Open pneff93 opened 5 months ago
We are just working on a setup with KRaft for a customer project based on security/production-secure-deploy-ldap-rbac-all.
It only took the following changes:

Replace ZK with KRaft controller

```yaml
apiVersion: platform.confluent.io/v1beta1
kind: KRaftController
metadata:
  name: kraftcontroller
  namespace: confluent
spec:
  replicas: 3
  image:
    application: confluentinc/cp-server:7.6.0
    init: confluentinc/confluent-init-container:2.8.0
  listeners:
    controller:
      tls:
        enabled: true
      authentication:
        type: plain
        jaasConfig:
          secretRef: credential
  tls:
    secretRef: tls-group1
  dataVolumeCapacity: 10G
---
```
Replace dependency in Kafka resource with KRaft controller

```yaml
kRaftController:
  controllerListener:
    tls:
      enabled: true
    authentication:
      type: ldap
      jaasConfig:
        secretRef: credential
  clusterRef:
    name: kraftcontroller
    namespace: confluent
```
What would be nice to know is, why is the authentication type "plain" in KRaft controller definition, but "ldap" in the dependency? Because with plain in both locations it did not work for us.
Correction: we seem to be missing the MDS configuration for KRaft, but trying anything from the documentation under https://docs.confluent.io/operator/current/co-rbac.html#enable-rbac-for-kraft-controller leads to crash loops of the operator.
The examples in https://github.com/confluentinc/confluent-kubernetes-examples/tree/master/security are a great way to point to a concrete setup. However, all examples are still using ZK.
We should also have them with KRaft Controllers.