Merge pull request #3 from lsdopen/feature/001-rbac

Merge RBAC Worker
lsdopen · Apr 16, 2024 · 2ba113f · 2ba113f
2 parents b736076 + 5e465fb
commit 2ba113f
Show file tree

Hide file tree

Showing 42 changed files with 1,089 additions and 172 deletions.
diff --git a/README.md b/README.md
@@ -1,3 +1,3 @@
-# LSD MESP Charts
-
-LSD Managed Event Streaming Platform (MESP) Charts for Confluent (CfK) and Strimzi
+# LSD MESP Charts
+
+LSD Managed Event Streaming Platform (MESP) Charts for Confluent (CfK) and Strimzi
diff --git a/assets/credentials/README.md b/assets/credentials/README.md
@@ -0,0 +1,106 @@
+
+## Create the secret files and cert files
+
+### For the mds pem key pair:
+
+- https://docs.confluent.io/platform/current/kafka/configure-mds/index.html
+
+```
+openssl genrsa -out ./credentials/mds-tokenkeypair.pem 2048
+
+openssl rsa -in ./credentials/mds-tokenkeypair.pem -outform PEM -pubout -out ./credentials/mds-publickey.pem
+```
+
+### For the ca-key.pem and ca.pem files:
+
+```
+openssl genrsa -out ./credentials/ca-key.pem 2048
+
+openssl req -new -key ./credentials/ca-key.pem -x509 \
+-days 3650 \
+-out ./credentials/ca.pem \
+-subj "/C=US/ST=CA/L=MountainView/O=Confluent/OU=Operator/CN=LocalCA"
+```
+
+### For others
+
+For all these:
+
+connect.txt
+controlcenter.txt
+kafka.txt
+kafkarestclass.txt
+kafkarestproxy.txt
+ksqldb.txt
+ldap-user.txt
+schemaregistry.txt
+
+Generate a fresh password and replace the password in the file and in the ldap values.yaml
+
+## Create the secrets from the generated password and cert files
+
+```
+kubectl create secret tls ca-pair-sslcerts \
+  --cert=./credentials/ca.pem \   
+  --key=./credentials/ca-key.pem \
+  --dry-run=client -oyaml >./templates/000.ca-pair-sslcerts.yaml
+```
+
+```
+kubectl create secret generic mds-token \
+  --from-file=mdsPublicKey.pem=./credentials/mds-publickey.pem \
+  --from-file=mdsTokenKeyPair.pem=./credentials/mds-tokenkeypair.pem \
+  --dry-run=client -oyaml >./templates/000.mds-token.yaml
+```
+
+```
+kubectl create secret generic mds-login \
+  --from-file=ldap.txt=./credentials/ldap-user.txt \
+  --dry-run=client -oyaml >./templates/000.mds-login.yaml
+```
+
+```
+kubectl create secret generic connect-login \
+  --from-file=bearer.txt=./credentials/connect.txt \
+  --from-file=basic.txt=./credentials/connect.txt \
+  --dry-run=client -oyaml >./templates/000.connect-login.yaml
+```
+
+```
+kubectl create secret generic controlcenter-login \
+  --from-file=bearer.txt=./credentials/controlcenter.txt \
+  --dry-run=client -oyaml >./templates/000.controlcenter-login.yaml
+```
+
+```
+kubectl create secret generic kafka-login \
