Multi tenancy example

Author: sionsmith

examples/multi-tenacy/README.md

@@ -1,5 +1,5 @@
 # Multi tenancy Kafka (NICE!)
-Todo.
+A multi tenant RBAC enabled production Confluent Platform install. This example showcases how large highly regulated enterprises can leverage CFK to securely deploy Kafka As A Service (KAAS)
 
 ### Deploy CRDs
 Deploy the CRDS using the standard way:
@@ -13,9 +13,16 @@ Deploy the confluent operator and services:
 kubectl apply -k .
 ```
 
+### Using KafkaRestClass in multiple namespaces
+KafkaRestClass is an abstraction that contains information about address and credentials to enable something to talk to a Kafka REST MDS endpoint. We can use this per tenant to authenticate different users in different namespaces.
+- You can create default KafkaRestClass object with a user that has cluster access to create rolebindings / topics for Confluent Platform RBAC.
+- You can configure multiple KafkaRestClass CRs to manage topics and role bindings across different Kafka clusters.
+- Supports basic / bearer authentication methods
+- TLS client configuration. Required when MDS is running in the HTTPS mode. (does not support MTLS)
+- We can specify the endpoint if kafka cluster is in different namespace to Topic. Two options, directly inline in the Topic CRD or via secretRef which will contain credentials also
 
 #### Notes
-currently working through thsese example: 
+Currently working through these example: 
 
 - https://medium.com/@hiroyuki.osaki/illustration-open-policy-agent-aaf05bb0de8f
 - https://elastisys.com/enforcing-policy-as-code-using-opa-and-gatekeeper-in-kubernetes/

examples/multi-tenacy/confluent/control-centre.yaml

@@ -1,14 +1,29 @@
----
 apiVersion: platform.confluent.io/v1beta1
 kind: ControlCenter
 metadata:
   name: controlcenter
 spec:
+  authorization:
+    type: rbac
   tls:
-    autoGeneratedCerts: true
+    secretRef: tls-group1
   dependencies:
     kafka:
       bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-c3
       tls:
         enabled: true
     connect:
@@ -24,4 +39,4 @@ spec:
     schemaRegistry:
       url: https://schemaregistry.sandbox.svc.cluster.local:8081
       tls:
-        enabled: true
+        enabled: true

examples/multi-tenacy/confluent/kafka.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: platform.confluent.io/v1beta1
 kind: Kafka
 metadata:
@@ -6,17 +7,79 @@ spec:
   configOverrides:
     server:
       - confluent.schema.registry.url=https://schemaregistry.sandbox.svc.cluster.local:8081
+      - listener.name.internal.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.external.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.replication.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
+      - confluent.authorizer.access.rule.providers=ZK_ACL,CONFLUENT
+    log4j:
+      - log4j.logger.io.confluent.security.auth.provider.ldap.LdapGroupManager=DEBUG
   tls:
-    autoGeneratedCerts: true
+    secretRef: tls-group1
+  metricReporter:
+    enabled: true
+    authentication:
+      type: plain
+      jaasConfigPassThrough:
+        secretRef: broker-credential
+    tls:
+      enabled: true
   listeners:
     internal:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
       tls:
         enabled: true
     external:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
       tls:
         enabled: true
+  authorization:
+    type: rbac
+    superUsers:
+      - User:kafka
+  services:
+    mds:
+      tls:
+        enabled: true
+      tokenKeyPair:
+        secretRef: broker-credential
+      provider:
+        type: ldap
+        ldap:
+          address: ldap://ldap.sandbox.svc.cluster.local:389
+          authentication:
+            type: simple
+            simple:
+              secretRef: broker-credential
+          tls:
+            enabled: true
+          configurations:
+            groupNameAttribute: cn
+            groupObjectClass: groupOfNames
+            groupMemberAttribute: member
+            groupMemberAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            groupSearchBase: ou=groups,dc=test,dc=com
+            userNameAttribute: cn
+            userMemberOfAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            userObjectClass: organizationalRole
+            userSearchBase: ou=users,dc=test,dc=com
   dependencies:
+    kafkaRest:
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: broker-credential
     zookeeper:
       endpoint: zookeeper.sandbox.svc.cluster.local:2182
+      authentication:
+        type: digest
+        jaasConfig:
+          secretRef: broker-credential
       tls:
         enabled: true

examples/multi-tenacy/confluent/kustomization.yaml

@@ -2,11 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: sandbox
 resources:
-- namespace.yaml
-- ../../../kustomize/base/confluent
-- ../../../kustomize/base/secrets-tls
+  - ldap.yaml
+  - ../../../kustomize/base/confluent
+  - ../../../kustomize/base/secrets-tls
+  - ../../../kustomize/base/secrets-user
 patchesStrategicMerge:
   - zookeeper.yaml
   - kafka.yaml
+  - rest-class.yaml
   - control-centre.yaml
   - schema-registry.yaml

examples/multi-tenacy/confluent/ldap.yaml

@@ -0,0 +1,170 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ldap
+  labels:
+    role: ldap
+    app: ldap
+spec:
+  containers:
