#!/usr/bin/env bash
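# -e: abort on any unhandled failure; -u: unset variables are errors;
# pipefail: a pipeline fails if any stage fails (plain `set -e` only looked at
# the last stage, so a failed curl/kubectl feeding sed or base64 went unnoticed).
set -euo pipefail
# Turn colors in this script off by setting the NO_COLOR variable in your
# environment to any value:
#
# $ NO_COLOR=1 test.sh
NO_COLOR=${NO_COLOR:-""}
if [[ -z "$NO_COLOR" ]]; then
  header=$'\e[1;33m'
  reset=$'\e[0m'
else
  header=''
  reset=''
fi
# Strimzi release to install. Set STRIMZI_VERSION to pin a reviewed release;
# otherwise the latest GitHub release is resolved from the /releases/latest
# redirect. The tag is read from curl's reported redirect target rather than
# by scraping the response body, and curl fails loudly (-f) so a network or
# HTTP error cannot leave the version empty and yield a bogus download URL.
strimzi_version=${STRIMZI_VERSION:-}
if [[ -z "$strimzi_version" ]]; then
  latest_url=$(curl -fsS -o /dev/null -w '%{redirect_url}' \
    "https://github.com/strimzi/strimzi-kafka-operator/releases/latest")
  strimzi_version=${latest_url##*/tag/}
fi
# The version is interpolated into download URLs and filenames below, so only
# accept a plain dotted version (e.g. 0.22.1, optionally with a -rc suffix);
# anything else aborts instead of being turned into a URL or a kubectl argument.
if [[ ! "$strimzi_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$ ]]; then
  printf 'Unable to determine a valid Strimzi version (got %q); set STRIMZI_VERSION explicitly\n' \
    "$strimzi_version" >&2
  exit 1
fi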
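#######################################
# Print one highlighted line built from all arguments.
# Globals:   header (read) - colour prefix, empty when NO_COLOR is set
#            reset  (read) - colour suffix, empty when NO_COLOR is set
# Arguments: the words to print, joined with single spaces
# Outputs:   the line on stdout
#######################################
# printf rather than echo: with colours off, a message starting with -n/-e
# would otherwise be parsed by echo as an option instead of being printed.
header_text() {
  printf '%s%s%s\n' "$header" "$*" "$reset"
}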
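header_text "Using Strimzi Version: ${strimzi_version}"
header_text "Strimzi install"
# Create the namespace only when it is missing, so real kubectl failures
# (no credentials, wrong context) are no longer hidden by a blanket `|| true`.
if ! kubectl get namespace kafka >/dev/null 2>&1; then
  kubectl create namespace kafka
fi
# Fetch the release manifest exactly once and apply both halves from the same
# bytes: previously the CRD pass (kubectl fetching the URL itself) and the
# operator pass (curl without -f, so a 404 page would have been piped into
# sed/kubectl) could each get different content.
# NOTE(review): the manifest is still applied unchecked from whatever
# strimzi_version resolved to; for anything beyond a demo, pin the version and
# compare the download against a known digest before applying it.
operator_manifest=$(mktemp)
trap 'rm -f -- "$operator_manifest"' EXIT
curl -fsSL -o "$operator_manifest" \
  "https://github.com/strimzi/strimzi-kafka-operator/releases/download/${strimzi_version}/strimzi-cluster-operator-${strimzi_version}.yaml"
# CRDs first. Kept as `create` like the original; NOTE(review): that means a
# re-run fails with AlreadyExists on the CRDs - confirm whether that is intended.
kubectl -n kafka create --selector strimzi.io/crd-install=true -f "$operator_manifest"
# Everything else, with every `namespace:` line rewritten to the kafka namespace.
sed 's/namespace: .*/namespace: kafka/' "$operator_manifest" \
  | kubectl -n kafka apply --selector strimzi.io/crd-install!=true -f -
# Wait for the CRD we need to actually be active (-1s waits indefinitely).
kubectl wait crd --timeout=-1s kafkas.kafka.strimzi.io --for=condition=Established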
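header_text "Applying Strimzi Cluster file"
# Three internal listeners are exposed:
#   plain  9092  no TLS, no authentication
#   tls    9093  TLS with mutual-TLS client authentication
#   sasl   9094  TLS with SCRAM-SHA-512 authentication
# NOTE(review): the "plain" listener is reachable without any credentials by
# anything that can route to the brokers, and the spec carries no
# `authorization` section, so Kafka enforces no ACLs for the authenticated
# listeners either (confirm against the Strimzi docs for this version). Keep
# that only for demos: drop the plain listener and add
# `authorization: {type: simple}` plus KafkaUser ACLs anywhere else.
# The heredoc delimiter is quoted so nothing in the manifest is shell-expanded.
kubectl -n kafka apply -f - <<'EOF'
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    version: 2.7.0
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: sasl
        port: 9094
        type: internal
        tls: true
        authentication:
          type: scram-sha-512
    config:
      offsets.topic.replication.factor: 3
      transaction.state.log.replication.factor: 3
      transaction.state.log.min.isr: 2
      log.message.format.version: "2.7"
      auto.create.topics.enable: "false"
    storage:
      type: jbod
      volumes:
        - id: 0
          type: persistent-claim
          size: 100Gi
          deleteClaim: false
  zookeeper:
    replicas: 3
    storage:
      type: persistent-claim
      size: 100Gi
      deleteClaim: false
  entityOperator:
    topicOperator: {}
    userOperator: {}
EOF
header_text "Waiting for Strimzi to become ready"
# --timeout=-1s waits indefinitely for the Kafka resource to report Ready.
kubectl wait kafka --all --timeout=-1s --for=condition=Ready -n kafka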
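header_text "Applying Strimzi TLS Admin User"
# Two KafkaUsers, one per authenticated listener: mutual TLS and SCRAM-SHA-512.
# NOTE(review): neither user has an `authorization` section with ACLs; they are
# "admin" only because nothing on the cluster restricts what they may do.
# Heredoc delimiters are quoted so nothing in the manifests is shell-expanded.
kubectl -n kafka apply -f - <<'EOF'
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-tls-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls
EOF
header_text "Applying Strimzi SASL Admin User"
kubectl -n kafka apply -f - <<'EOF'
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: my-sasl-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: scram-sha-512
EOF
header_text "Waiting for Strimzi Users to become ready"
# This was `oc wait`, which only exists where the OpenShift CLI is installed;
# every other step uses kubectl, so use it here as well (-1s waits indefinitely).
kubectl wait kafkauser --all --timeout=-1s --for=condition=Ready -n kafka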
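header_text "Deleting existing KafkaUser secrets"
# Namespace the copied credentials are written to (override with
# TARGET_NAMESPACE; defaults to "default" as before). Anyone with `get secrets`
# there can read the Kafka user's private key and SCRAM password, so keep that
# namespace at least as locked down as the kafka one.
target_ns=${TARGET_NAMESPACE:-default}
# --ignore-not-found makes the delete idempotent without hiding other errors
# (permission denied, unreachable cluster) the way `|| true` did.
kubectl -n "$target_ns" delete secret my-tls-secret --ignore-not-found
kubectl -n "$target_ns" delete secret my-sasl-secret --ignore-not-found
header_text "Creating a Secret, containing TLS from Strimzi"
# Copy the base64 values straight out of the Strimzi secrets into a Secret
# manifest fed over stdin. The previous `--from-literal=user.key=...` put the
# decoded private key and password on the kubectl command line, where any
# local user can read them via ps and where `set -x` or shell history records
# them. Copying the encoded form also avoids the $(... | base64 --decode)
# round trip, which stripped trailing newlines from the PEM blocks, and a
# failing kubectl get now aborts the script instead of producing an empty value.
ca_crt_b64=$(kubectl -n kafka get secret my-cluster-cluster-ca-cert --template='{{index .data "ca.crt"}}')
user_crt_b64=$(kubectl -n kafka get secret my-tls-user --template='{{index .data "user.crt"}}')
user_key_b64=$(kubectl -n kafka get secret my-tls-user --template='{{index .data "user.key"}}')
kubectl -n "$target_ns" create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: my-tls-secret
type: Opaque
data:
  ca.crt: ${ca_crt_b64}
  user.crt: ${user_crt_b64}
  user.key: ${user_key_b64}
EOF
header_text "Creating a Secret, containing SASL from Strimzi"
sasl_password_b64=$(kubectl -n kafka get secret my-sasl-user --template='{{index .data "password"}}')
# password/ca.crt stay base64 under `data`; the two fixed values go in
# `stringData`, which the API server folds into `data` on creation.
kubectl -n "$target_ns" create -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: my-sasl-secret
type: Opaque
data:
  password: ${sasl_password_b64}
  ca.crt: ${ca_crt_b64}
stringData:
  saslType: SCRAM-SHA-512
  user: my-sasl-user
EOF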