example for mds, kafkaRest, schema-registry and ksqldb separate certs example (#220)

Author: zhaochun-ma

security/separate-listener-tls-rbac/README.rst

@@ -0,0 +1,2 @@
+username=kafka
+password=kafka-secret

security/separate-listener-tls-rbac/bearer.txt

@@ -0,0 +1,2 @@
+username=c3
+password=c3-secret

security/separate-listener-tls-rbac/c3-mds-client.txt

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuAQ98+MtD+Nncd9EszvDONGpCDdt4DpaU6MRMJS3LDcas2nf
+AN7Jo3yov4nRszE7mvCTGOmdEspcYV4kDgveTNxIQVqoIQ9m9MUyHnYG5KpBqRDd
+epW4g8FhIWV5wC57NcENOWvZaFRN9KEcAhnQbjQ0C81BKzbDwiEgU2QhtOYPyBQh
+9yzZ5Sl1ahYzHMBgqbuoscfX+52EFkse7PSv3AQ6wEGRNS5NrX2Tsc3YN/6g7rup
+dVQfq2jovs7cq5zKs0/lrfd83Q2Qyxy2giHvkjDA8D48H0csdnjhjEmHv9C5QipY
+aCTmJFdUhkOQtY65xMwHoxDbpbdhgFSprvt/KQIDAQABAoIBACVa9xijbWpkR4Oe
+R1v7Lc5DAYVhezSho+SGnd620dhv90OkoliS4WwGylrXp3Iw9GCnpbTQ98nwuoAp
+lDglwKLptOFPfgH4FnZp8ZqtawjQZzPi8JMKAcL9ZrJY3zZcOTbYUc7uTdwYARs/
++WeTxfQZNNeQe0JCg8rM3rsPAKiwEwdKB5SFoBTxGmiJhKRQd50LIdQfUGH7xHiD
+HfqVM78XZ0AqifdMHvKrsHmftGBoyc8pcjYs6vlIfGqUW4Uc8wL5/he+/C8PM6TX
+62pn20Qj0bM0LGTPFs8Bs0vn9OkmrnMpR5jwvsZWphcXrmTwvyUtXNeYJu0YqODF
+b4R1QWECgYEA51AIWDXol0CSvPXuhRHPCtqLEVJL/Jj7IbwFAz5jMP5v0pQ1icd/
+Bj64sjFeLaVrG8b6NSMtme1HjB+j+6U7qPwh7mDFnNQ2iFqgIUK4dWRQzRkWrc4n
+lNGqkomPK29Zc4Exn4E8ydYLS18OhJ+GPGWlbKp4/cfEnyJKwmFHvg8CgYEAy6f6
+QsdS8ylC1iHgTn0RH/qMNN3YcP0b3x1Sc8dx+GT8MYg4yL12M5kNK+fhKFaYP+JE
+Rpu/+ieqaVb0k0Hx1ObN40GNPTR+T/FrLtVwcwVoE2qrLmTqGyTfgWUIPOO3UZJV
+VxuzeBIoFTQuUoBEcntjhrWwEEIEMXvIAyFGp0cCgYBENgef65XBNJuQ+Xzy5MOH
+Udb8rqYVwQ8dbZKU2Err4bwb/vSiwp+kuc5BTemV0Ff7gvu5u7vwzlXw7kuvI5Sq
+Sl+/Ke5cRwAlyYO7Cy/V/lUNhj531nk5m3KPb902U8mvFAQMI1JHusTt3wQq+9fb
+66WSm9q+C7DhtH0TQRik5QKBgQCxpXow7AvYXiKWBQDTllbszTGmH+ngTXkVe09j
+/RLWeMhgMJJP0Kydv6D0rpUCCd9OwoGKEew5OoZ00swO89QOQbJQzOp1/Cc+drln
+Jfmr64hof4CIvLBVMynfhhDUhFJxTjMxA9HeKABc1qKdhpOuRSGA7VWCKQPdYjsL
+N+iYmwKBgD67+49A4fh6aOCSuo2S10e7T38io1aHobR/Kdx23wyW9gMHGO6fwX3X
+lDPq2a6gJelXTbsdoA3snZ93eIxbO9ovpx31Ab+rSVyNEzuI46zJU4NhBMzi7QO6
+BsvtrvwxIlx1KZ/4YMCq3YxKesIDBg6TZGgO+tEyM1ej5NyVGo3d
+-----END RSA PRIVATE KEY-----

