Merge pull request #57 from k-wall/publish_060_docs

Publish v0.6.0 docs

Author: k-wall

_data/kroxylicious.yml

@@ -1,6 +1,8 @@
 versions:
   - title: 'Development'
     url: '/kroxylicious'
+  - title: 'v0.6.0'
+    url: '/docs/v0.6.0/'
   - title: 'v0.5.1'
     url: '/docs/v0.5.1/'
   - title: 'v0.5.0'
@@ -10,4 +12,4 @@ versions:
   - title: 'v0.4.0'
     url: '/docs/v0.4.0/'
   - title: 'v0.3.0'
-    url: '/docs/v0.3.0/'
+    url: '/docs/v0.3.0/'

docs/v0.6.0/_files/available-filters.adoc

@@ -0,0 +1,15 @@
+= Filters
+
+== Built-in filters
+
+The following filters are provided built-in as part of the distribution.
+
+include::available-filters/record-encryption/record-encryption.adoc[leveloffset=2]
+include::available-filters/multi-tenancy/multi-tenancy.adoc[leveloffset=2]
+include::available-filters//schema-validation/schema-validation.adoc[leveloffset=2]
+include::available-filters/oauthbearer/oauthbearer.adoc[leveloffset=2]
+
+== Community filters
+
+Community contributed filters are showcased in the
+https://github.com/kroxylicious/kroxylicious-community-gallery[Community Gallery].

docs/v0.6.0/_files/available-filters/multi-tenancy/multi-tenancy.adoc

@@ -0,0 +1,63 @@
+:github: https://github.com/kroxylicious/kroxylicious
+= Multi-tenancy
+
+== What is it?
+
+Multi-tenancy filter enables isolation prefixing each metadata transiting through virtual cluster to target cluster.
+See https://kafka.apache.org/documentation/#multitenancy[Apache Kafka multi-tenancy documentation] for more information.
+
+== How to use the filter
+
+There are two steps to using the filter.
+
+1. <<Configuring virtual clusters>>
+2. Configuring the filter within Kroxylicious.
+
+=== Configuring the filter within Kroxylicious.
+
+[source, yaml]
+----
+filters:
+  - type: MultiTenantTransformationFilterFactory
+    config:
+      prefixResourceNameSeparator: "." #<1>
+----
+<1> `-` is the default separator if no config is provided
+
+If the virtual cluster name is `demo`, the created prefix will be `demo.`
+
+NOTE: Currently, only the prefix with separator is validated.
+
+=== Verifying that multi-tenancy is occurring
+
+Set up two virtual clusters `devenv1` & `devenv2`. See this {github}/blob/main/kubernetes-examples/multi-tenant/base/kroxylicious/kroxylicious-config.yaml[example].
+
+Create a topic on `devenv1`
+
+[source]
+----
+kafka-topics.sh --bootstrap-server devenv1:9392 --create --if-not-exists --topic first-topic
+----
+
+Create a topic on `devenv2`
+
+[source]
+----
+kafka-topics.sh --bootstrap-server devenv2:9392 --create --if-not-exists --topic second-topic
+----
+
+List topics from `devenv1`
+
+[source]
+----
+kafka-topics.sh --bootstrap-server devenv1:9392 --list
+----
+
+List topics from `devenv2`
+
+[source]
+----
+kafka-topics.sh --bootstrap-server devenv2:9392 --list
+----
+
+A full example with kubernetes is available {github}/blob/main/kubernetes-examples/multi-tenant/script.txt[here]