+  --from-file=bearer.txt=./credentials/kafka.txt \
+  --dry-run=client -oyaml >./templates/000.kafka-login.yaml
+```
+
+```
+kubectl create secret generic kafkarestclass-login \
+  --from-file=basic.txt=./credentials/kafkarestclass.txt \
+  --from-file=bearer.txt=./credentials/kafkarestclass.txt \
+  --dry-run=client -oyaml >./templates/000.kafkarestclass-login.yaml
+```
+
+```
+kubectl create secret generic kafkarestproxy-login \
+  --from-file=bearer.txt=./credentials/kafkarestproxy.txt \
+  --dry-run=client -oyaml >./templates/000.kafkarestproxy-login.yaml
+```
+
+```
+kubectl create secret generic ksqldb-login \
+  --from-file=bearer.txt=./credentials/ksqldb.txt \
+  --from-file=basic.txt=./credentials/ksqldb.txt \
+  --dry-run=client -oyaml >./templates/000.ksqldb-login.yaml
+```
+
+```
+kubectl create secret generic schemaregistry-login \
+  --from-file=bearer.txt=./credentials/schemaregistry.txt \
+  --from-file=basic.txt=./credentials/schemaregistry.txt \
+  --dry-run=client -oyaml >./templates/000.schemaregistry-login.yaml
+```
diff --git a/assets/credentials/ca-key.pem b/assets/credentials/ca-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1n/zPx4fsQ2yUu3Uxu/XNGPmX/CCmO78gL3kqKoK+yGjjoue
+nK0yZk7yY5SpQQCLKNK0xAmaF72gI2kOjoVAJP+KSZI+IjVPhWZkYsSulV6H+Rdr
+rtGFLaHJBpnssh3VVuBjdSQxFuvZKV6gmsHpBSTgBwTkxc939m+A0N39DY5ybPWa
+xhEFKR3DUzeMD58QCdCsvfbz3m47Ow4pK4iBDsEcS4NqXZQa82lQlGTUj+SM3fqR
+cxkI77C+fhkbwU1r6xfwcSLiBUKtToFM5R8mkvqj73TLOK2LqJoexHtHll3SfUsg
+nksq5sXdipNRjv2RYVm9UhJM0VeXgpMQ+GaqlwIDAQABAoIBAExgsxS+fTpmTiEJ
+XsKXlGGrUNTIpzgdoPuWol0Mb2yMxdh0Dr5rTY7wfY7H2Jy0vNiEbql/YcciVmtF
+dVF6USTbeTpJQKadpPszQnuI3UGCr5gaptVQ9cMR4KrhFE84IEcXD1Me1/v5bxI0
+B6wTcA3M25ikPXHSNj0h5xR4dyrj7wkGPtRYpgSB/aUmaY6pkaNKNfsHU+h0Mlgh
+6cGKMXy1ZawQq99iyM8BeQlv+oCVp8ITimoDlp7ZMtAllfZZaJUNHeksZPIDYPHN
+vAYeahn9EuZOhSNAn2t5pG3HAvjl/puia1G3lWfFx8/sCvcDxYedCKc0g2hmSYnA
+/f0xwgECgYEA842qKqoH7KJp3tbmKqby0xQz5WzTxxqIKJgtJ2B2rKU1ldY4vqCf
+HM/Lmz7D3TU1Zi4wJ8ImfPUyf4nD+PvvQ1j/Mq7G5f1GyaYfWvize7tkSovC1cw4
+r117rLbEC7vyAsGX8rIlIh7UqJWE5L5EDYWOKb9EIt3VO66arnqFNHcCgYEA4XYv
+tPlJqYoJnJ5TJmCm+BnnRimWJ2oHp5uMS+nrGAAn49H8Y2wORBC46fWbTmhJFLLT
+faPOHmzvnYvkYhdufmsRbK+6hi9ioBzEycY3tc7R+Sp1ioLFv0mHDuO6Yo6Vrdbl
+ChIHlzmO6yzUjwI8Z7zgBZ3k9AMGPioJU1QyYuECgYEA6FSKMFq0ZnpkDevn8mYB
+m3NZMhEHUJYxrq/D2x089+I9ZKrOxKHKRpy+eGB+TOU2BDwpObQOLQNl4Z3UsQ37
+Jr6d6oYpPDnIrhFnNcuqw2x19lquSG6g4ECH+rD6AMuPyCtOvHhNzeelKxA+jkol
+9tQhUhefcrc0ctNTwP8lVG8CgYEA1+6obExg92ZEJGMiQdxJrc6pSPJlY+RR5n28
+Vax4Q6lKixA/CD2iQCA/6ZsYHnUUoSVQFsG+lDdDGoGzvxqv8ZW7v3tiSkexzqUe
++BzGmHK3eUrn/juXBsh1+JW0mdXzluX8wLNZ38T5k1WBUmIS1kv3xoldkTIgVYNP
