Confluent Platform 7.7 and CFK 2.9.0 introduced Control Center (C3) SSO without any LDAP requirement. This repository sets up a basic CP cluster via CFK on Azure Kubernetes Service (AKS) so that users can log in to Control Center via Azure AD (Entra ID) SSO.
In technical detail it deploys:
- 1 KraftController / 3 ZK nodes
- 3 Kafka brokers (including MDS)
- 1 KafkaRestClass
- 1 Control Center
Warning
There is a bug in CP 7.7: the JTI claim is required in the JWT token, although it should be optional. In Azure, you cannot easily change the claims of the issued token. Therefore, we need to wait for CP 7.7.1.
General resources:
- Quickstart: Deploy an Azure Kubernetes Service (AKS) cluster using Azure portal
- Confluent for Kubernetes Quick Start
- Single sign-on authentication for Confluent Control Center
For the later configuration we need to set the token_endpoint, the jwks_uri, and the issuer.
We can obtain all information via

```sh
curl https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration | jq
```

Generally, those are:

- token_endpoint = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
- jwks_uri = https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
- issuer = https://login.microsoftonline.com/<tenant-id>/v2.0
To retrieve a JWT token, CP uses the client credentials grant flow. So we need to register an application in Azure AD and create a client secret for it. We can get a JWT token via:

```sh
# Use the v2.0 token endpoint so that the token's iss claim matches the v2.0 issuer configured in MDS.
# The client credentials grant on the v2.0 endpoint requires a scope; api://[client_id]/.default
# assumes the app registration exposes an Application ID URI of that form.
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'client_id=[client_id]&client_secret=[client_secret value]&grant_type=client_credentials&scope=api://[client_id]/.default' \
  https://login.microsoftonline.com/[tenant_id]/oauth2/v2.0/token
```
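As an added preflight check (not part of this repository), the following Python snippet decodes the token returned by the client credentials call above and checks the claims MDS relies on: the iss must equal the v2.0 issuer from the discovery document, the jti claim must be present (the CP 7.7 bug noted above), the token must not be expired, and the header kid must be published at jwks_uri. It does not verify the signature, which MDS does itself; the tenant id, key id and JWKS below are constructed sample values.

```python
import base64
import json
import time

# Constructed sample values, not from the page: placeholder tenant id, key id and JWKS shape.
TENANT = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "sample-kid-1"}]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_sample_token(header: dict, claims: dict) -> str:
    # Builds an UNSIGNED sample JWS for offline testing (empty signature segment).
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_jwt_unverified(token: str):
    # Split the compact JWS into (header, claims). The signature is NOT checked here;
    # MDS verifies it against jwks_uri. This only exposes the claims for inspection.
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def preflight_token(token: str, expected_issuer: str, jwks: dict, now=None) -> list:
    # Returns the reasons MDS would reject the token; an empty list means it looks usable.
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} does not match the configured issuer")
    if "jti" not in claims:
        problems.append("jti claim missing (CP 7.7 MDS requires it, see the warning above)")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token has no exp or is already expired")
    if header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
        problems.append(f"header kid {header.get('kid')!r} is not published at jwks_uri")
    return problems
```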
We need to configure CFK with RBAC to enable SSO. This includes configuring MDS using OAuth.
Create OAuth secret

```sh
kubectl create -n confluent secret generic oauth-jass \
  --from-file=oidcClientSecret.txt=oidcClientSecret.txt \
  --from-file=oauth.txt=oidcClientSecret.txt
```

We configure MDS with OAuth and SSO.
Create MDS token (possibly not needed) !!

```sh
kubectl create secret generic mds-token \
  --from-file=mdsPublicKey.pem=./MDS/mds-publickey.txt \
  --from-file=mdsTokenKeyPair.pem=./MDS/mds-tokenkeypair.txt \
  -n confluent
```

Add to Kafka CR

We need to set the authentication to OAuth.

Add KafkaRestClass CR

We need to set the authentication to OAuth and to specify SSO.

Add ControlCenter CR

I am not sure if that is needed.
Create certificates

https://github.com/confluentinc/confluent-kubernetes-examples/tree/master/assets/certs

```sh
openssl genrsa -out ./TLS/rootCAkey.pem 2048
openssl req -x509 -new -nodes \
  -key ./TLS/rootCAkey.pem \
  -days 3650 \
  -out ./TLS/cacerts.pem \
  -subj "/C=US/ST=CA/L=MVT/O=TestOrg/OU=Cloud/CN=TestCA"
cfssl gencert -ca=./TLS/cacerts.pem \
  -ca-key=./TLS/rootCAkey.pem \
  -config=./TLS/ca-config.json \
  -profile=server ./TLS/server-domain.json | cfssljson -bare ./TLS/server
```
Create secret with certificates

```sh
kubectl create secret generic tls-group1 \
  --from-file=fullchain.pem=./TLS/server.pem \
  --from-file=cacerts.pem=./TLS/cacerts.pem \
  --from-file=privkey.pem=./TLS/server-key.pem \
  -n confluent
```

REST credentials
```sh
kubectl create secret generic rest-credential \
  --from-file=bearer.txt=./MDS/bearer.txt \
  -n confluent
kubectl create secret generic mds-client \
  --from-file=bearer.txt=./MDS/bearer.txt \
  -n confluent
```
Add the C3 redirect callback URL to the client app registration in Azure AD.

C3 redirect URL format:

```
https://<c3-host-name>:<c3-port-number>/api/metadata/security/1.0/oidc/authorization-code/callback
```