Seldon recommends a managed Kafka for production installation. You can integrate and secure your managed Kafka with Seldon Enterprise Platform and Seldon Core 2.
Integrating managed Kafka services
These instructions outline the necessary configurations to integrate managed Kafka services with Seldon Core 2.
In production settings, always set up TLS encryption with Kafka. This ensures that neither the credentials nor the payloads are transported in plaintext.
Note: TLS encryption involves only single-sided TLS. This means that the contents are encrypted and sent to the server, but the client won’t send any form of certificate. Therefore, it does not take care of authenticating the client. Client authentication can be configured through mutual TLS (mTLS) or SASL mechanism, which are covered in the Kafka Authentication section .
When TLS is enabled, the client needs to know the root CA certificate used to create the server’s certificate. This is used to validate the certificate sent back by the Kafka server.
Create a certificate named ca.crt that is encoded as a PEM certificate. It is important that the certificate is saved as ca.crt. Otherwise, Seldon Core 2 may not be able to find the certificate. Within the cluster, you can provide the server’s root CA certificate through a secret. For example, a secret named kafka-broker-tls with a certificate.
In production environments, Kafka clusters often require authentication, especially when using managed Kafka solutions. Therefore, when installing Seldon Core 2 components, it is crucial to provide the correct credentials for a secure connection to Kafka.
The type of authentication used with Kafka varies depending on the setup but typically includes one of the following:
Simple Authentication and Security Layer (SASL): Requires a username and password.
Mutual TLS (mTLS): Involves using SSL certificates as credentials.
OAuth 2.0: Uses the client credential flow to acquire a JWT token.
These credentials are stored as Kubernetes secrets within the cluster. When setting up Seldon Core 2, and Seldon Enterprise Platform you must create the appropriate secret in the correct format and update the components-values.yaml, and install-values files respectively.
When you use SASL as the authentication mechanism for Kafka, the credentials consist of a username and password pair. The password is supplied through a secret.
Note:
Ensure that the field used for the password within the secret is named password. Otherwise, Seldon Core 2 may not be able to find the correct password.
This password must be present in seldon-logs namespace and every namespace containing Seldon Core 2 runtime.
Create a password for Seldon Core 2 in the namespace seldon.
security.kafka.sasl.client.secret - Created secret with password
security.kafka.ssl.client.brokerValidationSecret - Certificate Authority of Kafka Brokers
The resulting set of values to include in components-values.yaml is similar to:
security:
kafka:
protocol: SASL_SSL
sasl:
mechanism: SCRAM-SHA-512
client:
username: <kafka-username> # TODO: Replace with your Kafka username
secret: kafka-sasl-secret # NOTE: Secret name from previous step
ssl:
client:
secret: # NOTE: Leave empty
brokerValidationSecret: kafka-broker-tls # NOTE: Optional
The security.kafka.ssl.client.brokerValidationSecret field is optional. Leave it empty if your brokers use well known Certificate Authority such as Let’s Encrypt.
Values in Seldon Core 2 Seldon Enterprise Platform
In Seldon Enterprise Platform, the updates to install-values.yaml are almost exactly the same. The only difference is that corresponding entries are underrequestLogger.kafka_consumer.
The resulting set of values to include in install-values.yamlis similar to:
requestLogger:
kafka_consumer:
protocol: SASL_SSL
sasl:
mechanism: SCRAM-SHA-512
client:
username: <kafka-username> # TODO: Replace with your Kafka username
secret: kafka-sasl-secret # NOTE: Secret name from earlier step
ssl:
client:
secret: # NOTE: Leave empty
brokerValidationSecret: kafka-broker-tls # NOTE: Optional
When you use OAuth 2.0 as the authentication mechanism for Kafka, the credentials consist of a Client ID and Client Secret, which are used with your Identity Provider to obtain JWT tokens for authenticating with Kafka brokers.
The security.kafka.ssl.client.brokerValidationSecret field is optional. Leave it empty if your brokers use well known Certificate Authority such as Let’s Encrypt.
Values for Seldon Enterprise Platform
In Seldon Enterprise Platform, the updates to install-values.yaml are almost exactly the same. The only difference is that corresponding entries are underrequestLogger.kafka_consumer.
The resulting set of values to include in install-values.yaml should be similar to:
This secret must be present in seldon-logs namespace and every namespace containing Seldon Core 2 runtime.
Ensure that the field used within the secret follow the same naming convention: tls.crt, tls.key and ca.crt. Otherwise, Seldon Core 2 may not be able to find the correct set of certificates.
Reference these certificates it within the corresponding Helm values for both Seldon Core 2 and Seldon Enterprise Platform installation.
Values for Seldon Core 2 In Seldon Core 2 you need to specify these values:
security.kafka.ssl.client.secret - Secret name containing client certificates
security.kafka.ssl.client.brokerValidationSecret - Certificate Authority of Kafka Brokers
The resulting set of values to include in components-values.yaml is similar to:
security:
kafka:
protocol: SSL
ssl:
client:
secret: kafka-client-tls # NOTE: Secret name from earlier step
brokerValidationSecret: kafka-broker-tls # NOTE: Optional
The security.kafka.ssl.client.brokerValidationSecret field is optional. Leave it empty if your brokers use well known Certificate Authority such as Let’s Encrypt.
