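---
# Strimzi Kafka cluster example.
# Prerequisite: the Strimzi Operator is installed and has watch permission on
# this namespace.
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: juwan-kafka
  namespace: juwan  # example application namespace
spec:
  kafka:
    version: 3.9.0  # Kafka broker version
    replicas: 1  # fine for development; use >= 3 in production
    listeners:
      # Plaintext listener kept for in-cluster debugging. It carries no
      # authentication, so clients connect as the anonymous principal; with
      # simple authorization enabled below they are denied by default.
      # Do not carry this listener into production.
      - name: plain
        port: 9092
        type: internal  # reachable only from inside the cluster
        tls: false
      # TLS listener, recommended for application traffic.
      - name: tls
        port: 9093
        type: internal
        tls: true
        # Mutual TLS: the client certificate issued for a KafkaUser with
        # authentication.type tls is what identifies the client here. Without
        # this, connections on 9093 are encrypted but unauthenticated.
        authentication:
          type: tls
    # Broker-side ACL enforcement. The KafkaUser below declares
    # authorization.type simple, which relies on the cluster having an
    # authorizer configured; the original example omitted it, so its ACLs
    # would not have been enforced.
    authorization:
      type: simple
    config:
      # Single-replica tolerance settings (development only).
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      default.replication.factor: 1
      min.insync.replicas: 1
    storage:
      # Ephemeral storage: data is lost when the Pod is recreated.
      # Use persistent-claim in production.
      type: ephemeral
  zookeeper:
    replicas: 1  # fine for development; use >= 3 in production
    storage:
      type: ephemeral
  # Enable the Topic and User Operators so topics and accounts can be managed
  # declaratively.
  entityOperator:
    topicOperator: {}
    userOperator: {}
---
# Application topic example.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaTopic
metadata:
  name: user-events  # user event topic
  namespace: juwan
  labels:
    strimzi.io/cluster: juwan-kafka  # name of the owning Kafka cluster
spec:
  partitions: 3  # partition count; bounds consumer parallelism
  replicas: 1  # replica count, development example
  config:
    retention.ms: 604800000  # 7 days
    segment.bytes: 1073741824  # 1 GiB
---
# Kafka user and ACL example.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: app-producer  # producer account used by the application
  namespace: juwan
  labels:
    strimzi.io/cluster: juwan-kafka
spec:
  authentication:
    # The User Operator generates a Secret holding the TLS client
    # certificate and key; treat that Secret as a credential and restrict
    # who can read it.
    type: tls
  authorization:
    type: simple
    acls:
      # NOTE(review): the account is named app-producer but is also granted
      # Read on the topic and on a consumer group. If this identity only
      # produces, drop Read and the group rule, or move them to a separate
      # consumer KafkaUser, to keep the grant least-privilege.
      - resource:
          type: topic
          name: user-events
          patternType: literal
        operations:
          - Read
          - Write
      - resource:
          type: group
          name: app-consumer-group
          patternType: literal
        operations:
          - Read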