+ISa/hyECgYEAhYwdqItVJb8OlA4pOCHrbvz3L5Sbl0mheFizlcDgNny48NWnE5+V
++SvxoYTf6P9a7Ib/HYLcJKvxfK4zBZFD+s2h6adeRBHcomLUvawyISPk3VyxXR0x
+RnIUPg5l3RQFf2U/kaoCv1OmX3ow8bbRHpJxzGRfNub4/p9cgYtFs3s=
+-----END RSA PRIVATE KEY-----
diff --git a/assets/credentials/ca.pem b/assets/credentials/ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIURKf14IbdFgMjlkU+UhTqUWR3asgwDQYJKoZIhvcNAQEL
+BQAwaTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxNb3VudGFp
+blZpZXcxEjAQBgNVBAoMCUNvbmZsdWVudDERMA8GA1UECwwIT3BlcmF0b3IxDzAN
+BgNVBAMMBlRlc3RDQTAeFw0yMzEwMDYxMjAxNDZaFw0yNjA3MDIxMjAxNDZaMGkx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMTW91bnRhaW5WaWV3
+MRIwEAYDVQQKDAlDb25mbHVlbnQxETAPBgNVBAsMCE9wZXJhdG9yMQ8wDQYDVQQD
+DAZUZXN0Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWf/M/Hh+x
+DbJS7dTG79c0Y+Zf8IKY7vyAveSoqgr7IaOOi56crTJmTvJjlKlBAIso0rTECZoX
+vaAjaQ6OhUAk/4pJkj4iNU+FZmRixK6VXof5F2uu0YUtockGmeyyHdVW4GN1JDEW
+69kpXqCawekFJOAHBOTFz3f2b4DQ3f0NjnJs9ZrGEQUpHcNTN4wPnxAJ0Ky99vPe
+bjs7DikriIEOwRxLg2pdlBrzaVCUZNSP5Izd+pFzGQjvsL5+GRvBTWvrF/BxIuIF
+Qq1OgUzlHyaS+qPvdMs4rYuomh7Ee0eWXdJ9SyCeSyrmxd2Kk1GO/ZFhWb1SEkzR
+V5eCkxD4ZqqXAgMBAAGjUzBRMB0GA1UdDgQWBBR2VhZUSw0OvlDpSCMJru8g8OO9
+4zAfBgNVHSMEGDAWgBR2VhZUSw0OvlDpSCMJru8g8OO94zAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB4aENWTNuAUfBPB8wiMwNVV/74vkk82BRA
+DZ61s6Eh9oK0HbnLWfU1qcWNiQLi2KItNLPs8+FFo44fegaxV2viCxtIxerzkuN0
+YaIHO+tPML+YstrO0yk2n4/7bSi6I52uPFbp//ktJUS1PG/nwYdymMz3MEzNgQ5F
+aBJpd5s1nZtIDZvy0FzbqilxWyB7sW8aNM56BL4LcZPB8Ld7J3rD7gGBVBe4HVuq
+nV1VlTgB81MsWs2+M91yVV2oxz4RcC2yerIDe49+2YxIoWbgP4lHCRPa6mmyln7I
+UJs6Mrhigo2HmjLpIXeXa+OOM96zpxgXUILjet8PJ7q79I1WkqNw
+-----END CERTIFICATE-----
diff --git a/assets/credentials/connect.txt b/assets/credentials/connect.txt
@@ -0,0 +1,2 @@
+username=cf_connect
+password=y3ACj694swkZ
diff --git a/assets/credentials/controlcenter.txt b/assets/credentials/controlcenter.txt
@@ -0,0 +1,2 @@
+username=cf_controlcenter
+password=PqKfw3HMDn4C
diff --git a/assets/credentials/kafka.txt b/assets/credentials/kafka.txt
@@ -0,0 +1,2 @@
+username=cf_kafka
+password=uiGQ8i6gHvGt
diff --git a/assets/credentials/kafkarestclass.txt b/assets/credentials/kafkarestclass.txt
@@ -0,0 +1,2 @@
+username=cf_kafka
+password=uiGQ8i6gHvGt
diff --git a/assets/credentials/kafkarestproxy.txt b/assets/credentials/kafkarestproxy.txt
@@ -0,0 +1,2 @@
+username=cf_restproxy
+password=MZGknPvdL6ye
diff --git a/assets/credentials/ksqldb.txt b/assets/credentials/ksqldb.txt
@@ -0,0 +1,2 @@
+username=cf_ksqldb
+password=pF5Gw5fdYtPi
diff --git a/assets/credentials/ldap-user.txt b/assets/credentials/ldap-user.txt
@@ -0,0 +1,2 @@
+username=cn=mds,dc=test,dc=com
+password=Developer!
