Add molecule scenarios to test ksql oauth

mansisinha · Jun 19, 2024 · ccc7fc9 · ccc7fc9
1 parent 16c4d83
commit ccc7fc9
Show file tree

Hide file tree

Showing 3 changed files with 129 additions and 118 deletions.
diff --git a/molecule/oauth-rbac-mds-kerberos-debian/molecule.yml b/molecule/oauth-rbac-mds-kerberos-debian/molecule.yml
@@ -181,20 +181,20 @@ platforms:
     privileged: true
     networks:
       - name: confluent
-  # - name: ksql1
-  #   hostname: ksql1.confluent
-  #   groups:
-  #     - ksql2
-  #     - ksql2_migration
-  #     - cluster2
-  #   image: geerlingguy/docker-debian10-ansible
-  #   dockerfile: ../Dockerfile-debian10.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
+  - name: ksql1
+    hostname: ksql1.confluent
+    groups:
+      - ksql2
+      - ksql2_migration
+      - cluster2
+    image: geerlingguy/docker-debian10-ansible
+    dockerfile: ../Dockerfile-debian10.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
   - name: control-center1
     hostname: control-center1.confluent
     groups:
@@ -211,33 +211,33 @@ platforms:
       - "9021:9021"
     networks:
       - name: confluent
-  # # Cluster 2 (Kraft) goups, groupnames will be changed during converge phase
-  # - name: mds-controller1-mig
-  #   hostname: mds-controller1-mig.confluent
-  #   groups:
-  #     - kafka_controller_migration
-  #     - mds
-  #   image: geerlingguy/docker-debian10-ansible
-  #   dockerfile: ../Dockerfile-debian10.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
-  # - name: controller1-mig
-  #   hostname: controller1-mig.confluent
-  #   groups:
-  #     - kafka_controller2_migration
-  #     - cluster2
-  #   image: geerlingguy/docker-debian10-ansible
-  #   dockerfile: ../Dockerfile-debian10.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
+  # Cluster 2 (Kraft) goups, groupnames will be changed during converge phase
+  - name: mds-controller1-mig
+    hostname: mds-controller1-mig.confluent
+    groups:
+      - kafka_controller_migration
+      - mds
+    image: geerlingguy/docker-debian10-ansible
+    dockerfile: ../Dockerfile-debian10.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: controller1-mig
+    hostname: controller1-mig.confluent
+    groups:
+      - kafka_controller2_migration
+      - cluster2
+    image: geerlingguy/docker-debian10-ansible
+    dockerfile: ../Dockerfile-debian10.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
 provisioner:
   playbooks:
     converge: ${MIGRATION_CONVERGE_RBAC:-../multi_rbac_converge.yml}
@@ -261,8 +261,6 @@ provisioner:
           kdc_hostname: mds-kerberos1
           admin_hostname: mds-kerberos1
 
-        kafka_connect_secret_registry_enabled: false
-
         zookeeper_kerberos_principal: "zookeeper/{{inventory_hostname}}.confluent@{{kerberos.realm | upper}}"
         zookeeper_kerberos_keytab_path: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}/keytabs/zookeeper-{{inventory_hostname}}.keytab"
         kafka_broker_kerberos_principal: "{{kerberos_kafka_broker_primary}}/{{inventory_hostname}}.confluent@{{kerberos.realm | upper}}"
@@ -295,7 +293,21 @@ provisioner:
         control_center_oauth_user: control_center
         control_center_oauth_password: my-secret
         control_center_oauth_principal: control_center_sub
-        mask_secrets: false
+        ksql_oauth_user: ksql
+        ksql_oauth_password: my-secret
+        ksql_oauth_principal: ksql_sub
+
+        sso_mode: oidc
+        sso_groups_claim: groups
+        sso_sub_claim: sub
+        sso_issuer_url: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7
+        sso_jwks_uri: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7/v1/keys
+        sso_authorize_uri: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7/v1/authorize
+        sso_token_uri: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7/v1/token
+        sso_device_authorization_uri: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7/v1/device/authorize
+        sso_cli: true
+        sso_client_id: ${OKTA_CLIENT:-user}
+        sso_client_password: ${OKTA_PASSWORD:-pass}
       mds:
         kafka_broker_cluster_name: mds
 

diff --git a/molecule/oauth-rbac-plain-rhel8/molecule.yml b/molecule/oauth-rbac-plain-rhel8/molecule.yml
@@ -1,8 +1,8 @@
 ---
 ### Installs Confluent Platform Cluster on Oracle Linux 8.
 ### RBAC enabled.
-### MTLS enabled.
-### Kafka Broker Customer Listener.
+### Kafka Broker Custom Listener.
+### OAuth using keycloak idp on all cp components
 ### SSO authentication using OIDC in Control center using Okta IdP
 
