILENAME: 'kafka01.keystore.jks'
      KAFKA_SSL_KEYSTORE_CREDENTIALS: 'kafka_keystore_creds'
      KAFKA_SSL_KEY_CREDENTIALS: 'kafka_ssl_key_creds'
      KAFKA_SSL_TRUSTSTORE_FILENAME: 'kafka.truststore.jks'
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: 'kafka_truststore_creds'
      KAFKA_SSL_CLIENT_AUTH: 'required'
      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
    depends_on:
      controller-1: { condition: service_healthy }
      controller-2: { condition: service_healthy }
      controller-3: { condition: service_healthy }
    restart: unless-stopped
    networks:
      - kafka
    healthcheck:
      test: nc -z localhost 9093 || exit 1
      interval: 60s
      timeout: 5s
      retries: 2
      start_period: 30s

volumes:
  controller-1:
    name: kafka-controller-1
  controller-2:
    name: kafka-controller-2
  controller-3:
    name: kafka-controller-3
  kafka1-logs:
    name: kafka1-logs
  kafka2-logs:
    name: kafka2-logs
  kafka3-logs:
    name: kafka3-logs

networks:
  kafka:
    name: kafka

创建目录secrets

自己生成文件或下载SSL模板文件https://github.com/apache/kafka/tree/trunk/docker/examples/fixtures/secrets

部署

bash 复制代码
docker compose up -d

测试

确认容器健康

功能测试待更新。

相关推荐
辉的技术笔记3 小时前
Dify 自部署为什么跑不动?6 层瓶颈诊断法教你定位
docker
程序员老赵1 天前
Docker 部署 Redmine:老牌开源项目管理部署实测记录
docker·开源·团队管理
程序员老赵1 天前
服务器文件不想 SFTP 上传?Docker 跑个 File Browser,浏览器就能管理
服务器·docker·开源
lichenyang4533 天前
Docker 学习笔记(五):Docker Compose,用一个 YAML 启动前端、后端和 MongoDB
docker
lichenyang4533 天前
Docker 学习笔记(四):Dockerfile,把项目打成自己的镜像
docker·容器
lichenyang4533 天前
Docker 学习笔记(三):Docker 网络、bridge、子网和容器互通
docker·容器
lichenyang4533 天前
Docker 学习笔记(二):docker run 的参数到底在控制什么?
docker·容器
阿里云云原生4 天前
数据链路再精简:Kafka 如何做到“零 ETL”一键写入 Apache Iceberg?
kafka
Patrick_Wilson8 天前
从「改个端口」到 502:Next.js on k8s 的容器端口、Service 映射与 env 覆盖
docker·kubernetes·next.js
Suroy8 天前
DockerView-Go:用 Go 写一个终端 Docker 监控工具,顺便做了个 Web 仪表盘
docker