Merge pull request #19 from osodevops/multi-tenacy

Multi tenacy

Author: sionsmith

examples/multi-tenacy/README.md

@@ -0,0 +1,32 @@
+# Multi tenancy Kafka (NICE!)
+A multi tenant RBAC enabled production Confluent Platform install. This example showcases how large highly regulated enterprises can leverage CFK to securely deploy Kafka As A Service (KAAS)
+
+### Deploy CRDs
+Deploy the CRDS using the standard way:
+```shell
+kubectl apply -k ../../kustomize/crds
+```
+
+### Deploy Confluent Operator, Confluent Services, two namespaces with tenant topics
+Deploy the confluent operator and services:
+```shell
+kubectl apply -k .
+```
+
+### Using KafkaRestClass in multiple namespaces
+KafkaRestClass is an abstraction that contains information about address and credentials to enable something to talk to a Kafka REST MDS endpoint. We can use this per tenant to authenticate different users in different namespaces.
+- You can create default KafkaRestClass object with a user that has cluster access to create rolebindings / topics for Confluent Platform RBAC.
+- You can configure multiple KafkaRestClass CRs to manage topics and role bindings across different Kafka clusters.
+- Supports basic / bearer authentication methods
+- TLS client configuration. Required when MDS is running in the HTTPS mode. (does not support MTLS)
+- We can specify the endpoint if kafka cluster is in different namespace to Topic. Two options, directly inline in the Topic CRD or via secretRef which will contain credentials also
+
+#### Notes
+Currently working through these example:
+
+- https://medium.com/@hiroyuki.osaki/illustration-open-policy-agent-aaf05bb0de8f
+- https://elastisys.com/enforcing-policy-as-code-using-opa-and-gatekeeper-in-kubernetes/
+- https://github.com/digiwhite1980/flux/tree/master/bases/open-policy-agent
+- https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/
+
+

examples/multi-tenacy/confluent/control-centre.yaml

@@ -0,0 +1,42 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: ControlCenter
+metadata:
+  name: controlcenter
+spec:
+  authorization:
+    type: rbac
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-c3
+      tls:
+        enabled: true
+    connect:
+      - name: connect
+        url:  https://connect.sandbox.svc.cluster.local:8083
+        tls:
+          enabled: true
+    ksqldb:
+      - name: ksqldb
+        url:  https://ksqldb.sandbox.svc.cluster.local:8088
+        tls:
+          enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.sandbox.svc.cluster.local:8081
+      tls:
+        enabled: true

examples/multi-tenacy/confluent/kafka.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+  name: kafka
+spec:
+  configOverrides:
+    server:
+      - confluent.schema.registry.url=https://schemaregistry.sandbox.svc.cluster.local:8081
+      - listener.name.internal.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.external.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.replication.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
+      - confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
+    log4j:
+      - log4j.logger.io.confluent.security.auth.provider.ldap.LdapGroupManager=DEBUG
+  tls:
+    secretRef: tls-group1
+  metricReporter:
+    enabled: true
+    authentication:
+      type: plain
+      jaasConfigPassThrough:
+        secretRef: broker-credential
+    tls:
+      enabled: true
+  listeners:
+    internal:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
+      tls:
+        enabled: true
+    external:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
+      tls:
+        enabled: true
+  authorization:
+    type: rbac
+    superUsers:
+      - User:kafka
+  services:
+    mds:
+      tls:
+        enabled: true
+      tokenKeyPair:
+        secretRef: broker-credential
+      provider:
+        type: ldap
+        ldap:
+          address: ldap://ldap.sandbox.svc.cluster.local:389
+          authentication:
+            type: simple
+            simple:
+              secretRef: broker-credential
+          tls:
+            enabled: true
+          configurations:
+            groupNameAttribute: cn
+            groupObjectClass: groupOfNames
+            groupMemberAttribute: member
+            groupMemberAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            groupSearchBase: ou=groups,dc=test,dc=com
+            userNameAttribute: cn
+            userMemberOfAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            userObjectClass: organizationalRole
+            userSearchBase: ou=users,dc=test,dc=com
+  dependencies:
+    kafkaRest:
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: broker-credential
+    zookeeper:
+      endpoint: zookeeper.sandbox.svc.cluster.local:2182
+      authentication:
+        type: digest
+        jaasConfig:
+          secretRef: broker-credential
+      tls:
+        enabled: true

examples/multi-tenacy/confluent/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sandbox
+resources:
+  - ldap.yaml
+  - ../../../kustomize/base/confluent
+  - ../../../kustomize/base/secrets-tls
+  - ../../../kustomize/base/secrets-user
+patchesStrategicMerge:
+  - zookeeper.yaml
+  - kafka.yaml
+  - rest-class.yaml
+  - control-centre.yaml
+  - schema-registry.yaml

