Add advanced example

Signed-off-by: Jakub Scholz <[email protected]>

Author: scholzj

README.md

@@ -1,4 +1,4 @@
-# Demo: Strimzi with Open Policy Agent used for Kafka authorization
+# Strimzi with Open Policy Agent used for Kafka authorization
 
 This repository contains the example files for using Open Policy Agent (OPA) for Apache Kafka authorization.
 This demo is related to the blog post published on [Strimzi website](https://strimzi.io).
@@ -34,6 +34,9 @@ kubectl apply -f opa-deployment.yaml
 
 ## Basic example
 
+The basic example had the groups hardcoded inside the OPA policy.
+Any changes to the groups (adding or removing users) would require change fo the policy.
+
 ### Deploy Kafka cluster
 
 Deploy the Kafka cluster from the [`basic-example-kafka.yaml`](./basic-example-kafka.yaml) file.
@@ -61,4 +64,39 @@ In the file [`basic-example-clients-denied.yaml`](./basic-example-clients-denied
 kubectl apply -f ./basic-example-clients-denied.yaml
 ```
 
+When you deploy them, you should see that the are allowed to use the Kafka cluster.
+
+## Advanced example
+
+The advanced example is using groups configured as annotations on the `KafkaTopic` and `KafkaUser` resources.
+The resources are loaded into OPA using the kube-mgmt sidecar and are used by the policy.
+That way, changing the rights, adding or removing users etc. can be done without any changes to the policy.
+
+### Deploy Kafka cluster
+
+Deploy the Kafka cluster from the [`advanced-example-kafka.yaml`](./advanced-example-kafka.yaml) file.
+This example is also configured to use the basic example policy.
+
+```
+kubectl apply -f advanced-example-kafka.yaml
+```
+
+### Deploy allowed clients
+
+In the file [`advanced-example-clients-allowed.yaml`](./advanced-example-clients-allowed.yaml) you can find example consumer and producer which are using users allowed to produce and consumer messages.
+
+```
+kubectl apply -f ./advanced-example-clients-allowed.yaml
+```
+
+When you deploy them, you should see that the are allowed to run.
+
+### Deploy not allowed clients
+
+In the file [`advanced-example-clients-denied.yaml`](./advanced-example-clients-denied.yaml) you can find example consumer and producer which are using users not allowed to produce and consumer messages.
+
+```
+kubectl apply -f ./advanced-example-clients-denied.yaml
+```
+
 When you deploy them, you should see that the are allowed to use the Kafka cluster.

advanced-example-clients-allowed.yaml

@@ -0,0 +1,128 @@
+apiVersion: kafka.strimzi.io/v1alpha1
+kind: KafkaTopic
+metadata:
+  name: my-topic
+  annotations:
+    consumer-groups: '["consumers1", "consumers2"]'
+    producer-groups: '["producers1", "producers2"]'
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  replicas: 3
+  partitions: 12
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: john
+  annotations:
+    groups: '["producers1"]'
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: johns-producer
+  name: johns-producer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: johns-producer
+  template:
+    metadata:
+      labels:
+        app: johns-producer
+    spec:
+      containers:
+      - name: johns-producer
+        image: strimzi/hello-world-producer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: john
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: john
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: DELAY_MS
+            value: "1000"
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: matt
+  annotations:
+    groups: '["consumers2"]'
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: matts-consumer
+  name: matts-consumer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matts-consumer
+  template:
+    metadata:
+      labels:
+        app: matts-consumer
+    spec:
+      containers:
+      - name: matts-consumer
+        image: strimzi/hello-world-consumer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: matt
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: matt
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: GROUP_ID
+            value: matts-group
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"

advanced-example-clients-denied.yaml

@@ -0,0 +1,128 @@
+apiVersion: kafka.strimzi.io/v1alpha1
+kind: KafkaTopic
+metadata:
+  name: my-topic
+  annotations:
+    consumer-groups: '["consumers1", "consumers2"]'
+    producer-groups: '["producers1", "producers2"]'
+  labels:
+      strimzi.io/cluster: my-cluster
+spec:
+  replicas: 3
+  partitions: 12
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: joe
+  annotations:
+    groups: '["other-producers"]'
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: joes-producer
+  name: joes-producer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: joes-producer
+  template:
+    metadata:
+      labels:
+        app: joes-producer
+    spec:
+      containers:
+      - name: joes-producer
+        image: strimzi/hello-world-producer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: joe
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: joe
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: DELAY_MS
+            value: "1000"
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: conor
+  annotations:
+    groups: '["other-consumers"]'
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: conors-consumer
+  name: conors-consumer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: conors-consumer
+  template:
+    metadata:
+      labels:
+        app: conors-consumer
+    spec:
+      containers:
+      - name: conors-consumer
+        image: strimzi/hello-world-consumer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: conor
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: conor
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: GROUP_ID
+            value: conors-group
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"

advanced-example-kafka.yaml

@@ -0,0 +1,68 @@
+apiVersion: kafka.strimzi.io/v1beta1
+kind: Kafka
+metadata:
+  name: my-cluster
+  labels:
+    app: my-cluster
+spec:
+  kafka:
+    replicas: 3
+    resources:
+      requests:
+        memory: 2Gi
+        cpu: 500m
+      limits:
+        memory: 2Gi
+        cpu: "1"
+    jvmOptions:
+      -Xms: 1024m
+      -Xmx: 1024m
+    listeners:
+      tls:
+        authentication:
+          type: tls
+    authorization:
+      type: opa
+      url: http://opa:8181/v1/data/kafka/authz/example/crds/allow
+      expireAfterMs: 60000
+    config:
+      offsets.topic.replication.factor: 3
+      transaction.state.log.replication.factor: 3
+      transaction.state.log.min.isr: 2
+    storage:
+      type: jbod
+      volumes:
+      - id: 0
+        type: persistent-claim
+        size: 100Gi
+        deleteClaim: false
+  zookeeper:
+    replicas: 3
+    resources:
+      requests:
+        memory: 1Gi
+        cpu: "0.3"
+      limits:
+        memory: 1Gi
+        cpu: "0.5"
+    storage:
+      type: persistent-claim
+      size: 100Gi
+      deleteClaim: false
+  entityOperator:
+    topicOperator:
+      resources:
+        requests:
+          memory: 256Mi
+          cpu: "0.1"
+        limits:
+          memory: 256Mi
+          cpu: "0.5"
+    userOperator:
+      resources:
+        requests:
+          memory: 256Mi
+          cpu: "0.1"
+        limits:
+          memory: 256Mi
+          cpu: "0.5"