Commit f43c68c

mtls config without rbac (#148)
1 parent 99210f9 commit f43c68c

2 files changed

+403
-0
lines changed
security/mtls-without-rbac/README.md

Lines changed: 170 additions & 0 deletions
@@ -0,0 +1,170 @@
1+
# Security setup
2+
3+
In this workflow scenario, you'll set up a Confluent Platform cluster with the following security:
4+
- Full TLS network encryption with user provided certificates
5+
- mTLS authentication
6+
7+
Before continuing with the scenario, ensure that you have set up the [prerequisites](https://github.com/confluentinc/confluent-kubernetes-examples/blob/master/README.md#prerequisites).
8+
9+
## Set the current tutorial directory
10+
11+
Set the tutorial directory for this tutorial under the directory you downloaded the tutorial files:
12+
13+
```
14+
export TUTORIAL_HOME=<Tutorial directory>/security/mtls-without-rbac
15+
```
16+
17+
## Deploy Confluent for Kubernetes
18+
19+
Set up the Helm Chart:
20+
21+
```
22+
helm repo add confluentinc https://packages.confluent.io/helm
23+
```
24+
25+
Install Confluent For Kubernetes using Helm:
26+
27+
```
28+
helm upgrade --install operator confluentinc/confluent-for-kubernetes --namespace confluent
29+
```
30+
31+
Check that the Confluent For Kubernetes pod comes up and is running:
32+
33+
```
34+
kubectl get pods --namespace confluent
35+
```
36+
37+
## Create TLS certificates
38+
39+
In this scenario, you'll configure authentication using the mTLS mechanism. With mTLS, Confluent components and clients use TLS certificates for authentication. The certificate has a CN that identifies the principal name.
40+
41+
Each Confluent component service should have it's own TLS certificate. In this scenario, you'll
42+
generate a server certificate for each Confluent component service. Follow [these instructions](../../assets/certs/component-certs/README.md) to generate these certificates.
43+
44+
## Deploy configuration secrets
45+
46+
You'll use Kubernetes secrets to provide credential configurations.
47+
48+
With Kubernetes secrets, credential management (defining, configuring, updating)
49+
can be done outside of the Confluent For Kubernetes. You define the configuration
50+
secret, and then tell Confluent For Kubernetes where to find the configuration.
51+
52+
To support the above deployment scenario, you need to provide the following
53+
credentials:
54+
55+
* Component TLS Certificates
56+
57+
* Authentication credentials for Zookeeper, Kafka, Control Center, remaining CP components
58+
59+
### Provide component TLS certificates
60+
61+
Set the tutorial directory for this tutorial under the directory you downloaded the tutorial files:
62+
63+
```
64+
export TUTORIAL_HOME=<Tutorial directory>/security/mtls-without-rbac
65+
```
66+
67+
In this step, you will create secrets for each Confluent component TLS certificates.
68+
69+
```
70+
kubectl create secret generic tls-zookeeper \
71+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/zookeeper-server.pem \
72+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
73+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/zookeeper-server-key.pem \
74+
--namespace confluent
75+
76+
kubectl create secret generic tls-kafka \
77+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/kafka-server.pem \
78+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
79+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/kafka-server-key.pem \
80+
--namespace confluent
81+
82+
kubectl create secret generic tls-controlcenter \
83+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/controlcenter-server.pem \
84+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
85+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/controlcenter-server-key.pem \
86+
--namespace confluent
87+
88+
kubectl create secret generic tls-schemaregistry \
89+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/schemaregistry-server.pem \
90+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
91+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/schemaregistry-server-key.pem \
92+
--namespace confluent
93+
94+
kubectl create secret generic tls-connect \
95+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/connect-server.pem \
96+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
97+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/connect-server-key.pem \
98+
--namespace confluent
99+
100+
kubectl create secret generic tls-kafkarestproxy \
101+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/kafkarestproxy-server.pem \
102+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
103+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/kafkarestproxy-server-key.pem \
104+
--namespace confluent
105+
106+
kubectl create secret generic tls-ksqldb \
107+
--from-file=fullchain.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/ksqldb-server.pem \
108+
--from-file=cacerts.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/cacerts.pem \
109+
--from-file=privkey.pem=$TUTORIAL_HOME/../../assets/certs/component-certs/generated/ksqldb-server-key.pem \
110+
--namespace confluent
111+
```
112+
113+
## Deploy Confluent Platform
114+
115+
Deploy Confluent Platform:
116+
117+
```
118+
kubectl apply -f $TUTORIAL_HOME/confluent-platform-mtls.yaml --namespace confluent
119+
```
120+
121+
Check that all Confluent Platform resources are deployed:
122+
123+
```
124+
kubectl get pods --namespace confluent
125+
```
126+
127+
## Validate
128+
129+
### Validate in Control Center
130+
131+
Use Control Center to monitor the Confluent Platform, and see the created topic
132+
and data. You can visit the external URL you set up for Control Center, or visit the URL
133+
through a local port forwarding like below:
134+
135+
Set up port forwarding to Control Center web UI from local machine:
136+
137+
```
138+
kubectl port-forward controlcenter-0 9021:9021 --namespace confluent
139+
```
140+
141+
Browse to Control Center:
142+
```
143+
https://localhost:9021
144+
```
145+
146+
## Tear down
147+
148+
```
149+
kubectl delete -f $TUTORIAL_HOME/confluent-platform-mtls.yaml --namespace confluent
150+
151+
kubectl delete secret tls-zookeeper tls-kafka tls-connect tls-schemaregistry tls-kafkarestproxy tls-ksqldb tls-controlcenter --namespace confluent
152+
153+
helm delete operator --namespace confluent
154+
```
155+
156+
## Appendix: Troubleshooting
157+
158+
### Gather data to troubleshoot
159+
160+
```
161+
# Check for any error messages in events
162+
kubectl get events --namespace confluent
163+
164+
# Check for any pod failures
165+
kubectl get pods --namespace confluent
166+
167+
# For pod failures, check logs
168+
kubectl logs <pod-name> --namespace confluent
169+
```
170+
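Review bot: The "Deploy configuration secrets" section (hunk lines 52-57) says you must provide "Authentication credentials for Zookeeper, Kafka, Control Center, remaining CP components", but no later step creates any credential secret; the only secrets created are the tls-* certificate secrets (lines 69-111). Either drop that bullet or state that in this scenario the component certificates are the authentication credentials, so readers do not go looking for a missing step. Related cleanups in the same hunk: the `export TUTORIAL_HOME=...` block is duplicated verbatim at lines 11-15 and 61-65, so the second copy under "Provide component TLS certificates" can go; "it's own TLS certificate" at line 41 should read "its own TLS certificate"; "outside of the Confluent For Kubernetes" at line 49 should read "outside of Confluent For Kubernetes"; and the Validate section at lines 131-132 refers to "the created topic and data" although this README never creates a topic. Since the scenario enables mTLS authentication, the "Browse to Control Center" step (lines 141-144) would also benefit from a sentence on what the browser is expected to present when connecting to `https://localhost:9021`, or a pointer to where that is configured.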
