🚧 This guide is currently WIP 🚧
!!Currently, the Keycloak example is the only functional setup!!
- Docker capabilities*
- k8s cluster (for example minikube)
```bash
helm upgrade --install operator confluentinc/confluent-for-kubernetes --namespace confluent --version 0.1033.3
kubectl create -n confluent secret generic oauth-jass --from-file=oauth.txt=oauth_jass.txt
kubectl -n confluent create secret generic oauth-jass-oidc --from-file=oidcClientSecret.txt=oauth_jass.txt
kubectl apply -f keycloak_deploy.yaml
helm upgrade --install -f ldap/ldaps-rbac.yaml test-ldap ldap --namespace confluent
```
```bash
openssl genrsa -out ca-key.pem 2048
openssl req -new -key ca-key.pem -x509 \
  -days 1000 \
  -out ca.pem \
  -subj "/C=US/ST=CA/L=MountainView/O=Confluent/OU=Operator/CN=TestCA"
kubectl create secret tls ca-pair-sslcerts \
  --cert=ca.pem \
  --key=ca-key.pem -n confluent
```
```bash
kubectl create secret generic tls-group1 \
  --from-file=fullchain.pem=certs/generated/server.pem \
  --from-file=cacerts.pem=certs/generated/ca.pem \
  --from-file=privkey.pem=certs/generated/server-key.pem \
  -n confluent
kubectl create secret generic rest-credential \
  --from-file=bearer.txt=bearer.txt \
  --from-file=basic.txt=bearer.txt \
  -n confluent
```
```bash
kubectl create secret generic credential \
  --from-file=plain-users.json=creds-kafka-sasl-users.json \
  --from-file=plain.txt=creds-client-kafka-sasl-user.txt \
  --from-file=digest.txt=digest.txt \
  --from-file=digest-users.json=digest-users.json \
  --from-file=oidcClientSecret.txt=oidcClientSecret.txt \
  --from-file=ldap.txt=ldap.txt \
  -n confluent
```
```bash
kubectl create secret generic credential \
  --from-file=plain-users.json=creds-kafka-sasl-users.json \
  --from-file=plain.txt=creds-client-kafka-sasl-user.txt \
  --from-file=oidcClientSecret.txt=oidcClientSecret.txt \
  -n confluent
kubectl create secret generic mds-token \
  --from-file=mdsPublicKey.pem=mdsTokenPublic.pem \
  --from-file=mdsTokenKeyPair.pem=mdsToken.pem \
  -n confluent
```
```bash
kubectl apply -f cp_components_entra.yaml
```
or
```bash
kubectl apply -f cp_components_keycloak.yaml
```
```bash
kubectl apply -f rolebindings.yaml
kubectl apply -f topic-rolebindings.yaml
```
To be able to see the cluster in the Control Center, a user or group needs to have at least the "Operator" role. See the Confluent documentation for the complete set of roles. For example:
```yaml
apiVersion: platform.confluent.io/v1beta1
kind: ConfluentRolebinding
metadata:
  name: g1-operator-kafka
  namespace: confluent
spec:
  principal:
    name: "/g1" # the corresponding group from the IdP that testuser1 belongs to
    type: group
  role: Operator
```
With only the Operator role a user cannot create or modify topics. To create or access a topic, the user needs a rolebinding on that topic. The rolebinding below gives testuser1 the ResourceOwner role on the topic cloud.test.produce (and, because patternType is PREFIXED, on any topic whose name starts with that prefix). This allows testuser1 to create, modify, read and write the given topic.
```yaml
apiVersion: platform.confluent.io/v1beta1
kind: ConfluentRolebinding
metadata:
  name: testuser1.resource-owner
  namespace: confluent
spec:
  principal:
    type: user
    name: 163ee8e8-04f8-4de2-ba22-daf394eea8f1
  role: ResourceOwner
  resourcePatterns:
    - name: cloud.test.produce
      patternType: PREFIXED
      resourceType: Topic
```
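Before applying rolebindings it helps to check offline which roles a principal actually ends up with on a given topic. The following is an added example (not part of this guide or of Confluent for Kubernetes): it mirrors the two bindings above as Python dicts and evaluates them the way Confluent RBAC matches principals and resource patterns (LITERAL vs PREFIXED). The group-membership map standing in for the IdP is a constructed assumption.

```python
# Added example: evaluate ConfluentRolebinding manifests offline to see which roles
# a principal holds cluster-wide and on a specific topic.

# Constructed: the same two rolebindings as in the guide, expressed as Python dicts.
ROLEBINDINGS = [
    {"name": "g1-operator-kafka",
     "principal": {"type": "group", "name": "/g1"},
     "role": "Operator"},  # no resourcePatterns: cluster-scoped binding
    {"name": "testuser1.resource-owner",
     "principal": {"type": "user", "name": "163ee8e8-04f8-4de2-ba22-daf394eea8f1"},
     "role": "ResourceOwner",
     "resourcePatterns": [{"resourceType": "Topic", "name": "cloud.test.produce",
                           "patternType": "PREFIXED"}]},
]

# Constructed assumption: IdP group membership (subject id -> groups), since the
# real membership lives in Keycloak/Entra, not in the manifests.
GROUPS = {"163ee8e8-04f8-4de2-ba22-daf394eea8f1": ["/g1"]}


def _principal_matches(principal, user, member_of):
    if principal["type"] == "user":
        return principal["name"] == user
    if principal["type"] == "group":
        return principal["name"] in member_of
    return False


def _pattern_matches(pattern, resource_type, resource_name):
    if pattern["resourceType"] != resource_type:
        return False
    if pattern["patternType"] == "LITERAL":
        return pattern["name"] == resource_name
    if pattern["patternType"] == "PREFIXED":
        return resource_name.startswith(pattern["name"])
    raise ValueError(f"unknown patternType {pattern['patternType']!r}")


def roles_for(user, resource_type=None, resource_name=None,
              bindings=ROLEBINDINGS, groups=GROUPS):
    """Sorted roles `user` holds. Without a resource only cluster-scoped bindings
    (no resourcePatterns) count; with one, only bindings whose patterns match it."""
    member_of = groups.get(user, [])
    roles = set()
    for binding in bindings:
        if not _principal_matches(binding["principal"], user, member_of):
            continue
        patterns = binding.get("resourcePatterns", [])
        if resource_name is None:
            if not patterns:
                roles.add(binding["role"])
        elif any(_pattern_matches(p, resource_type, resource_name) for p in patterns):
            roles.add(binding["role"])
    return sorted(roles)
```

Running `roles_for("163ee8e8-04f8-4de2-ba22-daf394eea8f1", "Topic", "cloud.test.consume")` returns an empty list, which is exactly the case the text describes: Operator alone grants nothing on a topic.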
WIP