 driver:
@@ -171,42 +171,42 @@ platforms:
     networks:
       - name: confluent
     # Cluster 2 (Kraft) goups, groupnames will be changed during converge phase
-  # - name: controller1-mig
-  #   hostname: controller1-mig.confluent
-  #   groups:
-  #     - kafka_controller_migration
-  #   image: oraclelinux:8-slim
-  #   dockerfile: ../Dockerfile-rhel-java8.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
-  # - name: controller2-mig
-  #   hostname: controller2-mig.confluent
-  #   groups:
-  #     - kafka_controller_migration
-  #   image: oraclelinux:8-slim
-  #   dockerfile: ../Dockerfile-rhel-java8.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
-  # - name: controller3-mig
-  #   hostname: controller3-mig.confluent
-  #   groups:
-  #     - kafka_controller_migration
-  #   image: oraclelinux:8-slim
-  #   dockerfile: ../Dockerfile-rhel-java8.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
+  - name: controller1-mig
+    hostname: controller1-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: oraclelinux:8-slim
+    dockerfile: ../Dockerfile-rhel-java8.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: controller2-mig
+    hostname: controller2-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: oraclelinux:8-slim
+    dockerfile: ../Dockerfile-rhel-java8.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
+  - name: controller3-mig
+    hostname: controller3-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: oraclelinux:8-slim
+    dockerfile: ../Dockerfile-rhel-java8.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
 provisioner:
   playbooks:
     converge: ${MIGRATION_CONVERGE:-../collections_converge.yml}
@@ -216,6 +216,8 @@ provisioner:
         sasl_protocol: plain
         kafka_broker_cluster_name: kafka-cluster
         schema_registry_cluster_name: Test-Schema
+        kafka_connect_cluster_name: Test-Connect
+        ksql_cluster_name: Test-Ksql
         rbac_enabled: true
         rbac_component_additional_system_admins:
           - user1
@@ -225,8 +227,6 @@ provisioner:
             name: CLIENT
             port: 9093
 
-        #kafka_connect_secret_registry_enabled: false
-        ksql_monitoring_interceptors_enabled: false
         oauth_enabled: true
         oauth_client_id: superuser
         oauth_client_password: my-secret
@@ -242,11 +242,16 @@ provisioner:
         kafka_rest_oauth_password: my-secret
         kafka_connect_oauth_user: kafka_connect
         kafka_connect_oauth_password: my-secret
+        ksql_oauth_user: ksql
+        ksql_oauth_password: my-secret
         control_center_oauth_user: control_center
         control_center_oauth_password: my-secret
+
+        # SSO in C3 vars
         sso_mode: oidc
         sso_groups_claim: groups
         sso_sub_claim: sub
+        sso_groups_scope: groups
         sso_issuer_url: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7
         sso_jwks_uri: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7/v1/keys
         sso_authorize_uri: https://dev-59009577.okta.com/oauth2/aus96p2og3u7Cpwu65d7/v1/authorize
@@ -255,10 +260,3 @@ provisioner:
         sso_cli: true
         sso_client_id: ${OKTA_CLIENT:-user}
         sso_client_password: ${OKTA_PASSWORD:-pass}
-        secrets_protection_enabled: false
-        mask_secrets: false
-        #ksql_authentication_type: basic
-
-        kafka_connect_cluster_name: Test-Connect
-        ksql_ldap_user: ksql
-        ksql_ldap_password: my-secret
diff --git a/molecule/plain-rhel/molecule.yml b/molecule/plain-rhel/molecule.yml
@@ -91,19 +91,19 @@ platforms:
     privileged: true
     networks:
       - name: confluent
-  # - name: ksql1
-  #   hostname: ksql1.confluent
-  #   groups:
-  #     - ksql
-  #     - ksql_migration
-  #   image: redhat/ubi9-minimal
-  #   dockerfile: ../Dockerfile-rhel-java17.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
+  - name: ksql1
+    hostname: ksql1.confluent
+    groups:
+      - ksql
+      - ksql_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
   - name: control-center1
     hostname: control-center1.confluent
     groups:
@@ -119,19 +119,19 @@ platforms:
       - "9021:9021"
     networks:
       - name: confluent
-  #   # Cluster 2 (Kraft) goups, groupnames will be changed during converge phase
-  # - name: controller1-mig
-  #   hostname: controller1-mig.confluent
-  #   groups:
-  #     - kafka_controller_migration
-  #   image: redhat/ubi9-minimal
-  #   dockerfile: ../Dockerfile-rhel-java17.j2
-  #   command: ""
-  #   volumes:
-  #     - /sys/fs/cgroup:/sys/fs/cgroup:ro
-  #   privileged: true
-  #   networks:
-  #     - name: confluent
+    # Cluster 2 (Kraft) goups, groupnames will be changed during converge phase
+  - name: controller1-mig
+    hostname: controller1-mig.confluent
+    groups:
+      - kafka_controller_migration
+    image: redhat/ubi9-minimal
+    dockerfile: ../Dockerfile-rhel-java17.j2
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    networks:
+      - name: confluent
 provisioner:
   playbooks:
     converge: ${MIGRATION_CONVERGE:-../collections_converge.yml}
@@ -157,7 +157,8 @@ provisioner:
         kafka_connect_oauth_password: my-secret
         control_center_oauth_user: control_center
         control_center_oauth_password: my-secret
-        mask_secrets: false
+        ksql_oauth_user: ksql
+        ksql_oauth_password: my-secret
 
         # kafka_broker_configure_control_plane_listener: true
         # kafka_rest_oauth_enabled: false