Values for Seldon Enterprise Platform
In Seldon Enterprise Platform, the updates to install-values.yaml are almost exactly the same. The only difference is that corresponding entries are underrequestLogger.kafka_consumer.
The resulting set of values in install-values.yaml is similar to:
requestLogger:
kafka_consumer:
protocol: SSL
ssl:
client:
secret: kafka-client-tls # NOTE: Secret name from earlier step
brokerValidationSecret: kafka-broker-tls # NOTE: Optional
Example configurations for managed Kafka services
Here are some examples to create secrets for managed Kafka services such as Azure Event Hub, Confluent Cloud(SASL), Confluent Cloud(OAuth2.0).
Prerequisites:
You must use at least the Standard tier for your Event Hub namespace because the Basic tier does not support the Kafka protocol.
Seldon Core 2 creates two Kafka topics for each model and pipeline, plus one global topic for errors. This results in a total number of topics calculated as: 2 x (number of models + number of pipelines) + 1. This topic count is likely to exceed the limit of the Standard tier in Azure Event Hub. For more information, see quota information.
Creating a namespace and obtaining the connection string
These are the steps that you need to perform in Azure Portal.
Create an Azure Event Hub namespace. You need to have an Azure Event Hub namespace. Follow the Azure quickstart documentation to create one. Note: You do not need to create individual Event Hubs (topics) as Seldon Core 2 automatically creates all necessary topics.
Connection string for Kafka Integration. To connect to the Azure Event Hub using the Kafka API, you need to obtain Kafka endpoint and Connection string. For more information, see Get an Event Hubs connection string
Note: Ensure you get the Connection string at the namespace level, as it is needed to dynamically create new topics. The format of the Connection string should be:
Creating secrets for Seldon Core 2 and Seldon Enterprise Platform These are the steps that you need to perform in the Kubernetes cluster that run Seldon Core 2 and Seldon Enteprise Platform to store the SASL password.
Create a secret named azure-kafka-secret for Seldon Core 2 in the namespace seldon. In the following command make sure to replace <password> with a password of your choice and <namespace> with the namespace form Azure Event Hub.
Create a secret named azure-kafka-secret for Seldon Enterprise Platform in the namespace seldon-system. In the following command make sure to replace <password> with a password of your choice and <namespace> with the namespace form Azure Event Hub.
These are the steps that you need to perform in Confluent Cloud.
Navigate to Clients > New client and choose a client, for example GO and generate new Kafka cluster API key. For more information, see Confluent documentation.
Confluent generates a configuration file with the details.
Save the values of Key, Secret, and bootstrap.servers from the configuration file.
Creating secrets for Seldon Core 2 and Seldon Enterprise Platform
These are the steps that you need to perform in the Kubernetes cluster that run Seldon Core 2 and Seldon Enteprise Platform to store the SASL password.
Create a secret named confluent-kafka-sasl for Seldon Core 2 in the namespace seldon. In the following command make sure to replace <password> with with the value of Secret that you generated in Confluent cloud.
Create a secret named confluent-kafka-sasl for Seldon Enterprise Platform in the namespace seldon-system. In the following command make sure to replace <password> with the value of Secret that you generated in Confluent cloud.
Obtain these details from your identity providers such as Keycloak or Azure AD.
Client ID
Client secret
Token Endpoint URL
If you are using Azure AD you may will need to set scope: api://<client id>/.default.
Creating Kubernetes secret
Create Kubernetes secrets to store the required client credentials. For example, create a kafka-secret.yaml file by replacing the values of <client id>, <client secret>, <token endpoint url>, <cluster id>,<identity pool id> with the values that you obtained from Confluent Cloud and your identity provider.
to tweak the values for replicationFactor and numPartitions that best suits your cluster configuration.
set the value for username as $ConnectionString this is not a variable.
replace <namespace> with the namespace in Azure Event Hub.
Update the initial configuration for Seldon Core 2 in the components-values.yaml file. Use your preferred text editor to update and save the file with the following content:
to tweak the values for replicationFactor and numPartitions that best suits your cluster configuration.
replace <username> with thevalue of Key that you generated in Confluent Cloud.
replace <confluent-endpoints> with the value of bootstrap.server that you generated in Confluent Cloud.
Update the initial configuration for Seldon Core 2 Operator in the components-values.yaml file. Use your preferred text editor to update and save the file with the following content:
to tweak the values for replicationFactor and numPartitions that best suits your cluster configuration.
replace <confluent-endpoints> with the value of bootstrap.server that you generated in Confluent Cloud.
Update the initial configuration for Seldon Core 2 Operator in the components-values.yaml file. Use your preferred text editor to update and save the file with the following content:
To enable Kafka Encryption (TLS) you need to reference the secret that you created in the security.kafka.ssl.client.secret field of the Helm chart values. The resulting set of values to include in components-values.yaml is similar to:
