[WFLY-15772] RHOSAK now requires ACLs
kabir committed Dec 2, 2021
1 parent 9192670 commit d800fa1
Showing 2 changed files with 22 additions and 6 deletions.
4 changes: 2 additions & 2 deletions microprofile-reactive-messaging-kafka/README.adoc
Expand Up @@ -1032,7 +1032,7 @@ Run `oc get route` to find the URL of our application.

[[xp-deploy-project-rhosak]]
=== Deploy the {ProductShortName} Source-to-Image (S2I) Quickstart to OpenShift with RHOSAK
This section describes how to deploy the application to OpenShift interacting with Kafka provided by AMQ Streams. If you want to use AMQ Streams instead, see the <<xp-deploy-project-amq-streams,AMQ Streams instructions>>.
This section describes how to deploy the application to OpenShift interacting with Kafka provided by RHOSAK. If you want to use AMQ Streams instead, see the <<xp-deploy-project-amq-streams,AMQ Streams instructions>>.

To deploy your application make sure you have downloaded the https://docs.openshift.com/container-platform/4.8/cli_reference/helm_cli/getting-started-with-helm-on-openshift-container-platform.html[Helm CLI Tool]. `./helm-rhosak.yml` contains the information to deploy the application to be backed by Kafka provided by RHOSAK.

Expand All @@ -1053,7 +1053,7 @@ NOTE: Although the above command will return quite quickly, it will take a while
While the OpenShift cluster is doing the work to build and deploy the application (i.e. as soon as the `helm install` has completed in your terminal), run the following command to set up the service binding for the Kafka connection as mentioned earlier:
[source,subs="attributes+",options="nowrap"]
----
rhoas cluster bind --app-name mp-rm-qs --binding-name kafka-config --yes
rhoas cluster bind --app-name mp-rm-qs --service-type kafka --binding-name kafka-config --yes
----

You may also wait performing the above command until the application pod has been brought up. In this case it will log errors that it is not able to connect to Kafka. Once the above command is run, the 'faulty' pod will be taken down and replaced by one containing the correct configuration.
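
Review bot: The updated `rhoas cluster bind` step and the paragraph after it still describe only connection errors and a pod replacement, with no mention of the ACL grant that this commit adds to `xp-install-rhosak.adoc`. Since the commit title says RHOSAK now requires ACLs, add a sentence here pointing to the `rhoas kafka acl grant-access` step, so a reader who follows only the README does not bind the application to a service account that has not been granted access to the topic.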
24 changes: 20 additions & 4 deletions microprofile-reactive-messaging-kafka/xp-install-rhosak.adoc
Expand Up @@ -18,7 +18,7 @@ We will summarize the steps required to set up a Kafka instance in RHOSAK here.

1. From the https://developers.redhat.com/products/rhosak/getting-started[RHOSAK] console, create a Kafka instance. You need to specify a name for it Kafka instance, for example `my-quickstart-kafka`. In the rest of this text we will use `<kafka-name>` to represent `my-quickstart-kafka`. Apart from the name you can use default values for everything else. It will take a few minutes for your Kafka instance to be ready.
2. Go into the instance and create a topic called `testing`. Use the suggested defaults for everything else.
3. https://github.com/redhat-developer/app-services-cli[Download] the `rhosas` application for your OS. Make it available on your path.
3. https://github.com/redhat-developer/app-services-cli[Download] the `rhoas` application for your OS. Make it available on your path.

== Configuring your application
The Quickstart was originally intended to run with local Kafka server. In order to configure it for RHOSAK, we will deploy a `ConfigMap` that provides the config properties required by MicroProfile Reactive Messaging based on the configuration of the Kafka instance.
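
Review bot: Step 1 of this list, a context line directly above the `rhoas` fix, still reads "a name for it Kafka instance"; since this hunk is already correcting typos in the list, change it to "a name for the Kafka instance" in the same commit.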
Expand All @@ -29,7 +29,7 @@ The Quickstart was originally intended to run with local Kafka server. In order
oc apply -f $QS_HOME/mp-rm-rhosak-properties.yml
----

If you look at the contents of the file you will see it follows the pattern of MicroProfile Config properties for Reactive Messaging. The ConfigMap properties are merged with the properties in the application's `miceroprofile-config.properties`. Where the same value exists in both places the ConfigMap entry takes so `mp.messaging.connector.smallrye-kafka.bootstrap.servers` from the ConfigMap value will be used. The ConfigMap also provides properties to set up authentication to the RHOSAK Kafka instance, and it contains references to properties (e.g. `${bootstrapServers}`) that will be populated from the service binding in the next step.
If you look at the contents of the file you will see it follows the pattern of MicroProfile Config properties for Reactive Messaging. The ConfigMap properties are merged with the properties in the application's `microprofile-config.properties`. Where the same value exists in both places the ConfigMap entry takes precedence, so `mp.messaging.connector.smallrye-kafka.bootstrap.servers` from the ConfigMap value will be used. The ConfigMap also provides properties to set up authentication to the RHOSAK Kafka instance, and it contains references to properties (e.g. `${bootstrapServers}`) that will be populated from the service binding in the next step.

Once deployed this will store the ConfigMap settings in the application pod's `/etc/config/reactive-messaging-properties` directory.

Expand All @@ -48,8 +48,24 @@ Then go to https://console.redhat.com/openshift/token and get the token to authe

Execute
----
rhoas cluster connect --yes --token {your token pasted here}
rhoas cluster connect --service-type kafka --yes --token {your token pasted here}
----
This will tell you to run `rhoas cluster bind`. However, we need to wait until we have deployed our application with `helm install` in the next step. Once we run `rhoas cluster bind` after deploying our application, this will create a config map bound to the `/bindings/kafka-config` directory in the application pods.
The output of the above will show that the connection to Kafka has been created. Make a note of the `Client ID` which appears in the output of the `rhoas cluster connect` command. We will need this `Client ID` later:
----
✔️ Service Account Secret "rh-cloud-services-service-account" created successfully
Client ID: srvc-acct-4321abcd-123a-98cb-1234-01234abcd123
Make a copy of the client ID to store in a safe place. Credentials won't appear again after closing the terminal.
----
At the time of writing, if you did not make a note of the `Client ID`, it is possible to recover it by running `rhoas service-account list`, and looking for the `Client ID` associated with your account.

The `rhoas cluster connect` output will also tell you to run `rhoas cluster bind`. However, we need to wait until we have deployed our application with `helm install` in the next step. Once we run `rhoas cluster bind --binding-name kafka` after deploying our application, this will create a config map bound to the `/bindings/kafka-config` directory in the application pods.

The `src/main/scripts/rhosak/s2i/initialize-server.cli` script will get run as part of initialising the application pod, and adds the mentioned `/bindings/kafka-config` and `/etc/config/reactive-messaging-properties` folders as config sources in the `microprofile-config-smallrye` subsystem, when we we pass in the environment variable `QS_USE_RHOSAK=true` when building the application as we will see later. For the bootable jar with RHOSAK combination there is a `src/main/scripts/rhoasak/bootable-jar/initialise-server.cli` script that does the same.

Next, we need to grant access to our service account. This is done by running the following command
----
rhoas kafka acl grant-access --consumer --producer --service-account <client id> --topic "*" --group "*"
----
Substitute <client id> with the `Client ID` reported by the earlier `rhoas cluster connect` command.
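
Review bot: The `rhoas kafka acl grant-access` command near the end of this hunk grants consumer and producer rights on `--topic "*" --group "*"`, although the setup steps only create the `testing` topic. Scope the grant to `--topic testing` (and to a specific consumer group if the application's group id is fixed) so the service account bound into the application pods cannot read or write other topics on the instance. Separately, the added sentence says to run `rhoas cluster bind --binding-name kafka` but then refers to the `/bindings/kafka-config` directory, and the README command uses `--binding-name kafka-config`; the binding name should be the same in both places. The `<client id>` in the final sentence should also be in backticks like the other literals.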
