added basic cluster liknking example

examples/cluster-linking/README.md

@@ -0,0 +1,5 @@
+# Replicator
+
+In this scenario example, you'll deploy two Confluent clusters. One is the source cluster, and one is the destination cluster. You'll deploy Confluent Replicator on the destination cluster, where it will copy topic messages from the source cluster and write to the destination cluster.
+
+1. 

examples/cluster-linking/destination/control-centre.yaml

@@ -0,0 +1,37 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: ControlCenter
+metadata:
+  name: controlcenter
+spec:
+  authorization:
+    type: rbac
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.destination.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.destination.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-c3
+      tls:
+        enabled: true
+    connect:
+      - name: replicator
+        url:  https://replicator.destination.svc.cluster.local:8083
+        tls:
+          enabled: true
+    schemaRegistry:
+      url: https://schemaregistry.destination.svc.cluster.local:8081
+      tls:
+        enabled: true

examples/cluster-linking/destination/controlcenter-testadmin-rolebindings.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: testadmin-rb
+spec:
+  principal:
+    type: user
+    name: testadmin
+  role: ClusterAdmin
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: testadmin-rb-sr
+spec:
+  principal:
+    type: user
+    name: testadmin
+  clustersScopeByIds:
+    schemaRegistryClusterId: id_schemaregistry_destination
+  role: SystemAdmin
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: testadmin-rb-replicator
+spec:
+  principal:
+    type: user
+    name: testadmin
+  clustersScopeByIds:
+    connectClusterId: destination.replicator
+  role: SystemAdmin
+---

examples/cluster-linking/destination/controlcentre-c3-rb.yaml

@@ -0,0 +1,12 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: c3-rb-replicator
+spec:
+  principal:
+    type: user
+    name: c3
+  clustersScopeByIds:
+    connectClusterId: destination.replicator
+  role: SystemAdmin
+---

examples/cluster-linking/destination/kafka.yaml

@@ -0,0 +1,81 @@
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: Kafka
+metadata:
+  name: kafka
+spec:
+  configOverrides:
+    server:
+      - confluent.schema.registry.url=https://schemaregistry.destination.svc.cluster.local:8081
+      - listener.name.internal.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.external.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+      - listener.name.replication.plain.sasl.server.callback.handler.class=io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler
+  tls:
+    secretRef: tls-group1
+  metricReporter:
+    enabled: true
+    authentication:
+      type: plain
+      jaasConfigPassThrough:
+        secretRef: broker-credential
+    tls:
+      enabled: true
+  listeners:
+    internal:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
+      tls:
+        enabled: true
+    external:
+      authentication:
+        type: plain
+        jaasConfigPassThrough:
+          secretRef: broker-credential
+      tls:
+        enabled: true
+  authorization:
+    type: rbac
+    superUsers:
+      - User:kafka
+  services:
+    mds:
+      tls:
+        enabled: true
+      tokenKeyPair:
+        secretRef: broker-credential
+      provider:
+        type: ldap
+        ldap:
+          address: ldap://ldap.sandbox.svc.cluster.local:389
+          authentication:
+            type: simple
+            simple:
+              secretRef: broker-credential
+          tls:
+            enabled: true
+          configurations:
+            groupNameAttribute: cn
+            groupObjectClass: groupOfNames
+            groupMemberAttribute: member
+            groupMemberAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            groupSearchBase: ou=groups,dc=test,dc=com
+            userNameAttribute: cn
+            userMemberOfAttributePattern: cn=(.*),ou=users,dc=test,dc=com
+            userObjectClass: organizationalRole
+            userSearchBase: ou=users,dc=test,dc=com
+  dependencies:
+    kafkaRest:
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: broker-credential
+    zookeeper:
+      endpoint: zookeeper.destination.svc.cluster.local:2182
+      authentication:
+        type: digest
+        jaasConfig:
+          secretRef: broker-credential
+      tls:
+        enabled: true

examples/cluster-linking/destination/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: destination
+resources:
+- ./namespace.yaml
+- ../../../kustomize/base/confluent
+- ../../../kustomize/base/secrets-tls
+- ../../../kustomize/base/secrets-user
+- ./replicator.yaml
+- ./controlcentre-c3-rb.yaml
+- ./replicator-rb.yaml
+- ./schemaregistry-base.yaml
+- ./controlcenter-testadmin-rolebindings.yaml
+patchesStrategicMerge:
+  - ./rest-class.yaml
+  - zookeeper.yaml
+  - kafka.yaml
+  - schema-registry.yaml
+  - control-centre.yaml

examples/cluster-linking/destination/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: destination

