Add KRaft broker deployment and augment README

confluentinc · Jul 24, 2024 · 2de53cb · 2de53cb
1 parent b741af7
commit 2de53cb
Show file tree

Hide file tree

Showing 2 changed files with 358 additions and 1 deletion.
diff --git a/security/production-secure-deploy-ldap-rbac-all/README.rst b/security/production-secure-deploy-ldap-rbac-all/README.rst
@@ -48,6 +48,12 @@ Note that it is assumed that your Kubernetes cluster has a ``confluent`` namespa
 
      helm upgrade --install operator confluentinc/confluent-for-kubernetes --namespace confluent
   
+  In case you choose to use KRaft brokers instead of zookeeper install the operator using:
+
+   ::
+
+     helm upgrade --install operator confluentinc/confluent-for-kubernetes -n confluent --set kRaftEnabled=true
+
 #. Check that the Confluent For Kubernetes pod comes up and is running:
 
    ::
@@ -137,7 +143,8 @@ Provide authentication credentials
 
    This secret object contains file based properties. These files are in the
    format that each respective Confluent component requires for authentication
-   credentials.
+   credentials. If a KRaft broker is desired instead of zookeeper the credential
+   files for zookeeper can still be used regardless.
 
    ::
    
@@ -253,6 +260,12 @@ Deploy Confluent Platform
 
      kubectl apply -f $TUTORIAL_HOME/confluent-platform-production.yaml --namespace confluent
 
+  If you choose a KRaft broker setup instead of zookeeper simply deploy:
+
+   ::
+
+     kubectl apply -f $TUTORIAL_HOME/confluent-platform-production-kraft.yaml --namespace confluent
+
 #. Check that all Confluent Platform resources are deployed:
 
    ::

diff --git a/security/production-secure-deploy-ldap-rbac-all/confluent-platform-production-kraft.yaml b/security/production-secure-deploy-ldap-rbac-all/confluent-platform-production-kraft.yaml
@@ -0,0 +1,344 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: KRaftController
+metadata:
+  name: kraftcontroller
+  namespace: confluent
+spec:
+  replicas: 3
+  image:
+    application: confluentinc/cp-server:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  listeners:
+    controller:
+      tls:
+        enabled: true
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+  tls:
+    secretRef: tls-group1
+  dataVolumeCapacity: 10G
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+  name: kafka
+  namespace: confluent
+spec:
+  replicas: 3
+  image:
+    application: confluentinc/cp-server:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  dataVolumeCapacity: 10Gi
+  tls:
+    secretRef: tls-group1
+  listeners:
+    internal:
+      authentication:
+        type: ldap
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    external:
+      externalAccess:
+        type: nodePort
+        nodePort:
+          host: localhost
+          nodePortOffset: 30000
+      authentication:
+        type: ldap
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+  authorization:
+    type: rbac
+    superUsers:
+    - User:kafka
+  services:
+    kafkaRest:
+      externalAccess:
+        type: nodePort
+        nodePort:
+          host: localhost
+          nodePortOffset: 30100
+    mds:
+      tls:
+        enabled: true
+      tokenKeyPair:
+        secretRef: mds-token
+      externalAccess:
+        type: nodePort
+        nodePort:
+          host: localhost
+          nodePortOffset: 30200
+      provider:
+        type: ldap
+        ldap:
+          address: ldap://ldap.confluent.svc.cluster.local:389
+          authentication:
+            type: simple
+            simple:
+              secretRef: credential
+          configurations:
+            groupNameAttribute: cn
+            groupObjectClass: group
+            groupMemberAttribute: member
+            groupMemberAttributePattern: CN=(.*),DC=test,DC=com
+            groupSearchBase: dc=test,dc=com
+            userNameAttribute: cn
+            userMemberOfAttributePattern: CN=(.*),DC=test,DC=com
+            userObjectClass: organizationalRole
+            userSearchBase: dc=test,dc=com
+  dependencies:
+    kafkaRest:
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client
+    kRaftController:
+      controllerListener:
+        tls:
+          enabled: true
+        authentication:
+          type: ldap
+          jaasConfig:
+            secretRef: credential
+      clusterRef:
+        name: kraftcontroller
+        namespace: confluent
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Connect
+metadata:
+  name: connect
+  namespace: confluent
+spec:
+  replicas: 2
+  image:
+    application: confluentinc/cp-server-connect:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  tls:
+    secretRef: tls-group1
+  externalAccess:
+    type: nodePort
+    nodePort:
+      host: localhost
+      nodePortOffset: 30300
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: connect-mds-client
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: SchemaRegistry
+metadata:
+  name: schemaregistry
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-schema-registry:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  tls:
+    secretRef: tls-group1
+  externalAccess:
+    type: nodePort
+    nodePort:
+      host: localhost
+      nodePortOffset: 30400
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: sr-mds-client
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestProxy
+metadata:
+  name: kafkarestproxy
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-kafka-rest:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  tls:
+    secretRef: tls-group1
+  externalAccess:
+    type: nodePort
+    nodePort:
+      host: localhost
+      nodePortOffset: 30500
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: krp-mds-client
+      tls:
+        enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.confluent.svc.cluster.local:8081
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KsqlDB
+metadata:
+  name: ksqldb
+  namespace: confluent
+spec:
+  replicas: 2
+  image:
+    application: confluentinc/cp-ksqldb-server:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  dataVolumeCapacity: 10Gi
+  authorization:
+    type: rbac
+  externalAccess:
+    type: nodePort
+    nodePort:
+      host: localhost
+      nodePortOffset: 30600
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: ksqldb-mds-client
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ControlCenter
+metadata:
+  name: controlcenter
+  namespace: confluent
+spec:
+  replicas: 1
+  podTemplate:
+    probe:
+      liveness:
+        periodSeconds: 10
+        failureThreshold: 5
+        timeoutSeconds: 500
+  image:
+    application: confluentinc/cp-enterprise-control-center:7.6.0
+    init: confluentinc/confluent-init-container:2.8.0
+  dataVolumeCapacity: 10Gi
+  authorization:
+    type: rbac
+  externalAccess:
+    type: nodePort
+    nodePort:
+      host: localhost
+      nodePortOffset: 30700
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: c3-mds-client
+      tls:
+        enabled: true
+    connect:
+      - name: connect
+        url:  https://connect.confluent.svc.cluster.local:8083
+        tls:
+          enabled: true
+    ksqldb:
+      - name: ksqldb
+        url:  https://ksqldb.confluent.svc.cluster.local:8088
+        tls:
+          enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.confluent.svc.cluster.local:8081
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestClass
+metadata:
+  name: default
+  namespace: confluent
+spec:
+  kafkaRest:
+    authentication:
+      type: bearer
+      bearer:
+        secretRef: rest-credential