diff --git a/security/production-secure-deploy-ldap-rbac-all/README.rst b/security/production-secure-deploy-ldap-rbac-all/README.rst index 56d676da..e708f335 100644 --- a/security/production-secure-deploy-ldap-rbac-all/README.rst +++ b/security/production-secure-deploy-ldap-rbac-all/README.rst @@ -48,6 +48,12 @@ Note that it is assumed that your Kubernetes cluster has a ``confluent`` namespa helm upgrade --install operator confluentinc/confluent-for-kubernetes --namespace confluent + In case you choose to use KRaft brokers instead of zookeeper install the operator using: + + :: + + helm upgrade --install operator confluentinc/confluent-for-kubernetes -n confluent --set kRaftEnabled=true + #. Check that the Confluent For Kubernetes pod comes up and is running: :: @@ -137,7 +143,8 @@ Provide authentication credentials This secret object contains file based properties. These files are in the format that each respective Confluent component requires for authentication - credentials. + credentials. If a KRaft broker is desired instead of zookeeper the credential + files for zookeeper can still be used regardless. :: @@ -253,6 +260,12 @@ Deploy Confluent Platform kubectl apply -f $TUTORIAL_HOME/confluent-platform-production.yaml --namespace confluent + If you choose a KRaft broker setup instead of zookeeper simply deploy: + + :: + + kubectl apply -f $TUTORIAL_HOME/confluent-platform-production-kraft.yaml --namespace confluent + #. Check that all Confluent Platform resources are deployed: :: diff --git a/security/production-secure-deploy-ldap-rbac-all/confluent-platform-production-kraft.yaml b/security/production-secure-deploy-ldap-rbac-all/confluent-platform-production-kraft.yaml new file mode 100644 index 00000000..05029179 --- /dev/null +++ b/security/production-secure-deploy-ldap-rbac-all/confluent-platform-production-kraft.yaml 
@@ -0,0 +1,344 @@ +apiVersion: platform.confluent.io/v1beta1 +kind: KRaftController +metadata: + name: kraftcontroller + namespace: confluent +spec: + replicas: 3 + image: + application: confluentinc/cp-server:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + listeners: + controller: + tls: + enabled: true + authentication: + type: plain + jaasConfig: + secretRef: credential + tls: + secretRef: tls-group1 + dataVolumeCapacity: 10G +--- +apiVersion: platform.confluent.io/v1beta1 +kind: Kafka +metadata: + name: kafka + namespace: confluent +spec: + replicas: 3 + image: + application: confluentinc/cp-server:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + dataVolumeCapacity: 10Gi + tls: + secretRef: tls-group1 + listeners: + internal: + authentication: + type: ldap + jaasConfig: + secretRef: credential + tls: + enabled: true + external: + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30000 + authentication: + type: ldap + jaasConfig: + secretRef: credential + tls: + enabled: true + authorization: + type: rbac + superUsers: + - User:kafka + services: + kafkaRest: + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30100 + mds: + tls: + enabled: true + tokenKeyPair: + secretRef: mds-token + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30200 + provider: + type: ldap + ldap: + address: ldap://ldap.confluent.svc.cluster.local:389 + authentication: + type: simple + simple: + secretRef: credential + configurations: + groupNameAttribute: cn + groupObjectClass: group + groupMemberAttribute: member + groupMemberAttributePattern: CN=(.*),DC=test,DC=com + groupSearchBase: dc=test,dc=com + userNameAttribute: cn + userMemberOfAttributePattern: CN=(.*),DC=test,DC=com + userObjectClass: organizationalRole + userSearchBase: dc=test,dc=com + dependencies: + kafkaRest: + authentication: + type: bearer + bearer: + secretRef: mds-client + kRaftController: + 
controllerListener: + tls: + enabled: true + authentication: + type: ldap + jaasConfig: + secretRef: credential + clusterRef: + name: kraftcontroller + namespace: confluent +--- +apiVersion: platform.confluent.io/v1beta1 +kind: Connect +metadata: + name: connect + namespace: confluent +spec: + replicas: 2 + image: + application: confluentinc/cp-server-connect:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + tls: + secretRef: tls-group1 + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30300 + authorization: + type: rbac + dependencies: + kafka: + bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071 + authentication: + type: plain + jaasConfig: + secretRef: credential + tls: + enabled: true + mds: + endpoint: https://kafka.confluent.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token + authentication: + type: bearer + bearer: + secretRef: connect-mds-client + tls: + enabled: true +--- +apiVersion: platform.confluent.io/v1beta1 +kind: SchemaRegistry +metadata: + name: schemaregistry + namespace: confluent +spec: + replicas: 1 + image: + application: confluentinc/cp-schema-registry:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + tls: + secretRef: tls-group1 + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30400 + authorization: + type: rbac + dependencies: + kafka: + bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071 + authentication: + type: plain + jaasConfig: + secretRef: credential + tls: + enabled: true + mds: + endpoint: https://kafka.confluent.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token + authentication: + type: bearer + bearer: + secretRef: sr-mds-client + tls: + enabled: true +--- +apiVersion: platform.confluent.io/v1beta1 +kind: KafkaRestProxy +metadata: + name: kafkarestproxy + namespace: confluent +spec: + replicas: 1 + image: + application: confluentinc/cp-kafka-rest:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + 
tls: + secretRef: tls-group1 + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30500 + authorization: + type: rbac + dependencies: + kafka: + bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071 + authentication: + type: plain + jaasConfig: + secretRef: credential + tls: + enabled: true + mds: + endpoint: https://kafka.confluent.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token + authentication: + type: bearer + bearer: + secretRef: krp-mds-client + tls: + enabled: true + schemaRegistry: + url: https://schemaregistry.confluent.svc.cluster.local:8081 + tls: + enabled: true +--- +apiVersion: platform.confluent.io/v1beta1 +kind: KsqlDB +metadata: + name: ksqldb + namespace: confluent +spec: + replicas: 2 + image: + application: confluentinc/cp-ksqldb-server:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + dataVolumeCapacity: 10Gi + authorization: + type: rbac + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30600 + tls: + secretRef: tls-group1 + dependencies: + kafka: + bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071 + authentication: + type: plain + jaasConfig: + secretRef: credential + tls: + enabled: true + mds: + endpoint: https://kafka.confluent.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token + authentication: + type: bearer + bearer: + secretRef: ksqldb-mds-client + tls: + enabled: true +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ControlCenter +metadata: + name: controlcenter + namespace: confluent +spec: + replicas: 1 + podTemplate: + probe: + liveness: + periodSeconds: 10 + failureThreshold: 5 + timeoutSeconds: 500 + image: + application: confluentinc/cp-enterprise-control-center:7.6.0 + init: confluentinc/confluent-init-container:2.8.0 + dataVolumeCapacity: 10Gi + authorization: + type: rbac + externalAccess: + type: nodePort + nodePort: + host: localhost + nodePortOffset: 30700 + tls: + secretRef: tls-group1 + dependencies: + 
kafka: + bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071 + authentication: + type: plain + jaasConfig: + secretRef: credential + tls: + enabled: true + mds: + endpoint: https://kafka.confluent.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token + authentication: + type: bearer + bearer: + secretRef: c3-mds-client + tls: + enabled: true + connect: + - name: connect + url: https://connect.confluent.svc.cluster.local:8083 + tls: + enabled: true + ksqldb: + - name: ksqldb + url: https://ksqldb.confluent.svc.cluster.local:8088 + tls: + enabled: true + schemaRegistry: + url: https://schemaregistry.confluent.svc.cluster.local:8081 + tls: + enabled: true +--- +apiVersion: platform.confluent.io/v1beta1 +kind: KafkaRestClass +metadata: + name: default + namespace: confluent +spec: + kafkaRest: + authentication: + type: bearer + bearer: + secretRef: rest-credential
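Review bot: The controller-quorum authentication settings in this hunk disagree with each other: the KRaftController declares `listeners.controller.authentication.type: plain`, while the Kafka resource's `dependencies.kRaftController.controllerListener.authentication.type` is `ldap`, both referencing the same `credential` secret. As far as I recall the CFK docs require the broker-side dependency block to mirror the controller listener, so these should be aligned — either `type: plain` on both, meaning the quorum is guarded only by the static users in the JAAS file, or `type: ldap` on both so controller connections are validated against LDAP like every other listener in this file; please confirm against the CFK KRaft authentication documentation before merging. Separately, `mds.provider.ldap.address` is `ldap://ldap.confluent.svc.cluster.local:389` with a simple bind, so the MDS bind password and every SASL/PLAIN credential MDS verifies through LDAP cross the cluster network in cleartext; for a tutorial labelled production-secure I would expect `address: ldaps://ldap.confluent.svc.cluster.local:636` with the ldap provider's `tls: { enabled: true }` flag, unless the bundled OpenLDAP deliberately serves only 389, in which case a comment saying so (`# tutorial LDAP is plaintext; use ldaps:// in production`) would keep readers from copying this verbatim. Minor: the KRaftController uses `dataVolumeCapacity: 10G` while every other resource uses `10Gi`.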