somewhat working monitoring commit

Author: mccullya

examples/monitoring/README.md

@@ -0,0 +1,22 @@
+# Basic Deployment
+This example deploys a basic deployment.  No RBAC/LDAP.  Just a single topic 'foobar' is added as part of the pipeline.
+### Deploy CRDs
+Deploy the CRDS using the standard way:
+```shell
+kubectl apply -k ../../kustomize/crds
+```
+### Deploy Confluent Operator and Confluent Services
+Deploy the confluent operator and services:
+```shell
+kubectl apply -k .
+```
+
+
+Portforward Grafana
+Login with admin/password
+
+opensofttools/kafka_exporter:latest
+
+kubectl port-forward \
+$(kubectl get pods -n default -l app.kubernetes.io/name=grafana,app.kubernetes.io/instance=grafana -o name) \
+3000 --namespace default

examples/monitoring/confluent/control-centre.yaml

@@ -0,0 +1,42 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: ControlCenter
+metadata:
+  name: controlcenter
+spec:
+  authorization:
+    type: rbac
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-c3
+      tls:
+        enabled: true
+    connect:
+      - name: connect
+        url:  https://connect.sandbox.svc.cluster.local:8083
+        tls:
+          enabled: true
+    ksqldb:
+      - name: ksqldb
+        url:  https://ksqldb.sandbox.svc.cluster.local:8088
+        tls:
+          enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.sandbox.svc.cluster.local:8081
+      tls:
+        enabled: true

examples/monitoring/confluent/kafka-connect.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Connect
+metadata:
+  name: connect
+spec:
+  tls:
+    secretRef: tls-group1
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-connect

examples/monitoring/confluent/kafka.yaml

@@ -0,0 +1,81 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+  name: kafka
+spec:
+  configOverrides:
+    server:
+      - confluent.schema.registry.url=https://schemaregistry.sandbox.svc.cluster.local:8081
+      - listener.name.internal.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.external.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.replication.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+  tls:
+    secretRef: tls-group1
+  metricReporter:
+    enabled: true
+    authentication:
+      type: plain
+      jaasConfigPassThrough:
+        secretRef: broker-credential
+    tls:
+      enabled: true
+  listeners:
+    internal:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
+      tls:
+        enabled: true
+    external:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
+      tls:
+        enabled: true
+  authorization:
+    type: rbac
+    superUsers:
+      - User:kafka
+  services:
+    mds:
+      tls:
+        enabled: true
+      tokenKeyPair:
+        secretRef: broker-credential
+      provider:
+        type: ldap
+        ldap:
+          address: ldap://ldap.sandbox.svc.cluster.local:389
+          authentication:
+            type: simple
+            simple:
+              secretRef: broker-credential
+          tls:
+            enabled: true
+          configurations:
+            groupNameAttribute: cn
+            groupObjectClass: groupOfNames
+            groupMemberAttribute: member
+            groupMemberAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            groupSearchBase: ou=groups,dc=test,dc=com
+            userNameAttribute: cn
+            userMemberOfAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            userObjectClass: organizationalRole
+            userSearchBase: ou=users,dc=test,dc=com
+  dependencies:
+    kafkaRest:
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: broker-credential
+    zookeeper:
+      endpoint: zookeeper.sandbox.svc.cluster.local:2182
+      authentication:
+        type: digest
+        jaasConfig:
+          secretRef: broker-credential
+      tls:
+        enabled: true

examples/monitoring/confluent/ksqldb.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KsqlDB
+metadata:
+  name: ksqldb
+spec:
+  authorization:
+    type: rbac
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.sandbox.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.sandbox.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-ksqldb
+      tls:
+        enabled: true

examples/monitoring/confluent/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sandbox
+resources:
+- ldap.yaml
+- namespace.yaml
+- ../../../kustomize/base/confluent
+- ../../../kustomize/base/secrets-tls
+- ../../../kustomize/base/secrets-user
+patchesStrategicMerge:
+  - zookeeper.yaml
+  - kafka.yaml
+  - rest-class.yaml
+  - control-centre.yaml
+  - kafka-connect.yaml
+  - ksqldb.yaml
+  - schema-registry.yaml