security/separate-listener-tls-rbac/ca-key.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTjCCAjYCCQDJPjAdif7VsTANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV
+UzELMAkGA1UECAwCQ0ExFTATBgNVBAcMDE1vdW50YWluVmlldzESMBAGA1UECgwJ
+Q29uZmx1ZW50MREwDwYDVQQLDAhPcGVyYXRvcjEPMA0GA1UEAwwGVGVzdENBMB4X
+DTIxMDQxOTE0MzcyOVoXDTI0MDExNDE0MzcyOVowaTELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgMAkNBMRUwEwYDVQQHDAxNb3VudGFpblZpZXcxEjAQBgNVBAoMCUNvbmZs
+dWVudDERMA8GA1UECwwIT3BlcmF0b3IxDzANBgNVBAMMBlRlc3RDQTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBALgEPfPjLQ/jZ3HfRLM7wzjRqQg3beA6
+WlOjETCUtyw3GrNp3wDeyaN8qL+J0bMxO5rwkxjpnRLKXGFeJA4L3kzcSEFaqCEP
+ZvTFMh52BuSqQakQ3XqVuIPBYSFlecAuezXBDTlr2WhUTfShHAIZ0G40NAvNQSs2
+w8IhIFNkIbTmD8gUIfcs2eUpdWoWMxzAYKm7qLHH1/udhBZLHuz0r9wEOsBBkTUu
+Ta19k7HN2Df+oO67qXVUH6to6L7O3KucyrNP5a33fN0NkMsctoIh75IwwPA+PB9H
+LHZ44YxJh7/QuUIqWGgk5iRXVIZDkLWOucTMB6MQ26W3YYBUqa77fykCAwEAATAN
+BgkqhkiG9w0BAQsFAAOCAQEAEBzR8yhMM3w0zfOObXqoEfTNJcAQ/naMfdb4qH5V
+IWFqY5cbru65rc66+kNpfliDyWsivh5UACahLnewTbiIp55a9WYzqXhChuw1TMfm
+J8Bm/fqcqtxT6thJX/wGsss+EZVZwbzid54tw2fC7wOUv76XUxa5OHYuWmSShaA9
+S83GjOh5yAdWvVStKM9KtxVty9uU1tJ95ouM4I8FvHMUbVrBlw/Zx0yBlaaVVuEZ
+b/m7I6kp/8dePDUlIR8OScDfQr5W0fFAcUO8n0/if6ZfGsIcuPm0gnhdCv61zZ8c
+QetbxfeQyAu/Hu9RmiPeOwHxMuIxChOnm2dYabYe1N2XeQ==
+-----END CERTIFICATE-----