docs/v0.6.0/_files/available-filters/oauthbearer/oauthbearer.adoc

@@ -0,0 +1,101 @@
+= OAUTHBEARER validation
+
+== What is it?
+
+OauthBearerValidation filter enables a validation on the JWT token received from client before forwarding it to cluster.
+
+If the token is not validated, then the request is short-circuited.
+It reduces resource consumption on the cluster when a client sends too many invalid SASL requests.
+
+[a2s, format="svg"]
+....
+.----------------------------------------------------------------------------------------.
+|                                                                                        |
+|    '---------'                  '---------------'                  '----------'        |
+|    |         |                  |               |                  |          |        |
+|    | Client  |                  | Kroxylicious  |                  | Cluster  |        |
+|    |         |                  |               |                  |          |        |
+|    '---------'                  '---------------'                  '----------'        |
+|         |                               |                                |             |
+|         |      Handshake request        |                                |             |
+|         |==============================>|   Forward handshake request    |             |
+|         |                               |===============================>|             |
+|         |                               |       Handshake response       |             |
+|         |      Handshake response       |<===============================|             |
+|         |<==============================|                                |             |
+|         |                               |                                |             |
+|         |                               |                                |             |
+|         |   Authenticate request        |                                |             |
+|         |==============================>|                                |             |
+|         |                               |==+                             |             |
+|         |                               |  : Validate Token              |             |
+|         |                               |<=+                             |             |
+|         |                               |                                |             |
+| '=======|===============================|=='                             |             |
+| :if     | [Validation fails]            |  :                             |             |
+| :       |                               |  :                             |             |
+| :       |       Invalid token           |  :                             |             |
+| :       |<==============================|  :                             |             |
+| :       |                               |  :                             |             |
+| '=======|===============================|=='                             |             |
+|         |                               |                                |             |
+| '=======|===============================|================================|=='          |
+| :if     | [Validation succeeds]         |                                |  :          |
+| :       |                               |  Forward authenticate request  |  :          |
+| :       |                               |===============================>|  :          |
+| :       |                               |     Authenticate response      |  :          |
+| :       |                               |<===============================|  :          |
+| :       |   Authenticate response       |                                |  :          |
+| :       |<==============================|                                |  :          |
+| :       |                               |                                |  :          |
+| '=======|===============================|================================|=='          |
+|         |                               |                                |             |
+|         |                               |                                |             |
+|    '---------'                  '---------------'                  '----------'        |
+|    |         |                  |               |                  |          |        |
+|    | Client  |                  | Kroxylicious  |                  | Cluster  |        |
+|    |         |                  |               |                  |          |        |
+|    '---------'                  '---------------'                  '----------'        |
+|                                                                                        |
+.----------------------------------------------------------------------------------------.
+[0,0]: {"fill":"#99d","a2s:delref":1}
+....
+
+== How to use the filter
+
+There are two steps to using the filter.
+
+1. <<Configuring virtual clusters>>
+2. Configuring the filter within Kroxylicious.
+
+=== Configuring the filter within Kroxylicious.
+
+[source, yaml]
+----
+filters:
+  - type: OauthBearerValidation
+    config:
+      jwksEndpointUrl: https://oauth/JWKS   #<1>
+      jwksEndpointRefreshMs: 3600000        #<2>
+      jwksEndpointRetryBackoffMs: 100       #<3>
+      jwksEndpointRetryBackoffMaxMs: 10000  #<4>
+      scopeClaimName: scope                 #<5>
+      subClaimName: sub                     #<6>
+      authenticateBackOffMaxMs: 60000       #<7>
+      authenticateCacheMaxSize: 1000        #<8>
+      expectedAudience: https://first.audience, https//second.audience #<9>
+      expectedIssuer: https://your-domain.auth/ #<10>
+----
+
+<1> The OAuth/OIDC provider URL from which the provider's JWKS (JSON Web Key Set) can be retrieved.
+<2> The (optional) value in milliseconds for the broker to wait between refreshing its JWKS (JSON Web Key Set) cache that contains the keys to verify the signature of the JWT.
+<3> The (optional) value in milliseconds for the initial wait between JWKS (JSON Web Key Set) retrieval attempts from the external authentication provider.
+<4> The (optional) value in milliseconds for the maximum wait between attempts to retrieve the JWKS (JSON Web Key Set) from the external authentication provider.
+<5> This (optional) setting can provide a different name to use for the scope included in the JWT payload's claims.
+<6> This (optional) setting can provide a different name to use for the subject included in the JWT payload's claims.
+<7> The (optional) maximum value in milliseconds to limit the client sending authenticate request. Setting 0 will never limit the client. Otherwise, an exponential delay is added to each authenticate request until the authenticateBackOffMaxMs has been reached.
+<8> The (optional) maximum number of failed tokens kept in cache.
+<9> The (optional) comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences.
+<10> The (optional) setting for the broker to use to verify that the JWT was created by the expected issuer.
+
+Note: OauthBearer config follows https://kafka.apache.org/documentation/#security_ssl[kafka's properties]

docs/v0.6.0/_files/available-filters/record-encryption/aws-kms/creating_keys.adoc

