diff --git a/README.md b/README.md
index 6d48fa6..f67fc93 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,3 @@
-# LSD MESP Charts
-
-LSD Managed Event Streaming Platform (MESP) Charts for Confluent (CfK) and Strimzi
+# LSD MESP Charts
+
+LSD Managed Event Streaming Platform (MESP) Charts for Confluent (CfK) and Strimzi
diff --git a/assets/credentials/README.md b/assets/credentials/README.md
new file mode 100644
index 0000000..b52264d
--- /dev/null
+++ b/assets/credentials/README.md
@@ -0,0 +1,106 @@
+
+## Create the secret files and cert files
+
+### For the mds pem key pair:
+
+- https://docs.confluent.io/platform/current/kafka/configure-mds/index.html
+
+```
+openssl genrsa -out ./credentials/mds-tokenkeypair.pem 2048
+
+openssl rsa -in ./credentials/mds-tokenkeypair.pem -outform PEM -pubout -out ./credentials/mds-publickey.pem
+```
+
+### For the ca-key.pem and ca.pem files:
+
+```
+openssl genrsa -out ./credentials/ca-key.pem 2048
+
+openssl req -new -key ./credentials/ca-key.pem -x509 \
+-days 3650 \
+-out ./credentials/ca.pem \
+-subj "/C=US/ST=CA/L=MountainView/O=Confluent/OU=Operator/CN=LocalCA"
+```
+
+### For others
+
+For all these:
+
+connect.txt
+controlcenter.txt
+kafka.txt
+kafkarestclass.txt
+kafkarestproxy.txt
+ksqldb.txt
+ldap-user.txt
+schemaregistry.txt
+
+Generate a fresh password and replace the password in the file and in the ldap values.yaml
+
+## Create the secrets from the generated password and cert files
+
+```
+kubectl create secret tls ca-pair-sslcerts \
+ --cert=./credentials/ca.pem \
+ --key=./credentials/ca-key.pem \
+ --dry-run=client -oyaml >./templates/000.ca-pair-sslcerts.yaml
+```
+
+```
+kubectl create secret generic mds-token \
+ --from-file=mdsPublicKey.pem=./credentials/mds-publickey.pem \
+ --from-file=mdsTokenKeyPair.pem=./credentials/mds-tokenkeypair.pem \
+ --dry-run=client -oyaml >./templates/000.mds-token.yaml
+```
+
+```
+kubectl create secret generic mds-login \
+ --from-file=ldap.txt=./credentials/ldap-user.txt \
+ --dry-run=client -oyaml >./templates/000.mds-login.yaml
+```
+
+```
+kubectl create secret generic connect-login \
+ --from-file=bearer.txt=./credentials/connect.txt \
+ --from-file=basic.txt=./credentials/connect.txt \
+ --dry-run=client -oyaml >./templates/000.connect-login.yaml
+```
+
+```
+kubectl create secret generic controlcenter-login \
+ --from-file=bearer.txt=./credentials/controlcenter.txt \
+ --dry-run=client -oyaml >./templates/000.controlcenter-login.yaml
+```
+
+```
+kubectl create secret generic kafka-login \
+ --from-file=bearer.txt=./credentials/kafka.txt \
+ --dry-run=client -oyaml >./templates/000.kafka-login.yaml
+```
+
+```
+kubectl create secret generic kafkarestclass-login \
+ --from-file=basic.txt=./credentials/kafkarestclass.txt \
+ --from-file=bearer.txt=./credentials/kafkarestclass.txt \
+ --dry-run=client -oyaml >./templates/000.kafkarestclass-login.yaml
+```
+
+```
+kubectl create secret generic kafkarestproxy-login \
+ --from-file=bearer.txt=./credentials/kafkarestproxy.txt \
+ --dry-run=client -oyaml >./templates/000.kafkarestproxy-login.yaml
+```
+
+```
+kubectl create secret generic ksqldb-login \
+ --from-file=bearer.txt=./credentials/ksqldb.txt \
+ --from-file=basic.txt=./credentials/ksqldb.txt \
+ --dry-run=client -oyaml >./templates/000.ksqldb-login.yaml
+```
+
+```
+kubectl create secret generic schemaregistry-login \
+ --from-file=bearer.txt=./credentials/schemaregistry.txt \
+ --from-file=basic.txt=./credentials/schemaregistry.txt \
+ --dry-run=client -oyaml >./templates/000.schemaregistry-login.yaml
+```
diff --git a/assets/credentials/ca-key.pem b/assets/credentials/ca-key.pem
new file mode 100644
index 0000000..32c1a42
--- /dev/null
+++ b/assets/credentials/ca-key.pem
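Review bot: The `--dry-run=client -oyaml >./templates/000.*.yaml` redirections in the `## Create the secrets` section write the generated Secret manifests into the chart's templates directory, so every password and key ends up committed and shipped with the chart (this commit already contains the resulting `charts/confluent/templates/000.*` files). Prefer creating the secrets against the target namespace at install time (`kubectl create secret ... -n <namespace>` without the redirect) or feeding the files in through values, and add `assets/credentials/*.pem`, `assets/credentials/*.txt` and `charts/confluent/templates/000.*` to `.gitignore`. The `connect-login` example also feeds the same `connect.txt` to both `bearer.txt` and `basic.txt`; a one-line comment saying that is deliberate for the dev setup would save a reader from assuming a copy-paste error. The committed `ca.pem` does not appear to have been produced by the `openssl req` line shown here (its subject decodes to CN=TestCA with a validity shorter than 3650 days), so the README and the shipped certificate should be brought in line.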
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA1n/zPx4fsQ2yUu3Uxu/XNGPmX/CCmO78gL3kqKoK+yGjjoue +nK0yZk7yY5SpQQCLKNK0xAmaF72gI2kOjoVAJP+KSZI+IjVPhWZkYsSulV6H+Rdr +rtGFLaHJBpnssh3VVuBjdSQxFuvZKV6gmsHpBSTgBwTkxc939m+A0N39DY5ybPWa +xhEFKR3DUzeMD58QCdCsvfbz3m47Ow4pK4iBDsEcS4NqXZQa82lQlGTUj+SM3fqR +cxkI77C+fhkbwU1r6xfwcSLiBUKtToFM5R8mkvqj73TLOK2LqJoexHtHll3SfUsg +nksq5sXdipNRjv2RYVm9UhJM0VeXgpMQ+GaqlwIDAQABAoIBAExgsxS+fTpmTiEJ +XsKXlGGrUNTIpzgdoPuWol0Mb2yMxdh0Dr5rTY7wfY7H2Jy0vNiEbql/YcciVmtF +dVF6USTbeTpJQKadpPszQnuI3UGCr5gaptVQ9cMR4KrhFE84IEcXD1Me1/v5bxI0 +B6wTcA3M25ikPXHSNj0h5xR4dyrj7wkGPtRYpgSB/aUmaY6pkaNKNfsHU+h0Mlgh +6cGKMXy1ZawQq99iyM8BeQlv+oCVp8ITimoDlp7ZMtAllfZZaJUNHeksZPIDYPHN +vAYeahn9EuZOhSNAn2t5pG3HAvjl/puia1G3lWfFx8/sCvcDxYedCKc0g2hmSYnA +/f0xwgECgYEA842qKqoH7KJp3tbmKqby0xQz5WzTxxqIKJgtJ2B2rKU1ldY4vqCf +HM/Lmz7D3TU1Zi4wJ8ImfPUyf4nD+PvvQ1j/Mq7G5f1GyaYfWvize7tkSovC1cw4 +r117rLbEC7vyAsGX8rIlIh7UqJWE5L5EDYWOKb9EIt3VO66arnqFNHcCgYEA4XYv +tPlJqYoJnJ5TJmCm+BnnRimWJ2oHp5uMS+nrGAAn49H8Y2wORBC46fWbTmhJFLLT +faPOHmzvnYvkYhdufmsRbK+6hi9ioBzEycY3tc7R+Sp1ioLFv0mHDuO6Yo6Vrdbl +ChIHlzmO6yzUjwI8Z7zgBZ3k9AMGPioJU1QyYuECgYEA6FSKMFq0ZnpkDevn8mYB +m3NZMhEHUJYxrq/D2x089+I9ZKrOxKHKRpy+eGB+TOU2BDwpObQOLQNl4Z3UsQ37 +Jr6d6oYpPDnIrhFnNcuqw2x19lquSG6g4ECH+rD6AMuPyCtOvHhNzeelKxA+jkol +9tQhUhefcrc0ctNTwP8lVG8CgYEA1+6obExg92ZEJGMiQdxJrc6pSPJlY+RR5n28 +Vax4Q6lKixA/CD2iQCA/6ZsYHnUUoSVQFsG+lDdDGoGzvxqv8ZW7v3tiSkexzqUe ++BzGmHK3eUrn/juXBsh1+JW0mdXzluX8wLNZ38T5k1WBUmIS1kv3xoldkTIgVYNP +ISa/hyECgYEAhYwdqItVJb8OlA4pOCHrbvz3L5Sbl0mheFizlcDgNny48NWnE5+V ++SvxoYTf6P9a7Ib/HYLcJKvxfK4zBZFD+s2h6adeRBHcomLUvawyISPk3VyxXR0x +RnIUPg5l3RQFf2U/kaoCv1OmX3ow8bbRHpJxzGRfNub4/p9cgYtFs3s= +-----END RSA PRIVATE KEY----- diff --git a/assets/credentials/ca.pem b/assets/credentials/ca.pem new file mode 100644 index 0000000..2a9096d --- /dev/null +++ b/assets/credentials/ca.pem 
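Review bot: This hunk commits the CA private key to the repository, and the same commit adds the MDS token signing key (`assets/credentials/mds-tokenkeypair.pem`), the plaintext `assets/credentials/*.txt` credential files and base64 copies of all of them under `charts/confluent/templates/000.*`. Anyone with read access to the repository can then issue certificates trusted by every cluster installed from this chart and sign MDS tokens, so this material has to be treated as compromised: regenerate it per environment, remove the files from history, and keep only the generation steps in `assets/credentials/README.md` (plus a `.gitignore` entry for `assets/credentials/`) in git. If a checked-in example is wanted, commit a clearly labelled placeholder rather than a working key.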
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCApugAwIBAgIURKf14IbdFgMjlkU+UhTqUWR3asgwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxNb3VudGFp +blZpZXcxEjAQBgNVBAoMCUNvbmZsdWVudDERMA8GA1UECwwIT3BlcmF0b3IxDzAN +BgNVBAMMBlRlc3RDQTAeFw0yMzEwMDYxMjAxNDZaFw0yNjA3MDIxMjAxNDZaMGkx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMTW91bnRhaW5WaWV3 +MRIwEAYDVQQKDAlDb25mbHVlbnQxETAPBgNVBAsMCE9wZXJhdG9yMQ8wDQYDVQQD +DAZUZXN0Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWf/M/Hh+x +DbJS7dTG79c0Y+Zf8IKY7vyAveSoqgr7IaOOi56crTJmTvJjlKlBAIso0rTECZoX +vaAjaQ6OhUAk/4pJkj4iNU+FZmRixK6VXof5F2uu0YUtockGmeyyHdVW4GN1JDEW +69kpXqCawekFJOAHBOTFz3f2b4DQ3f0NjnJs9ZrGEQUpHcNTN4wPnxAJ0Ky99vPe +bjs7DikriIEOwRxLg2pdlBrzaVCUZNSP5Izd+pFzGQjvsL5+GRvBTWvrF/BxIuIF +Qq1OgUzlHyaS+qPvdMs4rYuomh7Ee0eWXdJ9SyCeSyrmxd2Kk1GO/ZFhWb1SEkzR +V5eCkxD4ZqqXAgMBAAGjUzBRMB0GA1UdDgQWBBR2VhZUSw0OvlDpSCMJru8g8OO9 +4zAfBgNVHSMEGDAWgBR2VhZUSw0OvlDpSCMJru8g8OO94zAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB4aENWTNuAUfBPB8wiMwNVV/74vkk82BRA +DZ61s6Eh9oK0HbnLWfU1qcWNiQLi2KItNLPs8+FFo44fegaxV2viCxtIxerzkuN0 +YaIHO+tPML+YstrO0yk2n4/7bSi6I52uPFbp//ktJUS1PG/nwYdymMz3MEzNgQ5F +aBJpd5s1nZtIDZvy0FzbqilxWyB7sW8aNM56BL4LcZPB8Ld7J3rD7gGBVBe4HVuq +nV1VlTgB81MsWs2+M91yVV2oxz4RcC2yerIDe49+2YxIoWbgP4lHCRPa6mmyln7I +UJs6Mrhigo2HmjLpIXeXa+OOM96zpxgXUILjet8PJ7q79I1WkqNw +-----END CERTIFICATE----- diff --git a/assets/credentials/connect.txt b/assets/credentials/connect.txt new file mode 100644 index 0000000..5d063ee --- /dev/null +++ b/assets/credentials/connect.txt @@ -0,0 +1,2 @@ +username=cf_connect +password=y3ACj694swkZ \ No newline at end of file diff --git a/assets/credentials/controlcenter.txt b/assets/credentials/controlcenter.txt new file mode 100644 index 0000000..7096c6e --- /dev/null +++ b/assets/credentials/controlcenter.txt @@ -0,0 +1,2 @@ +username=cf_controlcenter +password=PqKfw3HMDn4C \ No newline at end of file 
diff --git a/assets/credentials/kafka.txt b/assets/credentials/kafka.txt
new file mode 100644
index 0000000..1795cd3
--- /dev/null
+++ b/assets/credentials/kafka.txt
@@ -0,0 +1,2 @@
+username=cf_kafka
+password=uiGQ8i6gHvGt
\ No newline at end of file
diff --git a/assets/credentials/kafkarestclass.txt b/assets/credentials/kafkarestclass.txt
new file mode 100644
index 0000000..1795cd3
--- /dev/null
+++ b/assets/credentials/kafkarestclass.txt
@@ -0,0 +1,2 @@
+username=cf_kafka
+password=uiGQ8i6gHvGt
\ No newline at end of file
diff --git a/assets/credentials/kafkarestproxy.txt b/assets/credentials/kafkarestproxy.txt
new file mode 100644
index 0000000..293eb4d
--- /dev/null
+++ b/assets/credentials/kafkarestproxy.txt
@@ -0,0 +1,2 @@
+username=cf_restproxy
+password=MZGknPvdL6ye
\ No newline at end of file
diff --git a/assets/credentials/ksqldb.txt b/assets/credentials/ksqldb.txt
new file mode 100644
index 0000000..ace131d
--- /dev/null
+++ b/assets/credentials/ksqldb.txt
@@ -0,0 +1,2 @@
+username=cf_ksqldb
+password=pF5Gw5fdYtPi
\ No newline at end of file
diff --git a/assets/credentials/ldap-user.txt b/assets/credentials/ldap-user.txt
new file mode 100644
index 0000000..9004163
--- /dev/null
+++ b/assets/credentials/ldap-user.txt
@@ -0,0 +1,2 @@
+username=cn=mds,dc=test,dc=com
+password=Developer!
\ No newline at end of file
diff --git a/assets/credentials/mds-publickey.pem b/assets/credentials/mds-publickey.pem
new file mode 100644
index 0000000..fadcb74
--- /dev/null
+++ b/assets/credentials/mds-publickey.pem
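Review bot: `kafkarestclass.txt` is byte-identical to `kafka.txt` (both are blob `1795cd3`, user `cf_kafka`), so the REST class authenticates with the broker's own identity, which the `011.kafka.yaml` hunk in this commit also lists under `superUsers`. If a separate principal is intended, give it its own user and password (the `assets/credentials/README.md` text says to generate a fresh password per file); otherwise a comment in that README explaining the shared credential would help. `ldap-user.txt` likewise carries the same `Developer!` value that `assets/openldap/values.yaml` sets as `LDAP_READONLY_USER_PASSWORD`, which is acceptable for a dev default only if it is labelled as one.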
@@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMyjnP4qfdTKhCS5sPbV +qiXVyQ15wreVAsEqEsnMFt2JtML13ELOQ2szWn57Wzu782byEtYFlF3ToVW3cl4d +OJRzaSEQ6xe10R/i7TneItEQfpJr/2L4bubuQRGNe/KrLME0ivr9u4IEbbRS+ltu +6A9ggzGcaDSxV/eyKMNPadHQ/AN4BZijAeKZcDTjz6bHjJ6EQ3YNgqyn846reQk9 +ToHZl8bGHOhz5C7yoIfsxZgYHlnx6JGsiUZ5P36WGc38ZIB/m45o8cv4ifUVPUB0 +IQQ9AhYI5ZuMrxDsRPDX2GG6E5bW2vqDWyqXOY7cSoI7AikFdwATW4Rv7euEJUyz +NwIDAQAB +-----END PUBLIC KEY----- \ No newline at end of file diff --git a/assets/credentials/mds-tokenkeypair.pem b/assets/credentials/mds-tokenkeypair.pem new file mode 100644 index 0000000..5e4c415 --- /dev/null +++ b/assets/credentials/mds-tokenkeypair.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwMyjnP4qfdTKhCS5sPbVqiXVyQ15wreVAsEqEsnMFt2JtML1 +3ELOQ2szWn57Wzu782byEtYFlF3ToVW3cl4dOJRzaSEQ6xe10R/i7TneItEQfpJr +/2L4bubuQRGNe/KrLME0ivr9u4IEbbRS+ltu6A9ggzGcaDSxV/eyKMNPadHQ/AN4 +BZijAeKZcDTjz6bHjJ6EQ3YNgqyn846reQk9ToHZl8bGHOhz5C7yoIfsxZgYHlnx +6JGsiUZ5P36WGc38ZIB/m45o8cv4ifUVPUB0IQQ9AhYI5ZuMrxDsRPDX2GG6E5bW +2vqDWyqXOY7cSoI7AikFdwATW4Rv7euEJUyzNwIDAQABAoIBAQCKzIhZhI14q1Hk +kj/wy7ME3FotdPscmGe5ZPDyN78rEvCJZvXzTVELLkj5NCeAhd+ImqtZriS0LFwo +QPphZqnoys7Pd5OjfB1T4X3QRSHLtPEH/kerw0eRJ8WMqKNQAWMERE+cYpd6f17K +z9ARFvQgMrnLmVK9nnmyF8t2Fy27wqUVBmYXX/m+ne/+2S4PO8ZsPd3wY2Y9R8LV +ufbHC+H2ExA8nE4ztefg9zPyn1wMi/GMUg1WiCT3B2u3CZsWaZJzVItT6t7qnAZJ +XzkgNpIHn9mWuwh8kxgMd6sxDRAOD5iPd6a9i0oLSaS3/0LDezULC0VhTPy3G2oR +A0AJeOnRAoGBAPV1uz1pPJAtemr8wLiKhQOe8jAsxtnSzV8Fqd11qJYgnihwai+Y +k44hOJ/02/6wyq49FhMGmkyFWv5dUDERGV7McXP6bEfY5c1P+PdRUAm5H5nef37z +NR9f7oifV3j+49uy2VfUQCr/h+T+ywzAoc0iZyYGaI1wjKXQr3+1o55vAoGBAMkU +Bq2IaIDwomBgQCKQjCy/ANjQ32yMAGHf/mE32RTFpu5SZELe9yrGQr3xHFtQ9aQL +Vv5P09wZfb4IOdp/3wwHMqFjNjNdG8sw7RyNS+wfQGu8v1GfYssuBuXi9v0XGXFH +WenNQEUPbibRbocJ92OJTJK4P/s5vv132HDR/pu5AoGBAJ+Y8Sm45zwHlfVCajyT +NHFqQ6a3NoQi4I3MLOplujwC8VLx5NkVp7teNmcq2m/7m403AsdUH7dpbgS9v4pn +x8svuwTh6s28ZY7dVM/Z+uSXjciKNvPgRsYjpgEHOeTeNmF/JHpK834Br+ZhFL0x +8wJiQBclS43LhGe8DKBJBh3ZAoGAN5bHudXKPktIOKijUmrvtbcgPtCP0+xodqZ8 +JthPtURnP9+bRDlrz3F8JhKwKjaZkj5oUGo1QdXyQ0T26YcMXMDoqGFLLKwC8QuX +oZsWcDK7lo1ZvvD3WQBie89hRNrL99sn6lEKAY2ggC7KBZ8lu2jLuIwjdAqk2GH3 +fkkvwFECgYAyXj5z6COPIDJ1E1VLrJiw1YBXaa7ZLk5Epw3QvCM7hTKSFbuSNwsp +EuLmM7g8wMPZAbzs/RQOaf9IhE/x53dO2Imk5PARaoEsSFjND4dpVHaKem2cBomt +x5q0SqUVq6xv42213glBQMDJ4qQXTrsEBdpNynv7oVeXXwcaOTUaBw== +-----END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/assets/credentials/schemaregistry.txt b/assets/credentials/schemaregistry.txt new file mode 100644 index 0000000..415cbb6 --- /dev/null +++ b/assets/credentials/schemaregistry.txt 
@@ -0,0 +1,2 @@
+username=cf_schemaregistry
+password=KqUP8PyDd8ge
\ No newline at end of file
diff --git a/assets/openldap/Chart.yaml b/assets/openldap/Chart.yaml
new file mode 100644
index 0000000..cc774d0
--- /dev/null
+++ b/assets/openldap/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+name: openldap
+home: https://www.openldap.org
+version: 1.0.0
+appVersion: 1.0.0
+keywords:
+ - ldap
+ - openldap
+maintainers:
+ - name: Confluent Cloud
+ email: operator@confluent.io
\ No newline at end of file
diff --git a/assets/openldap/templates/NOTES.txt b/assets/openldap/templates/NOTES.txt
new file mode 100644
index 0000000..ec8bcda
--- /dev/null
+++ b/assets/openldap/templates/NOTES.txt
@@ -0,0 +1,6 @@
+OpenLdap Helm charts based on the osixia/openldap
+
+{{- if .Values.tls.enabled }}
+TLS Address: ldaps://{{ .Values.name }}.{{ .Release.Namespace }}.svc.cluster.local:636
+{{- end }}
+Address: ldap://{{ .Values.name}}.{{ .Release.Namespace }}.svc.cluster.local:389
\ No newline at end of file
diff --git a/assets/openldap/templates/configmaps.yaml b/assets/openldap/templates/configmaps.yaml
new file mode 100644
index 0000000..4a9b887
--- /dev/null
+++ b/assets/openldap/templates/configmaps.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.ldifs }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Values.name }}-ldifs
+data:
+{{- range $key, $val := .Values.ldifs }}
+ {{ $key }}: |-
+{{ $val | indent 4 }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/assets/openldap/templates/service.yaml b/assets/openldap/templates/service.yaml
new file mode 100644
index 0000000..5efba70
--- /dev/null
+++ b/assets/openldap/templates/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ldap
+ labels:
+ app: ldap
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 389
+ name: ldap
+ - port: 636
+ name: ldaps
+ clusterIP: None
+ selector:
+ app: ldap
+
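Review bot: The Service name is hard-coded as `ldap` while `NOTES.txt` and `configmaps.yaml` in this same commit derive names from `.Values.name`, so overriding `name` in values produces a NOTES address that points at a Service that does not exist. Use `name: {{ .Values.name }}` here (and for the `app` label/selector and the `serviceName` in `statefulset.yaml`), or drop the `name` value and document that the release is fixed to `ldap`. Port 636 is also exposed unconditionally; wrapping it in `{{- if .Values.tls.enabled }}` keeps the Service consistent with what the pod actually serves.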
diff --git a/assets/openldap/templates/statefulset.yaml b/assets/openldap/templates/statefulset.yaml
new file mode 100644
index 0000000..c092caa
--- /dev/null
+++ b/assets/openldap/templates/statefulset.yaml
@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: ldap
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: ldap
+ serviceName: "ldap"
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: ldap
+ spec:
+ containers:
+ - name: ldap
+ args:
+ - --copy-service
+ - --loglevel=debug
+ imagePullPolicy: IfNotPresent
+ image: {{ .Values.image }}
+ ports:
+ - containerPort: 389
+ name: ldap
+ - containerPort: 636
+ name: ldaps
+ env:
+ {{- if .Values.tls.enabled }}
+ - name: LDAP_TLS_VERIFY_CLIENT
+ value: try
+ - name: LDAP_TLS_CRT_FILENAME
+ value: tls.crt
+ - name: LDAP_TLS_KEY_FILENAME
+ value: tls.key
+ - name: LDAP_TLS_CA_CRT_FILENAME
+ value: ca.crt
+ - name: LDAP_TLS
+ value: "true"
+ {{- end }}
+ {{- range $key, $val := .Values.env }}
+ {{ printf "- name: %s" $key }}
+ {{ printf " value: \"%s\"" $val }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.tls.enabled }}
+ - mountPath: /container/service/slapd/assets/certs
+ name: sslcerts-volume
+ {{- end }}
+ - mountPath: /var/lib/ldap
+ name: ldap-data
+ - mountPath: /etc/ldap/slapd.d
+ name: ldap-config
+ {{- if .Values.ldifs }}
+ - mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
+ name: customldif
+ {{- end }}
+ volumes:
+ {{- if .Values.tls.enabled }}
+ - name: sslcerts-volume
+ secret:
+ defaultMode: 420
+ secretName: {{ .Values.name }}-sslcerts
+ {{- end }}
+ {{- if .Values.ldifs }}
+ - name: customldif
+ configMap:
+ defaultMode: 420
+ name: {{ .Values.name }}-ldifs
+ {{- end }}
+ volumeClaimTemplates:
+ - metadata:
+ name: ldap-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 500Mi
+ - metadata:
+ name: ldap-config
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 500Mi
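Review bot: The `range $key, $val := .Values.env` loop renders `LDAP_ADMIN_PASSWORD`, `LDAP_CONFIG_PASSWORD` and `LDAP_READONLY_USER_PASSWORD` as literal `value:` strings in the pod spec, so the directory passwords are readable by anyone who can get the StatefulSet and are stored in the Helm release history. Put the password keys in a Secret rendered by the chart and reference them with `valueFrom.secretKeyRef`, keeping the plain `value:` loop for the non-sensitive entries. `--loglevel=debug` is baked into `args`; making it a value that defaults to a quieter level avoids verbose slapd logging in non-dev installs. The pod also carries no `securityContext`, unlike the `podSecurityContext` the `010.kraftcontroller.yaml` hunk in this commit adds; at minimum `runAsNonRoot` should be settable from values so the two charts stay consistent.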
diff --git a/assets/openldap/values.yaml b/assets/openldap/values.yaml
new file mode 100644
index 0000000..a29a296
--- /dev/null
+++ b/assets/openldap/values.yaml
@@ -0,0 +1,71 @@
+name: ldap
+image: osixia/openldap:1.5.0
+tls:
+ enabled: false
+ fullchain: |-
+ privkey: |-
+ cacerts: |-
+
+env:
+ LDAP_ORGANISATION: "Test Inc."
+ LDAP_DOMAIN: "test.com"
+ LDAP_ADMIN_PASSWORD: "confluentrox"
+ LDAP_CONFIG_PASSWORD: "confluentconfigrox"
+ LDAP_READONLY_USER: "true"
+ LDAP_READONLY_USER_USERNAME: "mds"
+ LDAP_READONLY_USER_PASSWORD: "Developer!"
+ LDAP_BASE_DN: "dc=test,dc=com"
+ LDAP_TLS: "false"
+
+# Adding integer before ldif name to allow sequence order.
+ldifs:
+ 00_cf_connect.ldif: |-
+ dn: cn=cf_connect,{{ LDAP_BASE_DN }}
+ userPassword: y3ACj694swkZ
+ description: Confluent Connect user
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: cf_connect
+ 01_cf_controlcenter.ldif: |-
+ dn: cn=cf_controlcenter,{{ LDAP_BASE_DN }}
+ userPassword: PqKfw3HMDn4C
+ description: Confluent Control Center user
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: cf_controlcenter
+ 02_cf_kafka.ldif: |-
+ dn: cn=cf_kafka,{{ LDAP_BASE_DN }}
+ userPassword: uiGQ8i6gHvGt
+ description: Confluent Kafka user
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: cf_kafka
+ 03_cf_restproxy.ldif: |-
+ dn: cn=cf_restproxy,{{ LDAP_BASE_DN }}
+ userPassword: MZGknPvdL6ye
+ description: Confluent REST Proxy user
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: cf_restproxy
+ 04_cf_ksqldb.ldif: |-
+ dn: cn=cf_ksqldb,{{ LDAP_BASE_DN }}
+ userPassword: pF5Gw5fdYtPi
+ description: Confluent ksqlDB user
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: cf_ksqldb
+ 05_cf_schemaregistry.ldif: |-
+ dn: cn=cf_schemaregistry,{{ LDAP_BASE_DN }}
+ userPassword: KqUP8PyDd8ge
+ description: Confluent Schema Registry user
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ cn: cf_schemaregistry
+ 06_cf_groupou.ldif: |-
+ dn: ou=users,{{ LDAP_BASE_DN }}
+ objectClass: organizationalUnit
+ ou: Users
+
+ dn: ou=groups,{{ 
LDAP_BASE_DN }} + objectClass: organizationalUnit + ou: Groups diff --git a/charts/confluent/Chart.yaml b/charts/confluent/Chart.yaml index 83da116..f056554 100644 --- a/charts/confluent/Chart.yaml +++ b/charts/confluent/Chart.yaml @@ -26,5 +26,5 @@ maintainers: deprecated: false dependencies: - name: confluent-for-kubernetes - version: "0.824.40" + version: "0.921.2" repository: https://packages.confluent.io/helm diff --git a/charts/confluent/README.md b/charts/confluent/README.md index 83c1a62..6b787b4 100644 --- a/charts/confluent/README.md +++ b/charts/confluent/README.md @@ -2,6 +2,16 @@ LSD Managed Event Streaming Platform (MESP) Charts for Confluent (CfK) +## Helm setup + +Prepare for offline install + +``` +helm dependency update . +``` + +## Deploy LSDMESP with Confluent for Kubernetes + Create the namespaces ``` kubectl create ns lsdmesp-confluent 
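Review bot: `env.LDAP_TLS: "false"` duplicates `tls.enabled`: with `tls.enabled: true` the StatefulSet emits `LDAP_TLS` twice (`"true"` from its tls block and `"false"` from the env loop), and which one the container sees depends on how duplicate env names are resolved, so drop `LDAP_TLS` from `env` and let the template own it. Every password in this file (`LDAP_ADMIN_PASSWORD`, `LDAP_CONFIG_PASSWORD`, `LDAP_READONLY_USER_PASSWORD` and the `userPassword:` lines in the ldifs) is a cleartext default that matches the committed `assets/credentials/*.txt` files; shipping them empty and failing the render with `required` prevents an install from silently coming up with the published values. A comment above `ldifs` noting that `{{ LDAP_BASE_DN }}` is passed through to the image for substitution at bootstrap (presumably; it is not a Helm expression here) would pre-empt confusion with the Go template syntax.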
@@ -12,29 +22,31 @@ Set PROJECT_HOME env var to project directory PROJECT_HOME=$PWD ``` -Create certs -``` -openssl genrsa -out $PROJECT_HOME/certs/ca-key.pem 2048 -``` +### Create secrets with random passwords and certs + +TODO + +### Deploy: +`(Optional)` Deploy OpenLDAP for RBAC (if no external LDAP server is available): ``` -openssl req -new -key $PROJECT_HOME/certs/ca-key.pem -x509 \ - -days 3650 \ - -out $PROJECT_HOME/certs/ca.pem \ - -subj "/C=US/ST=CA/L=MountainView/O=Confluent/OU=Operator/CN=LocalCA" +LDAP_CHART_HOME=$PROJECT_HOME/assets/openldap +helm upgrade --install ldap-dev $LDAP_CHART_HOME --namespace lsdmesp-confluent ``` +Test OpenLDAP: ``` -kubectl create secret tls ca-pair-sslcerts \ - --cert=$PROJECT_HOME/certs/ca.pem \ - --key=$PROJECT_HOME/certs/ca-key.pem -n lsdmesp-confluent +kubectl --namespace lsdmesp-confluent exec -it ldap-0 -- bash +ldapsearch -LLL -x -H ldap://ldap.lsdmesp-confluent.svc.cluster.local:389 -b 'dc=test,dc=com' -D "cn=mds,dc=test,dc=com" -w 'Developer!' ``` -Deploy: +### Deploy LSDMESP: ``` helm install lsdmesp-confluent . -f values.yaml -n lsdmesp-confluent ``` +## Uninstall LSDMESP + Tear down: ``` helm uninstall lsdmesp-confluent -n lsdmesp-confluent @@ -42,7 +54,4 @@ kubectl patch controlcenter controlcenter -p '{"metadata":{"finalizers":[]}}' -- kubectl -n lsdmesp-confluent delete secret ca-pair-sslcerts for crd in $(kubectl get crd --no-headers -ojsonpath='{.items[*].metadata.name}' | grep confluent); do kubectl delete crd $crd; done kubectl delete ns lsdmesp-confluent -``` - -TODO: security context -TODO: ingress for kafka, kafka-0-internal, kafka-1-internal, kafka-2-internal, kafka-3-internal services (port 9092) \ No newline at end of file +``` \ No newline at end of file diff --git a/charts/confluent/templates/000.ca-pair-sslcerts.yaml b/charts/confluent/templates/000.ca-pair-sslcerts.yaml new file mode 100644 index 0000000..e015393 --- /dev/null +++ b/charts/confluent/templates/000.ca-pair-sslcerts.yaml 
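Review bot: The new `### Create secrets with random passwords and certs` section is left as `TODO`, yet the install step below now relies on the static `templates/000.*.yaml` Secret manifests this commit adds; until the section is written, a pointer such as `See assets/credentials/README.md and regenerate templates/000.*.yaml before installing outside a dev environment.` stops readers from deploying the published defaults. The `Test OpenLDAP` snippet binds with `-w 'Developer!'`, which is the committed dev password; saying so explicitly keeps it from being mistaken for a required value. In the uninstall hunk that follows, `kubectl -n lsdmesp-confluent delete secret ca-pair-sslcerts` appears redundant now that the Secret is a chart template removed by `helm uninstall` (the old README created it out of band).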
@@ -0,0 +1,9 @@ +apiVersion: v1 +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURzekNDQXB1Z0F3SUJBZ0lVUktmMTRJYmRGZ01qbGtVK1VoVHFVV1IzYXNnd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FURUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtOQk1SVXdFd1lEVlFRSERBeE5iM1Z1ZEdGcApibFpwWlhjeEVqQVFCZ05WQkFvTUNVTnZibVpzZFdWdWRERVJNQThHQTFVRUN3d0lUM0JsY21GMGIzSXhEekFOCkJnTlZCQU1NQmxSbGMzUkRRVEFlRncweU16RXdNRFl4TWpBeE5EWmFGdzB5TmpBM01ESXhNakF4TkRaYU1Ha3gKQ3pBSkJnTlZCQVlUQWxWVE1Rc3dDUVlEVlFRSURBSkRRVEVWTUJNR0ExVUVCd3dNVFc5MWJuUmhhVzVXYVdWMwpNUkl3RUFZRFZRUUtEQWxEYjI1bWJIVmxiblF4RVRBUEJnTlZCQXNNQ0U5d1pYSmhkRzl5TVE4d0RRWURWUVFECkRBWlVaWE4wUTBFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURXZi9NL0hoK3gKRGJKUzdkVEc3OWMwWStaZjhJS1k3dnlBdmVTb3FncjdJYU9PaTU2Y3JUSm1UdkpqbEtsQkFJc28wclRFQ1pvWAp2YUFqYVE2T2hVQWsvNHBKa2o0aU5VK0ZabVJpeEs2VlhvZjVGMnV1MFlVdG9ja0dtZXl5SGRWVzRHTjFKREVXCjY5a3BYcUNhd2VrRkpPQUhCT1RGejNmMmI0RFEzZjBOam5KczlackdFUVVwSGNOVE40d1BueEFKMEt5OTl2UGUKYmpzN0Rpa3JpSUVPd1J4TGcycGRsQnJ6YVZDVVpOU1A1SXpkK3BGekdRanZzTDUrR1J2QlRXdnJGL0J4SXVJRgpRcTFPZ1V6bEh5YVMrcVB2ZE1zNHJZdW9taDdFZTBlV1hkSjlTeUNlU3lybXhkMktrMUdPL1pGaFdiMVNFa3pSClY1ZUNreEQ0WnFxWEFnTUJBQUdqVXpCUk1CMEdBMVVkRGdRV0JCUjJWaFpVU3cwT3ZsRHBTQ01KcnU4ZzhPTzkKNHpBZkJnTlZIU01FR0RBV2dCUjJWaFpVU3cwT3ZsRHBTQ01KcnU4ZzhPTzk0ekFQQmdOVkhSTUJBZjhFQlRBRApBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCNGFFTldUTnVBVWZCUEI4d2lNd05WVi83NHZrazgyQlJBCkRaNjFzNkVoOW9LMEhibkxXZlUxcWNXTmlRTGkyS0l0TkxQczgrRkZvNDRmZWdheFYydmlDeHRJeGVyemt1TjAKWWFJSE8rdFBNTCtZc3RyTzB5azJuNC83YlNpNkk1MnVQRmJwLy9rdEpVUzFQRy9ud1lkeW1NejNNRXpOZ1E1RgphQkpwZDVzMW5adElEWnZ5MEZ6YnFpbHhXeUI3c1c4YU5NNTZCTDRMY1pQQjhMZDdKM3JEN2dHQlZCZTRIVnVxCm5WMVZsVGdCODFNc1dzMitNOTF5VlYyb3h6NFJjQzJ5ZXJJRGU0OSsyWXhJb1diZ1A0bEhDUlBhNm1teWxuN0kKVUpzNk1yaGlnbzJIbWpMcElYZVhhK09PTTk2enB4Z1hVSUxqZXQ4UEo3cTc5STFXa3FOdwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBMW4velB4NGZzUTJ5VXUzVXh1L1hOR1BtWC9DQ21PNzhnTDNrcUtvSyt5R2pqb3VlCm5LMHlaazd5WTVTcFFRQ0xLTksweEFtYUY3MmdJMmtPam9WQUpQK0tTWkkrSWpWUGhXWmtZc1N1bFY2SCtSZHIKcnRHRkxhSEpCcG5zc2gzVlZ1QmpkU1F4RnV2WktWNmdtc0hwQlNUZ0J3VGt4YzkzOW0rQTBOMzlEWTV5YlBXYQp4aEVGS1IzRFV6ZU1ENThRQ2RDc3ZmYnozbTQ3T3c0cEs0aUJEc0VjUzROcVhaUWE4MmxRbEdUVWorU00zZnFSCmN4a0k3N0MrZmhrYndVMXI2eGZ3Y1NMaUJVS3RUb0ZNNVI4bWt2cWo3M1RMT0syTHFKb2V4SHRIbGwzU2ZVc2cKbmtzcTVzWGRpcE5SanYyUllWbTlVaEpNMFZlWGdwTVErR2FxbHdJREFRQUJBb0lCQUV4Z3N4UytmVHBtVGlFSgpYc0tYbEdHclVOVElwemdkb1B1V29sME1iMnlNeGRoMERyNXJUWTd3Zlk3SDJKeTB2TmlFYnFsL1ljY2lWbXRGCmRWRjZVU1RiZVRwSlFLYWRwUHN6UW51STNVR0NyNWdhcHRWUTljTVI0S3JoRkU4NElFY1hEMU1lMS92NWJ4STAKQjZ3VGNBM00yNWlrUFhIU05qMGg1eFI0ZHlyajd3a0dQdFJZcGdTQi9hVW1hWTZwa2FOS05mc0hVK2gwTWxnaAo2Y0dLTVh5MVphd1FxOTlpeU04QmVRbHYrb0NWcDhJVGltb0RscDdaTXRBbGxmWlphSlVOSGVrc1pQSURZUEhOCnZBWWVhaG45RXVaT2hTTkFuMnQ1cEczSEF2amwvcHVpYTFHM2xXZkZ4OC9zQ3ZjRHhZZWRDS2MwZzJobVNZbkEKL2YweHdnRUNnWUVBODQycUtxb0g3S0pwM3RibUtxYnkweFF6NVd6VHh4cUlLSmd0SjJCMnJLVTFsZFk0dnFDZgpITS9MbXo3RDNUVTFaaTR3SjhJbWZQVXlmNG5EK1B2dlExai9NcTdHNWYxR3lhWWZXdml6ZTd0a1NvdkMxY3c0CnIxMTdyTGJFQzd2eUFzR1g4cklsSWg3VXFKV0U1TDVFRFlXT0tiOUVJdDNWTzY2YXJucUZOSGNDZ1lFQTRYWXYKdFBsSnFZb0puSjVUSm1DbStCbm5SaW1XSjJvSHA1dU1TK25yR0FBbjQ5SDhZMndPUkJDNDZmV2JUbWhKRkxMVApmYVBPSG16dm5ZdmtZaGR1Zm1zUmJLKzZoaTlpb0J6RXljWTN0YzdSK1NwMWlvTEZ2MG1IRHVPNllvNlZyZGJsCkNoSUhsem1PNnl6VWp3SThaN3pnQlozazlBTUdQaW9KVTFReVl1RUNnWUVBNkZTS01GcTBabnBrRGV2bjhtWUIKbTNOWk1oRUhVSll4cnEvRDJ4MDg5K0k5WktyT3hLSEtScHkrZUdCK1RPVTJCRHdwT2JRT0xRTmw0WjNVc1EzNwpKcjZkNm9ZcFBEbklyaEZuTmN1cXcyeDE5bHF1U0c2ZzRFQ0grckQ2QU11UHlDdE92SGhOemVlbEt4QStqa29sCjl0UWhVaGVmY3JjMGN0TlR3UDhsVkc4Q2dZRUExKzZvYkV4ZzkyWkVKR01pUWR4SnJjNnBTUEpsWStSUjVuMjgKVmF4NFE2bEtpeEEvQ0QyaVFDQS82WnNZSG5VVW9TVlFGc0crbERkREdvR3p2eHF2OFpXN3YzdGlTa2V4enFVZQorQnpHbUhLM2VVcm4vanVYQnNoMStKVzBtZFh6bHVYOHdMTlozOFQ1azFXQlVtSVMxa3YzeG9sZGtUSWdWWU5QCklTYS9oeUVDZ1lFQWhZd2RxSXRWSmI4T2xBNHBPQ0hyYnZ6M0w1
U2JsMG1oZUZpemxjRGdObnk0OE5XbkU1K1YKK1N2eG9ZVGY2UDlhN0liL0hZTGNKS3Z4Zks0ekJaRkQrczJoNmFkZVJCSGNvbUxVdmF3eUlTUGszVnl4WFIweApSbklVUGc1bDNSUUZmMlUva2FvQ3YxT21YM293OGJiUkhwSnh6R1JmTnViNC9wOWNnWXRGczNzPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= +kind: Secret +metadata: + creationTimestamp: null + name: ca-pair-sslcerts +type: kubernetes.io/tls diff --git a/charts/confluent/templates/000.connect-login.yaml b/charts/confluent/templates/000.connect-login.yaml new file mode 100644 index 0000000..befb952 --- /dev/null +++ b/charts/confluent/templates/000.connect-login.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + basic.txt: dXNlcm5hbWU9Y2ZfY29ubmVjdApwYXNzd29yZD15M0FDajY5NHN3a1o= + bearer.txt: dXNlcm5hbWU9Y2ZfY29ubmVjdApwYXNzd29yZD15M0FDajY5NHN3a1o= +kind: Secret +metadata: + creationTimestamp: null + name: connect-login diff --git a/charts/confluent/templates/000.controlcenter-login.yaml b/charts/confluent/templates/000.controlcenter-login.yaml new file mode 100644 index 0000000..eb5d5f3 --- /dev/null +++ b/charts/confluent/templates/000.controlcenter-login.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + bearer.txt: dXNlcm5hbWU9Y2ZfY29udHJvbGNlbnRlcgpwYXNzd29yZD1QcUtmdzNITURuNEM= +kind: Secret +metadata: + creationTimestamp: null + name: controlcenter-login diff --git a/charts/confluent/templates/000.kafka-login.yaml b/charts/confluent/templates/000.kafka-login.yaml new file mode 100644 index 0000000..8df6cd5 --- /dev/null +++ b/charts/confluent/templates/000.kafka-login.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +data: + bearer.txt: dXNlcm5hbWU9Y2Zfa2Fma2EKcGFzc3dvcmQ9dWlHUThpNmdIdkd0 +kind: Secret +metadata: + creationTimestamp: null + name: kafka-login diff --git a/charts/confluent/templates/000.kafkarestclass-login.yaml b/charts/confluent/templates/000.kafkarestclass-login.yaml new file mode 100644 index 0000000..5e0abeb --- /dev/null +++ b/charts/confluent/templates/000.kafkarestclass-login.yaml 
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ basic.txt: dXNlcm5hbWU9Y2Zfa2Fma2EKcGFzc3dvcmQ9dWlHUThpNmdIdkd0
+ bearer.txt: dXNlcm5hbWU9Y2Zfa2Fma2EKcGFzc3dvcmQ9dWlHUThpNmdIdkd0
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: kafkarestclass-login
diff --git a/charts/confluent/templates/000.kafkarestproxy-login.yaml b/charts/confluent/templates/000.kafkarestproxy-login.yaml
new file mode 100644
index 0000000..3cdf37f
--- /dev/null
+++ b/charts/confluent/templates/000.kafkarestproxy-login.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ bearer.txt: dXNlcm5hbWU9Y2ZfcmVzdHByb3h5CnBhc3N3b3JkPU1aR2tuUHZkTDZ5ZQ==
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: kafkarestproxy-login
diff --git a/charts/confluent/templates/000.ksqldb-login.yaml b/charts/confluent/templates/000.ksqldb-login.yaml
new file mode 100644
index 0000000..a8b94c6
--- /dev/null
+++ b/charts/confluent/templates/000.ksqldb-login.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ basic.txt: dXNlcm5hbWU9Y2Zfa3NxbGRiCnBhc3N3b3JkPXBGNUd3NWZkWXRQaQ==
+ bearer.txt: dXNlcm5hbWU9Y2Zfa3NxbGRiCnBhc3N3b3JkPXBGNUd3NWZkWXRQaQ==
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: ksqldb-login
diff --git a/charts/confluent/templates/000.mds-login.yaml b/charts/confluent/templates/000.mds-login.yaml
new file mode 100644
index 0000000..1e3a4bc
--- /dev/null
+++ b/charts/confluent/templates/000.mds-login.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ ldap.txt: dXNlcm5hbWU9Y249bWRzLGRjPXRlc3QsZGM9Y29tCnBhc3N3b3JkPURldmVsb3BlciE=
+kind: Secret
+metadata:
+ creationTimestamp: null
+ name: mds-login
diff --git a/charts/confluent/templates/000.mds-token.yaml b/charts/confluent/templates/000.mds-token.yaml
new file mode 100644
index 0000000..ae87e43
--- /dev/null
+++ b/charts/confluent/templates/000.mds-token.yaml
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + mdsPublicKey.pem: 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 + mdsTokenKeyPair.pem: 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 +kind: Secret +metadata: + creationTimestamp: null + name: mds-token diff --git a/charts/confluent/templates/000.schemaregistry-login.yaml b/charts/confluent/templates/000.schemaregistry-login.yaml new file mode 100644 index 0000000..0b3a663 --- /dev/null +++ b/charts/confluent/templates/000.schemaregistry-login.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + basic.txt: dXNlcm5hbWU9Y2Zfc2NoZW1hcmVnaXN0cnkKcGFzc3dvcmQ9S3FVUDhQeURkOGdl + bearer.txt: dXNlcm5hbWU9Y2Zfc2NoZW1hcmVnaXN0cnkKcGFzc3dvcmQ9S3FVUDhQeURkOGdl +kind: Secret +metadata: + creationTimestamp: null + name: schemaregistry-login diff --git a/charts/confluent/templates/010.kraftcontroller.yaml b/charts/confluent/templates/010.kraftcontroller.yaml index 381c934..513c259 100644 --- a/charts/confluent/templates/010.kraftcontroller.yaml +++ b/charts/confluent/templates/010.kraftcontroller.yaml @@ -1,12 +1,18 @@ +{{- $kraftcontroller := .Values.lsdmesp.confluent.kraftcontroller -}} +{{- if $kraftcontroller.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: KRaftController metadata: name: kraftcontroller spec: - dataVolumeCapacity: 1Gi + configOverrides: + jvm: + - -Xms{{ $kraftcontroller.jvm.Xms }} + - -Xmx{{ $kraftcontroller.jvm.Xmx }} + dataVolumeCapacity: {{ $kraftcontroller.dataVolumeCapacity }} image: - application: docker.io/confluentinc/cp-server:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 + application: docker.io/confluentinc/cp-server:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} listeners: controller: tls: 
@@ -16,19 +22,17 @@ spec: - RULE:.*CN[\s]?=[\s]?([a-zA-Z0-9.]*)?.*/$1/ type: mtls oneReplicaPerNode: true - configOverrides: - jvm: - - -Xms384m - - -Xmx384m podTemplate: - podSecurityContext: {} + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 50m - memory: 500Mi + {{- toYaml $kraftcontroller.resources | nindent 6 }} + replicas: {{ $kraftcontroller.replicas }} + storageClass: + name: {{ .Values.lsdmesp.storageClass }} tls: autoGeneratedCerts: true - replicas: 3 \ No newline at end of file +{{- end -}} diff --git a/charts/confluent/templates/011.kafka.yaml b/charts/confluent/templates/011.kafka.yaml index 0704ace..fe66eba 100644 --- a/charts/confluent/templates/011.kafka.yaml +++ b/charts/confluent/templates/011.kafka.yaml 
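Review bot: `replicas` is now taken from `$kraftcontroller.replicas` while `oneReplicaPerNode: true` stays hard-coded, so a replica count above the number of schedulable nodes leaves controllers Pending; either template `oneReplicaPerNode` alongside it or document the constraint next to `kraftcontroller.replicas` in values. The `podSecurityContext` block (`runAsNonRoot: true`, uid/gid 1000) is a good addition, but the OpenLDAP StatefulSet added in this same commit has no equivalent and the two should be kept consistent. `{{- toYaml $kraftcontroller.resources | nindent 6 }}` presumably renders `null` when `resources` is unset in values; if CfK does not tolerate that, a guard or a comment on the values key is needed.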
@@ -1,26 +1,45 @@ +{{- $kafka := .Values.lsdmesp.confluent.kafka -}} +{{- if $kafka.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: Kafka metadata: name: kafka spec: + authorization: + type: rbac + superUsers: + - User:kafka + - User:cf_kafka configOverrides: jvm: - - -Xms1g - - -Xmx1g + - -Xms{{ $kafka.jvm.Xms }} + - -Xmx{{ $kafka.jvm.Xmx }} server: - - auto.create.topics.enable=false + - auto.create.topics.enable=true - delete.topic.enable=true - - default.replication.factor=3 - - num.partitions=6 - - min.insync.replicas=2 - - offsets.topic.replication.factor=3 - - transaction.state.log.replication.factor=3 - - transaction.state.log.min.isr=2 - - log.message.format.version=3.5 - - inter.broker.protocol.version=3.5 + - num.partitions={{ .Values.lsdmesp.defaultNumPartitions }} + - min.insync.replicas={{ .Values.lsdmesp.defaultMinInSyncReplicas }} + - default.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - confluent.license.topic.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - confluent.license.topic.min.isr={{ .Values.lsdmesp.defaultMinInSyncReplicas }} + - offsets.topic.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - offsets.topic.min.isr={{ .Values.lsdmesp.defaultMinInSyncReplicas }} + - transaction.state.log.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - transaction.state.log.min.isr={{ .Values.lsdmesp.defaultMinInSyncReplicas }} + - confluent.cluster.link.metadata.topic.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - confluent.tier.metadata.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - confluent.balancer.topic.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - confluent.metadata.topic.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + - confluent.metrics.reporter.topic.min.isr={{ .Values.lsdmesp.defaultMinInSyncReplicas }} + - 
confluent.security.event.logger.exporter.kafka.topic.replicas={{ .Values.lsdmesp.defaultReplicationFactor }} - log.retention.ms=86400000 - dataVolumeCapacity: 10Gi + dataVolumeCapacity: {{ $kafka.dataVolumeCapacity }} dependencies: + kafkaRest: + authentication: + type: bearer + bearer: + secretRef: kafka-login kRaftController: clusterRef: name: kraftcontroller @@ -32,10 +51,8 @@ spec: - RULE:.*CN[\s]?=[\s]?([a-zA-Z0-9.]*)?.*/$1/ type: mtls image: - application: confluentinc/cp-server:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 - tls: - autoGeneratedCerts: true + application: confluentinc/cp-server:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} listeners: internal: authentication: 
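Review bot: `auto.create.topics.enable` is flipped from `false` to `true` in the `server` overrides, which (subject to the client's RBAC permissions) lets producers and consumers create topics implicitly with the broker defaults, so topic provisioning is no longer an explicit, reviewable step. If the relaxed setting is meant for the `kind` development profile, expose it as a value rather than hard-coding it, e.g. `- auto.create.topics.enable={{ .Values.lsdmesp.autoCreateTopics }}` (constructed name) with `false` documented as the production setting. The new `superUsers` list exempts `User:kafka` and `User:cf_kafka` from RBAC entirely; a comment stating which of the two is the broker's own mTLS identity and which is the bootstrap admin would help reviewers keep that list from growing.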
@@ -44,20 +61,66 @@ spec: type: mtls tls: enabled: true - oneReplicaPerNode: true + replication: + authentication: + principalMappingRules: + - RULE:.*CN[\s]?=[\s]?([a-zA-Z0-9.]*)?.*/$1/ + type: mtls + tls: + enabled: true + external: + # externalAccess: {} // TODO: Needs to be added + authentication: + type: ldap + tls: + enabled: true metricReporter: - enabled: true authentication: type: mtls + enabled: true + replicationFactor: {{ .Values.lsdmesp.defaultReplicationFactor }} tls: - enabled: true + enabled: true + oneReplicaPerNode: true podTemplate: - podSecurityContext: {} + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true resources: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 3Gi - replicas: 3 + {{- toYaml $kafka.resources | nindent 6 }} + replicas: {{ $kafka.replicas }} + services: + mds: + # Configure this with TLS encryption, but not with external access through a load balancer. + # For external access to MDS, an ingress controller can be used. + tls: + enabled: true + tokenKeyPair: + secretRef: mds-token + provider: + type: ldap + ldap: + address: ldap://ldap.{{ .Release.Namespace }}.svc.cluster.local:389 + authentication: + type: simple + simple: + secretRef: mds-login + configurations: + groupNameAttribute: cn + groupObjectClass: group + groupMemberAttribute: member + groupMemberAttributePattern: CN=(.*),DC=test,DC=com + groupSearchBase: dc=test,dc=com + groupSearchScope: 1 + userNameAttribute: cn + userMemberOfAttributePattern: CN=(.*),DC=test,DC=com + userObjectClass: organizationalRole + userSearchBase: dc=test,dc=com + userSearchScope: 1 + storageClass: + name: {{ .Values.lsdmesp.storageClass }} + tls: + autoGeneratedCerts: true +{{- end -}} diff --git a/charts/confluent/templates/012.kafkarestclass.yaml b/charts/confluent/templates/012.kafkarestclass.yaml new file mode 100644 index 0000000..3a16acc --- /dev/null +++ b/charts/confluent/templates/012.kafkarestclass.yaml 
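Review bot: The MDS LDAP provider binds to `ldap://ldap.{{ .Release.Namespace }}.svc.cluster.local:389` with `simple` authentication, so the bind password from `mds-login` — and presumably the user passwords MDS verifies for the `external` listener's `type: ldap` authentication — cross the cluster network unencrypted. The address should use `ldaps://` (or the directory should be fronted with TLS) and, like the bootstrap endpoints elsewhere in this change, come from a value rather than being hard-coded. The `dc=test,dc=com` search bases and `CN=(.*),DC=test,DC=com` patterns are likewise test-environment literals that every deployment of the chart will inherit, so they belong in values.yaml too. The `# externalAccess: {} // TODO: Needs to be added` comment should say what is actually missing (a load balancer or ingress definition for the external listener) so the open item is not lost.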
@@ -0,0 +1,13 @@ +{{- $kafkarestclass := .Values.lsdmesp.confluent.kafkarestclass -}} +{{- if $kafkarestclass.enabled -}} +apiVersion: platform.confluent.io/v1beta1 +kind: KafkaRestClass +metadata: + name: default +spec: + kafkaRest: + authentication: + bearer: + secretRef: kafkarestclass-login + type: bearer +{{- end -}} diff --git a/charts/confluent/templates/020.schemaregistry.yaml b/charts/confluent/templates/020.schemaregistry.yaml index 3a95c24..fa21db8 100644 --- a/charts/confluent/templates/020.schemaregistry.yaml +++ b/charts/confluent/templates/020.schemaregistry.yaml 
@@ -1,30 +1,46 @@ +{{- $schemaregistry := .Values.lsdmesp.confluent.schemaregistry -}} +{{- if $schemaregistry.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: SchemaRegistry metadata: name: schemaregistry spec: + authorization: + type: rbac + configOverrides: + jvm: + - -Xms{{ $schemaregistry.jvm.Xms }} + - -Xmx{{ $schemaregistry.jvm.Xmx }} dependencies: kafka: authentication: type: mtls - bootstrapEndpoint: kafka.lsdmesp-confluent.svc.cluster.local:9071 + bootstrapEndpoint: kafka.{{ .Release.Namespace }}.svc.cluster.local:9071 + tls: + enabled: true + mds: + endpoint: https://kafka.{{ .Release.Namespace }}.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token + authentication: + type: bearer + bearer: + secretRef: schemaregistry-login tls: enabled: true - tls: - autoGeneratedCerts: true image: - application: confluentinc/cp-schema-registry:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 + application: confluentinc/cp-schema-registry:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} + internalTopicReplicatorFactor: {{ .Values.lsdmesp.defaultReplicationFactor }} oneReplicaPerNode: true - authentication: - type: mtls podTemplate: - podSecurityContext: {} + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true resources: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 200m - memory: 512Mi - replicas: 1 + {{- toYaml $schemaregistry.resources | nindent 6 }} + replicas: {{ $schemaregistry.replicas }} + tls: + autoGeneratedCerts: true +{{- end -}} diff --git a/charts/confluent/templates/030.connect.yaml b/charts/confluent/templates/030.connect.yaml index ae150a1..c1985d3 100644 --- a/charts/confluent/templates/030.connect.yaml +++ b/charts/confluent/templates/030.connect.yaml 
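Review bot: The new `podSecurityContext` sets `fsGroup`, `runAsUser` and `runAsNonRoot` but omits the `runAsGroup: 1000` that the kraftcontroller and kafka templates in this same change include; the connect, ksqldb, kafkarestproxy and controlcenter hunks have the same omission. Without `runAsGroup` the primary GID falls back to whatever the image configures, which is often root's group, so the contexts should be made identical across components by adding `runAsGroup: 1000` and, for a baseline seccomp policy, `seccompProfile:` with `type: RuntimeDefault`. Since the same block is now repeated in seven templates, a named template in `_helpers.tpl` rendered with `include` would keep them from drifting again.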
@@ -1,8 +1,12 @@ +{{- $connect := .Values.lsdmesp.confluent.connect -}} +{{- if $connect.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: Connect metadata: name: connect spec: + authorization: + type: rbac build: onDemand: plugins: @@ -33,34 +37,44 @@ spec: version: 1.5.5 locationType: confluentHub type: onDemand + configOverrides: + jvm: + - -Xms{{ $connect.jvm.Xms }} + - -Xmx{{ $connect.jvm.Xmx }} dependencies: kafka: - bootstrapEndpoint: kafka.lsdmesp-confluent.svc.cluster.local:9071 + bootstrapEndpoint: kafka.{{ .Release.Namespace }}.svc.cluster.local:9071 authentication: type: mtls tls: enabled: true - schemaRegistry: + mds: + endpoint: https://kafka.{{ .Release.Namespace }}.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token authentication: - type: mtls + type: bearer + bearer: + secretRef: connect-login tls: enabled: true - url: https://schemaregistry.lsdmesp-confluent.svc.cluster.local:8081 - tls: - autoGeneratedCerts: true + schemaRegistry: + tls: + enabled: true + url: https://schemaregistry.{{ .Release.Namespace }}.svc.cluster.local:8081 image: - application: confluentinc/cp-server-connect:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 + application: confluentinc/cp-server-connect:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} + internalTopicReplicationFactor: {{ .Values.lsdmesp.defaultReplicationFactor }} oneReplicaPerNode: true - authentication: - type: mtls podTemplate: - podSecurityContext: {} + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 500m - memory: 500Mi - replicas: 1 + {{- toYaml $connect.resources | nindent 6 }} + replicas: {{ $connect.replicas }} + tls: + autoGeneratedCerts: true +{{- end -}} diff --git a/charts/confluent/templates/031.ksqldb.yaml b/charts/confluent/templates/031.ksqldb.yaml index eb37d1a..4f67b9c 100644 
--- a/charts/confluent/templates/031.ksqldb.yaml
+++ b/charts/confluent/templates/031.ksqldb.yaml
@@ -1,40 +1,56 @@ +{{- $ksqldb := .Values.lsdmesp.confluent.ksqldb -}} +{{- if $ksqldb.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: KsqlDB metadata: name: ksqldb spec: + authorization: + type: rbac configOverrides: + jvm: + - -Xms{{ $ksqldb.jvm.Xms }} + - -Xmx{{ $ksqldb.jvm.Xmx }} server: - - ksql.internal.topic.replicas=3 - dataVolumeCapacity: 2Gi + - ksql.internal.topic.replicas={{ .Values.lsdmesp.defaultReplicationFactor }} + - ksql.logging.processing.topic.replication.factor={{ .Values.lsdmesp.defaultReplicationFactor }} + dataVolumeCapacity: {{ $ksqldb.dataVolumeCapacity }} dependencies: kafka: - bootstrapEndpoint: kafka.lsdmesp-confluent.svc.cluster.local:9071 + bootstrapEndpoint: kafka.{{ .Release.Namespace }}.svc.cluster.local:9071 authentication: type: mtls tls: enabled: true - schemaRegistry: + mds: + endpoint: https://kafka.{{ .Release.Namespace }}.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token authentication: - type: mtls + type: bearer + bearer: + secretRef: ksqldb-login tls: enabled: true - url: https://schemaregistry.lsdmesp-confluent.svc.cluster.local:8081 - tls: - autoGeneratedCerts: true + schemaRegistry: + tls: + enabled: true + url: https://schemaregistry.{{ .Release.Namespace }}.svc.cluster.local:8081 image: - application: confluentinc/cp-ksqldb-server:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 + application: confluentinc/cp-ksqldb-server:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} + internalTopicReplicationFactor: {{ .Values.lsdmesp.defaultReplicationFactor }} oneReplicaPerNode: true - authentication: - type: mtls podTemplate: - podSecurityContext: {} + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true resources: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 500m - memory: 1Gi - replicas: 1 + {{- toYaml $ksqldb.resources | nindent 6 }} + replicas: {{ $ksqldb.replicas }} + storageClass: + name: {{ 
.Values.lsdmesp.storageClass }} + tls: + autoGeneratedCerts: true +{{- end -}} diff --git a/charts/confluent/templates/040.kafkarestproxy.yaml b/charts/confluent/templates/040.kafkarestproxy.yaml index 906e4da..322a92a 100644 --- a/charts/confluent/templates/040.kafkarestproxy.yaml +++ b/charts/confluent/templates/040.kafkarestproxy.yaml 
@@ -1,36 +1,49 @@ +{{- $kafkarestproxy := .Values.lsdmesp.confluent.kafkarestproxy -}} +{{- if $kafkarestproxy.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: KafkaRestProxy metadata: name: kafkarestproxy spec: + authorization: + type: rbac + configOverrides: + jvm: + - -Xms{{ $kafkarestproxy.jvm.Xms }} + - -Xmx{{ $kafkarestproxy.jvm.Xmx }} dependencies: kafka: - bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071 + bootstrapEndpoint: kafka.{{ .Release.Namespace }}.svc.cluster.local:9071 authentication: type: mtls tls: enabled: true - schemaRegistry: - url: https://schemaregistry.confluent.svc.cluster.local:8081 + mds: + endpoint: https://kafka.{{ .Release.Namespace }}.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token authentication: - type: mtls + type: bearer + bearer: + secretRef: kafkarestproxy-login + tls: + enabled: true + schemaRegistry: + url: https://schemaregistry.{{ .Release.Namespace }}.svc.cluster.local:8081 tls: enabled: true - tls: - autoGeneratedCerts: true image: - application: confluentinc/cp-kafka-rest:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 + application: confluentinc/cp-kafka-rest:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} oneReplicaPerNode: true - authentication: - type: mtls podTemplate: - podSecurityContext: {} + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 200m - memory: 256Mi - replicas: 1 + {{- toYaml $kafkarestproxy.resources | nindent 6 }} + replicas: {{ $kafkarestproxy.replicas }} + tls: + autoGeneratedCerts: true +{{- end -}} diff --git a/charts/confluent/templates/050.controlcenter.yaml b/charts/confluent/templates/050.controlcenter.yaml index 5a28d9d..c01e145 100644 --- a/charts/confluent/templates/050.controlcenter.yaml +++ b/charts/confluent/templates/050.controlcenter.yaml 
@@ -1,65 +1,73 @@ +{{- $controlcenter := .Values.lsdmesp.confluent.controlcenter -}} +{{- if $controlcenter.enabled -}} apiVersion: platform.confluent.io/v1beta1 kind: ControlCenter metadata: name: controlcenter spec: + authorization: + type: rbac configOverrides: + jvm: + - -Xms{{ $controlcenter.jvm.Xms }} + - -Xmx{{ $controlcenter.jvm.Xmx }} server: - - confluent.controlcenter.internal.topics.retention.ms=21600000 - - confluent.metrics.topic.retention.ms=21600000 - - confluent.monitoring.interceptor.topic.retention.ms=21600000 - # - confluent.controlcenter.rest.advertised.url=https://controlcenter.some.domain - dataVolumeCapacity: 10Gi + - confluent.controlcenter.internal.topics.retention.ms=21600000 + - confluent.metrics.topic.retention.ms=21600000 + - confluent.monitoring.interceptor.topic.retention.ms=21600000 + # - confluent.controlcenter.rest.advertised.url=https://controlcenter.some.domain + dataVolumeCapacity: {{ $controlcenter.dataVolumeCapacity }} dependencies: kafka: - bootstrapEndpoint: kafka.lsdmesp-confluent.svc.cluster.local:9071 + bootstrapEndpoint: kafka.{{ .Release.Namespace }}.svc.cluster.local:9071 authentication: type: mtls tls: enabled: true - schemaRegistry: + mds: + endpoint: https://kafka.{{ .Release.Namespace }}.svc.cluster.local:8090 + tokenKeyPair: + secretRef: mds-token authentication: - type: mtls + type: bearer + bearer: + secretRef: controlcenter-login tls: enabled: true - url: https://schemaregistry.lsdmesp-confluent.svc.cluster.local:8081 + schemaRegistry: + tls: + enabled: true + url: https://schemaregistry.{{ .Release.Namespace }}.svc.cluster.local:8081 connect: - name: connect - authentication: - type: mtls tls: enabled: true - url: https://connect.lsdmesp-confluent.svc.cluster.local:8083 + url: https://connect.{{ .Release.Namespace }}.svc.cluster.local:8083 ksqldb: - name: ksqldb - # Is this needed? advertisedUrl: https://ksqldb.lsdmesp-confluent.apps.some.domain:443 - authentication: - type: mtls + # Is this needed? 
advertisedUrl: https://ksqldb.{{ .Release.Namespace }}.apps.some.domain:443 tls: enabled: true - url: https://ksqldb.lsdmesp-confluent.svc.cluster.local:8088 - tls: - autoGeneratedCerts: true + url: https://ksqldb.{{ .Release.Namespace }}.svc.cluster.local:8088 # externalAccess: # route: # domain: prd-confluent.apps.some.domain # prefix: controlcenter # type: route image: - application: confluentinc/cp-enterprise-control-center:7.5.3 - init: confluentinc/confluent-init-container:2.7.3 + application: confluentinc/cp-enterprise-control-center:{{ .Values.lsdmesp.cpVersion }} + init: confluentinc/confluent-init-container:{{ .Values.lsdmesp.cpOperatorVersion }} + internalTopicReplicatorFactor: {{ .Values.lsdmesp.defaultReplicationFactor }} podTemplate: - podSecurityContext: {} - probe: - liveness: - failureThreshold: 1 - periodSeconds: 10 - timeoutSeconds: 5 + podSecurityContext: + fsGroup: 1000 + runAsUser: 1000 + runAsNonRoot: true resources: - limits: - cpu: 4 - memory: 12Gi - requests: - cpu: 1 - memory: 4Gi - replicas: 1 + {{- toYaml $controlcenter.resources | nindent 6 }} + replicas: {{ $controlcenter.replicas }} + storageClass: + name: {{ .Values.lsdmesp.storageClass }} + tls: + autoGeneratedCerts: true +{{- end -}} diff --git a/charts/confluent/templates/090.lsdmesp-sysadmin-cfrb.yaml b/charts/confluent/templates/090.lsdmesp-sysadmin-cfrb.yaml new file mode 100644 index 0000000..abfa1ec --- /dev/null +++ b/charts/confluent/templates/090.lsdmesp-sysadmin-cfrb.yaml 
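Review bot: The ksqldb dependency keeps the `# Is this needed? advertisedUrl: https://ksqldb.{{ .Release.Namespace }}.apps.some.domain:443` comment, now with a template expression inside a commented-out line and a placeholder domain, so the open question survives the refactor unanswered. Either drop the line or turn it into an optional value, e.g. `{{- with $controlcenter.ksqldbAdvertisedUrl }}advertisedUrl: {{ . }}{{- end }}` (constructed name), so the decision lives in values.yaml rather than as a question in a template. The enclosing `externalAccess` comment block with `prd-confluent.apps.some.domain` is unchanged context but would benefit from the same treatment.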
@@ -0,0 +1,149 @@ +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-0 +spec: + principal: + name: cf_kafka + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-1 +spec: + clustersScopeByIds: + connectClusterId: {{ .Release.Namespace }}.connect + principal: + name: cf_kafka + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-2 +spec: + clustersScopeByIds: + ksqlClusterId: {{ .Release.Namespace }}.ksqldb_ + principal: + name: cf_kafka + type: user + resourcePatterns: + - name: ksql-cluster + patternType: LITERAL + resourceType: KsqlCluster + role: ResourceOwner +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-3 +spec: + clustersScopeByIds: + schemaRegistryClusterId: id_schemaregistry_{{ .Release.Namespace }} + principal: + name: cf_kafka + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-4 +spec: + principal: + name: cf_ksqldb + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-5 +spec: + clustersScopeByIds: + connectClusterId: {{ .Release.Namespace }}.connect + principal: + name: cf_ksqldb + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-6 +spec: + clustersScopeByIds: + ksqlClusterId: {{ .Release.Namespace }}.ksqldb_ + principal: + name: cf_ksqldb + type: user + resourcePatterns: + - name: ksql-cluster + patternType: LITERAL + resourceType: KsqlCluster + role: ResourceOwner +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-7 
+spec: + clustersScopeByIds: + schemaRegistryClusterId: id_schemaregistry_{{ .Release.Namespace }} + principal: + name: cf_ksqldb + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-8 +spec: + principal: + name: cf_connect + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-9 +spec: + clustersScopeByIds: + connectClusterId: {{ .Release.Namespace }}.connect + principal: + name: cf_connect + type: user + role: SystemAdmin +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-10 +spec: + clustersScopeByIds: + ksqlClusterId: {{ .Release.Namespace }}.ksqldb_ + principal: + name: cf_connect + type: user + resourcePatterns: + - name: ksql-cluster + patternType: LITERAL + resourceType: KsqlCluster + role: ResourceOwner +--- +apiVersion: platform.confluent.io/v1beta1 +kind: ConfluentRolebinding +metadata: + name: lsdmesp-sysadmin-11 +spec: + clustersScopeByIds: + schemaRegistryClusterId: id_schemaregistry_{{ .Release.Namespace }} + principal: + name: cf_connect + type: user + role: SystemAdmin diff --git a/charts/confluent/values.yaml b/charts/confluent/values.yaml index e92b254..dd7c096 100644 --- a/charts/confluent/values.yaml +++ b/charts/confluent/values.yaml 
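Review bot: `lsdmesp-sysadmin-4` and `lsdmesp-sysadmin-8` grant `SystemAdmin` at the Kafka cluster scope to the `cf_ksqldb` and `cf_connect` service principals, and the following bindings give each of them `SystemAdmin` on the other components' clusters as well, so a single leaked Connect or ksqlDB bearer credential (`connect-login` / `ksqldb-login`) is a full-platform admin. Confluent documents narrower role sets for these components (ResourceOwner on their own internal topics and consumer groups plus access to the cluster they serve); worth confirming against the current docs and scoping the bindings accordingly, leaving `SystemAdmin` to `cf_kafka` only. This file is also the one template in the change that is not gated on the component `enabled` flags, so disabling ksqldb or connect in values.yaml still creates bindings naming their cluster ids; wrapping those documents in `{{- if .Values.lsdmesp.confluent.ksqldb.enabled }}` … `{{- end }}` (and likewise for connect and schemaregistry) keeps the rendered output consistent with what is deployed. The `lsdmesp-sysadmin-N` names also cover the `ResourceOwner` bindings, so names that reflect principal and scope (e.g. `cf-connect-ksql-owner`, constructed) would read better.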
@@ -1,23 +1,149 @@ lsdmesp: - clusterType: "rancher" - cpVersion: "7.5.3" + clusterType: "kind" + cpVersion: "7.6.0" + cpOperatorVersion: "2.8.0" + storageClass: standard + defaultReplicationFactor: 3 + defaultMinInSyncReplicas: 2 + defaultNumPartitions: 6 confluent: - zookeeper: - enabled: false kraftcontroller: + # if `true`, then will be provisioned enabled: true + # java memory sizes + jvm: + Xms: 384m + Xmx: 384m + # size of the pv needed + dataVolumeCapacity: 1Gi + # pod resource limits and request + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 20m + memory: 512Mi + # number of pod replicas + replicas: 3 + kafka: + # if `true`, then will be provisioned + enabled: true + # java memory sizes + jvm: + Xms: 1g + Xmx: 1g + # size of the pv needed + dataVolumeCapacity: 20Gi + # pod resource limits and request + resources: + limits: + cpu: 1 + memory: 8Gi + requests: + cpu: 50m + memory: 3Gi + # number of pod replicas + replicas: 3 + + kafkarestclass: + # if `true`, then will be provisioned enabled: true + schemaregistry: + # if `true`, then will be provisioned enabled: true + # java memory sizes + jvm: + Xms: 384m + Xmx: 384m + # pod resource limits and request + resources: + limits: + cpu: 200m + memory: 1Gi + requests: + cpu: 10m + memory: 512Mi + # number of pod replicas + replicas: 1 + connect: + # if `true`, then will be provisioned enabled: true + # java memory sizes + jvm: + Xms: 512m + Xmx: 512m + # pod resource limits and request + resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 20m + memory: 1Gi + # number of pod replicas + replicas: 1 + ksqldb: + # if `true`, then will be provisioned enabled: true + # java memory sizes + jvm: + Xms: 512m + Xmx: 512m + # size of the pv needed + dataVolumeCapacity: 5Gi + # pod resource limits and request + resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + # number of pod replicas + replicas: 1 + kafkarestproxy: - enabled: false + # if `true`, then will 
be provisioned + enabled: true + # java memory sizes + jvm: + Xms: 384m + Xmx: 384m + # pod resource limits and request + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 10m + memory: 512Mi + # number of pod replicas + replicas: 1 + controlcenter: + # if `true`, then will be provisioned enabled: true + # java memory sizes + jvm: + Xms: 2g + Xmx: 2g + # size of the pv needed + dataVolumeCapacity: 10Gi + # pod resource limits and request + resources: + limits: + cpu: 2 + memory: 12Gi + requests: + cpu: 200m + memory: 6Gi + # number of pod replicas + replicas: 1 confluent-for-kubernetes: name: confluent-operator @@ -38,7 +164,7 @@ confluent-for-kubernetes: registry: docker.io repository: confluentinc/confluent-operator pullPolicy: IfNotPresent - tag: "0.824.40" + tag: "0.921.2" priorityClassName: "" replicas: 1 namespaced: true
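Review bot: `defaultReplicationFactor: 3` and `defaultMinInSyncReplicas: 2` are now free-standing values that `011.kafka.yaml` feeds into a dozen `*.replication.factor` / `*.min.isr` overrides, but nothing checks them against `kafka.replicas`, and a factor larger than the broker count surfaces as internal-topic creation failures at broker startup rather than at `helm install`. A guard in the kafka template such as `{{- if gt (int .Values.lsdmesp.defaultReplicationFactor) (int .Values.lsdmesp.confluent.kafka.replicas) }}{{ fail "lsdmesp.defaultReplicationFactor must not exceed confluent.kafka.replicas" }}{{- end }}` (and the same for min ISR against the factor) would catch this at render time. The comment `# pod resource limits and request`, repeated for every component, should read `# pod resource limits and requests`, and `# if \`true\`, then will be provisioned` is clearer as `# set to true to provision this component`. Note also that the defaults now provision kafkarestproxy (previously `enabled: false`) and switch `clusterType` to `"kind"`, which is worth calling out in the chart README so existing users are not surprised on upgrade.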