Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: updated redpanda example to use abac policies #7944

Closed
wants to merge 1 commit into from
Closed

feat: updated redpanda example to use abac policies #7944

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions examples/command/portals/kafka/redpanda/docker/application_team/run_ockam.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,9 @@ ticket: ${ENROLLMENT_TICKET}
kafka-inlet:
from: 127.0.0.1:9092
to: /project/default/service/forward_to_redpanda/secure/api
allow: '(= subject.kafka-outlet "true")'
allow-consumer: '(= subject.kafka-consumer "true")'
allow-producer: '(= subject.kafka-producer "true")'
EOF

# optional, reduces warnings in the log and order the output
Expand Down
4 changes: 2 additions & 2 deletions examples/command/portals/kafka/redpanda/docker/redpanda_operator/run_ockam.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ set -ex

# This script is used as an entrypoint to a docker container built using ../ockam.dockerfile.
# Create an Ockam node from this `ockam.yaml` descriptor file.
redpanda_address=$(dig +short redpanda)
cat <<EOF > ./ockam.yaml
name: redpanda_outlet_node
ticket: ${ENROLLMENT_TICKET}
Expand All @@ -14,7 +13,8 @@ relay: redpanda

# Declare a Kafka Outlet, with a local destination.
kafka-outlet:
bootstrap-server: ${redpanda_address}:9092
bootstrap-server: redpanda:9092
allow: '(or (= subject.kafka-consumer "true") (= subject.kafka-producer "true"))'
EOF

# Create the Ockam node in foreground mode.
Expand Down
6 changes: 3 additions & 3 deletions examples/command/portals/kafka/redpanda/docker/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,15 +35,15 @@ run() {
# attestest project membership credential issue by the membership authority.
#
# The identity will also allowed to create a relay in the project at the address `redpanda`.
redpanda_operator_ticket=$(ockam project ticket --usage-count 1 --expires-in 10m --relay redpanda)
redpanda_operator_ticket=$(ockam project ticket --usage-count 1 --expires-in 10m --relay redpanda --attribute 'kafka-outlet=true')

# Create an enrollment ticket to enroll the identity used by an ockam node that will run
# adjacent to the Redpanda client app in application_team's network.
#
# The identity that enrolls with the generated ticket will be given a cryptographically
# attestest project membership credential issue by the membership authority.
application_team_consumer_ticket=$(ockam project ticket --usage-count 1 --expires-in 10m --relay '*')
application_team_producer_ticket=$(ockam project ticket --usage-count 1 --expires-in 10m --relay '*')
application_team_consumer_ticket=$(ockam project ticket --usage-count 1 --expires-in 10m --attribute 'kafka-consumer=true' --attribute 'kafka-producer=false' )
application_team_producer_ticket=$(ockam project ticket --usage-count 1 --expires-in 10m --attribute 'kafka-consumer=false' --attribute 'kafka-producer=true' )

# Invoke `docker-compose up` in the directory that has redpanda_operator's configuration.
# Pass the above enrollment ticket as an environment variable.
Expand Down
Loading