@@ -0,0 +1,28 @@
+:aws:  https://docs.aws.amazon.com/
+
+= AWS Key Management Service
+
+As the Administrator, use either the AWS Console or CLI to
+{aws}/kms/latest/developerguide/create-keys.html#create-symmetric-cmk[create] a *Symmetric key* with *Encrypt and decrypt*
+usage.  Multi-region keys are supported.  It is not possible to make use of keys from other AWS accountsfootnote:[https://github.com/kroxylicious/kroxylicious/issues/1217].
+
+Give the key an alias following the link:setup.adoc#_establish_an_aliasing_convention_for_keys_within_aws_kms[alias naming convention] established above.
+
+If using the CLI, this can be done with commands like this:
+
+[source,shell]
+----
+KEY_ALIAS="KEK_<name>"
+KEY_ID=$(aws kms create-key | jq -r '.KeyMetadata.KeyId')
+# the create key command will produce JSON output including the KeyId
+aws kms create-alias --alias-name alias/${KEY_ALIAS} --target-key-id ${KEY_ID}
+----
+
+Once the key is created, it is recommended to use a key rotation policy.
+
+[source,shell]
+----
+aws kms enable-key-rotation --key-id ${KEY_ID} --rotation-period-in-days 180
+----
+
+

docs/v0.6.0/_files/available-filters/record-encryption/aws-kms/service.adoc

@@ -0,0 +1,27 @@
+:aws:  https://docs.aws.amazon.com/
+
+= AWS Key Management Service
+
+For AWS KMS, the KMS configuration looks like this.
+
+[source, yaml]
+----
+kms: AwsKmsService                                            # <1>
+kmsConfig:
+  endpointUrl: https://kms.<region>.amazonaws.com             # <2>
+  tls:                                                        # <3>
+  accessKey:
+    passwordFile: /opt/aws/accessKey                          # <4>
+  secretKey:
+    passwordFile: /opt/aws/secretKey                          # <5>
+  region: <region>                                            # <6>
+----
+<1> Name of the KMS provider. This must be `AwsKmsService`.
+<2> AWS Endpoint URL.  This must include the `https://` scheme part.
+<3> (Optional) TLS trust configuration.
+<4> File containing the AWS Access Key
+<5> File containing the AWS Secret Key
+<6> AWS region identifier (e.g. `us-east-1`)
+
+For TLS trust and TLS client authentication configuration, the filter accepts the same TLS parameters as link:../../deploying.adoc#_upstream_tls[Upstream TLS]
+except the `PEM` store type is currently https://github.com/kroxylicious/kroxylicious/issues/933[not supported].