security/separate-listener-tls-rbac/ca.pem

@@ -0,0 +1,339 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: Zookeeper
+metadata:
+  name: zookeeper
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-zookeeper:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  dataVolumeCapacity: 10Gi
+  logVolumeCapacity: 10Gi
+  authentication:
+    type: digest
+    jaasConfig:
+      secretRef: credential
+  tls:
+    autoGeneratedCerts: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+  name: kafka
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-server:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  dataVolumeCapacity: 10Gi
+  tls:
+    autoGeneratedCerts: true
+  listeners:
+    internal:
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    external:
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      externalAccess:
+        type: loadBalancer
+        loadBalancer:
+          domain: my.domain
+          brokerPrefix: rb
+          bootstrapPrefix: rb
+      tls:
+        enabled: true
+  authorization:
+    type: rbac
+    superUsers:
+    - User:kafka
+  services:
+    mds:
+      tls:
+        enabled: true
+      tokenKeyPair:
+        secretRef: mds-token
+      listeners:
+        internal:
+          # Since no secretRef is specified, the mds internal listener
+          # tls will piggyback mds.tls which also has no secretRef is specified,
+          # so the Kafka auto-generated tls configuration will be used for this listener.
+          tls:
+            enabled: true
+        external:
+          tls:
+            enabled: true
+            secretRef: tls-mds
+      externalAccess:
+        type: loadBalancer
+        loadBalancer:
+          domain: my.domain
+          prefix: rb-mds
+      provider: 
+        type: ldap
+        ldap:
+          address: ldap://ldap.confluent.svc.cluster.local:389
+          authentication:
+            type: simple
+            simple:
+              secretRef: credential
+          configurations:
+            groupNameAttribute: cn
+            groupObjectClass: group
+            groupMemberAttribute: member
+            groupMemberAttributePattern: CN=(.*),DC=test,DC=com
+            groupSearchBase: dc=test,dc=com
+            userNameAttribute: cn
+            userMemberOfAttributePattern: CN=(.*),DC=test,DC=com
+            userObjectClass: organizationalRole
+            userSearchBase: dc=test,dc=com
+  dependencies:
+    kafkaRest:
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client
+    zookeeper:
+      endpoint: zookeeper.confluent.svc.cluster.local:2182
+      authentication:
+        type: digest
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Connect
+metadata:
+  name: connect
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-server-connect:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  tls:
+    autoGeneratedCerts: true
+  externalAccess:
+    type: loadBalancer
+    loadBalancer:
+      domain: my.domain
+      prefix: rb-connect
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:9090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: connect-mds-client
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: SchemaRegistry
+metadata:
+  name: schemaregistry
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-schema-registry:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  tls:
+    autoGeneratedCerts: true
+  externalAccess:
+    type: loadBalancer
+    loadBalancer:
+      domain: my.domain
+      prefix: rb-sr
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:9090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: sr-mds-client
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestProxy
+metadata:
+  name: kafkarestproxy
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-kafka-rest:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  tls:
+    autoGeneratedCerts: true
+  externalAccess:
+    type: loadBalancer
+    loadBalancer:
+      domain: my.domain
+      prefix: rb-krp
+  authorization:
+    type: rbac
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:9090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: krp-mds-client
+      tls:
+        enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.confluent.svc.cluster.local:8081
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KsqlDB
+metadata:
+  name: ksqldb
+  namespace: confluent
+spec:
+  replicas: 1
+  image:
+    application: confluentinc/cp-ksqldb-server:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  dataVolumeCapacity: 10Gi
+  authorization:
+    type: rbac
+  externalAccess:
+    type: loadBalancer
+    loadBalancer:
+      domain: my.domain
+      prefix: rb-ksql
+  tls:
+    autoGeneratedCerts: true
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:9090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: ksqldb-mds-client
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ControlCenter
+metadata:
+  name: controlcenter
+  namespace: confluent
+spec:
+  replicas: 1
+  podTemplate:
+    probe:
+      liveness:
+        periodSeconds: 10
+        failureThreshold: 1
+        timeoutSeconds: 5 
+  image:
+    application: confluentinc/cp-enterprise-control-center:7.4.0
+    init: confluentinc/confluent-init-container:2.6.0
+  dataVolumeCapacity: 10Gi
+  authorization:
+    type: rbac
+  tls:
+    autoGeneratedCerts: true
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.confluent.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: credential
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.confluent.svc.cluster.local:9090
+      tokenKeyPair:
+        secretRef: mds-token
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: c3-mds-client
+      tls:
+        enabled: true
+    connect:
+      - name: connect
+        url:  https://connect.confluent.svc.cluster.local:8083
+        tls:
+          enabled: true
+    ksqldb:
+      - name: ksqldb
+        url:  https://ksqldb.confluent.svc.cluster.local:8088
+        tls:
+          enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.confluent.svc.cluster.local:8081
+      tls:
+        enabled: true
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestClass
+metadata:
+  name: default
+  namespace: confluent
+spec:
+  kafkaRest:
+    authentication:
+      type: bearer
+      bearer:
+        secretRef: rest-credential

security/separate-listener-tls-rbac/confluent-platform-mds-separate-listener.yaml

@@ -0,0 +1,2 @@
+username=connect
+password=connect-secret