examples/multi-tenacy/confluent/ldap.yaml

@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ldap
+  labels:
+    role: ldap
+    app: ldap
+spec:
+  containers:
+    - name: ldap
+      args:
+      - --copy-service
+      - --loglevel=debug
+      image: osixia/openldap:1.3.0
+      ports:
+        - name: ldap
+          containerPort: 389
+        - name: ldaps
+          containerPort: 636
+      livenessProbe:
+        tcpSocket:
+          port: 389
+        initialDelaySeconds: 15
+        periodSeconds: 20
+      env:
+        - name: LDAP_ORGANISATION
+          value: "Test Inc."
+        - name: LDAP_DOMAIN
+          value: "test.com"
+        - name: LDAP_ADMIN_PASSWORD
+          value: "confluentrox"
+        - name: LDAP_CONFIG_PASSWORD
+          value: "confluentconfigrox"
+        - name: LDAP_READONLY_USER
+          value: "True"
+        - name: LDAP_READONLY_USER_USERNAME
+          value: "mds"
+        - name: LDAP_READONLY_USER_PASSWORD
+          value: "Developer!"
+        - name: LDAP_TLS
+          value: "False"
+      volumeMounts:
+      - mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+        name: customldif
+      - mountPath: /var/lib/ldap
+        name: ldap-data
+      - mountPath: /etc/ldap/slapd.d
+        name: ldap-config
+  volumes:
+    - name: customldif
+      configMap:
+        defaultMode: 420
+        name: ldap-ldifs
+    - name: ldap-data
+      emptyDir: {}
+    - name: ldap-config
+      emptyDir: {}
+  restartPolicy: Always
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ldap-ldifs
+data:
+  0_groups.ldif: |-
+    dn: ou=groups,dc=test,dc=com
+    objectClass: organizationalUnit
+    objectClass: top
+    ou: groups
+  0_users.ldif: |-
+    dn: ou=users,dc=test,dc=com
+    objectClass: organizationalUnit
+    objectClass: top
+    ou: users
+  1_emmy.ldif: |-
+    dn: cn=emmy,ou=users,dc=test,dc=com
+    userPassword: emmy-secret
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    description: Interested in action and conservation. If you like it, you should put a Noetherian Ring on it.
+    cn: emmy
+  1_alice.ldif: |-
+    dn: cn=alice,ou=users,dc=test,dc=com
+    userPassword: alice-secret
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    description: Alice is great at changing perspectives, but sometimes chases down rabbit holes
+    cn: alice
+  1_developers.ldif: |-
+    dn: cn=developers,ou=groups,dc=test,dc=com
+    objectClass: top
+    objectClass: groupOfNames
+    description: A group of software developers and the apps they are responsible for
+    cn: developers
+    member: cn=alice,ou=users,dc=test,dc=com
+  1_kafka.ldif: |-
+    dn: cn=kafka,ou=users,dc=test,dc=com
+    userPassword: kafka-secret
+    description: kafka user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: kafka
+  1_erp.ldif: |-
+    dn: cn=erp,ou=users,dc=test,dc=com
+    userPassword: erp-secret
+    description: erp user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: erp
+  1_sr.ldif: |-
+    dn: cn=sr,ou=users,dc=test,dc=com
+    userPassword: sr-secret
+    description: schema registry user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: sr
+  1_c3.ldif: |-
+    dn: cn=c3,ou=users,dc=test,dc=com
+    userPassword: c3-secret
+    description: control center user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: c3
+  1_ksql.ldif: |-
+    dn: cn=ksql,ou=users,dc=test,dc=com
+    userPassword: ksql-secret
+    description: ksql user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: ksql
+  1_connect.ldif: |-
+    dn: cn=connect,ou=users,dc=test,dc=com
+    userPassword: connect-secret
+    description: connect user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: connect
+  1_replicator.ldif: |-
+    dn: cn=replicator,ou=users,dc=test,dc=com
+    userPassword: replicator-secret
+    description: replicator user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: replicator
+  1_c3-test.ldif: |-
+    dn: cn=testadmin,ou=users,dc=test,dc=com
+    userPassword: testadmin
+    description: testadmin user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: testadmin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap
+  labels:
+    app: ldap
+spec:
+  ports:
+    - port: 389
+      name: ldap
+    - port: 636
+      name: ldaps
+  clusterIP: None
+  selector:
+    app: ldap
+
+
+

examples/multi-tenacy/confluent/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sandbox

examples/multi-tenacy/confluent/rest-class.yaml

@@ -0,0 +1,10 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestClass
+metadata:
+  name: default
+spec:
+  kafkaRest:
+    authentication:
+      type: bearer
+      bearer:
+        secretRef: rest-credential

examples/multi-tenacy/confluent/schema-registry.yaml

@@ -0,0 +1,28 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: SchemaRegistry
+metadata:
+  name: schemaregistry
+spec:
+  authorization:
+    type: rbac
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-sr
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-sr
+      tls:
+        enabled: true