ok

Mongey · Dec 29, 2019 · 0e0486b · 0e0486b
1 parent 547bd81
commit 0e0486b
Show file tree

Hide file tree

Showing 11 changed files with 139 additions and 17 deletions.
diff --git a/bin/build-and-add-plugin b/bin/build-and-add-plugin
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -e
+
+export VAULT_ADDR=http://localhost:8200
+PLUGIN_NAME="vault-plugin-secrets-kafka"
+MNT_PATH="kafka"
+
+echo "---> Building"
+GOOS=linux GOARCH=amd64 go build -o "docker/plugins/$PLUGIN_NAME"
+SHASUM=$(shasum -a 256 "docker/plugins/$PLUGIN_NAME" | cut -d " " -f1)
+
+echo "---->Registering plugin"
+vault write sys/plugins/catalog/$PLUGIN_NAME \
+  sha_256="$SHASUM" \
+  command="$PLUGIN_NAME"
+
+echo "    Mouting plugin"
+vault secrets enable -path=$MNT_PATH -plugin-name=$PLUGIN_NAME plugin
diff --git a/bin/dev b/bin/dev
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -e
+set -ex
 
 MNT_PATH="kafka"
 PLUGIN_NAME="vault-plugin-secrets-kafka"
@@ -45,8 +45,9 @@ function cleanup {
 }
 trap cleanup EXIT
 
+echo "waaaaaaaaaaat"
 echo "    Authing"
-vault auth root &>/dev/null
+#vault auth root
 
 echo "--> Building"
 go build -o "$SCRATCH/plugins/$PLUGIN_NAME"

diff --git a/bin/quick-test b/bin/quick-test
@@ -4,7 +4,7 @@ set -e
 export VAULT_ADDR=http://localhost:8200
 
 TTL=1000
-ADMINNAME="ConorAdmin"
+ADMINNAME="VaultKafkaPlugin"
 DATA=$(vault write -format=json pki/issue/kafka-clients common_name="$ADMINNAME" ttl=$TTL | jq -r .data)
 
 echo "Hello $NAME"

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -0,0 +1,54 @@
+---
+version: '2'
+services:
+  vault:
+    image: vault:1.3.0
+    ports:
+      - "8200:8200"
+    command: vault server -dev -config="/vault/vault.hcl"
+    volumes:
+      - ./docker:/vault
+    environment:
+      VAULT_DEV_ROOT_TOKEN_ID: "root"
+      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+
+  zookeeper:
+    image: confluentinc/cp-zookeeper:latest
+    ports:
+      - "2181:2181"
+    environment:
+      ZOOKEEPER_CLIENT_PORT: 2181
+      ZOOKEEPER_TICK_TIME: 2000
+    extra_hosts:
+      - "moby:127.0.0.1"
+
+  kafka:
+    image: confluentinc/cp-kafka:5.0.1
+    ports:
+      - "9092:9092"
+    depends_on:
+      - zookeeper
+    environment:
+      KAFKA_BROKER_ID: 1
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+      KAFKA_ADVERTISED_LISTENERS: SSL://localhost:9092
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+
+      KAFKA_SSL_KEYSTORE_FILENAME: kafka.broker0.keystore.jks
+      KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.broker0.truststore.jks
+
+      KAFKA_SSL_KEY_CREDENTIALS: broker0_sslkey_creds
+
+      KAFKA_SSL_KEYSTORE_CREDENTIALS: broker0_keystore_creds
+      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: broker0_truststore_creds
+
+      KAFKA_SECURITY_INTER_BROKER_PROTOCOL: SSL
+      KAFKA_SSL_CLIENT_AUTH: required
+      KAFKA_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: ""
+      KAFKA_LISTENER_NAME_INTERNAL_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM: 
+      KAFKA_ALLOW_EVERYONE_IF_NO_ACL_FOUND: "false"
+      KAFKA_AUTHORIZER_CLASS_NAME: kafka.security.auth.SimpleAclAuthorizer
+    volumes:
+      - ./tmp/secrets:/etc/kafka/secrets
+    extra_hosts:
+      - "moby:127.0.0.1"
diff --git a/docker/vault.hcl b/docker/vault.hcl
@@ -0,0 +1 @@
+plugin_directory = "/vault/plugins"
diff --git a/kafka-helper-scripts/broker0.conf b/kafka-helper-scripts/broker0.conf
@@ -8,4 +8,4 @@ security.inter.broker.protocol=SSL
 ssl.endpoint.identification.algorithm=
 ssl.client.auth=required
 authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
-super.users=User:CN=ConorAdmin;User:CN=broker0;
+super.users=User:CN=VaultKafkaPlugin;User:CN=broker0;
diff --git a/kafka-helper-scripts/enable-pki b/kafka-helper-scripts/enable-pki
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+export VAULT_ADDR=http://localhost:8200
+
+echo "PKI Enable"
+vault secrets enable pki
+vault write pki/root/generate/internal common_name=kafka-cluster
+echo "Kafka role"
+vault write pki/roles/kafka-clients allow_any_name=true
+echo "==> Ready!"
diff --git a/kafka-helper-scripts/generate-broker-keystore.sh b/kafka-helper-scripts/generate-broker-keystore.sh
@@ -1,4 +1,6 @@
+#!/bin/bash
 set -e
+
 export VAULT_ADDR=http://localhost:8200
 
