Initial commit

Signed-off-by: Jakub Scholz <[email protected]>

Author: scholzj

README.md

@@ -0,0 +1,64 @@
+# Demo: Strimzi with Open Policy Agent used for Kafka authorization
+
+This repository contains the example files for using Open Policy Agent (OPA) for Apache Kafka authorization.
+This demo is related to the blog post published on [Strimzi website](https://strimzi.io).
+
+## Prerequisites
+
+### Namespace
+
+Create a namespace `myproject` and set it as default.
+If you use different namespace, change the `.metadata.namespace` field in the YAML files in this repository
+
+### Install Strimzi 0.19.0
+
+Install Strimzi 0.19.0 and make sure it is watching the `myproject` namespace.
+You can use any of the available methods.
+
+## Deploy OPA
+
+The OPA policies used for both examples mentioned int he blog post are deployed using a ConfigMap [`opa-policies.yaml`](./opa-policies.yaml).
+You can create them using `kubectl`:
+
+```
+kubectl apply -f opa-policies.yaml
+```
+
+The [`opa-deployment.yaml`](./opa-deployment.yaml) contains the deployment of the OPA server.
+This is just example deployment which is not production ready.
+You can install it using `kubectl`:
+
+```
+kubectl apply -f opa-deployment.yaml
+```
+
+## Basic example
+
+### Deploy Kafka cluster
+
+Deploy the Kafka cluster from the [`basic-example-kafka.yaml`](./basic-example-kafka.yaml) file.
+This example is also configured to use the basic example policy.
+
+```
+kubectl apply -f basic-example-kafka.yaml
+```
+
+### Deploy allowed clients
+
+In the file [`basic-example-clients-allowed.yaml`](./basic-example-clients-allowed.yaml) you can find example consumer and producer which are using users allowed to produce and consumer messages.
+
+```
+kubectl apply -f ./basic-example-clients-allowed.yaml
+```
+
+When you deploy them, you should see that the are allowed to run.
+
+### Deploy not allowed clients
+
+In the file [`basic-example-clients-denied.yaml`](./basic-example-clients-denied.yaml) you can find example consumer and producer which are using users not allowed to produce and consumer messages.
+
+```
+kubectl apply -f ./basic-example-clients-denied.yaml
+```
+
+When you deploy them, you should see that the are allowed to use the Kafka cluster.

basic-example-clients-allowed.yaml

@@ -0,0 +1,121 @@
+apiVersion: kafka.strimzi.io/v1alpha1
+kind: KafkaTopic
+metadata:
+  name: my-topic
+  labels:
+      strimzi.io/cluster: my-cluster
+spec:
+  replicas: 3
+  partitions: 12
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: john
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: johns-producer
+  name: johns-producer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: johns-producer
+  template:
+    metadata:
+      labels:
+        app: johns-producer
+    spec:
+      containers:
+      - name: johns-producer
+        image: strimzi/hello-world-producer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: john
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: john
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: DELAY_MS
+            value: "1000"
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: matt
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: matts-consumer
+  name: matts-consumer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matts-consumer
+  template:
+    metadata:
+      labels:
+        app: matts-consumer
+    spec:
+      containers:
+      - name: matts-consumer
+        image: strimzi/hello-world-consumer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: matt
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: matt
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: GROUP_ID
+            value: matts-group
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"

basic-example-clients-denied.yaml

@@ -0,0 +1,121 @@
+apiVersion: kafka.strimzi.io/v1alpha1
+kind: KafkaTopic
+metadata:
+  name: my-topic
+  labels:
+      strimzi.io/cluster: my-cluster
+spec:
+  replicas: 3
+  partitions: 12
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: joe
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: joes-producer
+  name: joes-producer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: joes-producer
+  template:
+    metadata:
+      labels:
+        app: joes-producer
+    spec:
+      containers:
+      - name: joes-producer
+        image: strimzi/hello-world-producer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: joe
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: joe
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: DELAY_MS
+            value: "1000"
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"
+---
+apiVersion: kafka.strimzi.io/v1beta1
+kind: KafkaUser
+metadata:
+  name: conor
+  labels:
+    strimzi.io/cluster: my-cluster
+spec:
+  authentication:
+    type: tls
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: conors-consumer
+  name: conors-consumer
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: conors-consumer
+  template:
+    metadata:
+      labels:
+        app: conors-consumer
+    spec:
+      containers:
+      - name: conors-consumer
+        image: strimzi/hello-world-consumer:latest
+        env:
+          - name: CA_CRT
+            valueFrom:
+              secretKeyRef:
+                name: my-cluster-cluster-ca-cert
+                key: ca.crt
+          - name: USER_CRT
+            valueFrom:
+              secretKeyRef:
+                name: conor
+                key: user.crt
+          - name: USER_KEY
+            valueFrom:
+              secretKeyRef:
+                name: conor
+                key: user.key
+          - name: BOOTSTRAP_SERVERS
+            value: my-cluster-kafka-bootstrap:9093
+          - name: TOPIC
+            value: my-topic
+          - name: GROUP_ID
+            value: conors-group
+          - name: LOG_LEVEL
+            value: "INFO"
+          - name: MESSAGE_COUNT
+            value: "1000000"

basic-example-kafka.yaml

@@ -0,0 +1,68 @@
+apiVersion: kafka.strimzi.io/v1beta1
+kind: Kafka
+metadata:
+  name: my-cluster
+  labels:
+    app: my-cluster
+spec:
+  kafka:
+    replicas: 3
+    resources:
+      requests:
+        memory: 2Gi
+        cpu: 500m
+      limits:
+        memory: 2Gi
+        cpu: "1"
+    jvmOptions:
+      -Xms: 1024m
+      -Xmx: 1024m
+    listeners:
+      tls:
+        authentication:
+          type: tls
+    authorization:
+      type: opa
+      url: http://opa:8181/v1/data/kafka/authz/example/basic/allow
+      expireAfterMs: 60000
+    config:
+      offsets.topic.replication.factor: 3
+      transaction.state.log.replication.factor: 3
+      transaction.state.log.min.isr: 2
+    storage:
+      type: jbod
+      volumes:
+      - id: 0
+        type: persistent-claim
+        size: 100Gi
+        deleteClaim: false
+  zookeeper:
+    replicas: 3
+    resources:
+      requests:
+        memory: 1Gi
+        cpu: "0.3"
+      limits:
+        memory: 1Gi
+        cpu: "0.5"
+    storage:
+      type: persistent-claim
+      size: 100Gi
+      deleteClaim: false
+  entityOperator:
+    topicOperator:
+      resources:
+        requests:
+          memory: 256Mi
+          cpu: "0.1"
+        limits:
+          memory: 256Mi
+          cpu: "0.5"
+    userOperator:
+      resources:
+        requests:
+          memory: 256Mi
+          cpu: "0.1"
+        limits:
+          memory: 256Mi
+          cpu: "0.5"