diff --git a/assets/credentials/mds-publickey.pem b/assets/credentials/mds-publickey.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMyjnP4qfdTKhCS5sPbV
+qiXVyQ15wreVAsEqEsnMFt2JtML13ELOQ2szWn57Wzu782byEtYFlF3ToVW3cl4d
+OJRzaSEQ6xe10R/i7TneItEQfpJr/2L4bubuQRGNe/KrLME0ivr9u4IEbbRS+ltu
+6A9ggzGcaDSxV/eyKMNPadHQ/AN4BZijAeKZcDTjz6bHjJ6EQ3YNgqyn846reQk9
+ToHZl8bGHOhz5C7yoIfsxZgYHlnx6JGsiUZ5P36WGc38ZIB/m45o8cv4ifUVPUB0
+IQQ9AhYI5ZuMrxDsRPDX2GG6E5bW2vqDWyqXOY7cSoI7AikFdwATW4Rv7euEJUyz
+NwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/assets/credentials/mds-tokenkeypair.pem b/assets/credentials/mds-tokenkeypair.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwMyjnP4qfdTKhCS5sPbVqiXVyQ15wreVAsEqEsnMFt2JtML1
+3ELOQ2szWn57Wzu782byEtYFlF3ToVW3cl4dOJRzaSEQ6xe10R/i7TneItEQfpJr
+/2L4bubuQRGNe/KrLME0ivr9u4IEbbRS+ltu6A9ggzGcaDSxV/eyKMNPadHQ/AN4
+BZijAeKZcDTjz6bHjJ6EQ3YNgqyn846reQk9ToHZl8bGHOhz5C7yoIfsxZgYHlnx
+6JGsiUZ5P36WGc38ZIB/m45o8cv4ifUVPUB0IQQ9AhYI5ZuMrxDsRPDX2GG6E5bW
+2vqDWyqXOY7cSoI7AikFdwATW4Rv7euEJUyzNwIDAQABAoIBAQCKzIhZhI14q1Hk
+kj/wy7ME3FotdPscmGe5ZPDyN78rEvCJZvXzTVELLkj5NCeAhd+ImqtZriS0LFwo
+QPphZqnoys7Pd5OjfB1T4X3QRSHLtPEH/kerw0eRJ8WMqKNQAWMERE+cYpd6f17K
+z9ARFvQgMrnLmVK9nnmyF8t2Fy27wqUVBmYXX/m+ne/+2S4PO8ZsPd3wY2Y9R8LV
+ufbHC+H2ExA8nE4ztefg9zPyn1wMi/GMUg1WiCT3B2u3CZsWaZJzVItT6t7qnAZJ
+XzkgNpIHn9mWuwh8kxgMd6sxDRAOD5iPd6a9i0oLSaS3/0LDezULC0VhTPy3G2oR
+A0AJeOnRAoGBAPV1uz1pPJAtemr8wLiKhQOe8jAsxtnSzV8Fqd11qJYgnihwai+Y
+k44hOJ/02/6wyq49FhMGmkyFWv5dUDERGV7McXP6bEfY5c1P+PdRUAm5H5nef37z
+NR9f7oifV3j+49uy2VfUQCr/h+T+ywzAoc0iZyYGaI1wjKXQr3+1o55vAoGBAMkU
+Bq2IaIDwomBgQCKQjCy/ANjQ32yMAGHf/mE32RTFpu5SZELe9yrGQr3xHFtQ9aQL
+Vv5P09wZfb4IOdp/3wwHMqFjNjNdG8sw7RyNS+wfQGu8v1GfYssuBuXi9v0XGXFH
+WenNQEUPbibRbocJ92OJTJK4P/s5vv132HDR/pu5AoGBAJ+Y8Sm45zwHlfVCajyT
+NHFqQ6a3NoQi4I3MLOplujwC8VLx5NkVp7teNmcq2m/7m403AsdUH7dpbgS9v4pn
+x8svuwTh6s28ZY7dVM/Z+uSXjciKNvPgRsYjpgEHOeTeNmF/JHpK834Br+ZhFL0x
+8wJiQBclS43LhGe8DKBJBh3ZAoGAN5bHudXKPktIOKijUmrvtbcgPtCP0+xodqZ8
+JthPtURnP9+bRDlrz3F8JhKwKjaZkj5oUGo1QdXyQ0T26YcMXMDoqGFLLKwC8QuX
+oZsWcDK7lo1ZvvD3WQBie89hRNrL99sn6lEKAY2ggC7KBZ8lu2jLuIwjdAqk2GH3
+fkkvwFECgYAyXj5z6COPIDJ1E1VLrJiw1YBXaa7ZLk5Epw3QvCM7hTKSFbuSNwsp
+EuLmM7g8wMPZAbzs/RQOaf9IhE/x53dO2Imk5PARaoEsSFjND4dpVHaKem2cBomt
+x5q0SqUVq6xv42213glBQMDJ4qQXTrsEBdpNynv7oVeXXwcaOTUaBw==
+-----END RSA PRIVATE KEY-----
diff --git a/assets/credentials/schemaregistry.txt b/assets/credentials/schemaregistry.txt
@@ -0,0 +1,2 @@
+username=cf_schemaregistry
+password=KqUP8PyDd8ge
diff --git a/assets/openldap/Chart.yaml b/assets/openldap/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+name: openldap
+home: https://www.openldap.org
+version: 1.0.0
+appVersion: 1.0.0
+keywords:
+  - ldap
+  - openldap
+maintainers:
+  - name: Confluent Cloud
+    email: [email protected]
diff --git a/assets/openldap/templates/NOTES.txt b/assets/openldap/templates/NOTES.txt
@@ -0,0 +1,6 @@
+OpenLdap Helm charts based on the osixia/openldap
+
+{{- if .Values.tls.enabled }}
