
Commit 3e3107a

Add camel kafka oauth example (#149)
1 parent c738b10 commit 3e3107a

File tree

25 files changed

+1176
-0
lines changed


kafka-oauth/README.adoc

Lines changed: 126 additions & 0 deletions
@@ -0,0 +1,126 @@
1+
== Camel Kafka with OAuth authentication example
2+
3+
=== Introduction
4+
5+
An example which shows how to integrate https://camel.apache.org/components/next/kafka-component.html[Camel with Kafka] with OAuth authentication using a client secret. The authentication is handled by Keycloak.
6+
7+
This example requires docker-compose as it will build and run a keycloak and kafka broker (setup with kraft mode).
8+
9+
On the Kafka side it uses https://github.com/strimzi/strimzi-kafka-oauth[Strimzi Oauth for Apache Kafka], this library must also be set on the client side.
10+
11+
The Kafka Oauth client side configuration is set in the `src/main/resources/application.properties`. You may want to learn from the Strimzi OAuth project the numerous configurations to have it working with your Kafka Broker, for example you may want to use OAuth Refresh tokens or use JWT tokens.
12+
13+
=== The Kafka Oauth configuration
14+
15+
The configuration is in `src/main/resources/application.properties`, you are welcome to learn more from the https://kafka.apache.org/documentation/#security[Kafka Security] and https://github.com/strimzi/strimzi-kafka-oauth[Strimzi OAuth] documentations.
16+
----
17+
camel.component.kafka.security-protocol = SASL_PLAINTEXT
18+
camel.component.kafka.sasl-mechanism = OAUTHBEARER
19+
camel.component.kafka.sasl-jaas-config = org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
20+
oauth.client.id="kafka-producer-client" \
21+
oauth.client.secret="kafka-producer-client-secret" \
22+
oauth.username.claim="preferred_username" \
23+
oauth.ssl.truststore.location="docker/certificates/ca-truststore.p12" \
24+
oauth.ssl.truststore.type="pkcs12" \
25+
oauth.ssl.truststore.password="changeit" \
26+
oauth.token.endpoint.uri="https://keycloak:8443/realms/demo/protocol/openid-connect/token" ;
27+
camel.component.kafka.additional-properties[sasl.login.callback.handler.class]=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
28+
----
29+
30+
=== Building and running Keycloak and Kafka
31+
32+
* Set the hosts in /etc/hosts
33+
34+
We have to set the IP addresses in /etc/hosts (check your OS how to do it), verify the current IP address and correctly set it as the example shows.
35+
----
36+
192.168.0.104 keycloak
37+
192.168.0.104 kafka
38+
----
39+
40+
* Build the project
41+
42+
This command will download the required Strimzi OAuth libraries for Kafka and add it to the Kafka Broker directory, it will also build the camel spring boot example.
43+
----
44+
mvn package
45+
----
46+
47+
* Launch the Keycloak server
48+
49+
----
50+
cd docker
51+
docker-compose -f keycloak/compose.yml up
52+
----
53+
54+
It must show the `demo` realm was imported successfully.
55+
----
56+
[org.keycloak.exportimport.dir.DirImportProvider] (main) Importing from directory /opt/keycloak/bin/../data/import
57+
[org.keycloak.exportimport.util.ImportUtils] (main) Realm 'demo' imported
58+
[org.keycloak.services] (main) KC-SERVICES0032: Import finished successfully
59+
----
60+
61+
It also shows the server started.
62+
----
63+
[io.quarkus] (main) Keycloak 26.0.8 on JVM (powered by Quarkus 3.15.1) started in 9.169s. Listening on: http://0.0.0.0:8080 and https://0.0.0.0:8443
64+
[io.quarkus] (main) Profile prod activated.
65+
[io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-h2, keycloak, narayana-jta, opentelemetry, reactive-routes, rest, rest-jackson, smallrye-context-propagation, vertx]
66+
----
67+
68+
* Launch the Kafka broker
69+
70+
Open another terminal console and go to the docker directory:
71+
----
72+
cd docker
73+
docker-compose -f kafka-oauth-strimzi/compose.yml up --build
74+
----
75+
76+
It should show the kafka broker authenticated to the keycloak server using the kafka-broker client id.
77+
----
78+
loginWithClientSecret() - tokenEndpointUrl: http://keycloak:8080/realms/demo/protocol/openid-connect/token, clientId: kafka-broker, clientSecret: k*********, scope: null, audience: null, connectTimeout: 20, readTimeout
79+
: 60, retries: 0, retryPauseMillis: 0 (io.strimzi.kafka.oauth.common.OAuthAuthenticator)
80+
----
81+
82+
It should show the kafka broker started
83+
----
84+
Kafka version: 3.9.0 (org.apache.kafka.common.utils.AppInfoParser)
85+
86+
[KafkaRaftServer nodeId=1] Kafka Server started (kafka.server.KafkaRaftServer)
87+
----
88+
89+
=== Run the camel example
90+
91+
As the project was already built, it's ready to run:
92+
93+
----
94+
mvn spring-boot:run
95+
----
96+
97+
It should display the kafka OAuth settings, example:
98+
----
99+
sasl.login.callback.handler.class = class io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
100+
sasl.mechanism = OAUTHBEARER
101+
security.protocol = SASL_PLAINTEXT
102+
----
103+
104+
It should show the producer message and the consumer message.
105+
----
106+
[a_Topic1]] route1 : >> Message sent: Hi from Camel - Wed Jan 15 12:11:42 WET 2025
107+
[a_Topic1]] route2 : << Message received: Hi from Camel - Wed Jan 15 12:11:42 WET 2025
108+
----
109+
110+
The kafka broker log should display the OAuth logging.
111+
----
112+
DEBUG Set validated token on callback: BearerTokenWithPayloadImpl (principalName: service-account-kafka-producer-client, groups: null, lifetimeMs: 1736978965000 [2025-01-15T22:09:25 UTC], startTimeMs: 1736942965000 [2025-01-15T12:09:25 UTC], scope: [profile, email], payload: {"exp":1736978965,"iat":1736942965,"jti":"43781656-a432-47f5-b0ae-c44e3224bb2b","iss":"https://keycloak:8443/realms/demo","sub":"f288b7db-a3e4-4cf4-80d3-2e5118bb2c9c","typ":"Bearer","azp":"kafka-producer-client","acr":"1","scope":"email profile","email_verified":false,"clientHost":"192.168.0.104","preferred_username":"service-account-kafka-producer-client","clientAddress":"192.168.0.104","email":"service-account-kafka-producer-client@placeholder.org","client_id":"kafka-producer-client"}, sessionId: 1893424185) (io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler)
113+
----
114+
115+
Press `Ctrl-C` to exit.
116+
117+
=== Help and contributions
118+
119+
If you hit any problem using Camel or have some feedback,
120+
then please https://camel.apache.org/community/support/[let us know].
121+
122+
We also love contributors,
123+
so https://camel.apache.org/community/contributing/[get involved] :-)
124+
125+
The Camel riders!
126+
1.54 KB
Binary file not shown.
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIFCzCCAvOgAwIBAgIUZ0kDv3zox1niOA1aqt1mgw5waSkwDQYJKoZIhvcNAQEL
3+
BQAwFTETMBEGA1UEAwwKc3RyaW16aS5pbzAeFw0yMTAzMjYwOTE4MTBaFw0zMTAz
4+
MjQwOTE4MTBaMBUxEzARBgNVBAMMCnN0cmltemkuaW8wggIiMA0GCSqGSIb3DQEB
5+
AQUAA4ICDwAwggIKAoICAQC7uFCvR4S6tSAFxAmzbjtGEV8XxA5iAZKL+TlMbs65
6+
riT1YYq0uU2JoXeWQUQRrwyPM5822klK0dVfTmrct0fVvPK7hQkAUatmmgczimxg
7+
ndmJPtnJaypG4v9C1Nn2Ahh02aCafKk1wjhfuELSC/pLwdF3r3qiQUZM04JZIC6y
8+
s9iqW7ehkTfaC5RV0nFXK0YfZI6rummXxIfrvv6oEzzcbmSkkB9vgKK1X7bJNTxR
9+
qfwto8/d3nV51ZAmMUi1tKsT7N51yNvBVv0/x7FRfx9VFLsGDNr4t6rWP41YG7xa
10+
yxlXDFSW5gJBBkt1lbrm2A+QfeaXKJGaApW3vJkCQdLo1JpNZP6qGnss+ctpMwTD
11+
Bxgigr9DAa9dCjkmoDq3Pew46svrmzDvFu/++f+OAcwFuqRYA1h8m5fgJ9pwhyfV
12+
r+KNR9yLs7ot1F9ntd4M2JaeiaFAePrQ0eCe3PlL1eGgrXQ54EwdPPt7lSbidCEO
13+
bWnkxLC95ErM+QJdx2nSYV98vRBrPyQwyaQHIXdHHC1jXAK8oxrmpzVDXo240emj
14+
1p/qxxMvfm97jrZbnOKs3LLEMT8iA2RrRClsWpm4MROZhwyi/tv9nBHEy/MsB8kt
15+
+4TkZlBDbZVV3XOwCuNvBEAU3MlNOw5Nb6ppcxtBjVLy8ekK1F53k1q576ncv2TV
16+
kQIDAQABo1MwUTAdBgNVHQ4EFgQU9hhGe0vri3zDq+hsZmuqTZzatiwwHwYDVR0j
17+
BBgwFoAU9hhGe0vri3zDq+hsZmuqTZzatiwwDwYDVR0TAQH/BAUwAwEB/zANBgkq
18+
hkiG9w0BAQsFAAOCAgEALmrWaYSPjoVryvjxH9ANXqRGdM/6BkcI/uP668K2AiS+
19+
IJY2V4kVl908hs24l6Rd1/wCenKz2WoTZ5495JFIqjfZtOuMzQ2HGHZMDp+SaPYz
20+
ZlzMP/yv5mNJ5HtPuaLGs+7oNR6QKWpvQNnVFfsb2qCTwsSCcbLNvRwAhYOHo1/V
21+
HAB1ho29BBkUXaweLbBEijQIxufcK2XIXn/KksbQB0Cr8uuscrZx4UixVKIz2vx5
22+
8iJERwc1ox7SdKKrx8KYFy/pX7ppA1z/wRBQunD3JmSHHMl0ffWDkNrfCHmtjsB5
23+
Z9JfbPHT6laMa6WAjpD+X64O24JwnzodqMqK1DFJOLkylPq+S2daYc3AAVuOLxQ3
24+
SwqxZwQsFQFnldSI2+HqYJuEFsZ5AZSioW+JS+ogH+xsRzENJUwAh12P+8nEGzZf
25+
pGBEbdBoEuGJ4GG2EbrbOPcZ2jHnQlrh247NDeNeqTbugVOVui+dlANBOQmyd2xw
26+
sJMSUuwN4MJTNqcWC8jVsPfLprxEdYa35lFiWI/ut35QnIn8nO0CMrZ/jSRc5j3a
27+
sN+FnLcsqY1bbKutzeGu/AmLXMm8PYOCaEKbMuJVp9qslhthv8Qz0XQg6g6mnxlM
28+
xugFfjB++LglJ+zVKzEtL2BCc21QpI7fQXqb7HJd2H1H1IgoMG6eyCgzHUUiCFg=
29+
-----END CERTIFICATE-----
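Review bot: this is a pre-generated CA certificate for `CN=strimzi.io` checked in as a static file, even though the `openssl genrsa` / `openssl req -x509` script added in the same commit can create one; because the matching private key is also committed, every checkout shares one CA, and whoever holds the key can issue certificates that the `ca-truststore.p12` built from it accepts. Either generate the CA at setup time (for example as part of the documented `mvn package` step) or add a line to the README stating that this CA is disposable demo material that must never be imported into a real truststore.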
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
-----BEGIN RSA PRIVATE KEY-----
2+
MIIJKQIBAAKCAgEAu7hQr0eEurUgBcQJs247RhFfF8QOYgGSi/k5TG7Oua4k9WGK
3+
tLlNiaF3lkFEEa8MjzOfNtpJStHVX05q3LdH1bzyu4UJAFGrZpoHM4psYJ3ZiT7Z
4+
yWsqRuL/QtTZ9gIYdNmgmnypNcI4X7hC0gv6S8HRd696okFGTNOCWSAusrPYqlu3
5+
oZE32guUVdJxVytGH2SOq7ppl8SH677+qBM83G5kpJAfb4CitV+2yTU8Uan8LaPP
6+
3d51edWQJjFItbSrE+zedcjbwVb9P8exUX8fVRS7Bgza+Leq1j+NWBu8WssZVwxU
7+
luYCQQZLdZW65tgPkH3mlyiRmgKVt7yZAkHS6NSaTWT+qhp7LPnLaTMEwwcYIoK/
8+
QwGvXQo5JqA6tz3sOOrL65sw7xbv/vn/jgHMBbqkWANYfJuX4CfacIcn1a/ijUfc
9+
i7O6LdRfZ7XeDNiWnomhQHj60NHgntz5S9XhoK10OeBMHTz7e5Um4nQhDm1p5MSw
10+
veRKzPkCXcdp0mFffL0Qaz8kMMmkByF3RxwtY1wCvKMa5qc1Q16NuNHpo9af6scT
11+
L35ve462W5zirNyyxDE/IgNka0QpbFqZuDETmYcMov7b/ZwRxMvzLAfJLfuE5GZQ
12+
Q22VVd1zsArjbwRAFNzJTTsOTW+qaXMbQY1S8vHpCtRed5Naue+p3L9k1ZECAwEA
13+
AQKCAgEAkPsxla5u3KS3LrzRoTspnFweTYSmdxsvy9uYXWfXUaEl+j5zmlDjicCj
14+
U/DkWaQQ1yjPdtXwdVDKsuklr4H+gR2Fez6sTQrGjl+34B6wxY4kTNO18NJLvKPk
15+
8gDithW4Pcc3Oxm8tkBiucreEMwfbBMtbHqjBF3VpdBVg/BPIMW2ORzNHoPB1y3K
16+
St5VmzVY2zYW2psGoqivMWw50iXJg5XfNRn6rWt0PxDFY3EyPQBEPBugl4MQyCAh
17+
TN4TggMffiwbRGz1DMXaoj/gu0irMlLofyu+kwmHcCF1UO9a8eSalZh4XHMYmo/6
18+
B760s0V7/+S9C1HR4ljMuTN4GT4tXUK8ZKueqMQmPzC/oNN2AGjfwiBEIMfjTvOh
19+
QjZqHC/9M7hj/1veYUBgXUJ8v0JZ8G+iQU3UhetPwedg2ZIdp+y2ZRP7FmVVaDpU
20+
Ch3hOhY2Eb/XQkV2Ph8ajw+Ws/e3dDarbnvKWwwnIXQ9aAO695V9lswjfB8KtvGA
21+
4KMEMtdCFj3gUEBkEAN/ZocrGo2N7+RcaH9cekV/aUD849ipiS0BROv45rr4x3C0
22+
j9V6Tdk1e5fjdJY+afDvfsth+yY71dzvGNfy9Ktk4ETAMK9fxsIOgEoiFmUn20S+
23+
YbiWPzYRKI+v0YJPCS2GzWjtO6Qr6zR9QpaaAbk7lC063ml8peECggEBAON2D6LI
24+
EtmEKqRnkUH0Og5oUYyl4S+AdV5HchyTnG+0gMY54jD0UqcS0qV70gG09MKmGT2A
25+
Nf138LG2bXRBdUcxvIiHNfZqY6ei8nqlAO1//C9A+2brStVq9w9Jmn/0ipPZMvho
26+
P+R2fb74wKWkZbQUETRCmqvfO7nKC2ZB9ejUgjbWEskBQQTsT3F6RGeX+iEd+6eF
27+
OORIAf0HwymQCaHlZkPJQ4B0u5EY22vW2fv6G3oYtUPIk7XBx2z7/wJOEyhM8dJc
28+
N5TquDxVTwllQ8WudkzCEQ/6Y5aAJHNz8Ip549tN17qyoxA/2P8bJQdW4WcZ3qY/
29+
mM/dAYcs77OKBd8CggEBANNFyW6FoWU5L/BSuGgRXXsiREbJyf02rfA9/GqBGSLQ
30+
zpIZ6GYpXa/8vr71bCJGJj5XlFk3dnwHBnKwAQknEHHspiEgw220Y6/kDBpFL2fp
31+
UUdaoo2gpAWkEvmjiUln/RBXeHw3v0pY0daCeQkueH3Ups4U/+J8XnykOMnDxTAh
32+
30s+CXoezrauMuZmmz3ysBEI3ISaSHns+n2IM3RpIVrUuhkMPq0Eu1SBnrrOjFXr
33+
5kVL1D2M3s1bD+TVAFAd8/n5e3x46YVid/AIvC5/J6l9kJHgQAFH6s8Yk0jRp5ps
34+
vOrcw0xSYde1XN22h38bwMdrE1E3yvYpnSxoUAiaMo8CggEAYc/lDWTn5i2VgLkg
35+
l7IEPSnS156FZT3iOraSdYNsZATE03kUsWR/HmVTu+Gw/xbnocR3WiEGFoc7M9B0
36+
5Oc5HXJf1n3+UIaTcAT8LI1EBt1gfpl9AlbwCTJEJ4jJLXjlForyBiwePYpOrI6f
37+
mRtGuNdgRo7VoE8QieY+XKzEqGipzhbkYRdu9EUCLJQdUkbiQtd33iPFwTTN1hc+
38+
b2MHIV1aSpADvPt1pQGBabAscNSueCSj3hAkpKY9sbnzgPQ9/LiJzKHnLNx6eUde
39+
A3ZOXHWXXY6ec7aCmLdl9VfH+mRL/YRN3nTu9g/eqmTr2Woc548SVX9HoSsyewRx
40+
10zlFQKCAQEAu4/rIimUfU7l1k8503oHKbfkMYwXvKr8hJojK1JtRFFn8qD5hykW
41+
OZUCqnkrhMoOTa5mz0XD9JwwB0VlxgBeQyW63xI9LXnGPnMQo4nkajXiqJw4T8/b
42+
jf55shKTYQ3mxslA99ZuBs0PjYbLeXE+G0fcxnwyJ5oOME2C9OzOdMq9eAkdVMNg
43+
9SF1osJY9AgucxEQ5NAro8LVJvjx5Vkn+YF9rZsHUYcv3/grOOECCY2iIscNJ4+W
44+
hW1gkODgpD/TR4tLK9gUSQyAOiMnHYhZZ8lHvZn+eKSmOzEwIKewShJbLY7L+0fw
45+
ARbL2TGg3SGAZgoTXjlQAHY1SSVaWCi81QKCAQBT2I2mcaWVZhTfQDA+icPG5pkv
46+
G5vcbBX9rVSitzZ/p22VV3rfEmHUCyEhOCwX/N3bmS5SaYWksr1TU7cnFAZ2GOQk
47+
kuitdCN6NbCAHVU4aj9f//8qyrPV8eOb2kWYMPrgzXOLcfBisaAPdf1yI+GU6gbj
48+
1NQr+xzeoMNMuHwKnXi0YWM4c3NhdOCDPBIRjkY6WxyzJSiECEXYYwu3uGis3hR+
49+
HbFra0XvD5hC6fep45NVWLgGVqjE9Sv7DeDiFZbbaiP4IxKBmwWXGPmpJtDk4N12
50+
JHOYwDsuBqWnK2Fs/TwoNb6EIziB3HMNGO/eSkFo+b9eB4l2sOyjxH5djx1a
51+
-----END RSA PRIVATE KEY-----
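Review bot: a cleartext RSA private key (the CA key matching the certificate above) is committed to the repository; this is the highest-impact item in the change, since with it anyone can sign certificates that the demo truststores trust. Suggest dropping it from the commit, adding `*.key` to `.gitignore`, and relying on the generation script (which already writes `ca.key`) to produce it locally; if it has to stay for reproducibility, say so explicitly in the README so nobody reuses it outside the demo.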
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
#!/bin/sh
2+
set -e
3+
4+
# create CA key
5+
openssl genrsa -out ca.key 4096
6+
7+
# create CA certificate
8+
openssl req -x509 -new -nodes -sha256 -days 3650 -subj "/CN=strimzi.io" -key ca.key -out ca.crt
9+
10+
11+
PASSWORD=changeit
12+
13+
# create p12 truststore
14+
keytool -keystore ca-truststore.p12 -storetype pkcs12 -alias ca -storepass $PASSWORD -keypass $PASSWORD -import -file ca.crt -noprompt
15+
16+
# copy the certificate to client dirs
17+
cp ca-truststore.p12 ../kafka-oauth-strimzi/kafka/config/
18+
cp ca-truststore.p12 ../keycloak-import/config/
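Review bot: the script writes `ca.key`, `ca.crt` and `ca-truststore.p12` next to itself and copies with relative paths (`../kafka-oauth-strimzi/...`, `../keycloak-import/...`), so it only works when invoked from `docker/certificates`, and it must run before the broker keystore script, which reads `../../../certificates/ca.crt`; a `cd "$(dirname "$0")"` after `set -e` and a one-line comment on the ordering would avoid a confusing failure. Also `PASSWORD=changeit` is the same value the README hardcodes in `oauth.ssl.truststore.password`; acceptable for a demo, but a comment that the two must be kept in sync if either changes would help.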
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
services:
2+
3+
#################################### KAFKA BROKER ####################################
4+
kafka:
5+
image: strimzi/example-kafka
6+
build: kafka/target
7+
container_name: kafka
8+
ports:
9+
- 9091:9091
10+
- 9092:9092
11+
12+
# javaagent debug port
13+
#- 5005:5005
14+
command:
15+
- /bin/bash
16+
- -c
17+
- cd /opt/kafka && ./start.sh --kraft
18+
19+
environment:
20+
21+
# Java Debug
22+
#KAFKA_DEBUG: y
23+
#DEBUG_SUSPEND_FLAG: y
24+
#JAVA_DEBUG_PORT: 5005
25+
26+
#
27+
# KAFKA Configuration
28+
#
29+
LOG_DIR: /home/kafka/logs
30+
KAFKA_PROCESS_ROLES: "broker,controller"
31+
KAFKA_NODE_ID: "1"
32+
KAFKA_CONTROLLER_QUORUM_VOTERS: "1@kafka:9091"
33+
KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
34+
KAFKA_SASL_MECHANISM_CONTROLLER_PROTOCOL: PLAIN
35+
36+
KAFKA_LISTENERS: "CONTROLLER://kafka:9091,CLIENT://kafka:9092"
37+
KAFKA_ADVERTISED_LISTENERS: "CLIENT://kafka:9092"
38+
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: "CONTROLLER:SASL_PLAINTEXT,CLIENT:SASL_PLAINTEXT"
39+
40+
KAFKA_INTER_BROKER_LISTENER_NAME: CLIENT
41+
KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: OAUTHBEARER
42+
43+
KAFKA_PRINCIPAL_BUILDER_CLASS: "io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder"
44+
45+
KAFKA_LISTENER_NAME_CONTROLLER_SASL_ENABLED_MECHANISMS: PLAIN
46+
KAFKA_LISTENER_NAME_CONTROLLER_PLAIN_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"admin\" password=\"admin-password\" user_admin=\"admin-password\" user_bobby=\"bobby-secret\" ;"
47+
48+
KAFKA_LISTENER_NAME_CLIENT_SASL_ENABLED_MECHANISMS: OAUTHBEARER
49+
KAFKA_LISTENER_NAME_CLIENT_OAUTHBEARER_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;"
50+
KAFKA_LISTENER_NAME_CLIENT_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
51+
KAFKA_LISTENER_NAME_CLIENT_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
52+
53+
KAFKA_SUPER_USERS: "User:admin,User:service-account-kafka-broker"
54+
55+
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
56+
57+
58+
#
59+
# Strimzi OAuth Configuration
60+
#
61+
62+
# Authentication config
63+
OAUTH_CLIENT_ID: "kafka-broker"
64+
OAUTH_CLIENT_SECRET: "kafka-broker-secret"
65+
OAUTH_TOKEN_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token"
66+
67+
# Validation config
68+
OAUTH_VALID_ISSUER_URI: "https://${KEYCLOAK_HOST:-keycloak}:8443/realms/${REALM:-demo}"
69+
OAUTH_JWKS_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/certs"
70+
#OAUTH_INTROSPECTION_ENDPOINT_URI: "http://${KEYCLOAK_HOST:-keycloak}:8080/realms/${REALM:-demo}/protocol/openid-connect/token/introspect"
71+
72+
73+
# username extraction from JWT token claim
74+
OAUTH_USERNAME_CLAIM: preferred_username
75+
OAUTH_CONNECT_TIMEOUT_SECONDS: "20"
76+
77+
# For start.sh script to know where the keycloak is listening
78+
KEYCLOAK_HOST: ${KEYCLOAK_HOST:-keycloak}
79+
KEYCLOAK_URI: https://keycloak:8443
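Review bot: `OAUTH_JWKS_ENDPOINT_URI` and `OAUTH_TOKEN_ENDPOINT_URI` use `http://...:8080` while `OAUTH_VALID_ISSUER_URI` and `KEYCLOAK_URI` use `https://...:8443`; fetching the JWKS over plain HTTP means the keys used to validate every client token are retrieved without authenticating the server, which is the one place in this setup where TLS matters most. Since a CA truststore is already built and copied into the broker image, consider pointing both URIs at the 8443 listener and configuring the Strimzi OAuth truststore settings on the broker side. Secondary: `KAFKA_LISTENER_NAME_CONTROLLER_PLAIN_SASL_JAAS_CONFIG` carries literal passwords (`admin-password`) plus an unused `user_bobby` entry, and both listeners are `SASL_PLAINTEXT`; a comment marking these as demo-only values would help readers who copy this file.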
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
FROM quay.io/strimzi/kafka:0.45.0-kafka-3.9.0
2+
3+
COPY libs/* /opt/kafka/libs/strimzi/
4+
COPY config/* /opt/kafka/config/
5+
COPY *.sh /opt/kafka/
6+
COPY certificates/*.p12 /tmp/kafka/
7+
8+
USER root
9+
RUN chmod +x /opt/kafka/*.sh
10+
USER kafka
11+
12+
CMD ["/bin/bash", "/opt/kafka/start.sh"]
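Review bot: `COPY certificates/*.p12 /tmp/kafka/` bakes the broker keystore, which holds the broker's private key according to the keystore script in this commit, into an image layer, and `/tmp` is an odd location for credentials the broker needs at startup; prefer mounting them as a volume or secret from compose, or at least copy them under `/opt/kafka/` with restricted ownership. Also `CMD` runs `start.sh` without `--kraft` while `compose.yml` overrides the command with `./start.sh --kraft`; aligning the two keeps the image usable outside compose.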
Binary file not shown.
Binary file not shown.
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
#!/bin/sh
2+
3+
set -e
4+
5+
STOREPASS=Z_pkTh9xgZovK4t34cGB2o6afT4zZg0L
6+
7+
echo "#### Generate broker keystore"
8+
keytool -keystore cluster.keystore.p12 -alias localhost -validity 3650 -genkey -keyalg RSA -ext SAN=DNS:kafka -dname "CN=my-cluster-kafka,O=io.strimzi" -deststoretype pkcs12 -storepass $STOREPASS -keypass $STOREPASS
9+
10+
echo "#### Add the CA to the brokers’ truststore"
11+
keytool -keystore cluster.truststore.p12 -deststoretype pkcs12 -storepass $STOREPASS -alias CARoot -importcert -file ../../../certificates/ca.crt -noprompt
12+
13+
echo "#### Export the certificate from the keystore"
14+
keytool -keystore cluster.keystore.p12 -storetype pkcs12 -alias localhost -certreq -file cert-file -storepass $STOREPASS
15+
16+
echo "#### Sign the certificate with the CA"
17+
openssl x509 -req -CA ../../../certificates/ca.crt -CAkey ../../../certificates/ca.key -in cert-file -out cert-signed -days 3650 -CAcreateserial -passin pass:$STOREPASS
18+
19+
echo "#### Import the CA and the signed certificate into the broker keystore"
20+
keytool -keystore cluster.keystore.p12 -deststoretype pkcs12 -alias CARoot -import -file ../../../certificates/ca.crt -storepass $STOREPASS -noprompt
21+
keytool -keystore cluster.keystore.p12 -deststoretype pkcs12 -alias localhost -import -file cert-signed -storepass $STOREPASS -noprompt
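Review bot: the signing step `openssl x509 -req -CA ... -in cert-file -out cert-signed` does not carry the `SAN=DNS:kafka` extension requested with `-ext` at key generation, because `openssl x509 -req` ignores CSR extensions unless told to copy them (`-copy_extensions copy` on OpenSSL 3, or an `-extfile`); the resulting broker certificate has no SAN, so hostname verification for `kafka` will fail once TLS is enabled. Two smaller points: `-passin pass:$STOREPASS` is applied to a CA key that was created with `-nodes` (unencrypted), so it is a no-op that also puts a password on the command line, and the echo before `-certreq` says "Export the certificate" when that step actually generates a CSR.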
