Skip to content

kcp migration execute

kcp migration execute

Execute an initialized migration

Synopsis

Execute an initialized migration through its remaining workflow steps.

This command resumes a migration from its current state, progressing through: lag checking, gateway fencing, pausing consumer offset sync (opt-in), fence verification (opt-in), topic promotion, and gateway switchover.

The migration must first be created with 'kcp migration init'. If execution is interrupted, re-running this command will resume from the last completed step.

Credentials (cluster-api-key, cluster-api-secret) are intentionally not stored in the migration state file and must be provided each time.

kcp migration execute [flags]

Examples

  # MSK source with IAM auth
  kcp migration execute \
      --migration-id migration-a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
      --lag-threshold 0 \
      --cluster-api-key ABCDEFGHIJKLMNOP \
      --cluster-api-secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
      --use-sasl-iam --aws-region us-east-1

  # Apache Kafka source with TLS
  kcp migration execute \
      --migration-id migration-a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
      --lag-threshold 0 \
      --cluster-api-key ABCDEFGHIJKLMNOP \
      --cluster-api-secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
      --use-tls --tls-ca-cert ca.pem --tls-client-cert client.pem --tls-client-key client.key

Options

      --aws-region string                              AWS region of the source MSK cluster (e.g. us-east-1).
      --cluster-api-key string                         API key for authenticating with the destination cluster.
      --cluster-api-secret string                      API secret for authenticating with the destination cluster.
      --consumer-offset-sync-drain-duration duration   How long to wait after fencing before disabling the cluster link's consumer.offset.sync.enable. The fence freezes source consumer offsets, so this drain lets the link propagate the final offsets to the destination, reducing (best-effort, not guaranteed) messages reprocessed after switchover. Has no effect unless the migration was initialised with --pause-consumer-offset-sync. 0 (the default) disables the wait.
  -h, --help                                           help for execute
      --insecure-skip-tls-verify                       Skip TLS certificate verification for REST endpoint and Kafka connections.
      --lag-threshold int                              Total topic replication lag threshold (sum of all partition lags) before proceeding with migration.
      --migration-id string                            ID of the migration to execute (from 'kcp migration list').
      --migration-state-file string                    Path to the migration state file. (default "migration-state.json")
      --promote-batch-size int                         Maximum number of mirror topics to promote per batch. 0 (the default) promotes all topics at once. When set (>0), each batch is promoted and confirmed STOPPED before the next batch is submitted.
      --rollout-timeout duration                       Maximum time to wait for the Confluent operator to report the gateway as Ready during fence and switchover. 0 (the default) means no deadline — the wait runs until the operator converges or the user cancels.
      --sasl-plain-password string                     SASL/PLAIN password for the source cluster.
      --sasl-plain-username string                     SASL/PLAIN username for the source cluster.
      --sasl-scram-mechanism string                    SASL/SCRAM mechanism (SHA256 or SHA512). Defaults to SHA512 for MSK compatibility. (default "SHA512")
      --sasl-scram-password string                     SASL/SCRAM password for the source MSK cluster.
      --sasl-scram-username string                     SASL/SCRAM username for the source MSK cluster.
      --tls-ca-cert string                             Path to the TLS CA certificate for the source MSK cluster.
      --tls-client-cert string                         Path to the TLS client certificate for the source MSK cluster.
      --tls-client-key string                          Path to the TLS client key for the source MSK cluster.
      --use-sasl-iam                                   Use IAM authentication for the source MSK cluster.
      --use-sasl-plain                                 Use SASL/PLAIN authentication for the source cluster.
      --use-sasl-scram                                 Use SASL/SCRAM authentication for the source MSK cluster.
      --use-tls                                        Use TLS authentication for the source MSK cluster.
      --use-unauthenticated-plaintext                  Use unauthenticated (plaintext) for the source MSK cluster.
      --use-unauthenticated-tls                        Use unauthenticated (TLS encryption) for the source MSK cluster.

Options inherited from parent commands

      --verbose   Enable verbose logging to console

SEE ALSO