From 327bac495914d45a083f02d679cf723ee1d68768 Mon Sep 17 00:00:00 2001 From: Anatoly Zelenin Date: Mon, 24 Jun 2019 13:31:43 +0200 Subject: [PATCH] Added templates for Kubernetes deployments --- README.md | 24 ++++++++- .../toolbox-mutual-tls-zookeeper-sidecar.yaml | 52 +++++++++++++++++++ assets/toolbox-mutual-tls.yaml | 36 +++++++++++++ .../toolbox-plaintext-zookeeper-sidecar.yaml | 36 +++++++++++++ assets/toolbox-plaintext.yaml | 16 ++++++ 5 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 assets/toolbox-mutual-tls-zookeeper-sidecar.yaml create mode 100644 assets/toolbox-mutual-tls.yaml create mode 100644 assets/toolbox-plaintext-zookeeper-sidecar.yaml create mode 100644 assets/toolbox-plaintext.yaml diff --git a/README.md b/README.md index ecf4eba..4d3023a 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,18 @@ are using Strimzi it is probably called `kafka-cluster-bootstrap`). #### No authentication, no transport encryption -No additional configuration is required +No additional configuration is required. + +For Kubernetes deployments you can use following templates: + + +* [./assets/toolbox-plaintext.yaml](./assets/toolbox-plaintext.yaml): + if connect to zookeeper without transport encryption +* [./assets/toolbox-plaintext-zookeeper-sidecar.yaml](./assets/toolbox-plaintext-zookeeper-sidecar.yaml): + if you use a sidecar to encrypt zookeeper traffic + +Do not forget to replace all values in `{{curly-brackets}}` by +appropriate values! #### Mutual TLS 
@@ -107,6 +118,17 @@ You need to provide following environment variables: * `KAFKA_USER_CERT_LOCATION` * `KAFKA_CA_CERT_LOCATION` +For Kubernetes deployments you can use following templates: + + +* [./assets/toolbox-mutual-tls.yaml](./assets/toolbox-mutual-tls.yaml) + if connect to zookeeper without transport encryption +* [./assets/toolbox-mutual-tls-zookeeper-sidecar.yaml](./assets/toolbox-mutual-tls-zookeeper-sidecar.yaml): + if you use a sidecar to encrypt zookeeper traffic + +Do not forget to replace all values in `{{curly-brackets}}` by +appropriate values! + #### Other Authentication methods currently not supported. If you need it, open a ticket or provide a diff --git a/assets/toolbox-mutual-tls-zookeeper-sidecar.yaml b/assets/toolbox-mutual-tls-zookeeper-sidecar.yaml new file mode 100644 index 0000000..79905c6 --- /dev/null +++ b/assets/toolbox-mutual-tls-zookeeper-sidecar.yaml 
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kafka-toolbox
+spec:
+ containers:
+ - name: kafka-toolbox
+ image: azapps/kafka-toolbox:latest
+ env:
+ - name: KAFKA_USER_KEY_LOCATION
+ value: /var/private/ssl/kafka-client-ca-certs/user.key
+ - name: KAFKA_USER_CERT_LOCATION
+ value: /var/private/ssl/kafka-client-ca-certs/user.crt
+ - name: KAFKA_CA_CERT_LOCATION
+ value: /var/private/ssl/kafka-cluster-ca-certs/ca.crt
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: "{{kafka-url}}"
+ - name: KAFKA_ZOOKEEPER
+ value: "localhost:2181"
+ volumeMounts:
+ - name: client-ca-certs
+ mountPath: "/var/private/ssl/kafka-client-ca-certs"
+ readOnly: true
+ - name: cluster-ca-cert
+ mountPath: "/var/private/ssl/kafka-cluster-ca-certs"
+ readOnly: true
+ command:
+ - sleep
+ - infinity
+ - name: tls-sidecar
+ image: 'strimzi/entity-operator-stunnel:0.11.3'
+ env:
+ - name: STRIMZI_ZOOKEEPER_CONNECT
+ value: '{{zookeeper-url}}'
+ - name: TLS_SIDECAR_LOG_LEVEL
+ value: notice
+ volumeMounts:
+ # For Zookeeper connet
+ - mountPath: "/etc/tls-sidecar/cluster-ca-certs"
+ name: cluster-ca-cert
+ - mountPath: "/etc/tls-sidecar/eo-certs"
+ name: zk-client-cert
+ volumes:
+ - name: cluster-ca-cert
+ secret:
+ secretName: kafka-cluster-ca-cert
+ - name: client-ca-certs
+ secret:
+ secretName: {{kafka-user}}
+ - name: zk-client-cert
+ secret:
+ secretName: kafka-entity-operator-certs
diff --git a/assets/toolbox-mutual-tls.yaml b/assets/toolbox-mutual-tls.yaml
new file mode 100644
index 0000000..b21bbb0
--- /dev/null
+++ b/assets/toolbox-mutual-tls.yaml
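Review bot: `secretName: {{kafka-user}}` is the only placeholder in these templates left unquoted (the others are written `"{{kafka-url}}"` and `'{{zookeeper-url}}'`), and an unquoted `{{…}}` is read by YAML as a flow mapping used as a map key, which most loaders reject before anyone gets to substitute the value; write `secretName: "{{kafka-user}}"` here and on the same line of the toolbox-mutual-tls.yaml hunk. The two volumeMounts on the tls-sidecar container (`cluster-ca-cert`, `zk-client-cert`) lack the `readOnly: true` that the kafka-toolbox container's certificate mounts carry; add it to both, here and in the toolbox-plaintext-zookeeper-sidecar.yaml hunk, since the sidecar only needs to read the CA and its client key. The `zk-client-cert` volume is backed by `kafka-entity-operator-certs`, which by its name looks like the Entity Operator's own ZooKeeper client identity — confirm, and if so say so on the volume (`# Reuses the Entity Operator's ZooKeeper client cert; the toolbox acts under that identity`) so the trade-off is visible to whoever deploys it. The comment `# For Zookeeper connet` should read `# For Zookeeper connect`.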
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kafka-toolbox
+spec:
+ containers:
+ - name: kafka-toolbox
+ image: azapps/kafka-toolbox:latest
+ env:
+ - name: KAFKA_USER_KEY_LOCATION
+ value: /var/private/ssl/kafka-client-ca-certs/user.key
+ - name: KAFKA_USER_CERT_LOCATION
+ value: /var/private/ssl/kafka-client-ca-certs/user.crt
+ - name: KAFKA_CA_CERT_LOCATION
+ value: /var/private/ssl/kafka-cluster-ca-certs/ca.crt
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: "{{kafka-url}}"
+ - name: KAFKA_ZOOKEEPER
+ value: "{{zookeeper-url}}"
+ volumeMounts:
+ - name: client-ca-certs
+ mountPath: "/var/private/ssl/kafka-client-ca-certs"
+ readOnly: true
+ - name: cluster-ca-cert
+ mountPath: "/var/private/ssl/kafka-cluster-ca-certs"
+ readOnly: true
+ command:
+ - sleep
+ - infinity
+ volumes:
+ - name: cluster-ca-cert
+ secret:
+ secretName: kafka-cluster-ca-cert
+ - name: client-ca-certs
+ secret:
+ secretName: {{kafka-user}}
diff --git a/assets/toolbox-plaintext-zookeeper-sidecar.yaml b/assets/toolbox-plaintext-zookeeper-sidecar.yaml
new file mode 100644
index 0000000..d8c9fac
--- /dev/null
+++ b/assets/toolbox-plaintext-zookeeper-sidecar.yaml
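Review bot: `image: azapps/kafka-toolbox:latest` is a mutable tag, while the stunnel sidecar in the sibling templates is pinned to `0.11.3`; this pod mounts the user's private key (`user.key`) and authenticates with it, so the image that receives that material should be pinned so what runs can be reviewed and reproduced, e.g. `image: azapps/kafka-toolbox:<release-tag>` (placeholder) or an `@sha256:` digest. With `:latest` Kubernetes also defaults `imagePullPolicy` to `Always`, so every pod restart silently re-resolves the tag. The same `:latest` reference appears in the other three new templates.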
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kafka-toolbox
+spec:
+ containers:
+ - name: kafka-toolbox
+ image: azapps/kafka-toolbox:latest
+ env:
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: "{{kafka-url}}"
+ - name: KAFKA_ZOOKEEPER
+ # Do not change! This is the sidecar connection URL
+ value: "localhost:2181"
+ command:
+ - sleep
+ - infinity
+ - name: tls-sidecar
+ image: 'strimzi/entity-operator-stunnel:0.11.3'
+ env:
+ - name: STRIMZI_ZOOKEEPER_CONNECT
+ value: '{{zookeeper-url}}'
+ - name: TLS_SIDECAR_LOG_LEVEL
+ value: notice
+ volumeMounts:
+ - mountPath: "/etc/tls-sidecar/cluster-ca-certs"
+ name: cluster-ca-cert
+ - mountPath: "/etc/tls-sidecar/eo-certs"
+ name: zk-client-cert
+ volumes:
+ - name: cluster-ca-cert
+ secret:
+ secretName: kafka-cluster-ca-cert
+ - name: zk-client-cert
+ secret:
+ secretName: kafka-entity-operator-certs
diff --git a/assets/toolbox-plaintext.yaml b/assets/toolbox-plaintext.yaml
new file mode 100644
index 0000000..b5cb54d
--- /dev/null
+++ b/assets/toolbox-plaintext.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kafka-toolbox
+spec:
+ containers:
+ - name: kafka-toolbox
+ image: azapps/kafka-toolbox:latest
+ env:
+ - name: KAFKA_BOOTSTRAP_SERVERS
+ value: "{{kafka-url}}"
+ - name: KAFKA_ZOOKEEPER
+ value: "{{zookeeper-url}}"
+ command:
+ - sleep
+ - infinity
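Review bot: The `volumes:` block of the toolbox-plaintext-zookeeper-sidecar.yaml hunk hard-codes `kafka-cluster-ca-cert` and `kafka-entity-operator-certs`, which are not `{{…}}` placeholders even though they appear to follow Strimzi's `<cluster-name>-…` secret naming for a cluster called `kafka` — confirm; a reader who follows the README's "replace the curly brackets" instruction on a differently named cluster will typically end up with a pod stuck in ContainerCreating and a missing-secret event. Either make the cluster name a placeholder (`secretName: "{{kafka-cluster}}-cluster-ca-cert"`) or add a comment above `volumes:` such as `# Secret names assume a Strimzi cluster named "kafka"; adjust if yours differs`. The same fixed names are used in the toolbox-mutual-tls-zookeeper-sidecar.yaml and toolbox-mutual-tls.yaml hunks. The `# Do not change! …` comment on KAFKA_ZOOKEEPER here is helpful and is missing from the equivalent `localhost:2181` line in the mutual-TLS sidecar template.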