Add an example making use of the new configuration option.

Signed-off-by: Hunter Madison <[email protected]>
strimzi · Jul 27, 2023 · ce72e6b · ce72e6b
1 parent 3f50793
commit ce72e6b
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 0 deletions.
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
@@ -35,6 +35,12 @@ They assume Keycloak is used as an authorization server, with properly configure
   A single node Kafka cluster with OAuth 2 authentication with OAuth metrics enabled.
   See [README-metrics.md]() for how to setup this example.
 
+* `kafka-oauth-single-authz-service-accounts.yaml`
+
+  A single node Kafka cluster using [service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) for authorization and the `simple` authorizer.
+  It requires that the `kube-root-ca.crt` be copied from its ConfigMap to a Secret:
+
+      kubectl get configmap/kube-root-ca.crt -o=json | jq -r '.data."ca.crt"' | kubectl create secret generic kube-root-ca --from-file=ca.crt=/dev/stdin
 
 ### Deploying Keycloak and accessing the Keycloak Admin Console
 

diff --git a/examples/kubernetes/kafka-oauth-single-authz-service-accounts.yaml b/examples/kubernetes/kafka-oauth-single-authz-service-accounts.yaml
@@ -0,0 +1,78 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: oidc-reader
+  annotations:
+    kubernetes.io/description: |
+      A cluster role which allows access to the OpenID Connect endpoints on
+      the API Server.
+rules:
+  - nonResourceURLs: ["/.well-known/openid-configuration", "/openid/v1/jwks"]
+    verbs: ["get", "post"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: oidc-reader-binding
+  annotations:
+  kubernetes.io/description: |
+    A role binding which allows for anonymous access to those endpoints
+    from consuming applications.
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: oidc-reader
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: "system:anonymous"
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: Kafka
+metadata:
+  name: my-cluster
+spec:
+  kafka:
+    version: 3.5.0
+    replicas: 1
+    listeners:
+      - name: plain
+        port: 9092
+        type: internal
+        tls: false
+        authentication:
+          type: oauth
+          enablePlain: true
+          checkAccessTokenType: false
+          validIssuerUri: https://kubernetes.default.svc.cluster.local
+          jwksEndpointUri: https://kubernetes.default.svc.cluster.local/openid/v1/jwks
+          userNameClaim: sub
+          tlsTrustedCertificates:
+            - secretName: kube-root-ca
+              certificate: ca.crt
+    authorization:
+      type: simple
+      superUsers:
+        - system:serviceaccount:default:default
+    config:
+      offsets.topic.replication.factor: 1
+      transaction.state.log.replication.factor: 1
+      transaction.state.log.min.isr: 1
+    jvmOptions:
+      javaSystemProperties:
+        - name: "oauth.include.accept.header"
+          value: "false"
+    logging:
+      type: inline
+      loggers:
+        log4j.logger.io.strimzi: DEBUG
+    storage:
+      type: ephemeral
+  zookeeper:
+    replicas: 1
+    storage:
+      type: ephemeral
+  entityOperator:
+    topicOperator: {}
+    userOperator: {}