From ce72e6b2e62debd44d2bda59a2ea75d17a7bd8ae Mon Sep 17 00:00:00 2001
From: Hunter Madison
Date: Thu, 27 Jul 2023 08:26:29 -0400
Subject: [PATCH] Add an example making use of the new configuration option.

Signed-off-by: Hunter Madison
---
 examples/kubernetes/README.md | 6 ++
 ...a-oauth-single-authz-service-accounts.yaml | 78 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 examples/kubernetes/kafka-oauth-single-authz-service-accounts.yaml

diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
index 9b3b2218..3bada872 100644
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@@ -35,6 +35,12 @@ They assume Keycloak is used as an authorization server, with properly configure
 A single node Kafka cluster with OAuth 2 authentication with OAuth metrics enabled. See [README-metrics.md]() for how to setup this example.
+* `kafka-oauth-single-authz-service-accounts.yaml`
+
+ A single node Kafka cluster using [service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) for authorization and the `simple` authorizer.
+ It requires that the `kube-root-ca.crt` be copied from its ConfigMap to a Secret:
+
+ kubectl get configmap/kube-root-ca.crt -o=json | jq -r '.data."ca.crt"' | kubectl create secret generic kube-root-ca --from-file=ca.crt=/dev/stdin
 ### Deploying Keycloak and accessing the Keycloak Admin Console
diff --git a/examples/kubernetes/kafka-oauth-single-authz-service-accounts.yaml b/examples/kubernetes/kafka-oauth-single-authz-service-accounts.yaml
new file mode 100644
index 00000000..6a8c6871
--- /dev/null
+++ b/examples/kubernetes/kafka-oauth-single-authz-service-accounts.yaml
@@ -0,0 +1,78 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: oidc-reader
+ annotations:
+ kubernetes.io/description: |
+ A cluster role which allows access to the OpenID Connect endpoints on
+ the API Server.
+rules:
+ - nonResourceURLs: ["/.well-known/openid-configuration", "/openid/v1/jwks"]
+ verbs: ["get", "post"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: oidc-reader-binding
+ annotations:
+ kubernetes.io/description: |
+ A role binding which allows for anonymous access to those endpoints
+ from consuming applications.
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: oidc-reader
+subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: "system:anonymous"
+---
+apiVersion: kafka.strimzi.io/v1beta2
+kind: Kafka
+metadata:
+ name: my-cluster
+spec:
+ kafka:
+ version: 3.5.0
+ replicas: 1
+ listeners:
+ - name: plain
+ port: 9092
+ type: internal
+ tls: false
+ authentication:
+ type: oauth
+ enablePlain: true
+ checkAccessTokenType: false
+ validIssuerUri: https://kubernetes.default.svc.cluster.local
+ jwksEndpointUri: https://kubernetes.default.svc.cluster.local/openid/v1/jwks
+ userNameClaim: sub
+ tlsTrustedCertificates:
+ - secretName: kube-root-ca
+ certificate: ca.crt
+ authorization:
+ type: simple
+ superUsers:
+ - system:serviceaccount:default:default
+ config:
+ offsets.topic.replication.factor: 1
+ transaction.state.log.replication.factor: 1
+ transaction.state.log.min.isr: 1
+ jvmOptions:
+ javaSystemProperties:
+ - name: "oauth.include.accept.header"
+ value: "false"
+ logging:
+ type: inline
+ loggers:
+ log4j.logger.io.strimzi: DEBUG
+ storage:
+ type: ephemeral
+ zookeeper:
+ replicas: 1
+ storage:
+ type: ephemeral
+ entityOperator:
+ topicOperator: {}
+ userOperator: {}
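Review bot: The `plain` listener in the Kafka document (`tls: false` together with `enablePlain: true`) carries the service-account bearer token to the broker in cleartext, and that same token authenticates the pod to the API server, so a comment above the listener should state this is a single-node demonstration only, e.g. `# demo only: OAuth-over-PLAIN on a non-TLS listener exposes the SA token on the wire; use tls: true outside a test cluster`. In the `oidc-reader` ClusterRole, discovery and JWKS retrieval are read-only, so `verbs: ["get"]` is sufficient; granting `post` to `system:anonymous` widens unauthenticated access for no benefit. `superUsers: - system:serviceaccount:default:default` makes the automounted default service account of the `default` namespace a Kafka superuser, which every pod there without an explicit `serviceAccountName` receives, so a comment recommending a dedicated service account for real deployments would help. `validIssuerUri: https://kubernetes.default.svc.cluster.local` presumably assumes the API server's default `--service-account-issuer`; clusters configured with a different issuer would fail token validation, which is worth noting in a comment next to that line.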