From d800fa162dc0d07fa728d1afcb7f2faff626ceee Mon Sep 17 00:00:00 2001 From: Kabir Khan Date: Tue, 30 Nov 2021 16:00:49 +0000 Subject: [PATCH] [WFLY-15772] RHOSAK now requires ACLs --- .../README.adoc | 4 ++-- .../xp-install-rhosak.adoc | 24 +++++++++++++++---- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/microprofile-reactive-messaging-kafka/README.adoc b/microprofile-reactive-messaging-kafka/README.adoc index 83e19ae995..bb162e2af6 100644 --- a/microprofile-reactive-messaging-kafka/README.adoc +++ b/microprofile-reactive-messaging-kafka/README.adoc @@ -1032,7 +1032,7 @@ Run `oc get route` to find the URL of our application. [[xp-deploy-project-rhosak]] === Deploy the {ProductShortName} Source-to-Image (S2I) Quickstart to OpenShift with RHOSAK -This section describes how to deploy the application to OpenShift interacting with Kafka provided by AMQ Streams. If you want to use AMQ Streams instead, see the <>. +This section describes how to deploy the application to OpenShift interacting with Kafka provided by RHOSAK. If you want to use AMQ Streams instead, see the <>. To deploy your application make sure you have downloaded the https://docs.openshift.com/container-platform/4.8/cli_reference/helm_cli/getting-started-with-helm-on-openshift-container-platform.html[Helm CLI Tool]. `./helm-rhosak.yml` contains the information to deploy the application to be backed by Kafka provided by RHOSAK. 
@@ -1053,7 +1053,7 @@ NOTE: Although the above command will return quite quickly, it will take a while While the OpenShift cluster is doing the work to build and deploy the application (i.e. as soon as the `helm install` has completed in your terminal), run the following command to set up the service binding for the Kafka connection as mentioned earlier: [source,subs="attributes+",options="nowrap"] ---- -rhoas cluster bind --app-name mp-rm-qs --binding-name kafka-config --yes +rhoas cluster bind --app-name mp-rm-qs --service-type kafka --binding-name kafka-config --yes ---- You may also wait performing the above command until the application pod has been brought up. In this case it will log errors that it is not able to connect to Kafka. Once the above command is run, the 'faulty' pod will be taken down and replaced by one containing the correct configuration. diff --git a/microprofile-reactive-messaging-kafka/xp-install-rhosak.adoc b/microprofile-reactive-messaging-kafka/xp-install-rhosak.adoc index 5f071ba7cf..e68147cac7 100644 --- a/microprofile-reactive-messaging-kafka/xp-install-rhosak.adoc +++ b/microprofile-reactive-messaging-kafka/xp-install-rhosak.adoc 
@@ -18,7 +18,7 @@ We will summarize the steps required to set up a Kafka instance in RHOSAK here. 1. From the https://developers.redhat.com/products/rhosak/getting-started[RHOSAK] console, create a Kafka instance. You need to specify a name for it Kafka instance, for example `my-quickstart-kafka`. In the rest of this text we will use `` to represent `my-quickstart-kafka`. Apart from the name you can use default values for everything else. It will take a few minutes for your Kafka instance to be ready. 2. Go into the instance and create a topic called `testing`. Use the suggested defaults for everything else. -3. https://github.com/redhat-developer/app-services-cli[Download] the `rhosas` application for your OS. Make it available on your path. +3. https://github.com/redhat-developer/app-services-cli[Download] the `rhoas` application for your OS. Make it available on your path. == Configuring your application The Quickstart was originally intended to run with local Kafka server. In order to configure it for RHOSAK, we will deploy a `ConfigMap` that provides the config properties required by MicroProfile Reactive Messaging based on the configuration of the Kafka instance. 
@@ -29,7 +29,7 @@ The Quickstart was originally intended to run with local Kafka server. In order oc apply -f $QS_HOME/mp-rm-rhosak-properties.yml ---- -If you look at the contents of the file you will see it follows the pattern of MicroProfile Config properties for Reactive Messaging. The ConfigMap properties are merged with the properties in the application's `miceroprofile-config.properties`. Where the same value exists in both places the ConfigMap entry takes so `mp.messaging.connector.smallrye-kafka.bootstrap.servers` from the ConfigMap value will be used. The ConfigMap also provides properties to set up authentication to the RHOSAK Kafka instance, and it contains references to properties (e.g. `${bootstrapServers}`) that will be populated from the service binding in the next step. +If you look at the contents of the file you will see it follows the pattern of MicroProfile Config properties for Reactive Messaging. The ConfigMap properties are merged with the properties in the application's `microprofile-config.properties`. Where the same value exists in both places the ConfigMap entry takes precedence, so `mp.messaging.connector.smallrye-kafka.bootstrap.servers` from the ConfigMap value will be used. The ConfigMap also provides properties to set up authentication to the RHOSAK Kafka instance, and it contains references to properties (e.g. `${bootstrapServers}`) that will be populated from the service binding in the next step. Once deployed this will store the ConfigMap settings in the application pod's `/etc/config/reactive-messaging-properties` directory. 
@@ -48,8 +48,24 @@ Then go to https://console.redhat.com/openshift/token and get the token to authe Execute ---- -rhoas cluster connect --yes --token {your token pasted here} +rhoas cluster connect --service-type kafka --yes --token {your token pasted here} ---- -This will tell you to run `rhoas cluster bind`. However, we need to wait until we have deployed our application with `helm install` in the next step. Once we run `rhoas cluster bind` after deploying our application, this will create a config map bound to the `/bindings/kafka-config` directory in the application pods. +The output of the above will show that the connection to Kafka has been created. Make a note of the `Client ID` which appears in the output of the `rhoas cluster connect` command. We will need this `Client ID` later: +---- +✔️ Service Account Secret "rh-cloud-services-service-account" created successfully + +Client ID: srvc-acct-4321abcd-123a-98cb-1234-01234abcd123 + +Make a copy of the client ID to store in a safe place. Credentials won't appear again after closing the terminal. +---- +At the time of writing, if you did not make a note of the `Client ID`, it is possible to recover it by running `rhoas service-account list`, and looking for the `Client ID` associated with your account. + +The `rhoas cluster connect` output will also tell you to run `rhoas cluster bind`. However, we need to wait until we have deployed our application with `helm install` in the next step. Once we run `rhoas cluster bind --binding-name kafka` after deploying our application, this will create a config map bound to the `/bindings/kafka-config` directory in the application pods. 
The `src/main/scripts/rhosak/s2i/initialize-server.cli` script will get run as part of initialising the application pod, and adds the mentioned `/bindings/kafka-config` and `/etc/config/reactive-messaging-properties` folders as config sources in the `microprofile-config-smallrye` subsystem, when we we pass in the environment variable `QS_USE_RHOSAK=true` when building the application as we will see later. For the bootable jar with RHOSAK combination there is a `src/main/scripts/rhoasak/bootable-jar/initialise-server.cli` script that does the same. + +Next, we need to grant access to our service account. This is done by running the following command +---- +rhoas kafka acl grant-access --consumer --producer --service-account --topic "*" --group "*" +---- +Substitute with the `Client ID` reported by the earlier `rhoas cluster connect` command. \ No newline at end of file
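Review bot: in the README hunk at @@ -1053 the bind command now uses `--binding-name kafka-config`, which matches the `/bindings/kafka-config` directory that the `initialize-server.cli` script registers as a config source, but the companion text added to `xp-install-rhosak.adoc` in this same patch says "Once we run `rhoas cluster bind --binding-name kafka`"; make the install guide quote the same command as the README (`rhoas cluster bind --app-name mp-rm-qs --service-type kafka --binding-name kafka-config --yes`), otherwise a reader who follows the guide literally gets the binding mounted under a different path than the CLI script expects. The sentence after the command, "You may also wait performing the above command until the application pod has been brought up", would read better as "You may also wait to run the above command until the application pod has been brought up".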
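Review bot: the `rhosas` to `rhoas` correction in the @@ -18 hunk of `xp-install-rhosak.adoc` is right, but two problems remain in the unchanged context of the same hunk: step 1 reads "You need to specify a name for it Kafka instance" (should be "for your Kafka instance"), and the placeholder in "we will use `` to represent `my-quickstart-kafka`" renders as empty backticks, so the name the later steps refer to is never shown; since this hunk already touches the list, fix step 1 here too.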
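Review bot: the ACL added at the end of the @@ -48 hunk, `rhoas kafka acl grant-access --consumer --producer --service-account --topic "*" --group "*"`, grants the service account produce and consume rights on every topic and every consumer group in the Kafka instance, which is far broader than this quickstart needs; the guide creates only the `testing` topic, so prefer `--topic testing` and, if the consumer group the application uses is known, that group name instead of `"*"`, and present the wildcard form as a shortcut rather than the default. Two smaller issues in the same hunk: as rendered, `--service-account` has no argument and the closing sentence reads "Substitute with the `Client ID`", so the placeholder (for example `<client-id>`) appears to have been lost and should be restored in both places; and the unchanged context still contains "when we we pass" and spells the two script paths differently (`rhosak/s2i/initialize-server.cli` versus `rhoasak/bootable-jar/initialise-server.cli`), so confirm that `rhoasak` and the `initialise` spelling are the real file names and not typos.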