examples/monitoring/confluent/ldap.yaml

@@ -0,0 +1,171 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ldap
+  labels:
+    role: ldap
+    app: ldap
+spec:
+  containers:
+    - name: ldap
+      args:
+      - --copy-service
+      - --loglevel=debug
+      image: osixia/openldap:1.3.0
+      ports:
+        - name: ldap
+          containerPort: 389
+        - name: ldaps
+          containerPort: 636
+      livenessProbe:
+        tcpSocket:
+          port: 389
+        initialDelaySeconds: 15
+        periodSeconds: 20
+      env:
+        - name: LDAP_ORGANISATION
+          value: "Test Inc."
+        - name: LDAP_DOMAIN
+          value: "test.com"
+        - name: LDAP_ADMIN_PASSWORD
+          value: "confluentrox"
+        - name: LDAP_CONFIG_PASSWORD
+          value: "confluentconfigrox"
+        - name: LDAP_READONLY_USER
+          value: "True"
+        - name: LDAP_READONLY_USER_USERNAME
+          value: "mds"
+        - name: LDAP_READONLY_USER_PASSWORD
+          value: "Developer!"
+        - name: LDAP_TLS
+          value: "False"
+      volumeMounts:
+      - mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+        name: customldif
+      - mountPath: /var/lib/ldap
+        name: ldap-data
+      - mountPath: /etc/ldap/slapd.d
+        name: ldap-config
+  volumes:
+    - name: customldif
+      configMap:
+        defaultMode: 420
+        name: ldap-ldifs
+    - name: ldap-data
+      emptyDir: {}
+    - name: ldap-config
+      emptyDir: {}
+  restartPolicy: Always
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ldap-ldifs
+data:
+  0_groups.ldif: |-
+    dn: ou=groups,dc=test,dc=com
+    objectClass: organizationalUnit
+    objectClass: top
+    ou: groups
+  0_users.ldif: |-
+    dn: ou=users,dc=test,dc=com
+    objectClass: organizationalUnit
+    objectClass: top
+    ou: users
+  1_emmy.ldif: |-
+    dn: cn=emmy,ou=users,dc=test,dc=com
+    userPassword: emmy-secret
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    description: Interested in action and conservation. If you like it, you should put a Noetherian Ring on it.
+    cn: emmy
+  1_alice.ldif: |-
+    dn: cn=alice,ou=users,dc=test,dc=com
+    userPassword: alice-secret
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    description: Alice is great at changing perspectives, but sometimes chases down rabbit holes
+    cn: alice
+  1_developers.ldif: |-
+    dn: cn=developers,ou=groups,dc=test,dc=com
+    objectClass: top
+    objectClass: groupOfNames
+    description: A group of software developers and the apps they are responsible for
+    cn: developers
+    member: cn=emmy,ou=users,dc=test,dc=com
+    member: cn=alice,ou=users,dc=test,dc=com
+  1_kafka.ldif: |-
+    dn: cn=kafka,ou=users,dc=test,dc=com
+    userPassword: kafka-secret
+    description: kafka user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: kafka
+  1_erp.ldif: |-
+    dn: cn=erp,ou=users,dc=test,dc=com
+    userPassword: erp-secret
+    description: erp user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: erp
+  1_sr.ldif: |-
+    dn: cn=sr,ou=users,dc=test,dc=com
+    userPassword: sr-secret
+    description: schema registry user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: sr
+  1_c3.ldif: |-
+    dn: cn=c3,ou=users,dc=test,dc=com
+    userPassword: c3-secret
+    description: control center user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: c3
+  1_ksql.ldif: |-
+    dn: cn=ksql,ou=users,dc=test,dc=com
+    userPassword: ksql-secret
+    description: ksql user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: ksql
+  1_connect.ldif: |-
+    dn: cn=connect,ou=users,dc=test,dc=com
+    userPassword: connect-secret
+    description: connect user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: connect
+  1_replicator.ldif: |-
+    dn: cn=replicator,ou=users,dc=test,dc=com
+    userPassword: replicator-secret
+    description: replicator user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: replicator
+  1_c3-test.ldif: |-
+    dn: cn=testadmin,ou=users,dc=test,dc=com
+    userPassword: testadmin
+    description: testadmin user
+    objectClass: simpleSecurityObject
+    objectClass: organizationalRole
+    cn: testadmin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap
+  labels:
+    app: ldap
+spec:
+  ports:
+    - port: 389
+      name: ldap
+    - port: 636
+      name: ldaps
+  clusterIP: None
+  selector:
+    app: ldap
+
+
+