+TLS Address: ldaps://{{ .Values.name }}.{{ .Release.Namespace }}.svc.cluster.local:636
+{{- end }}
+Address: ldap://{{ .Values.name}}.{{ .Release.Namespace }}.svc.cluster.local:389
diff --git a/assets/openldap/templates/configmaps.yaml b/assets/openldap/templates/configmaps.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.ldifs }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.name }}-ldifs
+data:
+{{- range $key, $val := .Values.ldifs }}
+  {{ $key }}: |-
+{{ $val | indent 4 }}
+{{- end }}
+{{- end }}
diff --git a/assets/openldap/templates/service.yaml b/assets/openldap/templates/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap
+  labels:
+    app: ldap
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - port: 389
+    name: ldap
+  - port: 636
+    name: ldaps
+  clusterIP: None
+  selector:
+    app: ldap
+
diff --git a/assets/openldap/templates/statefulset.yaml b/assets/openldap/templates/statefulset.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: ldap
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: ldap
+  serviceName: "ldap"
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: ldap
+    spec:
+      containers:
+      - name: ldap
+        args:
+        - --copy-service
+        - --loglevel=debug
+        imagePullPolicy: IfNotPresent
+        image: {{ .Values.image }}
+        ports:
+        - containerPort: 389
+          name: ldap
+        - containerPort: 636
+          name: ldaps
+        env:
+        {{- if .Values.tls.enabled }}
+        - name: LDAP_TLS_VERIFY_CLIENT
+          value: try
+        - name: LDAP_TLS_CRT_FILENAME
+          value: tls.crt
+        - name: LDAP_TLS_KEY_FILENAME
+          value: tls.key
+        - name: LDAP_TLS_CA_CRT_FILENAME
+          value: ca.crt
+        - name: LDAP_TLS
+          value: "true"
+        {{- end }}
+        {{- range $key, $val := .Values.env }}
+        {{ printf "- name: %s" $key }}
+        {{ printf "  value: \"%s\"" $val }}
+        {{- end }}
+        volumeMounts:
+        {{- if .Values.tls.enabled }}
+        - mountPath: /container/service/slapd/assets/certs
+          name: sslcerts-volume
+        {{- end }}
+        - mountPath: /var/lib/ldap
+          name: ldap-data
+        - mountPath: /etc/ldap/slapd.d
+          name: ldap-config
+       {{- if .Values.ldifs }}
+        - mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+          name: customldif
+       {{- end }}
+      volumes:
+      {{- if .Values.tls.enabled }}
+      - name: sslcerts-volume
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.name }}-sslcerts
+      {{- end }}
+      {{- if .Values.ldifs }}
+      - name: customldif
+        configMap:
+          defaultMode: 420
+          name: {{ .Values.name }}-ldifs
+      {{- end }}
+  volumeClaimTemplates:
+  - metadata:
+      name: ldap-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 500Mi
+  - metadata:
+      name: ldap-config
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 500Mi