+    - name: ldap
+      args:
+      - --copy-service
+      - --loglevel=debug
+      image: osixia/openldap:1.3.0
+      ports:
+        - name: ldap
+          containerPort: 389
+        - name: ldaps
+          containerPort: 636
+      livenessProbe:
+        tcpSocket:
+          port: 389
+        initialDelaySeconds: 15
+        periodSeconds: 20
+      env:
+        - name: LDAP_ORGANISATION
+          value: "Test Inc."
+        - name: LDAP_DOMAIN
+          value: "test.com"
+        - name: LDAP_ADMIN_PASSWORD
+          value: "confluentrox"
+        - name: LDAP_CONFIG_PASSWORD
+          value: "confluentconfigrox"
+        - name: LDAP_READONLY_USER
+          value: "True"
+        - name: LDAP_READONLY_USER_USERNAME
+          value: "mds"
+        - name: LDAP_READONLY_USER_PASSWORD
+          value: "Developer!"
+        - name: LDAP_TLS
+          value: "False"
+      volumeMounts:
+      - mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+        name: customldif
+      - mountPath: /var/lib/ldap
+        name: ldap-data
+      - mountPath: /etc/ldap/slapd.d
+        name: ldap-config
+  volumes:
+    - name: customldif
+      configMap:
+        defaultMode: 420
+        name: ldap-ldifs
+    - name: ldap-data
+      emptyDir: {}
+    - name: ldap-config
+      emptyDir: {}
+  restartPolicy: Always
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ldap-ldifs
+data:
+  0_groups.ldif: |-
+    dn: ou=groups,dc=test,dc=com
+    objectClass: organizationalUnit
+    objectClass: top
+    ou: groups
+  0_users.ldif: |-
+    dn: ou=users,dc=test,dc=com
+    objectClass: organizationalUnit
+    objectClass: top
+    ou: users
+  1_emmy.ldif: |-
+    dn: cn=emmy,ou=users,dc=test,dc=com
+    userPassword: emmy-secret
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    description: Interested in action and conservation. If you like it, you should put a Noetherian Ring on it.
+    cn: emmy
+  1_alice.ldif: |-
+    dn: cn=alice,ou=users,dc=test,dc=com
+    userPassword: alice-secret
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    description: Alice is great at changing perspectives, but sometimes chases down rabbit holes
+    cn: alice
+  1_developers.ldif: |-
+    dn: cn=developers,ou=groups,dc=test,dc=com
+    objectClass: top
+    objectClass: groupOfNames
+    description: A group of software developers and the apps they are responsible for
+    cn: developers
+    member: cn=alice,ou=users,dc=test,dc=com
+  1_kafka.ldif: |-
+    dn: cn=kafka,ou=users,dc=test,dc=com
+    userPassword: kafka-secret
+    description: kafka user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: kafka
+  1_erp.ldif: |-
+    dn: cn=erp,ou=users,dc=test,dc=com
+    userPassword: erp-secret
+    description: erp user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: erp
+  1_sr.ldif: |-
+    dn: cn=sr,ou=users,dc=test,dc=com
+    userPassword: sr-secret
+    description: schema registry user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: sr
+  1_c3.ldif: |-
+    dn: cn=c3,ou=users,dc=test,dc=com
+    userPassword: c3-secret
+    description: control center user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: c3
+  1_ksql.ldif: |-
+    dn: cn=ksql,ou=users,dc=test,dc=com
+    userPassword: ksql-secret
+    description: ksql user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: ksql
+  1_connect.ldif: |-
+    dn: cn=connect,ou=users,dc=test,dc=com
+    userPassword: connect-secret
+    description: connect user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: connect
+  1_replicator.ldif: |-
+    dn: cn=replicator,ou=users,dc=test,dc=com
+    userPassword: replicator-secret
+    description: replicator user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: replicator
+  1_c3-test.ldif: |-
+    dn: cn=testadmin,ou=users,dc=test,dc=com
+    userPassword: testadmin
+    description: testadmin user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: testadmin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap
+  labels:
+    app: ldap
+spec:
+  ports:
+    - port: 389
+      name: ldap
+    - port: 636
+      name: ldaps
+  clusterIP: None
+  selector:
+    app: ldap
+
+
+

examples/multi-tenacy/confluent/rest-class.yaml

@@ -0,0 +1,10 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestClass
+metadata:
+  name: default
+spec:
+  kafkaRest:
+    authentication:
+      type: bearer
+      bearer:
+        secretRef: rest-credential

examples/multi-tenacy/confluent/schema-registry.yaml

@@ -3,10 +3,26 @@ kind: SchemaRegistry
 metadata:
   name: schemaregistry
 spec:
+  authorization:
+    type: rbac
   tls:
-    autoGeneratedCerts: true
+    secretRef: tls-group1
   dependencies:
     kafka:
       bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-sr
       tls:
         enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-sr
+      tls:
+        enabled: true

examples/multi-tenacy/confluent/zookeeper.yaml

@@ -3,5 +3,9 @@ kind: Zookeeper
 metadata:
   name: zookeeper
 spec:
+  authentication:
+    type: digest
+    jaasConfig:
+      secretRef: zk-credential
   tls:
-    autoGeneratedCerts: true
+    secretRef: tls-group1

examples/multi-tenacy/kustomization.yaml

@@ -1,3 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
   - open-policy-agent
   - confluent