docs/v0.6.0/_files/available-filters/record-encryption/aws-kms/setup.adoc

@@ -0,0 +1,108 @@
+:aws:  https://docs.aws.amazon.com/
+
+= AWS Key Management Service
+
+The filter is able to integrate with {aws}/kms/latest/developerguide/overview.html[AWS Key Management Service].
+
+Follow the instructions below to prepare your AWS account.  You'll need a privileged AWS user
+that is capable of creating users and policies to perform the set-up.
+
+[#_establish_an_aliasing_convention_for_keys_within_aws_kms]
+== Establish an aliasing convention for keys within AWS KMS
+
+The filter references KEKs within AWS via an {aws}/kms/latest/developerguide/alias-about.html[AWS key alias].
+
+It is necessary to establish a naming convention for the alias names. This will allow the keys used by the
+filter to be kept separate from any keys used by other systems. This document assumes that the naming convention
+will be to prefix the alias used by the filter with the word `KEK_`. If a different naming convention is used, adapt
+the instructions accordingly.
+
+== Administrator Actor
+
+To use the filter, there must be an administrative identity established within AWS IAM.  This user, which is likely to be a human,
+has the responsibility to manage keys and aliases within AWS KMS for use by the filter.
+
+Use AWS IAM to create a `kroxylicious-admin` user. Attach the policies `AWSKeyManagementServicePowerUser` and `IAMUserChangePassword`
+to the user. You may wish to attach policy `AWSCloudShellFullAccess` so the Administrator can use the AWS CloudShell to
+use CLI to manage the KEKs. Grant the user access to the Console.
+
+If using the CLI, the following commands can be used to establish the Administrator user.  This example illustrates using the
+user-name `kroxylicious-admin`.  The choice of name is not significant.  If a different user-name is used, adapt the
+instructions accordingly.
+
+[source,shell]
+----
+ADMIN=kroxylicious-admin
+INITIAL_PASSWORD=$(tr -dc 'A-Za-z0-9!?%=' < /dev/urandom | head -c 10)
+CONSOLE_URL=https://$(aws sts get-caller-identity --query Account --output text).signin.aws.amazon.com/console
+aws iam create-user --user-name ${ADMIN}
+aws iam attach-user-policy --user-name ${ADMIN} --policy-arn arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
+aws iam attach-user-policy --user-name ${ADMIN} --policy-arn arn:aws:iam::aws:policy/IAMUserChangePassword
+aws iam attach-user-policy --user-name ${ADMIN} --policy-arn arn:aws:iam::aws:policy/AWSCloudShellFullAccess
+aws iam create-login-profile --user-name ${ADMIN} --password ${INITIAL_PASSWORD} --password-reset-required
+echo Now log in at ${CONSOLE_URL}  with user name ${ADMIN} password ${INITIAL_PASSWORD} and change the password.
+----
+
+== Filter Actor
+
+The Record Encryption Filter needs to be able to log in to AWS itself.  For this there needs to be service account
+identity established within AWS IAM.
+
+Use AWS IAM to create the `kroxylicious` user. Create an *Access Key* for this user. The Access Key/Secret Key pair
+will be used by the Filter. Do not enable the Console for this user.
+
+If using the CLI, these commands can be used to establish the Filter Actor.  This example illustrates using the user-name
+`kroxylicious`. The choice of name is not significant.  If a different user-name is used, adapt the
+instructions accordingly.
+
+[source,shell]
+----
+aws iam create-user --user-name kroxylicious
+aws iam create-access-key --user-name kroxylicious
+----
+
+== Create Alias Based Policy
+
+Create an alias based policy granting permissions to use keys aliased by the established alias naming convention.
+
+[source,shell]
+----
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+cat > /tmp/policy << EOF
+{
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Sid": "AliasBasedIAMPolicy",
+			"Effect": "Allow",
+			"Action": [
+				"kms:Encrypt",
+				"kms:Decrypt",
+				"kms:GenerateDataKey*",
+				"kms:DescribeKey"
+			],
+			"Resource": [
+                "arn:aws:kms:*:${AWS_ACCOUNT_ID}:key/*"
+			],
+			"Condition": {
+				"ForAnyValue:StringLike": {
+					"kms:ResourceAliases": "alias/KEK_*"
+				}
+			}
+		}
+	]
+}
+EOF
+aws iam create-policy --policy-name KroxyliciousRecordEncryption --policy-document file:///tmp/policy
+----
+
+== Apply Alias Based Policy to Filter Actor
+
+Attach the alias policy to the Filter Actor user.  This will allow the Filter actor to invoke the
+necessary key operations on all KEKs with aliases of the prescribed form.
+
+[source,shell]
+----
+AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+aws iam attach-user-policy --user-name kroxylicious --policy-arn "arn:aws:iam::${AWS_ACCOUNT_ID}:policy/KroxyliciousRecordEncryption"
+----

docs/v0.6.0/_files/available-filters/record-encryption/hashicorp-vault/creating_keys.adoc

@@ -0,0 +1,14 @@
+
+= HashiCorp Vault
+
+Using the Administrator actor, use either the HashiCorp UI or CLI to create AES-256 symmetric keys following your
+key naming convention. The key type must be `aes256-gcm96`, which is Vault's default key type.
+
+TIP: It is recommended to use a key rotation policy.
+
+If using the Vault CLI, the command will look like:
+
+[source, shell]
+----
+vault write -f transit/keys/KEK_trades type=aes256-gcm96 auto_rotate_period=90d
+----