examples/cluster-linking/destination/replicator-rb.yaml

@@ -0,0 +1,66 @@
+
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: connect-rb-cluster-admin
+spec:
+  principal:
+    type: user
+    name: connect
+  role: ClusterAdmin
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: replicator-topics
+  namespace: confluent
+spec:
+  principal:
+    name: connect
+    type: user
+  resourcePatterns:
+    - name: topic-in-source_replica
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-license
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-gcsconnect-secrets
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-connect-offsets
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-connect-configs
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-connect-status
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-gcsconnect-status
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-gcsconnect-offsets
+      patternType: LITERAL
+      resourceType: Topic
+    - name: _confluent-gcsconnect-configs
+      patternType: LITERAL
+      resourceType: Topic
+    - name: confluent.gcsconnect-
+      patternType: PREFIXED
+      resourceType: Topic
+  role: ResourceOwner
+---
+apiVersion: platform.confluent.io/v1beta1
+kind: ConfluentRolebinding
+metadata:
+  name: gcsconnect-idempotent-write
+  namespace: confluent
+spec:
+  principal:
+    name: connect
+    type: user
+  resourcePatterns:
+    - name: kafka-cluster
+      resourceType: Cluster
+  role: DeveloperWrite

examples/cluster-linking/destination/replicator.yaml

@@ -0,0 +1,67 @@
+apiVersion: platform.confluent.io/v1beta1
+# Confluent Replicator is built as a connector, and so will use the `Connect` CRD.
+kind: Connect
+metadata:
+  name: replicator
+spec:
+  replicas: 1
+  # Configure to have TLS encryption, and use auto-generated server certs
+  tls:
+    secretRef: tls-group1
+  authorization:
+    type: rbac
+  image:
+    # Use the `cp-enterprise-replicator-operator` Docker image, that contains the Replicator jars
+    application: confluentinc/cp-enterprise-replicator-operator:6.1.1.0
+    init: confluentinc/cp-init-container-operator:6.1.1.0
+  podTemplate:
+    resources:
+      requests:
+        cpu: 1
+        memory: 2Gi
+    envVars:
+      # The  Confluent Replicator Monitoring Extension allows for detailed metrics from Replicator tasks to be
+      # collected using an exposed REST API.
+      # You'll need to update the version string in replicate-test-extension-<version>.jar based on what
+      # CP version you are using
+      - name: CLASSPATH
+        value: /usr/share/java/kafka-connect-replicator/replicator-rest-extension-6.1.1.jar
+  configOverrides:
+    # When the Connect distributed cluster hosting Replicator has a REST endpoint with SSL encryption
+    # enabled, you must configure security properties for the SSL keystore and truststore used by the
+    # Replicator monitoring extension to communicate with other Connect nodes in the cluster.
+    # `/mnt/sslcerts/truststore.jks` is the truststore location when auto-genarated certs are used.
+    jvm:
+#      - -Djavax.net.debug=all
+      - -Djavax.net.ssl.trustStore=/mnt/sslcerts/truststore.p12
+      - -Djavax.net.ssl.trustStorePassword=mystorepassword
+    server:
+      - connector.class=io.confluent.connect.replicator.ReplicatorSourceConnector
+      # To activate the monitoring extension, configure this property
+      - rest.extension.classes=io.confluent.connect.replicator.monitoring.ReplicatorMonitoringExtension,io.confluent.connect.security.ConnectSecurityExtension
+      - admin.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required metadataServerUrls="https://kafka.destination.svc.cluster.local:8090" username="connect" password="connect-secret";
+      - consumer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required metadataServerUrls="https://kafka.destination.svc.cluster.local:8090" username="connect" password="connect-secret";
+      - producer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required metadataServerUrls="https://kafka.destination.svc.cluster.local:8090" username="connect" password="connect-secret";
+      - sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required metadataServerUrls="https://kafka.destination.svc.cluster.local:8090" username="connect" password="connect-secret";
+      - confluent.metadata.basic.auth.user.info=connect:connect-secret
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.destination.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.destination.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-connect
+      tls:
+        enabled: true
+    interceptor:
+      enabled: true

examples/cluster-linking/destination/rest-class.yaml

@@ -0,0 +1,10 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: KafkaRestClass
+metadata:
+  name: default
+spec:
+  kafkaRest:
+    authentication:
+      type: bearer
+      bearer:
+        secretRef: rest-credential

examples/cluster-linking/destination/schema-registry.yaml

@@ -0,0 +1,28 @@
+apiVersion: platform.confluent.io/v1beta1
+kind: SchemaRegistry
+metadata:
+  name: schemaregistry
+spec:
+  authorization:
+    type: rbac
+  tls:
+    secretRef: tls-group1
+  dependencies:
+    kafka:
+      bootstrapEndpoint: kafka.destination.svc.cluster.local:9071
+      authentication:
+        type: plain
+        jaasConfig:
+          secretRef: mds-client-sr
+      tls:
+        enabled: true
+    mds:
+      endpoint: https://kafka.destination.svc.cluster.local:8090
+      tokenKeyPair:
+        secretRef: mds-public
+      authentication:
+        type: bearer
+        bearer:
+          secretRef: mds-client-sr
+      tls:
+        enabled: true