working tenant namespaced topics with bare opa

Author: sionsmith

examples/multi-tenacy/confluent/control-centre.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ControlCenter
+metadata:
+  name: controlcenter
+spec:
+  tls:
+    autoGeneratedCerts: true
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      tls:
+        enabled: true
+    connect:
+      - name: connect
+        url:  https://connect.sandbox.svc.cluster.local:8083
+        tls:
+          enabled: true
+    ksqldb:
+      - name: ksqldb
+        url:  https://ksqldb.sandbox.svc.cluster.local:8088
+        tls:
+          enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.sandbox.svc.cluster.local:8081
+      tls:
+        enabled: true

examples/multi-tenacy/confluent/kafka.yaml

@@ -0,0 +1,22 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+  name: kafka
+spec:
+  configOverrides:
+    server:
+      - confluent.schema.registry.url=https://schemaregistry.sandbox.svc.cluster.local:8081
+  tls:
+    autoGeneratedCerts: true
+  listeners:
+    internal:
+      tls:
+        enabled: true
+    external:
+      tls:
+        enabled: true
+  dependencies:
+    zookeeper:
+      endpoint: zookeeper.sandbox.svc.cluster.local:2182
+      tls:
+        enabled: true

examples/multi-tenacy/confluent/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sandbox
+resources:
+- namespace.yaml
+- ../../../kustomize/base/confluent
+- ../../../kustomize/base/secrets-tls
+patchesStrategicMerge:
+  - zookeeper.yaml
+  - kafka.yaml
+  - control-centre.yaml
+  - schema-registry.yaml

examples/multi-tenacy/confluent/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sandbox

examples/multi-tenacy/confluent/schema-registry.yaml

@@ -0,0 +1,12 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: SchemaRegistry
+metadata:
+  name: schemaregistry
+spec:
+  tls:
+    autoGeneratedCerts: true
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      tls:
+        enabled: true

examples/multi-tenacy/confluent/zookeeper.yaml

@@ -0,0 +1,7 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: Zookeeper
+metadata:
+  name: zookeeper
+spec:
+  tls:
+    autoGeneratedCerts: true

examples/multi-tenacy/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+  - open-policy-agent
+  - confluent
+  - operator
+  - tenant-a
+  - tenant-b

examples/multi-tenacy/open-policy-agent/deployment.yaml

@@ -0,0 +1,79 @@
+---
+# Source: opa/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: opa
+  labels:
+    app: opa
+    chart: "opa-2.0.0"
+    release: "RELEASE-NAME"
+    heritage: "Helm"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: opa
+  template:
+    metadata:
+      annotations:
+        checksum/certs: 8b0af3ffc1e4a45847580d3650728057e5aba2869d5bf9f51780777916e801f7
+      labels:
+        app: opa
+      name: opa
+    spec:
+      containers:
+        - name: opa
+          ports:
+          - name: https
+            containerPort: 443
+          image: openpolicyagent/opa:0.32.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            {}
+          args:
+            - "run"
+            - "--server"
+            - "--tls-cert-file=/certs/tls.crt"
+            - "--tls-private-key-file=/certs/tls.key"
+            - "--addr=0.0.0.0:443"
+            - "--log-level=info"
+            - "--log-format=json"
+          volumeMounts:
+            - name: certs
+              readOnly: true
+              mountPath: /certs
+          readinessProbe:
+            httpGet:
+              path: /health
+              scheme: HTTPS
+              port: 443
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              scheme: HTTPS
+              port: 443
+            initialDelaySeconds: 10
+            periodSeconds: 15
+        - name: sarproxy
+          image: lachlanevenson/k8s-kubectl:latest
+          imagePullPolicy: IfNotPresent
+          resources:
+            {}
+          command:
+            - kubectl
+            - proxy
+            - --accept-paths=^/apis/authorization.k8s.io/v1/subjectaccessreviews$
+      serviceAccountName: opa
+      volumes:
+        - name: certs
+          secret:
+            secretName: opa-cert
+      affinity:
+        {}
+      nodeSelector:
+        {}
+      tolerations:
+        []

examples/multi-tenacy/open-policy-agent/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: opa
+resources:
+  - namespace.yaml
+  - sar-clusterrole.yaml
+  - sar-clusterrolebinding.yaml
+  - serviceaccount.yaml
+  - service.yaml
+  - webhookconfiguration.yaml
+  - deployment.yaml

examples/multi-tenacy/open-policy-agent/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: opa