 TTL=1000
@@ -48,4 +50,7 @@ keytool -importkeystore \
 
 rm ca.crt server.key server.crt server.p12
 
+echo $PASSWORD > tmp/secrets/broker0_keystore_creds
+mv $OUTPUT_FILE tmp/secrets/kafka.broker0.keystore.jks
+
 echo "Done!"
diff --git a/kafka-helper-scripts/generate-client-certs.sh b/kafka-helper-scripts/generate-client-certs.sh
@@ -7,7 +7,7 @@ NAME=${PARAM:-"unknown client"}
 DATA=$(vault write -format=json pki/issue/kafka-clients common_name="$NAME" ttl=$TTL | jq -r .data)
 
 echo "Hello $NAME"
-printf "%s" "$DATA" | jq -r .private_key > private.key
-printf "%s" "$DATA" | jq -r .issuing_ca > ca.cert
-printf "%s" "$DATA" | jq -r .certificate > client.cert
+printf "%s" "$DATA" | jq -r .private_key > sample-app/private.key
+printf "%s" "$DATA" | jq -r .issuing_ca > sample-app/ca.cert
+printf "%s" "$DATA" | jq -r .certificate > sample-app/client.cert
 echo "Done!"
diff --git a/kafka-helper-scripts/generate-truststore.sh b/kafka-helper-scripts/generate-truststore.sh
@@ -23,4 +23,5 @@ echo "Cleaning up"
 set +e
 rm issuing_ca.cer
 set -e
-
+echo $PASSWORD > tmp/secrets/broker0_truststore_creds
+mv $OUTPUT_FILE tmp/secrets/kafka.broker0.truststore.jks
diff --git a/sample-app/main.go b/sample-app/main.go
@@ -1,27 +1,58 @@
 package main
 
 import (
+	"io/ioutil"
 	"log"
-	"os"
 
+	"github.com/Mongey/terraform-provider-kafka/kafka"
 	"github.com/Shopify/sarama"
 )
 
 const topic = "my-topic"
 
 func main() {
-	bootstrapServers := []string{"localhost:9092"}
-	cfg, err := newTLSConfig("client.cert", "private.key", "ca.cert")
+	_client, err := client("localhost:9092", "client.cert", "private.key", "ca.cert")
 	if err != nil {
 		log.Fatalf("%s", err)
 	}
-	kafkaConfig := sarama.NewConfig()
-	kafkaConfig.Version = sarama.V2_0_0_0
-	kafkaConfig.ClientID = "terraform-provider-kafka"
-	kafkaConfig.Net.TLS.Enable = true
-	kafkaConfig.Net.TLS.Config = cfg
-	sarama.Logger = log.New(os.Stderr, "", log.LstdFlags)
 
 	consumeAllMessages(topic, bootstrapServers, kafkaConfig)
 	produce(topic, bootstrapServers, kafkaConfig)
 }
+
+func client(broker, caLocation, clientCertLocation, clientKeyLocation string) (*sarama.Client, error) {
+	brokers := []string{broker}
+	caCert, err := ioutil.ReadFile(caLocation)
+	if err != nil {
+		return nil, err
+	}
+
+	clientCert, err := ioutil.ReadFile(clientCertLocation)
+	if err != nil {
+		return nil, err
+	}
+
+	clientKey, err := ioutil.ReadFile(clientKeyLocation)
+	if err != nil {
+		return nil, err
+	}
+
+	config := &kafka.Config{
+		BootstrapServers: &brokers,
+		CACert:           string(caCert),
+		ClientCert:       string(clientCert),
+		ClientCertKey:    string(clientKey),
+		SkipTLSVerify:    false,
+		TLSEnabled:       true,
+		Timeout:          100,
+	}
+
+	client, err := kafka.NewClient(config)
+	if err != nil {
+		return nil, err
+	}
+
+	c := client.SaramaClient()
+
+	return &c, nil
+}