From f2cd0c5328551a3ddc96ea2c1dfdab34663d48a8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pere=20Urb=C3=B3n?= Date: Fri, 30 Apr 2021 10:33:36 +0200 Subject: [PATCH] Amend dependencies to be fully supporting Confluent RBAC implementation (#272) * add rbac tls test cluster * update dependencies to use core confluent libraries --- docker/.env | 1 + docker/rbac-sasl/certs/ca.crt | 24 + docker/rbac-sasl/certs/ca.key | 28 + docker/rbac-sasl/certs/ca.pem | 52 ++ docker/rbac-sasl/certs/ca.srl | 1 + docker/rbac-sasl/certs/client.crt | 23 + docker/rbac-sasl/certs/client.csr | 20 + docker/rbac-sasl/certs/client.key | 28 + docker/rbac-sasl/certs/client.keystore.jks | Bin 0 -> 2741 bytes docker/rbac-sasl/certs/client.p12 | Bin 0 -> 3784 bytes docker/rbac-sasl/certs/client.pem | 89 ++++ docker/rbac-sasl/certs/local-client.crt | 23 + docker/rbac-sasl/certs/local-client.csr | 20 + docker/rbac-sasl/certs/local-client.key | 28 + .../rbac-sasl/certs/local-client.keystore.jks | Bin 0 -> 3855 bytes docker/rbac-sasl/certs/local-client.p12 | Bin 0 -> 3698 bytes .../certs/schema-registry-client.crt | 23 + .../certs/schema-registry-client.csr | 21 + .../certs/schema-registry-client.key | 28 + .../certs/schema-registry-client.keystore.jks | Bin 0 -> 3993 bytes .../certs/schema-registry-client.p12 | Bin 0 -> 3844 bytes docker/rbac-sasl/certs/server.crt | 23 + docker/rbac-sasl/certs/server.csr | 21 + docker/rbac-sasl/certs/server.key | 28 + docker/rbac-sasl/certs/server.keystore.jks | Bin 0 -> 2749 bytes docker/rbac-sasl/certs/server.p12 | Bin 0 -> 3792 bytes docker/rbac-sasl/certs/truststore.jks | Bin 0 -> 1330 bytes docker/rbac-tls/.env | 1 + docker/rbac-tls/README.md | 72 +++ docker/rbac-tls/certs/client.keystore.jks | Bin 0 -> 4687 bytes docker/rbac-tls/certs/client.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/connect.keystore.jks | Bin 0 -> 4689 bytes docker/rbac-tls/certs/connect.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/connector.keystore.jks | Bin 0 -> 4701 bytes .../rbac-tls/certs/connector.truststore.jks | Bin 0 -> 1170 
bytes .../rbac-tls/certs/controlcenter.keystore.jks | Bin 0 -> 4725 bytes .../certs/controlcenter.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/kafka.keystore.jks | Bin 0 -> 4677 bytes docker/rbac-tls/certs/kafka.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/mds.keystore.jks | Bin 0 -> 4665 bytes docker/rbac-tls/certs/mds.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/old/client.keystore.jks | Bin 0 -> 4687 bytes .../rbac-tls/certs/old/client.truststore.jks | Bin 0 -> 1170 bytes .../rbac-tls/certs/old/connect.keystore.jks | Bin 0 -> 4689 bytes .../rbac-tls/certs/old/connect.truststore.jks | Bin 0 -> 1170 bytes .../rbac-tls/certs/old/connector.keystore.jks | Bin 0 -> 4701 bytes .../certs/old/connector.truststore.jks | Bin 0 -> 1170 bytes .../certs/old/controlcenter.keystore.jks | Bin 0 -> 4725 bytes .../certs/old/controlcenter.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/old/credentials.txt | 1 + docker/rbac-tls/certs/old/kafka.keystore.jks | Bin 0 -> 4677 bytes .../rbac-tls/certs/old/kafka.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/old/mds.keystore.jks | Bin 0 -> 4665 bytes docker/rbac-tls/certs/old/mds.truststore.jks | Bin 0 -> 1170 bytes .../certs/old/schemaregistry.keystore.jks | Bin 0 -> 4735 bytes .../certs/old/schemaregistry.truststore.jks | Bin 0 -> 1170 bytes .../rbac-tls/certs/old/thusnelda.keystore.jks | Bin 0 -> 4685 bytes .../certs/old/thusnelda.truststore.jks | Bin 0 -> 1170 bytes .../certs/schemaregistry.keystore.jks | Bin 0 -> 4735 bytes .../certs/schemaregistry.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/snakeoil-ca-1.crt | 21 + docker/rbac-tls/certs/snakeoil-ca-1.key | 30 ++ docker/rbac-tls/certs/thusnelda.keystore.jks | Bin 0 -> 4685 bytes .../rbac-tls/certs/thusnelda.truststore.jks | Bin 0 -> 1170 bytes docker/rbac-tls/certs/zookeeper.keystore.jks | Bin 0 -> 4701 bytes .../rbac-tls/certs/zookeeper.truststore.jks | Bin 0 -> 1170 bytes 
docker/rbac-tls/client-configs/fry.properties | 7 + .../client-configs/professor.properties | 7 + .../client-configs/zoidberg.properties | 7 + docker/rbac-tls/conf/keypair.pem | 27 + docker/rbac-tls/conf/public.pem | 9 + docker/rbac-tls/create-basic-roles.sh | 61 +++ docker/rbac-tls/create-config.sh | 7 + docker/rbac-tls/create-roles-streams-app.sh | 92 ++++ docker/rbac-tls/create-roles.sh | 133 +++++ docker/rbac-tls/docker-compose.yml | 492 ++++++++++++++++++ .../rbac-tls/jvm/security-policy.properties | 6 + docker/rbac-tls/kafka/client.properties | 5 + docker/rbac-tls/kafka/kafka.properties | 97 ++++ docker/rbac-tls/kafka/log4j.properties | 16 + docker/rbac-tls/kafka/professor.properties | 10 + docker/rbac-tls/kafka/thusnelda.properties | 9 + docker/rbac-tls/kafka/tools-log4j.properties | 7 + docker/rbac-tls/scripts/read-als-kafka.sh | 5 + docker/rbac-tls/scripts/read-als-professor.sh | 5 + docker/rbac-tls/scripts/read-als-thusnelda.sh | 5 + docker/rbac-tls/scripts/write-als-kafka.sh | 5 + .../rbac-tls/scripts/write-als-professor.sh | 5 + .../rbac-tls/scripts/write-als-thusnelda.sh | 5 + docker/rbac-tls/show-kafka-id.sh | 13 + docker/rbac-tls/start.sh | 3 + docker/rbac-tls/streams/docker-compose.yaml | 22 + docker/rbac-tls/streams/kafka/Dockerfile | 22 + docker/rbac-tls/streams/kafka/confluent.repo | 13 + .../rbac-tls/streams/kafka/log4j.properties | 102 ++++ .../streams/kafka/server-with-ssl.properties | 218 ++++++++ .../rbac-tls/streams/kafka/server.properties | 182 +++++++ docker/rbac-tls/streams/scripts/.gitignore | 9 + .../rbac-tls/streams/scripts/certs-create.sh | 74 +++ docker/rbac-tls/streams/up | 67 +++ docker/tls/.gitignore | 2 +- example/jks/client.keystore.jks | Bin 0 -> 4677 bytes example/jks/client.truststore.jks | Bin 0 -> 1170 bytes .../topology-builder-rbac-oauth.properties | 19 + example/topology-builder-rbac-tls.properties | 17 + pom.xml | 5 +- .../integration/RBACPRoviderRbacIT.java | 1 + 107 files changed, 2393 insertions(+), 4 deletions(-) 
create mode 100644 docker/.env create mode 100644 docker/rbac-sasl/certs/ca.crt create mode 100644 docker/rbac-sasl/certs/ca.key create mode 100644 docker/rbac-sasl/certs/ca.pem create mode 100644 docker/rbac-sasl/certs/ca.srl create mode 100644 docker/rbac-sasl/certs/client.crt create mode 100644 docker/rbac-sasl/certs/client.csr create mode 100644 docker/rbac-sasl/certs/client.key create mode 100644 docker/rbac-sasl/certs/client.keystore.jks create mode 100644 docker/rbac-sasl/certs/client.p12 create mode 100644 docker/rbac-sasl/certs/client.pem create mode 100644 docker/rbac-sasl/certs/local-client.crt create mode 100644 docker/rbac-sasl/certs/local-client.csr create mode 100644 docker/rbac-sasl/certs/local-client.key create mode 100644 docker/rbac-sasl/certs/local-client.keystore.jks create mode 100644 docker/rbac-sasl/certs/local-client.p12 create mode 100644 docker/rbac-sasl/certs/schema-registry-client.crt create mode 100644 docker/rbac-sasl/certs/schema-registry-client.csr create mode 100644 docker/rbac-sasl/certs/schema-registry-client.key create mode 100644 docker/rbac-sasl/certs/schema-registry-client.keystore.jks create mode 100644 docker/rbac-sasl/certs/schema-registry-client.p12 create mode 100644 docker/rbac-sasl/certs/server.crt create mode 100644 docker/rbac-sasl/certs/server.csr create mode 100644 docker/rbac-sasl/certs/server.key create mode 100644 docker/rbac-sasl/certs/server.keystore.jks create mode 100644 docker/rbac-sasl/certs/server.p12 create mode 100644 docker/rbac-sasl/certs/truststore.jks create mode 100644 docker/rbac-tls/.env create mode 100644 docker/rbac-tls/README.md create mode 100644 docker/rbac-tls/certs/client.keystore.jks create mode 100644 docker/rbac-tls/certs/client.truststore.jks create mode 100644 docker/rbac-tls/certs/connect.keystore.jks create mode 100644 docker/rbac-tls/certs/connect.truststore.jks create mode 100644 docker/rbac-tls/certs/connector.keystore.jks create mode 100644 
docker/rbac-tls/certs/connector.truststore.jks create mode 100644 docker/rbac-tls/certs/controlcenter.keystore.jks create mode 100644 docker/rbac-tls/certs/controlcenter.truststore.jks create mode 100644 docker/rbac-tls/certs/kafka.keystore.jks create mode 100644 docker/rbac-tls/certs/kafka.truststore.jks create mode 100644 docker/rbac-tls/certs/mds.keystore.jks create mode 100644 docker/rbac-tls/certs/mds.truststore.jks create mode 100644 docker/rbac-tls/certs/old/client.keystore.jks create mode 100644 docker/rbac-tls/certs/old/client.truststore.jks create mode 100644 docker/rbac-tls/certs/old/connect.keystore.jks create mode 100644 docker/rbac-tls/certs/old/connect.truststore.jks create mode 100644 docker/rbac-tls/certs/old/connector.keystore.jks create mode 100644 docker/rbac-tls/certs/old/connector.truststore.jks create mode 100644 docker/rbac-tls/certs/old/controlcenter.keystore.jks create mode 100644 docker/rbac-tls/certs/old/controlcenter.truststore.jks create mode 100644 docker/rbac-tls/certs/old/credentials.txt create mode 100644 docker/rbac-tls/certs/old/kafka.keystore.jks create mode 100644 docker/rbac-tls/certs/old/kafka.truststore.jks create mode 100644 docker/rbac-tls/certs/old/mds.keystore.jks create mode 100644 docker/rbac-tls/certs/old/mds.truststore.jks create mode 100644 docker/rbac-tls/certs/old/schemaregistry.keystore.jks create mode 100644 docker/rbac-tls/certs/old/schemaregistry.truststore.jks create mode 100644 docker/rbac-tls/certs/old/thusnelda.keystore.jks create mode 100644 docker/rbac-tls/certs/old/thusnelda.truststore.jks create mode 100644 docker/rbac-tls/certs/schemaregistry.keystore.jks create mode 100644 docker/rbac-tls/certs/schemaregistry.truststore.jks create mode 100644 docker/rbac-tls/certs/snakeoil-ca-1.crt create mode 100644 docker/rbac-tls/certs/snakeoil-ca-1.key create mode 100644 docker/rbac-tls/certs/thusnelda.keystore.jks create mode 100644 docker/rbac-tls/certs/thusnelda.truststore.jks create mode 100644 
docker/rbac-tls/certs/zookeeper.keystore.jks create mode 100644 docker/rbac-tls/certs/zookeeper.truststore.jks create mode 100644 docker/rbac-tls/client-configs/fry.properties create mode 100644 docker/rbac-tls/client-configs/professor.properties create mode 100644 docker/rbac-tls/client-configs/zoidberg.properties create mode 100644 docker/rbac-tls/conf/keypair.pem create mode 100644 docker/rbac-tls/conf/public.pem create mode 100755 docker/rbac-tls/create-basic-roles.sh create mode 100755 docker/rbac-tls/create-config.sh create mode 100755 docker/rbac-tls/create-roles-streams-app.sh create mode 100755 docker/rbac-tls/create-roles.sh create mode 100644 docker/rbac-tls/docker-compose.yml create mode 100644 docker/rbac-tls/jvm/security-policy.properties create mode 100644 docker/rbac-tls/kafka/client.properties create mode 100644 docker/rbac-tls/kafka/kafka.properties create mode 100644 docker/rbac-tls/kafka/log4j.properties create mode 100644 docker/rbac-tls/kafka/professor.properties create mode 100644 docker/rbac-tls/kafka/thusnelda.properties create mode 100644 docker/rbac-tls/kafka/tools-log4j.properties create mode 100644 docker/rbac-tls/scripts/read-als-kafka.sh create mode 100644 docker/rbac-tls/scripts/read-als-professor.sh create mode 100644 docker/rbac-tls/scripts/read-als-thusnelda.sh create mode 100644 docker/rbac-tls/scripts/write-als-kafka.sh create mode 100644 docker/rbac-tls/scripts/write-als-professor.sh create mode 100644 docker/rbac-tls/scripts/write-als-thusnelda.sh create mode 100644 docker/rbac-tls/show-kafka-id.sh create mode 100755 docker/rbac-tls/start.sh create mode 100644 docker/rbac-tls/streams/docker-compose.yaml create mode 100644 docker/rbac-tls/streams/kafka/Dockerfile create mode 100644 docker/rbac-tls/streams/kafka/confluent.repo create mode 100644 docker/rbac-tls/streams/kafka/log4j.properties create mode 100644 docker/rbac-tls/streams/kafka/server-with-ssl.properties create mode 100644 
docker/rbac-tls/streams/kafka/server.properties create mode 100644 docker/rbac-tls/streams/scripts/.gitignore create mode 100755 docker/rbac-tls/streams/scripts/certs-create.sh create mode 100755 docker/rbac-tls/streams/up create mode 100644 example/jks/client.keystore.jks create mode 100644 example/jks/client.truststore.jks create mode 100644 example/topology-builder-rbac-oauth.properties create mode 100644 example/topology-builder-rbac-tls.properties
diff --git a/docker/.env b/docker/.env
new file mode 100644
index 000000000..a13497d8a
--- /dev/null
+++ b/docker/.env
@@ -0,0 +1 @@
+TAG=5.5.0
diff --git a/docker/rbac-sasl/certs/ca.crt b/docker/rbac-sasl/certs/ca.crt
new file mode 100644
index 000000000..e66a2dcea
--- /dev/null
+++ b/docker/rbac-sasl/certs/ca.crt
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgIJAMjkZoJ9cjSyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0uyqRXnT58mVxwQWJdiBu +AjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg24fWgh2dY +5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGsClZLlear ++E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC/NTTy3Re +eF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIBmqQ5voiO +THvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48xzAQhz/F +AgMBAAGjgd4wgdswHQYDVR0OBBYEFG80gaFck0G5BSFtC9DVkvGviXIAMA8GA1Ud +EwEB/wQFMAMBAf8wgYIGA1UdIwR7MHmAFG80gaFck0G5BSFtC9DVkvGviXIAoVak +VDBSMQswCQYDVQQGEwJVSzESMBAGA1UECgwJQ29uZmx1ZW50MQ8wDQYDVQQHDAZM +b25kb24xHjAcBgNVBAMMFWthZmthLmNvbmZsdWVudC5sb2NhbIIJAMjkZoJ9cjSy +MA4GA1UdDwEB/wQEAwIBBjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBANwyw65l8xzNF0U3kZBtmS72xUaEW9fXeeaguC+oEnl5e/gY5Buv +H53KOeIgWnHzyr1yxAiIY3L6FfNbiPT3K0iD/7KAsE16nV8pGA2MSS1PSg3YLSyl +YR8kvzmzg+8uEpK7OmJ+DCfFlgHBbRjlEN06wK4O0fdocc9q7nD+4oAMGMzfzIM/ +V6Im58cB2IQWmqxOsAQJ6G7d/Suw65FVLzwz6Hw5p30OgZcjD8i8o+PIQfjgT/RN +JpO5FHCDGNlaBeZPzB56YR+YKNXVtatpBAhrWbb083s3mBvaP9mrUy8F88m6E6Pw +B4wtxqaSIjxf0bILrS05bu7oX0WO68EAOzI= +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/ca.key b/docker/rbac-sasl/certs/ca.key new file mode 100644 index 000000000..87f707bdc --- /dev/null +++ b/docker/rbac-sasl/certs/ca.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0uyqRXnT58mVx +wQWJdiBuAjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg2 +4fWgh2dY5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGs +ClZLlear+E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC +/NTTy3ReeF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIB +mqQ5voiOTHvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48 +xzAQhz/FAgMBAAECggEBAJc+jIImc/h8W0E/3uIjBMu3x2eSkFcWspedtnSlfAu6 +02DccZDgmtpa70LHPdbH97vdhfUWXcvIXp+8aYZ5597CQiykow4IsB7PhgpOyMZ1 +09RkxUKo9VLY+L4YLRkE0ASnjmObY7jM+l8OTGKOE264GDtHMx9I5fh0Vtm7Skhz +PHH2g4KYxGzeRks9BX/C+YbT0fvikqrxjoCAYVqEF/uXuhgYS7e50gVTDhmSDalP +iRwEdC7kUSxAk2JJF+vHaSDnqUbRnMwfmDEHgSCDjq/mGbwWRJ4tlVGPM5HFuCMB +OKFsaSw/swVVCerK/5yRQAoXnXKzdRp4q7aUfxT2D0kCgYEA+1l6X7/zEVw9rP26 +imLP0xu8SnQkMH32W4icaVqWaK6FDnpSh8Jp1QfN+NmTlY6dzD3d2HQ0imrNO33t +arkhVmu3nWfCd61v7h2X0XZKemlIm4KnR5cKlwFJxj+sVp1tZz71G30tW9v8MD7W +Knb1kkcKVduz0JMBscZrlimSlgMCgYEA+UJXDYZhPnnn9hofza/Ps2N6O1hl4ZY4 +2BQ2kLJTBxz1ahJhK5drxBqIVTovnxEKYHwhH9NeY7stkpDON+sAe25x27N76gPB +dMzQ6gx6ZMQ9mVR/UZ+tFFOtr+gTGyA+r4pUQ3I/QxEZU/yr2md9dEiWYikjGr0i +cv5AQpRC7JcCgYEAvUPKXzFF0cu4cXv5rFzti1S2OwYrfgxLpu8+gCKDYb4QWS+I +18twL8aZtYn4lMR4VCQ92dDfA1+avPJ9BUD0NoQUFkXcbIu/3fiQqlw9huGil98R +IVo90ilZKRwnJG2UxQrmPFXNAv+qbZXTZNSA5C30PWSbiTI5M2lq9/7D74sCgYAC +EqQor6JlY5wjNspm6nxesIgWsECApMAqQ9jEUUdRetMro6V9OFAkHFhf5RD6UKj2 +bnHUEuzpBWh2nI+qdWDWpe96dT6ljoxwTTe7iokGB3+/o60/X4WP8rYyDUsDYbxD +t3HF8dBG3YCJa0N+mHe5nNTrUg5Brar4q9aa9yKrVwKBgHz4ULU7Plq3oujA87bd ++I4NDLGbadHOaHlGUyY6FqMjeyUfuZVuh9cD2L57KbNLn9z09H8r1m8nJsxzHXv/ +zrhwSYfHdlKrw4DOBquc9pas4fifbyNjMHLrJmHETNL+c3nnlIF6AuRbWb6ypb1F +j5xtE49UPVPCCWeQGGw/vbq2 +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/ca.pem b/docker/rbac-sasl/certs/ca.pem new file mode 100644 index 000000000..53f1e1872 --- /dev/null +++ b/docker/rbac-sasl/certs/ca.pem 
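Review bot: The unencrypted CA signing key for the rbac-sasl test cluster is committed in this hunk (`docker/rbac-sasl/certs/ca.key`, a PKCS#8 `BEGIN PRIVATE KEY` block with no passphrase); the same key is repeated in the `ca.pem` hunk, and the `client.key` hunk adds an unencrypted client key. Anyone with read access to the repository can sign certificates that any truststore containing this CA will accept, so the exposure reaches whatever trusts `ca.crt` outside a throwaway Docker network. I would drop the key files from the commit, generate them when the cluster is started (the diffstat lists a `certs-create.sh` under the rbac-tls streams setup, which suggests that pattern is already available), and add ignore entries such as `docker/rbac-sasl/certs/*.key` and `docker/rbac-sasl/certs/*.pem`. If the fixtures must stay in the tree, a README line such as `Test-only CA and keys; never import ca.crt into a non-test truststore.` records the constraint, and secret scanning should carry an explicit allow-list entry for these paths rather than a blanket exclusion.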
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgIJAMjkZoJ9cjSyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0uyqRXnT58mVxwQWJdiBu +AjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg24fWgh2dY +5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGsClZLlear ++E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC/NTTy3Re +eF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIBmqQ5voiO +THvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48xzAQhz/F +AgMBAAGjgd4wgdswHQYDVR0OBBYEFG80gaFck0G5BSFtC9DVkvGviXIAMA8GA1Ud +EwEB/wQFMAMBAf8wgYIGA1UdIwR7MHmAFG80gaFck0G5BSFtC9DVkvGviXIAoVak +VDBSMQswCQYDVQQGEwJVSzESMBAGA1UECgwJQ29uZmx1ZW50MQ8wDQYDVQQHDAZM +b25kb24xHjAcBgNVBAMMFWthZmthLmNvbmZsdWVudC5sb2NhbIIJAMjkZoJ9cjSy +MA4GA1UdDwEB/wQEAwIBBjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBANwyw65l8xzNF0U3kZBtmS72xUaEW9fXeeaguC+oEnl5e/gY5Buv +H53KOeIgWnHzyr1yxAiIY3L6FfNbiPT3K0iD/7KAsE16nV8pGA2MSS1PSg3YLSyl +YR8kvzmzg+8uEpK7OmJ+DCfFlgHBbRjlEN06wK4O0fdocc9q7nD+4oAMGMzfzIM/ +V6Im58cB2IQWmqxOsAQJ6G7d/Suw65FVLzwz6Hw5p30OgZcjD8i8o+PIQfjgT/RN +JpO5FHCDGNlaBeZPzB56YR+YKNXVtatpBAhrWbb083s3mBvaP9mrUy8F88m6E6Pw +B4wtxqaSIjxf0bILrS05bu7oX0WO68EAOzI= +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD0uyqRXnT58mVx +wQWJdiBuAjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg2 +4fWgh2dY5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGs +ClZLlear+E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC +/NTTy3ReeF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIB +mqQ5voiOTHvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48 +xzAQhz/FAgMBAAECggEBAJc+jIImc/h8W0E/3uIjBMu3x2eSkFcWspedtnSlfAu6 
+02DccZDgmtpa70LHPdbH97vdhfUWXcvIXp+8aYZ5597CQiykow4IsB7PhgpOyMZ1 +09RkxUKo9VLY+L4YLRkE0ASnjmObY7jM+l8OTGKOE264GDtHMx9I5fh0Vtm7Skhz +PHH2g4KYxGzeRks9BX/C+YbT0fvikqrxjoCAYVqEF/uXuhgYS7e50gVTDhmSDalP +iRwEdC7kUSxAk2JJF+vHaSDnqUbRnMwfmDEHgSCDjq/mGbwWRJ4tlVGPM5HFuCMB +OKFsaSw/swVVCerK/5yRQAoXnXKzdRp4q7aUfxT2D0kCgYEA+1l6X7/zEVw9rP26 +imLP0xu8SnQkMH32W4icaVqWaK6FDnpSh8Jp1QfN+NmTlY6dzD3d2HQ0imrNO33t +arkhVmu3nWfCd61v7h2X0XZKemlIm4KnR5cKlwFJxj+sVp1tZz71G30tW9v8MD7W +Knb1kkcKVduz0JMBscZrlimSlgMCgYEA+UJXDYZhPnnn9hofza/Ps2N6O1hl4ZY4 +2BQ2kLJTBxz1ahJhK5drxBqIVTovnxEKYHwhH9NeY7stkpDON+sAe25x27N76gPB +dMzQ6gx6ZMQ9mVR/UZ+tFFOtr+gTGyA+r4pUQ3I/QxEZU/yr2md9dEiWYikjGr0i +cv5AQpRC7JcCgYEAvUPKXzFF0cu4cXv5rFzti1S2OwYrfgxLpu8+gCKDYb4QWS+I +18twL8aZtYn4lMR4VCQ92dDfA1+avPJ9BUD0NoQUFkXcbIu/3fiQqlw9huGil98R +IVo90ilZKRwnJG2UxQrmPFXNAv+qbZXTZNSA5C30PWSbiTI5M2lq9/7D74sCgYAC +EqQor6JlY5wjNspm6nxesIgWsECApMAqQ9jEUUdRetMro6V9OFAkHFhf5RD6UKj2 +bnHUEuzpBWh2nI+qdWDWpe96dT6ljoxwTTe7iokGB3+/o60/X4WP8rYyDUsDYbxD +t3HF8dBG3YCJa0N+mHe5nNTrUg5Brar4q9aa9yKrVwKBgHz4ULU7Plq3oujA87bd ++I4NDLGbadHOaHlGUyY6FqMjeyUfuZVuh9cD2L57KbNLn9z09H8r1m8nJsxzHXv/ +zrhwSYfHdlKrw4DOBquc9pas4fifbyNjMHLrJmHETNL+c3nnlIF6AuRbWb6ypb1F +j5xtE49UPVPCCWeQGGw/vbq2 +-----END PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/ca.srl b/docker/rbac-sasl/certs/ca.srl new file mode 100644 index 000000000..a7c39cdce --- /dev/null +++ b/docker/rbac-sasl/certs/ca.srl @@ -0,0 +1 @@ +8D79F8130665E574 diff --git a/docker/rbac-sasl/certs/client.crt b/docker/rbac-sasl/certs/client.crt new file mode 100644 index 000000000..0ff582a1a --- /dev/null +++ b/docker/rbac-sasl/certs/client.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIJAI15+BMGZeVyMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKdN7qJYpPRbX0zStfBA/u ++222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMGvCN2emYM +fDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjecq+yR9E9H +hklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4QwO+AATy +rQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVVpapYgj/7 +PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp827ZbOA9yp +AgMBAAGjga0wgaowHQYDVR0OBBYEFGXfBpKtF0oDUL4GyuhNcug60e4nMAkGA1Ud +EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj +YXRlMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjArBgNVHREE +JDAighVrYWZrYS5jb25mbHVlbnQubG9jYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0B +AQUFAAOCAQEAQ8O6Q5wB8MdKc+xI9fBAq74H3fM5M0lbNnvCWpiiTcWlVvPUM0S+ +NV7PFF/bhYvxMzeEoZ6p4XjEUGprdNbuj3jauVdlZTuYR+J/P8fEpUmTqflfcTyk +Eh6t5yF+WQ4THGtg6/wYYhn6xsiNrZZSAHzl35kNjK34fr5rodyeE6Dtea3qAT2Q +GCk4d8U6ijZ+1A4DzqmGZkSynm4jeHMcDHnrtwXw19PtR/vi6vfHDALs0n2SAkWg +reS2orzR95Y6Wy7rh8iEmHUiiManskDzdfz7k4fujcYj2zBo1GL0v9Dhxsj2OVI7 +c4teSweVqgCbuG2WPSD/D5tjfeykF9/jnQ== +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/client.csr b/docker/rbac-sasl/certs/client.csr new file mode 100644 index 000000000..a03f7a842 --- /dev/null +++ b/docker/rbac-sasl/certs/client.csr 
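Review bot: The client certificate added in this hunk appears to be signed with sha1WithRSAEncryption: its first base64 line carries the algorithm identifier `DQEBBQUA`, whereas `ca.crt` carries `DQEBCwUA` (sha256WithRSAEncryption). Some TLS stacks reject SHA-1 certificate signatures under their default security policy, so this fixture can fail handshakes for reasons unrelated to the RBAC behaviour under test, and it models a weak setting for anyone copying the setup. The signing command is not part of this hunk; assuming the certificate was issued with `openssl x509 -req`, adding `-sha256` to that command and regenerating `client.crt`, `client.p12` and `client.keystore.jks` would bring it in line with the CA.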
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDVjCCAj4CAQAwUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKdN7qJYpPRbX0zStfBA/u ++222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMGvCN2emYM +fDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjecq+yR9E9H +hklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4QwO+AATy +rQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVVpapYgj/7 +PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp827ZbOA9yp +AgMBAAGggb4wgbsGCSqGSIb3DQEJDjGBrTCBqjAdBgNVHQ4EFgQUZd8Gkq0XSgNQ +vgbK6E1y6DrR7icwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH +ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG +CCsGAQUFBwMCMCsGA1UdEQQkMCKCFWthZmthLmNvbmZsdWVudC5sb2NhbIIJbG9j +YWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBZlGoJ8Q1ele55lzaJak8Tt7O12N3b +WDiP+2IXYyzk3VJGFkYpTtmFMW9Rqg1jHTum+A7SrooINxoNxSl/yZTSb7B0eyYY +IFLkvM/3XdKDPIuTfrOxrKpYI5fxdpehZBX68ZrcBfYanig9JYwDz3njtNAnTTun +/KoRtpd6j3TF3RZsbqa9ZJm7iS3D1AX/J+myYXcxWdlU9M0wyswYqh1r4b6qzRHR +P8RBHSpA6b3fuy6bJXiqwf621uMciprfvRd9CjGOOZUfUZ30YmZpcCPTxXjBED9+ +zYQ2WjoFJpw9dw46E0BuUFcqJUk5xQP2sV9yDN18e5C5flzWI4QrqwJM +-----END CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/certs/client.key b/docker/rbac-sasl/certs/client.key new file mode 100644 index 000000000..8738ba466 --- /dev/null +++ b/docker/rbac-sasl/certs/client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKdN7qJYpPRbX0 +zStfBA/u+222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMG +vCN2emYMfDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjec +q+yR9E9HhklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4 +QwO+AATyrQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVV +papYgj/7PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp82 +7ZbOA9ypAgMBAAECggEBAKPR6caBVedLOy65Dc02lkYEgQQKnTsV3U7XmhwEvREk +Lmm93gUZ22wItq+ogeHb0agVkUauup+QxTK/7doitIyJuTmNywIQptFBB7WIXQe4 +McLnF4Jmx6jxRHE3RpJe0ZG8X8WjKde5fKJzo1t+2t+/U3fNFEXQs8fR2arVG+Fb +XKPXyxDj8Jxv73dH2ciwkm2yNtThtXAm36rwFSJP3eA8SQ4lKikNsC3z/tPUzZtu +0h8eHmQaCdOLVDvBWjL61WEMmf7zodBonSE1xKd81lJzELdCKpEkp/JABvh/ezHT +yoWnU9PsYVBqGLRVlGeHJafyVAtNQMGbKvl6kpljfAECgYEA7EKmAwfCtVkPseod +Z8opOM0RPPEHuVgpgGDhn18q7x+/5r8YtAD+i4hoOje20/bHTtPsWyUlvFGsqJtU +6EWKuCZbDvTtzg7vP7hU3NpDDAy44HIXasrHWlyKtVhDuLV7ZmSHv/dGqf1oWMG7 +vGP2iHgCHaZnylIoQBIr5WDrDGkCgYEA218yBVfSnm4x4cATzEfNhn2vpAqsAoQ0 +kVA96PCstR6tjXWZYYVOGRdY3yJytY4BisAAyIpeAd3y/fu9QpuIdQiLlQeBEIQP +X+26IPkeJTYgx0mCikiObpXsfmO7XyYiO0is85qe6/4k4EuAm6o7NNCVDzqoKUxk +xtWPPutJRkECgYBV+bcB+UwAxGUywFhtEaNImU+BltDRwORxZFAWuAIevLYP2VC7 +CHWY/022idnNbst+wx4K2QzPaAVl4gjW8Z+Wfda7LaRwTP0BeinfqMmnU+XfP4WI +BjzfhDex4GnciKZcT48a63hame3kBrQzzUjExq82bPzuIlGlZzd0JH3EqQKBgQCI +ymmEj2jURd5w6LbvsO5lqMX3QnhT8WBeJG0Wbc0j+4c5KFWGS/uRBc/zA6YHtA8e +F+/lHPLVszKsUWeIuzdx0uxG97DxPYfgx3pCyVSU25XA7wOpeujl6DLZ9RKHmF3M +HdtK4+WpPoZ8HliJuLLGkjIAlxD4/5vvqId0Mn80gQKBgEtUVzFltd8Yt/u4AbdK +4xA1Zw1XZEfcfEcTfidz8WE5uoJYpChXeJKRsStQ+rA6W6Oxh28sZzytS4UjVtd2 +Sort20M+dApEzJNULzca2PYPHd42lAYccZlHem4sA3dHp6W7j6txJMeKBXTi/23H +fcZCumpWfg8tYvAgQF+/4kBk +-----END PRIVATE KEY----- 
diff --git a/docker/rbac-sasl/certs/client.keystore.jks b/docker/rbac-sasl/certs/client.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..554fa6c88dee164f73c881bc531edab1b25fc01f GIT binary patch literal 2741 zcmY+Ec{~&TAIGAGxWY-}mwReZPhh-~&? zBAd+#wnPvaN&hM_27`%=0Vmk^>l>PvM3k_i{(Cx5tlrYw;4d&rhGMxUgjTAp>bPAhv1WsH@S6@TYH)xVhzu`X?$(`00ZyuP&(q)qBf;H7~aU-K3mZ5 z{fkxV>{$!BNK9jmUnovUBknnV$7NyoEstMel+8SG@7HK0m#0}8=%)CoJ2{LS6pe}w zkl+?hsn-35Xra$*cAa{I8g5!^aBIHeI7V){qhVG!bG0?J7-Yb9t|ZM_NS z#jCHrmO{JBP2^r?)%8z@rFN!sed-&QO?DtV{#=K@v7d4lKs^HHH4w%xKX`S;n-udB(NcR>XizjPzT&|g+HR5j%LVr z!!_>r9jexBwo!(i!rt{Yhu-To#?c*FY`(X)NQf=mS6i&mD(&2geb5X-%HoligRVi*%4zxydaR_aO_SA2QYG$+< zki~sU=^miru3?wQl2yyl^y+x7a>pm4XE~~`umrSRwE;_C32W=B)+jp+xzj(>CMHIC zY2RTG4S5ozl_$%WFHl!zdtOYkEEGq^I5;c<9l~{uGC(^I2TGN z%qeo6aF-!rI2Y&A`KnE#58v`@ppwAUjEfkBpKs<+5lbsf9I>5&sG+`}o`kATDZ`R4 zE4ewiXe#=@L4R;G9E(RzwC;WW${bV~f(6HnWInNs$~}yr1}cgDc&xqO=nl&vZJ#^B zIto1N6$y{guYe`9yk$wbD)-~T-f*k%(dY5x!Ih9DSr1o&=2*n$vxT>;w0;FzR6SQn zX-$c8pKOsm8u_zl&Kj;QwJA6mI>@I!q_3pN#T!`{dmz}*V%C}*O%Rt%)$_Oj(hHg6 z4w7jg^%N!_E-GOfO8aL9Q0B_@V*b_*wV4mxpwjoTxiher9l zhM9D_1=!b}_DiR*vtzwxQ|p-y7$Ugd7pdEotDm)FChFGy~_vJEKOS{_`~|MQ4bZ&MY%eJ+{c@CI<-BAAbRSIa^RR9CZ*5kQO?fN zIZ3&rgJXD-alJ)_jN6&oX|x!Z$2eW#;Z|!q|LHZhWzMenOy5wT;RCm@;@BBn5NSM? 
zu_R&jlIYg{wn`bB^(e-;7cK`|0nB=G4Ue+F9fNK~EjK)`@YGW2y;-NYu`s@i0%Y_c z9T4chRmsYSR1}p5-~dhlx4&*>fHS}c;C=GL0|EiACn*4+e3E@mxDx=6koaemAIS&i zvGOFiiX&B#XjSBe3rJNJl-h|}JO6HCW;(HL-3dDJH{j$c|EB`{mw%c5>)+FTf!6!z zqmA?I{li5;Hz2!E4E`_wMi9ZiiqN=>jH~cjd5pTLpr|L@Nm_z<`{}3dHK~+1L%2?Z zrbWgU=upOQr`YHzXuryGYXzNBB9FgB_Vo1_iDt39SfLLDC;TpjUHt}A#FwCH6#;s&h2%yDTnAXZbS&jwJ?$S9ryBgN+1RYaQmjQb|duqy=cbII(-J z?DvFa<77ngag(mlz3P-(+C^NEkT_Gi4p?`_UbfLk`3Kykwb)e>r$;rP1$?`Bu=xp= z)zmMxCaVIkZSAtiidt<6xONdDkP_m|8tNOX9KKl2KU8zLN2TPXql8uoEfm=^R}Sxjbi~i$ETpa2umGP zVF#)y`-{UFMt;sa>r-=j0>yG%`Xeo{>+}zEumQB%p~#uY(;DD>o=U0BkC7ib(>fS7 zDVG!Wp!lv{z7<2UH(eVzS%ut?7ok2YWIg_ z`u9G)l0}HdBGFsE9I8)|Zb;xYFMPLJv++8!UYQcRl%i#>=EMj-m*D}frCKqWU zjtvBM(;m@P$;~^H=UVJ=x)PRrYt5qJ-i-L{tIxh9%4-c_$aly5-`YRO(*-7tcGh!# z4U|2;@_P(5;_CO%Z-yI_=3~`wz0&*S5OQ9WwV!_};~iaJR$b6WfE;PMk=uUV!|KU99r2%lRD!+v6A9qLCR01ZGS6Z6V~DtOIy?e@mWCkIpuRxL38mvBmyb z7DFzWbGssOP`^+{(aWiLqWHq(F5!1KxOBB@H6-KB$fZAuiQNkZn`1$8QZ9|gdCWM@7* Z8N!>-ju*lPTIfYK#~fw|5CbqK?>_^r2-pAs literal 0 HcmV?d00001 
diff --git a/docker/rbac-sasl/certs/client.p12 b/docker/rbac-sasl/certs/client.p12 new file mode 100644 index 0000000000000000000000000000000000000000..689678a6fbb4524db018f1b89b7175702b55649d GIT binary patch literal 3784 zcmY+Gc{mh|x5o#A8I0W!Mord+7_to^l5Ol6OO}R^?9132e{DY`0rcbF5nV9>wEEXtq^1J=Ei?a4sF3`04F7$BiHZ)%3m*mTA*HINsdKzR)tSCYx^45dT{AV*s@@!ILlbqKDUPx5BvB?`!cC|3?m%Oto{Jgw z;)niyg&!P(ic?zps#nRXTG4M;nza7)u{(QEU9hHt z#~^$9S|siVlUm%E-aR$5Vwg;h(~%PKNZS%vha|BjQxIR>95At=4=xXlh28`w_I+Ce zQ&i3ErpEW>rQK=_N=TP?4@OMIc!2cm%GEB`w9*-Cmc1;*Cn=+RgZhVu*rL8$W6yn` ziP0;GZw{-~N!nL1Hv@_~k-~*nf1@B&ixbq(J|HyM)O=g<0ZDe~vG>$uS5Iv2bApgo zMM(@AJd~nu+6y%S`2UoJR`G_4Dd?8BgDC?dFwyW6gFKbbS6BQp;#JW`(T4V}_Vtd3 zct#hIH;z26j~vLhJdsHn?|l^G-kadYsnW;JNM!LI|15VCzKFR2vE4=-v%!!6=w#__ z+15yH)0|Ghj8Ot@Ld1;N_@il_{9D3VfNMWq-I3XQ~5%vg@c8j9m4Jxrkjw8 zObbN{fs8~dY`voMBxP8qFW&0yZkLdL+$s8U53~J&&1c|LWWcTkMAKn}XXh87Vh{UR z3y!oO>y2IY-K~)^!Iu*OXnrj{fIT^Ip_r41~%hF&EE-&-l-`-LoErzd(-b^xqyvq|}T{iPJ zK2enmyBI)emdFu^=i7t;Ppphxtmz3G`827&pOlZ>kMO#FgxbA+AkXNl=erjwR5Ha- zpKG{~9;(rYm*PR@DLqP3K-FpS=5EwO)U?6I|)zg)W_v$h1#kE%}05B<1o2m zF5dhh&VKD{XCvGXw+qYTHQmhU#e{1_J+rzDy9vrMG>!;$ADIaSm?HCW;YmAam=KNkRnzQQ9JFs0` zvv^}Vpm0y9H{}kz*5jHGwVrUcwOm3)ILSd>J-c_Tz%8{+0sz$KGcau6W*a;A)Pz3ydq_QEkwk5|#NoIV{NPxYPj zrj?oZ9wCW`w3MXb2BiVeGq&jK>#Xt(kd;|$Vv8_Oorujb%uJZbCJEuTb~Hfu))Cof z6z4P1N149*)#pApZ}Y<{oyxaN`Hj85IiOq0gj3x_5rO8;*R6vir6=&rSJ0VOLk>R4 zR!vIz#%iIn$Xu@$U(ytEZMZ<4|7r`tYQvUxmxZ7v`6 zm6D)fzB&O-HL;+n<+k1s?eGyiryUDaD?m*OxpzSX5=C92CJk`eb5o`wq*9qkFbzC+_&jKBEn=cP8l z-HPfv%C3+bJb<#eoFQmc$;!9oi;e&|?oZU}J{R#|LgBQg7WQ1BtLbG^UBjw$AS(Q6 zLRB$qSv{u{9H?*>N)CPc{nZ@z?!o1S=d0z2ai+3NVkxrapRAIdQggWgt)!u`Ru> zK~Z>>tHwBXw8@BuX^^I6f|*QxmdpvPmv3l}2xLD65S({#mYdM77S)s}{4b|sVjk04 zl+$qu`oe1Y@eLN~c9X_Tg%%P`O!>@tIgQ|A9^7&v)7<7~J{C8`)ruX9_byV>dmGmw z@21P8;&3l>qrR5jgkg_l$s+bvpfza|(R(C;)QPi|xNE0;AUo=(Gc+q}=odV2KnDrW z2hwMs32srnQ|P^I8n&9=7iM@Elm4J@VdJ=Kl(PU<#eyWzhW;P0DJIZ*0131Y{@PA| z!=8@ue=vuEin^Ep{Ej35$^VajX#Sxebz}NNkWJk0f9MBD0QR$vOgch*_hRRd!w=V9 
z@dcS8DTzFeG#tNTPc5VbRIhb@jVOnN)IY>9>@tTe=uAvT&n6k4vsUTtF<5Xi6{OJ0 zQTj2ixt=pd;AT`v&_i(@Ml23S^0Zs$S{39$b-5@?o?STlepK3Y@Jo1zE3&&kx@Y@nyzm=Uex+xC6uXeCY2UgfD}IsCGeq?9$IGAw6T z{Gg!6i$}i2>F2mX`I@IPw+z?aP*>A#m%THx4A*0Qp-YP^_++&{sOGQLi zV7tgx^XM;)QQuG72K9lq8u-XEY!U(_(ff8Ok@zgX>!+%w=~2z4bolBech{1OETzBs zCQxSJ8Yhl{YsoPqr#7W$diIar_&&I|PV%C8aI$8I;X(7XoV@r%sI0s!zkG?hOCZU?85SQClQJA6bz@r>!#c*)6# z)o3W~?7RDS)n)*Gm5<^Frdp9k;9-<(i`E@ukj~o-~=L zsY_fT*ejW*E2z8WjCe1pT7@^bJiW0SV(4!LD2qf`v;V-7jmnMLKSxZ<66kSEQ<;AUJ9Pe;I@22UQKI%UEq*i|&Cj)hKi&`tEt}lO5UgC|+&sX^GR$Gbb;JR9 zzoqF%Q1t`5gLoS80oK68^Q?e~vS57DVBc;kb{3K}p)D9Z%rGYK#D65L*v*bZX);!g zL1J2L&10U$M%c2JHq;AGkju7yml7QlkP*^Af+hFlzbJ{RA-lDmXKZF3u%y!kg}OHf zf5bjJ`s$6T2yr3Tyj&M=y{Rc+=!=`1G+1%hp@Jw9&mXyFB*jvO_96@*ZY`>;>jGpw=rSb~*s>)8CRRsCf z#~s()s!{dyBQk_aGmv-l>l|1r#qs!HtpfStqf})kOVbK7x^Pw66fpt0(-^zf2w4ZJH|M9H$;STdl$>M zF-CQ>o_k?j@kL@r67(iE=d?;-Vy(pD`-=8Kfvj)!T}`zYOlY(J-{6)jf5k?bhP5kG}OGbfWP;Z kJD0LoYFwrBQ-3o?Z7bD2TU!N!{BHii{$>pf`{%*_2UctRt^fc4 literal 0 HcmV?d00001 diff --git a/docker/rbac-sasl/certs/client.pem b/docker/rbac-sasl/certs/client.pem new file mode 100644 index 000000000..10c3fb570 --- /dev/null +++ b/docker/rbac-sasl/certs/client.pem 
@@ -0,0 +1,89 @@ +Bag Attributes + localKeyID: B2 1E 9F 8C 49 1A 07 B4 40 90 20 AA 36 45 DA A8 90 F6 1B CF + friendlyName: kafka.confluent.local +subject=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +issuer=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIJAI15+BMGZeVyMA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKdN7qJYpPRbX0zStfBA/u ++222HmtLKLxozH7iDfdbt9FWYkQ8ZommSYaP82rcwhSpOkEw8NajyHMGvCN2emYM +fDCjUVhoyvNVEZYUI/eetCYERYbqUQPBIbZEjGuGaam+5YsM04RuWjecq+yR9E9H +hklQsFGAXeRewtzUmGMNUUJQNrQZVFF98HwX6EZ8FSzd7SYvbRIxwcs4QwO+AATy +rQcxvgdXtDyPyTGQ3X4Mv0Kr17tp4q3n5Km5OmFGzdYuplqCkSXnpqVVpapYgj/7 +PxXvgDTy99QfSxNL4Erj8WsnEcbxlnDdAqRDDbbcxMUl3xNNLy0IFp827ZbOA9yp +AgMBAAGjga0wgaowHQYDVR0OBBYEFGXfBpKtF0oDUL4GyuhNcug60e4nMAkGA1Ud +EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj +YXRlMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDAjArBgNVHREE +JDAighVrYWZrYS5jb25mbHVlbnQubG9jYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0B +AQUFAAOCAQEAQ8O6Q5wB8MdKc+xI9fBAq74H3fM5M0lbNnvCWpiiTcWlVvPUM0S+ +NV7PFF/bhYvxMzeEoZ6p4XjEUGprdNbuj3jauVdlZTuYR+J/P8fEpUmTqflfcTyk +Eh6t5yF+WQ4THGtg6/wYYhn6xsiNrZZSAHzl35kNjK34fr5rodyeE6Dtea3qAT2Q +GCk4d8U6ijZ+1A4DzqmGZkSynm4jeHMcDHnrtwXw19PtR/vi6vfHDALs0n2SAkWg +reS2orzR95Y6Wy7rh8iEmHUiiManskDzdfz7k4fujcYj2zBo1GL0v9Dhxsj2OVI7 +c4teSweVqgCbuG2WPSD/D5tjfeykF9/jnQ== +-----END CERTIFICATE----- +Bag Attributes: +subject=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +issuer=/C=UK/O=Confluent/L=London/CN=kafka.confluent.local +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgIJAMjkZoJ9cjSyMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG 
+A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUjELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR4wHAYDVQQDDBVrYWZrYS5jb25mbHVlbnQubG9jYWww +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0uyqRXnT58mVxwQWJdiBu +AjgmFpOvzBR35HrwfRpqW3EgHtw4fsqCA9PxbX2ax4wG9e+1i2OdYsg24fWgh2dY +5REyq/IchGtL7zE/6ED1iWnPO8QggJZ0xSBrTjtyesEK7pyyZ+7VkUGsClZLlear ++E6zenJYFca+RFWyN/nazRUXhQ6fkP8usQPsP6GWT6PjBmO3Ti3suDFC/NTTy3Re +eF7WAvkrUuxFWQtl5PP/Pumvx2zNrTMMHSlsCrIU7TmNGvZCQrCcRiIBmqQ5voiO +THvSo0jbAXde2wAXWPXVv/vz6D0MRwIXZSCEM5HBCdDEl8dKqdbB/N48xzAQhz/F +AgMBAAGjgd4wgdswHQYDVR0OBBYEFG80gaFck0G5BSFtC9DVkvGviXIAMA8GA1Ud +EwEB/wQFMAMBAf8wgYIGA1UdIwR7MHmAFG80gaFck0G5BSFtC9DVkvGviXIAoVak +VDBSMQswCQYDVQQGEwJVSzESMBAGA1UECgwJQ29uZmx1ZW50MQ8wDQYDVQQHDAZM +b25kb24xHjAcBgNVBAMMFWthZmthLmNvbmZsdWVudC5sb2NhbIIJAMjkZoJ9cjSy +MA4GA1UdDwEB/wQEAwIBBjAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBANwyw65l8xzNF0U3kZBtmS72xUaEW9fXeeaguC+oEnl5e/gY5Buv +H53KOeIgWnHzyr1yxAiIY3L6FfNbiPT3K0iD/7KAsE16nV8pGA2MSS1PSg3YLSyl +YR8kvzmzg+8uEpK7OmJ+DCfFlgHBbRjlEN06wK4O0fdocc9q7nD+4oAMGMzfzIM/ +V6Im58cB2IQWmqxOsAQJ6G7d/Suw65FVLzwz6Hw5p30OgZcjD8i8o+PIQfjgT/RN +JpO5FHCDGNlaBeZPzB56YR+YKNXVtatpBAhrWbb083s3mBvaP9mrUy8F88m6E6Pw +B4wtxqaSIjxf0bILrS05bu7oX0WO68EAOzI= +-----END CERTIFICATE----- +Bag Attributes + localKeyID: B2 1E 9F 8C 49 1A 07 B4 40 90 20 AA 36 45 DA A8 90 F6 1B CF + friendlyName: kafka.confluent.local +Key Attributes: +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIzK+7fIBmsI4CAggA +MBQGCCqGSIb3DQMHBAjfDj7A+VD9SQSCBMgkHhYnIOhDSaeOYv49mfzdEcgjyPRb +UQ9Q4uwk1uf+TuWOmLo9gAzR/agIKjcowYVVOlFAHQ13g55dwp7c5ISkKLwiNAtl +5Rz/MEDLrc39RHt49tw4SZ5C58gG7qywKMIES3M/EibxLyDSP/veFHego+avnNHh +xQiHQrZ84MhCaNpaWh2yZ+vVzAzvTaJhWDMc8o0ciCq0cW9PwbY8ufphaez0dx46 +5K3Bxx9qyZs1g0M4t2wzbObOlYbh1lsHGxpT6e941JLGSvLwtOitYCa51Dryyon5 +ySqKaIpA4Tzo5aMTstFt3xwYkq5Mf4XR9y6KoH/MUnlxIvtkW/KmnF9WsiwS2cna 
+H5KQVQ7E8povmIJCRXDIEpgtr/Gs3zaRjm55C3OJJRBkmrpaMPzWrhp1Y6JejDBC ++/RdR9tdNWgBtfpsfpv1QUAXBu3G9apJO8ruOIWNAjAi4ud2yfn6nZ3NYrY6NxNS +pgZUw3rwN11xHlqn3/FOiY5+1L5ECfnz5j6ZN1mHEfDq7okNa/NtYbIZrXtfL0Af +7biB+Bsb2T2oiWxy+qcsFOaOROUE8LZrFORF5JHvW9aKaktRHZ29UCW5MUWv9Jmu +ZFDoaqTyAX1lC2lx6mhaiRpDVS9klFRXT/XgbOIUe3IL0XyUwMpnHEK/dRldGu1e +TZQwkhDO8+mtuzdMlbUdTDH+WItzudtYfAqfi/kyergaiYdArNh0XAaf/9fly+5w +9toWjtmEmnfg7tlzvq032g143ChSfxAs3Q0tx+ZbBDlw60izc5QCRpc9GZEKY4BN +bzuR0bwAwx5wi/6SPpD4i2tU/zHM2iAeQfL/DUqY9xQNX3FbKVUWuL/1hfPdCxha +21RqcUiBmY8yTNm6VZB5cGDGyGIUmiXsq1LTzHJFK/Y/nE0YrbeXrzAe9cWSxfoS +rSdBnzVd73GaVIP+cfb+4VgwIvACFR+s+X8XqfnuZjytEkltzLdoN2kLpp2pShmy +Y+gSKjR+roBrRhG+gmp0/Nn81CQGUzRANQ1J/3lUvqFoG0z1vk/xPLUx7Bcwizfv +1JnYSPtj/PO1g1SK/PeKIPgd/yg11oPAktWI+XqC6nnXe4g5K+G4HvhMLeuIm6qA +i+DCGrXFJe+VyD0r2TRWzj/YZYoaJP6/ezhQxTwk8djVRYA4GrLuhJgmIQx9P7zZ +fyeWMa3GJcZUB6qrNTaKAwirEgJxFuLAL6mJapkmBmWT987RE5JIEAPBFWyWTlj3 +/RCFU8FZkHOFejhFt9Re5TbAUUTmy30u1GDsaapa0t9XzkTVc80EznoxnPxShPHq +7n8BU930TNyqbd4aKDvtfx+46czQWZ+raZ+mfQ9wg1H7UMQ7r4s1t4ZgkJr3h+ts ++WtIacoCeO876qFyH09+DQkG9wimUAKxIQus1nTeXAcMf7AvzFITxYK09mA4PHUN +uGLL6/abN9pg4GywbQgOHo4sPZdxFtjgpobinHovP3semgTrNWBPa4m0d1nLhGgD +zwVfc9ba0054mYV/twOCgFK+ac9Fmwk5RvTyi1f7ZGXKgYAwPLyM/KRxJm2z756K +JQT0pY/1XG4xGHdV3G6kD06pEtqWlEa0YJp3KDMFpDapHRJfHWXWVaIHZjFwbMoZ +2Rc= +-----END ENCRYPTED PRIVATE KEY----- diff --git a/docker/rbac-sasl/certs/local-client.crt b/docker/rbac-sasl/certs/local-client.crt new file mode 100644 index 000000000..9af54385e --- /dev/null +++ b/docker/rbac-sasl/certs/local-client.crt 
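Review bot: The first certificate in client.pem appears to be signed with sha1WithRSAEncryption, judging by the algorithm identifier encoded in its body, while the CA certificate below it and the request in local-client.csr carry the SHA-256 identifier; local-client.crt shows the same SHA-1 identifier. That pattern usually means the signing step fell back to the tool's default digest. TLS stacks that enforce a stricter signature policy may refuse such a leaf, so the test cluster could fail for reasons unrelated to RBAC. If the certificates are produced with OpenSSL, naming the digest when signing keeps leaf and CA consistent, e.g. `openssl x509 -req -sha256 ...`.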
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDvTCCAqWgAwIBAgIJAI15+BMGZeV0MA0GCSqGSIb3DQEBBQUAMFIxCzAJBgNV +BAYTAlVLMRIwEAYDVQQKDAlDb25mbHVlbnQxDzANBgNVBAcMBkxvbmRvbjEeMBwG +A1UEAwwVa2Fma2EuY29uZmx1ZW50LmxvY2FsMB4XDTIxMDQyODE0MDY1NVoXDTMx +MDQyNjE0MDY1NVowUTELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR0wGwYDVQQDDBRLaXJpbC1QaXNrdW5vdi5sb2NhbDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ9MxbO7AK/tGYe8XegxIS3t +ShhqdokCQOaCRPTyNC+m97/gN2HRVyRzZyA0OSooBBvANpfWGYe5JhglRmWIOvPI +flE8RJllfeDUN3gFHxNcpbuhlsvuVWOYHcXkmTt0L+grF+6gupL6ajOGmd3XU+8e +7MoOW/77+diNXP8W4LQShtoycGI9SJTTjCfZ9SvSla87cjaTpbbd75MW6mNJYYwN +RHW7Gwb3N58KGZc0Yx8KE2pS7y8T1kUa7w7Rn+7AgIxYoH0EiTjyIPeO2Anc7FWD +mp6FBmMFRG3vhmpPq5DQDQH1S5WwhJ5+PWlh5wDkuWpzkKi/ZSz/1HwThiM1OJMC +AwEAAaOBljCBkzAdBgNVHQ4EFgQU1uWkeFAuwcx0i9yodk5qqmtWQK8wCQYDVR0T +BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh +dGUwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMBQGA1UdEQQN +MAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEAHHUUtb5YCm2XPRjYoOdG +dKNPEBOzxl5nRrrqpTc0DyTGzsXDRhrwVUhPWtKNgWc4XBb4rPZ4mwBCaoX4uPh8 +OfjmDti+w33N/iXoz31pGkwzCpsbFY0AxEQXr1z9KEf0jg5K9KufmmAczkVHB/vY +CZW7a/ZFpUdBvIapffpDxaJcWfdj1aTmruiaWSNHhs8cBYfX2reWIPPuWLJC/s1r +DM5fk5oDOmPekIjvQrLRm3ZYgxfrk5z4Vavz7RRnUSpcRTqTZ8b7QyPvYnVnkVKc +lpAeMNi0pIKJnV7O+SZcuIFEaXz+ejLFPWSQEKYH3LI4BVepu7N/P7gZvp80lggz +ZQ== +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/certs/local-client.csr b/docker/rbac-sasl/certs/local-client.csr new file mode 100644 index 000000000..104ee5bea --- /dev/null +++ b/docker/rbac-sasl/certs/local-client.csr 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDPjCCAiYCAQAwUTELMAkGA1UEBhMCVUsxEjAQBgNVBAoMCUNvbmZsdWVudDEP +MA0GA1UEBwwGTG9uZG9uMR0wGwYDVQQDDBRLaXJpbC1QaXNrdW5vdi5sb2NhbDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ9MxbO7AK/tGYe8XegxIS3t +ShhqdokCQOaCRPTyNC+m97/gN2HRVyRzZyA0OSooBBvANpfWGYe5JhglRmWIOvPI +flE8RJllfeDUN3gFHxNcpbuhlsvuVWOYHcXkmTt0L+grF+6gupL6ajOGmd3XU+8e +7MoOW/77+diNXP8W4LQShtoycGI9SJTTjCfZ9SvSla87cjaTpbbd75MW6mNJYYwN +RHW7Gwb3N58KGZc0Yx8KE2pS7y8T1kUa7w7Rn+7AgIxYoH0EiTjyIPeO2Anc7FWD +mp6FBmMFRG3vhmpPq5DQDQH1S5WwhJ5+PWlh5wDkuWpzkKi/ZSz/1HwThiM1OJMC +AwEAAaCBpzCBpAYJKoZIhvcNAQkOMYGWMIGTMB0GA1UdDgQWBBTW5aR4UC7BzHSL +3Kh2Tmqqa1ZArzAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl +bmVyYXRlZCBDZXJ0aWZpY2F0ZTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYI +KwYBBQUHAwIwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB +AQAif/KD3wZWFZL4xUtjwKcRXm0QsQ07sgapkt+TM6pJxNMSrtTCV367yyqX+/// +JBijEXFXCyGSKVRariCNJBlZPpXT/7EcOafn6z0vFk5Lxy5jIrSKDfQBdQN/D5jA +5hn4clH0HBBa2o6x+D9F60T6O02Me4JUUud366MUlwMDVjF+CN+Uvfv/HPz8pMs0 +W1pU6nkzpafxoWYVdpfbhT6zZVAxvWdu2ZPiAsrh5WMz+Qh1Bf5waJkkew1Fww0x +GQwa2Dkkw7yjxyqHV9khXcsDqL/mRjhybcYwSBKIxjPs8mvAxxqkBuCQH3n+OY9A +OnZcIcEVnZChGpisWlkTxAM+ +-----END CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/certs/local-client.key b/docker/rbac-sasl/certs/local-client.key new file mode 100644 index 000000000..d708fa3fd --- /dev/null +++ b/docker/rbac-sasl/certs/local-client.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfTMWzuwCv7RmH +vF3oMSEt7UoYanaJAkDmgkT08jQvpve/4Ddh0Vckc2cgNDkqKAQbwDaX1hmHuSYY +JUZliDrzyH5RPESZZX3g1Dd4BR8TXKW7oZbL7lVjmB3F5Jk7dC/oKxfuoLqS+moz +hpnd11PvHuzKDlv++/nYjVz/FuC0EobaMnBiPUiU04wn2fUr0pWvO3I2k6W23e+T +FupjSWGMDUR1uxsG9zefChmXNGMfChNqUu8vE9ZFGu8O0Z/uwICMWKB9BIk48iD3 +jtgJ3OxVg5qehQZjBURt74ZqT6uQ0A0B9UuVsISefj1pYecA5Llqc5Cov2Us/9R8 +E4YjNTiTAgMBAAECggEAe9sKICr2ZtJ3NiUL8ns4a+gB4yfrj60T3uVMThJ+5snv ++NyQ0tob4fhkJxLTm2ZPg3AYQkexw+f9qWpZ6JlaFK8/H1Q3lfjmPUdi9UsuFTTE +mzUQ9PASrgPYqkOJrEMy+FWBHwUS6zIOHo+51FUWKmYl/xfZCVDKukd3FdKo1PgU +iQn8Rn7g95a1YxLBkXL9RUCuKrp6M7kawRWirvzgcYm5l0ICP6fzXo6zNr6d+0v2 +ZaQa0MzIpGF0/1Vhpbh1yvbT26aJhKZ5hnG9gbiAZddtn9KLsu3mJgc5j8bjrlTS +Nm6rgLkNbF87u15uv80xMnotm+/WR75JEEv7dvkbkQKBgQDO6zWRymOTA/JKp9eQ +qm91iWawp2uWX62WY/iz9WTAAknEMAn571Obq/y2EC+EmkvWg9TJeEqc8DxyQGSf +VDQIu63szEadYZG74b2Z0kTt8eVW1FaLyqyiRdVqXFwAO+lI86/Gy3slp61kohiM +2uQKgDSm8oaZCIUww5RLjTEF+QKBgQDFFfyd4Y/4FPasaF7aESMlVNTLTw55C57n +r1wXAXtFCdc4Q0MlO9yGwq99mE11OupFJt5I+m08j6enOvu9j/j5hMVBPtCTHaXY +qJ5VrVeVvJRs5nYGDM9/L0ZCBWsy7e0ZMmexS77c9wYFTbLqrIGvgSamwsecFvOV +kKatxwXl6wKBgQDAUPzJNEK4McLQgI9qdf6CT+KR7gmhCexdCy3slPe/PmExZzTe +iAI9feyzivefV4mFJ6JuXs96bg7AYfkj3S8/rrBIltRLEpRQ+88tWLGYNmvh+Bk4 +dHdfm2hwIsefsA9zLosBSb57kQ0nq0EGKawp1l8Zi/Bt6+1fFWiPj/swgQKBgQCM +BHLUN8vwk/QryHqaslIl037ace/2Tys1rn/eWE8bXUJp1l99tGmX0/iZYfqlrpWB +S3vgnQm+XNDfHih7JC3eF1WMZPQJkKaipijW9a+j0bYhKBnxcmh4Ez326aKfLCmm +HQlODGIs2dKNMgZKcwQvi7HKB9eILUYgnAPOsfaewQKBgBzJPIxDvqJSImcPthD8 +u2itVigrdDTNzPNmJDsi0RkuW68Bg+PLTrJTclNPhBjKt7PPwWGb9k/uGNZDyy5H +FncMcIvnorPCRvjo3W+V0rFyXswMawZvrWcBTeHb9kXOStrbBQ/1DPrknRuSjF4Q +eWHBgDv2YH1UzcRFjJZ3ZQYV +-----END PRIVATE KEY----- 
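Review bot: docker/rbac-sasl/certs/local-client.key is added as an unencrypted PKCS#8 private key (`-----BEGIN PRIVATE KEY-----`), so everyone with read access to the repository holds the key that matches local-client.crt. If these files are only fixtures for the docker test cluster, say so next to them, for example with a README line such as `Test-only certificates and keys for the local docker cluster; never trust this CA or reuse these keys anywhere else.` Generating the material from a script when the cluster is started, and git-ignoring the output, would avoid committing keys at all. The same concern covers the encrypted key in client.pem and the .jks/.p12 stores added as binary patches; their passphrases are not visible in this part of the patch, so where those live should be confirmed.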
diff --git a/docker/rbac-sasl/certs/local-client.keystore.jks b/docker/rbac-sasl/certs/local-client.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..25434c8d46573a8b6e696f1df4a7b60b0970c037 GIT binary patch literal 3855 zcmY+EXEYlQ+lM2GXpC5~YXuD*B&9};piz63*t2HTDy3CBB&ZriTYFVYl)v4YRja6K zQCq53sZu*M=F|5*@B2LG`EZ~6oa^_y?~fOXz{&)q1EC18ZV2=uNr!a6LdQT?NPsnf z39y>KxDrL6$NyJEZv!UKTl~eh{*DoZ>Hn^n8R>w91n?1x06suTK^XrZ|9vh1hW8yY zDYQ9u+K+^ug9gt1Zatk4>jHuRT_#`xxR1J(n1o7vEo6m2Ov*J}>f$rAjGFIaTf+CUN@uhVEVo z+LysoA)2|4J@TAfXVWMs&L(kyja;QWEXtuc{ob#SOPL=jGi}jUrVsV0t#cBp6bAZO zluhspUzr>>zBy{)D-xo~aZuOq{#d2KUs|Y>Px6DYhJy+i*02N;z9aBJ<( z`+86A;s;sDk+ssEef#fZzR_+5Ts$M|W1iMwR~E!4(P5+e|pMr1?xmT6Ad&t5NeV$iz7?{Ems+ zxNOHycI~yjs)|3!ExzX2L3OEno75B28oJZzDuQnh$ZVY9RxM2&W#rjkENT+ONoAd2 z52y590jb9{t2VXDAC@51ailx+OhF*c+e-yWX|Wj^Jq~*r;HVi6#wi; z{vguf!rT@Vst&hH5NnWo($+)s1=0LTnZT;42~!i-vf@OMlBJ0L7t+lxR(<+aSj0==d;JM=${+?dL^VI# zq@*#$WppT~0p$CXCz2-0I6vk~=IOPUKKR8lrJ#m;&>2l)+v6(N+-}d?>n_-y^EX~F zHXXQ=^u_2fBO`^ZSFa!A@Ta$;lcn3vrbdz60j%v^BG2pcva7k#?O*$ia-5I znDExDc^OJe@|stYj))Q|vtuypln`MM`rLin(N$}bZmB4RE9jao(FTi$(lKkpt&+Qi zk=Hw=c7oVvoZ^^0P8Zg=nHCHK8GmOv4tlF;2V!jz^jj0}!V_z?qEB=h>376ZSH)xL zd{vJ+QgrWrtbW38f#kA=M~Jg&iTlK2PV~9u0rguVsvUf9W;@-d>_GXw@z*(q zX!V&lJe;RXF_T&?Mvk1dA8C#G5_1NVr=9-LU?&N~)`%~Fq#@f3ML%r7ni48^;Q2FU zn(x!SuYJXF1>bkKq|wWK*uZxSs#ty#^Lug_cdGQGOpH+>pTqH7OPH>1j;W6N>QeNh zlsEO|y=E#ZCr`B2(#X#{?F}qZEXPSB1)G7a*?yJOUlEt0lwb+uQn)w7-boqhhkhCp z^bfYvEsT>K8>6A5JJ@atw*gdR?(}!Pn&A5KSn0N?yIpP#vl!wD#5 z@yHv>xSYXfHsWyJM%RB#qBEwOyMV)+^Zhs4f>PAhCk2&`mE`kWwk7$dU2fA49nf3q z$+!*N)@FqscNNB!76L+@Jy5OHMjjqxO_k4cFtw?F>fBf;8 zzt<;h(fxnA_@u6;6MQ^~sb6Qv#kvlWNj5&nH#bHqRSrWRTB;5~jYPFqT^nu71s4;3 z)KM;;p9Iw?KfZplgLbS{2(U8kIh6bZeEmXYh6`Q5GBrY*V=8H>9CHD8EILnG3NhTv zpvDZZTHzlzJjbuU$zZmQ5oxoEdYM&?C6@H8+M7~5yH?Vt5J6+N`_t{g?0+~IsMGBJwA9F4#vXp7O=*Cp_#Bvs{u||3P zFI&BR>KVtLA0BFW%I%(C*YYnEO6Hc!nC06_5R@eoC45Ov%sWN6kjr;hbCcV)5b%nB#E&>39OXjrL7s*%N9(tVMojyDkLo7)iN{w~Lm)pOuV 
zcWo!;mO+|^FmB-qiN4ljAze>AeBnLO)GJa)YC1JPDa^7?uEOWGvj0ZSj#u_Zk&w`5?8se7q>O+Qft6TaOw&bZvlJdX5{ z5uqSUlcur>etrC4o>Z)ra$sm%-Uc2PRS>SP>gWBzobjeo?L(C(kn`q*k+VMByaUlf zEV;kJi|vl$>qaNIQY7fT;>wxjycrbsA%N;l?a<|G_ z*(h_$@iPDTO@=9RbGAl{IX98lP0eq!G2x;jWOSkW;xWp}XCz)=u!^g#*1<5Pb|b0q zW8Tc~r9G&Dl=RyhTBCb@WRY}hhsSREMDOkO$2c>@Mm1MZr+g^gcz`I6Kc9Qry;`Za zN99bFAESKx7-qw0!JxX(uDWQaZlZ?tN76XBJz($X-g1V==$4bSLNQ0mWQnxKA& z!AwJx82!m@tP-PRWhq(2u1rh_Hc=afgN(ut56o8oJ z;y^qUAYieO4B= z=P=*#bpzqG{>sx@=+5yTYe;}*D%D2F6|5{`51RmgUf#SifO#fn zMC<=%R8YEm;o^qc;@boURXz%&hq|SPjgAmU57mL-;#hUB$#2c_<)R2`d0%G zrP07ab$CVE2Hze{a_DZ-b0M4AbKtx$8yYtc1WW4XP@rsv$Of4g zv*33vrRPJ*ukQu%gLTWCc)_aWlB(ooO;9cJ$J?gxylU`m3A<%eJ=}0=OiazKE??od zwbLE1RL&&t(aNg)gG8eQ?SIE}<5Z-}dN* zIHdB$b#%utIQtPsJ^Em+AOJfW@+uR;b^ z*ZUKPoeeDs-V+cm#5}NSHt4smv-ogONilD3)Z9^3zGhcr;H_LG@(v@x-Vn!>1UcE4mXal#oU?K)qrbS>m_jy&1A3^QtH<-r_d-hlqd=cp}zzJ z0r}|xV0e?DU`G(?S0-JVC`>;}ID2tq{WTa~a(cR4;LLq@CdQ&6=td?<T5Kzlan8C$Ib)l@b#H{;tA*2@#Zol=8nXP!W+r!60(*9=kU_v6zvVm>duXClAVH zNL9}yl33wOsRZ|v7W{>$0%*I-#=~&q8_xQZZqaqa) zp$wiYe!_QPK+FSEaeJDfa5&9(G{LzHLE2m9uH@#NsVpAFNHgFU|#!vT*1q$shmhw*U8=KgXA zZ|`+RBA(#>LD`U#)aj9wmiuae7y^AKFw!HXr}kX}@tIvPoSs?08C48)Ya#`0-4i zBfI1FobYGW-}A@?zBbauBlFxcrcK#Z0pkt2o7<-%0qV^;>MnPLip5>*zRegUqI7e$ zl31`9WFX-o(YerA2$DOdgL}oTq1|UNT2L6-CvPQ+Y1i~e4p#EE4)oreQ7z4QJ=dt2 zz@CLNtdR^)9do4vC5DJsIb7I|yi) z-Ld#HdCiAG+&wC_H_25~XZl7z(R?9tAI+ZTn?qv7f|_oMiO(?R+AI&E*qb{gL zaI~egAFGGP^xUlDbuwIRIBCeC?9k}jsQaq3WT8cg3TL?3J>AA%OX-kn1hzV>YDD#H zYarY|=jt=o1jdDgkZ z#le)=;v8aV>0OsAfnAi?>F`|2hQD>V^bIP*lGQBvFDrn@I_sK6jZ2bNJ?E@Xm>b_X zn7O_e8^B#?#cSl1IseX(aZ~AdnD@Te>Oprf_NH*-h}lvRC0uphh^CFB{n}1a)30Eg!3_+J_Y5LuL75?UyW(Kd+o4z%$Jomc8*gebrv=JdL zz6BNnKD1Z)EiiRYTf5Ob`4{nfH}j7}yp+Di-CG~;IcHwtM#?<17e!oF6qAhHLL{_q z4V1XcYr>EAidwr_`W=Ce5)aNvhWS&_bJ_2Mi})UgYUN4sML2vD6Tg|z(N({-n1`{N zJrg=g8@E~8sHKD~Gpq`eh|gD0*X8#iyJ&zUe)7hJQFkQdvKDc|3vVOe_dWBw`HL zS}4?;9+p;`9O5%DTCTV>b5}N6^z)9@N;kE$zPZ{#<{1SJp7`tIZkLTF zcM24(F&VzHIOT*;TXSzZ@fa4Qo46ek3S)jbtVMvcvFpIXlK;49$B7EtFJ+9f*{QX4 
z$A9#oIeeA%J@)8^pH#iSY?i<`?d4@%{COKxq`cfO!m2Q*pO3cmh*4y$_T z;6Ouhz^=rUhG+a8&@9wvE;+o{Yr{C;jKSQUU<0r|Ke_r?BvD|03-adcgn7{WSinGi zTe#)ZsuzS`|4%D#ae zyNDPqB6>lK4&Ct<^bR$vpWHKR?Z(J1(1pb9qJ9EL1B}8mR5I{U&h4MEDy&~M=@V57 z4z?WRU#Gs>o7NxNNfZO5iQ68bak|ors~&2tQ5(yP-yPcNFLXyW3~Y65Fy|2iR_IT7 znf4gZqX+}rpN2`0)Sj?Krns|FW>;usS~hV`+Ia`C*M)F0ylpIC_b zCN-$@%^sJpN~JceFUPU$s#eQ&oDZ9%nfP6zwDjl$W%0HvL;zXav znld%qKsElXZHSqTl z45|{bIVR0oY+P1VeCJ_bFsFo4$l1^2ST~!H>jw({qJ@@(360BqHB(H#U&mmlW?nWj zC7xk9HL&yJ#v@oozI|c7);2Ag&uok((5m@yR{jj-`;V(p&$dE0jdU z2smgD3I}cdKZ^nWV=)b3w}K~&H{bqaF(5c-=s)ue2T6FWN3mI{+!mc(=&a}v*YL;b zLi2Eu11;0*hD-^cHMj2CdKHai)YzA+u1mqUbCG(^1AKV|plRj+N>_nnv^If#BGdC) zd2WhMu>Ht?Hk2Kk-sjfyEk@>tILa>M`$C_7IZ`$q-}}m1bNg6z-h#K3mDk2I5u9^c zo7?wtw}5C${xqP(^JyX)d#ggfr+w1>QE%rf;XOUm=bw#(dq=Bi_IvAR%S;fTe&$R3 zaNwSk3wPe}8zC09I4jKUQ|0;smSsL7&n_1MDqw<548%=@UvS>VeT`I{(ouYUtcy&V zzK?G3q_96_-kOUUWmf-+5LWJHerQD;YgmI=N$Ud?3v;p7RUCZ&Ewx9H@vO1dmdUsx z2tQPv?`-@S9nS-Pxu0NFLXjjuRs|+e3%oO>HF`&N7k2cV8(77h_+AWGEVP?A2P zJ z8O^X7N&b0m)UIF6rKQ-Y7gH+e6UeeLI4-Kbk;9XS*9#l;mFh8-r1IB>wRGBEnr}9d z?$xFBT7HNs;givGv3NZ4##(UN7c64F>^Vt3*#qURWkA3ncVqtiFdO><-u*P`By@vZ zOQ5s8&52d(nDp|Cf4&|$H}{}Ret+}LjkV$j21#GWm1v@6TLN$6+UeJ6? 
z{VXAvn(OHBilwsBRh#zkkZQrIo2fXK=H&W#GcUm>vti^Q{}mzhZrR=6A&<6BWp2#3 z=+Mlnmz0zZ4AP<5uSs7he5fp6!OBh2bYXTV-HW17c$K)_bWU}@)P$fQ1>TA?Hus>N zpthO5Ex$e<&b0p7F7vVCDgB~h!-RV&HnM$&P$om0(c^>rQN<|tiS0!WZltIPJa1dR z+YRb4)MKAs$rud@!Kmy=SUy9(s>mgYxt%)G9!c9Gr-bryyZ4zVo{SeMrysEhqtxe z=|pkUWp6dRty)5e@&^OqS_0Ixe{)LVjd-F)eT$lsBJ}qNe{;~2rp<>VjNBws0eXHa z!Q!7{xmfNm(Q7QyVyyNPBj%?w_9Q{DkqT)VaHFYU@VqVWVfty(S)j1Dfp%NcyT>dk z&8^`$8{v8xY5^%Z1HP|+>`s-`*H<+0UCrb@8HwL;7gU<$t*YN9ZN74v$+Hw(VJl>q zkcJ)V-DbaGC;sl?m9YrUW;$x%=e+h^<|) zm?7&BRWg1hhx^2p;j*+Bd-Yr;#pIZ$ZdKz-2LF2CI9>YF1iNvY`>5tTL3EJz{ywcx z2!Tb)!si7jObYIdG-_1QwnFR2yhch}sgE)5LT7NGRe8z+SYhYhQ7SMfWgMu7^mVtV zpnCd;SxO7a{=e-=!6*ghq5^mU!T|07A3!L;7s~rDWRhYAF_M`iWDA_7R5Pxu8hBh1 z%1w3O4ML@$5GVyHi6|II%titLF;bnoqKY0pc{}D{)Trmfdym==FAgGaHx{Wwy*sD< Hr$YY=MLX!W-ci{{ms@V@ij^W%I z)liGzn)8&WrwkRk#CZ6C9z75WG?2Nx_e<5N>ou-BQ%`!+?#w!LecI(*aAU9E^6R}$2>lAy zzC^UMe$XyOD~X2aclCQLMH+c0mVNF?nrG+I^pw zlnLFQ_z6Ng8c|elE@vSpFt7<`mwHHVYBb68UoHvRLAkMO!jrt|ajhtE5t(4wv>@@p z>U~rCap_Ik_v_}fYa42An4`t(+e(%nEm#B{nD5r_#`&ek;D=3E6tli4gP2F{77?

n6lf}u^E zCJw{P#zio|_K`{P%{}hVU*colZq6{*-l*50ud7DW@|y&rF+o1!DI)gFtY48BlrxyI zx8(!ZQZw<@C(Rd~?;-rPiUAb4olP8SWSnFl@>X42T&)Sz6GHH6M=3t~*t1295<$Mo zE_POIC>7+_akivOLsrA6E!!8Tf>tYO1@fBPi~~8J7^OD|m`(2!9eU9T9qW?u?Yh*? zK_fbqCJzzQ1Wcr6#w2Vy*>)b|P@HjVasuxT?4wA(REl#$mX&yUTF2!oAu61cw^iYX zgD_0Ki4{LNDoQ^Mw_{9pCG(*GU+suWzoVb?gU#Ngp{Z9XPLEoW9dA;c$HW>`AND<(civJM(rhD=Z2losr1(JO8Kdje zpR5g+14-)D;UXz)u&F(Ml`7^nm04F2kEJlVu_#JNgin4;AhCIBxDf7FK{Fk{IA-aC zcYxj;<0~%&lzs;-pV@}+$=2}jQ5DX9zo|)}U#e#4+3S@U(?HGmc_1uMrJcZjCF8!o zs}N6f;HMXOActN%)599N$tMu~bfX1Ijd5i(aC)&a*V^m2H3mZ;xGZhWvn<5YNUdou zINqZNS#F^CjGM>PZ>M>Bv{#g)ljM0(U<^4br6FxQ%D>uK?}A0GZF2hmV0eDT(?UsB zA_~v!+)?mOo7BaqapX3=WkiPr;W)lE;kKV?rhL?)t*i`|rfrpA$bI$ALDFHWU<4qk z@^$J`>Qmj*lRsNHJ|pb_!jrl*o9X&JD>o&wTo^Yd-JBFjG8!45i~bT)y&(2rjN|dm zP($A3qF?KwECsf2*xbgtcR->RYtpAB77GaG3R*)`Vrd{KbUNXmvVJ6p6TE+sFHUH-;M$i|o z{qL#-Qwhp5$pW4O900BWCx92=34jmad#79gZg&sg;_Tlqx5F^l z?7J*cHLO*drRK)u-?~B%)@DuGg=bU`LLG#9x1DFDI*ZyGVc9lIFtVLcz48bVBJeRY3ou!wYZ@ zFCn=lhAwWo{`Q>qy|QgYW2@G)x59dYntO==W9NpuUnA%6kcXW7vycW2Jao;kDXUmZ zdzrea@_Cc^ddtJWo0)P+*Ysf!cX@41nuPW*&54oq@8-8ZU%sMkC0M4j*1`x=TkGRR z@{-F;6jq&DugPLs<`hIqLP?%Kxu4(F1UbL|lp@(?IHNuSs zn*iVRCIU!B#sUT+risS_!lo4uoOb=fdjk!U@>!{RTFRJS_JSPeAM&K;>z-8lr1dPH z=7_t{{J6yNbeKLo6*vXoO>NFykop-Ba69MugU{fkq zaBgoN=BAeo1hi@ll_vnE*+lsB-pg}We5SGOUDnJI5@3bC4K*zpiL0bw9N}21>f9*_ zx!9!5A8O) zFUBMpQ!GSq$`w{$!k$`~^dhE=Qp@fbgylIM)Iitq0mL>~D>=YPOpb^@^+JfYEKP-H zrHB#}n?5~bZo>z@HnHkFu8JiS?0nq-%VxOgRmX7eYJ!>Fifq#rPdjZCRpEjlzGTLZ z#o-)B43_e}D1juxF=w-7=lLl$TN~=`Wy=I)#~g}jbj1RLuCJ_;B;{is>-8i(djp22!cgt^o65q))5EhDf;$S^f9n;EX_ie3X zF;~H0jn0r6$TGDHO+jB4-5X->s@Pcj!|o79@Tpf;o#IK^UvtdFghy<=k(tWdQ)sY& z-*9L*dJMKn!df!lLT+3?v(?ZM#asWg$n?X{Rgqk2`OAaZ%hZD1hJ(iW3FaPq_3Z<6 zSe`MIGNAPEk+$nnE+r$l_vjeD>N=T^XYa{%ynq+E^!_ne>Bd7BDS0$SN}i(lQF+hR z?Y6#3_}jtObmGefAzSF;!hMwe-Cx)(G^!Rk5s8dK%CCKTYP0Ai$bres6P{}I?qkflTq@< z_k-hf2SQWGYQvblQq;4|_wD(h;HECUN_8_6qg{ZSTE0*=b%rXPNm1tsIe~(_O=&DK zi_9BBJ6OgjwWvEPb2}i3Y24HAiF)hKUp!vDRrCf4iR$e=(cTJe6lf>iVDu)rQQFn~ 
zcqikZ>3)GjPg2G~G9<4^R=C{JX{2AgAS#t}+naK;cE##2t@%Z^gb}J#U6hfC`le_F zd7I+aTqC^AWBriKRN&Cc|29KzGL>0~q;kILz(Gs4|6OLqGY90y$7ji5Z@mq`u|HDk zR~7RcLf!#m?et-q%rJUKfi5#)2X401RRHXxc`tSRG7B1zZbNyx@A>MX1utC2 zP9ml%Bl~5EIOJWq#%JcBO8+*e>n0M~l=ISn8REjN`~9zMJ)T$;sDDjQ!#*l4kyJ&AwLQ?rCJ z@9n_I?+=QSrR=G-pJ;yAPBiqJF5s(NwlbX2zRqh|q*ziBtvEV5A}k*N^Xr1Tc@2>1 zvcSo2W$ssDB_`G4c=PMephY6Jm`MKHY!#kn&X;ztN0Up@n?8CoABVs?;+J7cJw3kkdR1AVc_C@fkk`=-@PF|6@Kbx%A%AaMS=xQ~&D4YK4ZAABZc}&HX^4 z-;vCs$4{T7YYpj*a4vqpT*hwJAK>dKI1N=c8_JYh)85AAc$DUCC4@;IVHAt(U^a{q z4P$-rK7~!N{1pnYYQ43$IHl>p+%^9|Q5zleq@XuD2ZzUa+}~&1?;HX$pcVk(wx5?s zWq)@DxuUQ*V(OTUO`hzvMOF=itcX)$K+ZrlA#e7srf0+p{3%@tKwIJASi|93qt!UW zHghIq#@#PK`MF?Fri-C;=+Gsvn70gVF0Hm4=3LL^T)zXt{qaR&4-D9&&~h|NPKs@N zT(gpL;!Te`0sX`+4tfpu{qS1JnPEPHw#cI< zO3kYA@RZ=wE;sRC8Gy^eS>a$p0v=L)JbD5Ei0X`F_9R)2)RTI8&FdcG{fQP-83Ur) di&OmT=lZ7oP+PZ&?`RHD@JIU!4<8s)^e=7eUZem3 literal 0 HcmV?d00001 
diff --git a/docker/rbac-sasl/certs/schema-registry-client.p12 b/docker/rbac-sasl/certs/schema-registry-client.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2bbd68998cb9b99344781c5b60c79d0a9e0439dd GIT binary patch literal 3844 zcmY+GcQhLe+lLc`*qhdjRkI{&mD+pNioN%W6`@pP#Ar)fwW$Q9N{p%)DKUytqjqgt zp4Rp#tyQBw&pF@sJ@5O+ea`P(zx&*O-sgg17y)EJawvwOkCIv<#USOF9!Lc&!7vah zFboY>xDJY;=KQy!EWuENuMhWDQ&&vPqfF6S@$5<=W} z5o%FXi3Oxnz{;?7;@E8np8=Y}CT|R-BT>g082MGZf4BqF07f4`oe)h;@U63<<;w7d zXKgZ22?Q!j4p#ReHW4f?%{1nsU|}O`;K3y4#U!TqC)!bXTdYOvH7^!uq9HKVKP4x2 zXK=_@Cf?H7XX`AFJ%G)a41Ds_ry9eeovoc-?p4dI(&$S_4o^y5ELbqTU^16g`i_INs^w%JHBZ6(e#vlPG<-hL3DJn^$lHosEv#`~`Gxn_cJW zr{yiGM&Wv@C=VQNQt?g&^uqY|R_5bAgrPPZe(5@%=<_;ywJZ>3o=MNVjoZF!;E@4X zKZl%V6_#+*v~Fuui=qp9=J;mWACAknvSRxBXb89Q_x0_gce~raB zwgZD-;rMIw@ESn3QC67Q!!Pk_c)jIBwm+_PX5R|A&QMXQK1WH_9tBlq{RY4G7G1;Q zTH5{$iW?5Tn!?t_wKXDTsd95!1NlGUe1awNC+{%MH#Va+hMs0~xc*W2VVSs2;1pnz zVrweJZFqgsBD{a~!UOEiA!voxXt|}xaN;fPER~$*G0g|@z=NTA4ZnT+xl*5Os8^}I zn>o)Wc|||*G0=2v`f;Wnck_Ifex5$}@_qqr6|Pec+U+$RCL=;$6B#JsnjS0Pv5~qH zWw#~|HY+negcjFTMso887=-;A*vFEYR(q1zSiU`7lbdDA2Z7Xxrw9R$uHN2kVdUof zuWlyi7`2Ipx+s3P%8NM|468b7F*AO12+#_Ok|^F26B2SkCeu zS#cLTp#J7HWq&G{1>7H6UsowJ?AY7La9 z@8~4+2UeBz-3flo{-RWBWXhIZbZZ*Cv6PF_jpMU7X{Vy!OzeF>?|&^j!7>DJ7I9v; zLrz|#6Q&Lhuyf`VEr&zmU(;>Jf4sXyQomC;-Ee zFXoe8R`R|@b4+LM*@z*CFuKKt-G1Vhp+x?{uBuqsG-qOCx98TeHve%eJCxK zp$Bi851VG9uusmof3YB*0a{KD%R7SAt#+U@vfd2~izT88WrwnuT6H{!zeao|xR>J# zsp7sAl@z{-w~ln-1uRwEWpWiQfB!4YEQIGmM*dKMQ^zetC%Hj$iIK zpBePY40Lho(M??_=^nJFky-n$wEYQ@F(9;63%Yla0E1!8XCxWZAhGsiODU?wkXngM zCA(KVo!yS*WL~@ETfIFf<%{lXWy7IPmL|`i0pESlYJw7(3%%+x91-Qf1<^Zo#&^4_&iVro2Wd}KA`=KFe3Lt zi60HLJz9XmCyk;@FU?PCtdj4D7aOT@^Hr(}y8Sez>iKLHHV8OnS7%JOlP;opDS1=x zhoCg?lF&d$IS1ESx!jG|oOjP`9@ci#+Js;gGCm(aoZH9Q~O3ukyK}bta1X_aa zYDg9td-a+V8seGlr4Nr4AeD4;-vat3HoaHztr=5_sl*I)LIO-maTno5A!oeD=C;i?9RYc=dh19>|XEv1%DPk=&~E{&CAmFj|G_nmo8 zL8_RFd~K*a@sFBNy*$fAuq{`An}b3L8Jke#VB!IvNQqj)16Wy6Aoc{n#e+WQq?~Y8MVR?!l zfF$@T 
zG5Cq=bL1WRKBEhuePJEi6J06IsPv8nHv~oG85x&Ls7`jB%iJ!i5VddleUf%Jo!O1L zJWN%MiRn4gR^I%Wo!vyZcsiwi+n+b-h4UU2Yp!4s*>*D9!@y&qXVg;eWm;A@1AI0W z;aE*dpG z*mUXdcf5Fb#mzM2OzeAG=PK#za3-QvafL^_z?6V`&G+A#-olJg>Opk62V5MqR%8sMeoJ7w!T2>B#EjN$#reB=VPc2ZpRD;RO1%*j{O}5XFGI z&F%^c#pHO7eqe4WEwWuUC^~KSGvz_W7H2Yt3i$er{_R{J?g! z(CBvCI$k;WIYZbInTk``8dde5;*OI8pKX9N%+dlff6h+g5Pzw%8e_WHSF#|}UBtcL zWWV^@(+O~0L!@$C$-pbO&m8it(k}PIiP#8STtYt==w_SHfn?)MdFR^`Iw3_T&iyLQ zUF8=tgF&A{nmvR$XTR1XueR}*-b_1b%JCJ;XLdiq=kSsJr2Kgr!#1R@#NM9^t}iU< zj|@gQA%^jfcveGu-!SXx<-Pd026l46io>GJWOO{Qj@`!K0lUa=Y+g77)Nn$tvC~1CQ zIe(2xvv;Io^LsUP@bDzU$z{o#kF#TT>`;;FOm`0}=&xa3zI|IE_?OJDRluaO*i4xN zSu_&Pfu%WjxeP>3u=rRt%s*t0d?g(*US0W`ntyW|*NzVI8hjo5l$eLxoF9;%_`6%* z!UBeZ3jP0gq-KY4P_T{RFUF&Q78>aa5+FgFqr>xUuoKku-z7Gf2A>)r9N-D?19$_1 z0PcXB0OVEj1^8c4)K!iKNME%ffM9?R00D@&>VmJh^i>YI;_d(h6b2Q5Qd5E?8OX`F pKmZE1C7=}jbyGUN^7+f*^RP^jf{I-p3UJW=IAqn7wf0V#D5CI&1h;JUAAPDdOrud*hj%NhWE|LJ+L@Gg`|Hp^R#X)d@ z{Us9nX7ga73t!H?>v7RxC!-WNH~}qIAOfhptg3&TJ6T`I;MD*#r7$sFu~I#FWM4P% zLu)|SA5=U$+tp)(#p9|sc--FONvZ#Ke5c{St)x>=Rc=UsTZ*R`e$u~lOG4L{XIIWV zXL31%nkIhxgK$vJDSG2CtJ&P?Y$#pjX!iG#JeKKRNV-M;%K8x!p%gKe=H6>hCGEU2 zV`akbHo*(JGs)e(xm~isY;{tWh)DWkgJ&ySeV13j$|E z1lJXD22!Q6Y=xNlw!3b1d<&_AMH*or_T>3Rw;2n&Thu}C2Tq^bPm+{>6~j_>{0be# zDUswcGt7~dzI!uF^9SXSid&qFde8eUwZ$n+y!4xzZvrAx2)*mh;aWic#CL$Bqi*K7 zj4ZC7t(o~LSN6Itj^SA114A}pqn~Uki#{$0$m)oaT|~g7X!FK?bzTQ?Dz3w4kN1K} zoex3Dn_M;c5vB6L7BBf*P(?OFb6|Bh0twMMnDY=`u&A>*pLOjGZ-|TG?AZ^3@vRKw z^0cZuUEJx%2shI`d)ggi+c?2 ziTRalGmm)OPycJ!Stk#!O01@F+ed!{uNAkXczqTQ!_}^A&;zyTAU%<*0>+vRM(X3z z5(f4k&E%nuGs950whW6T5@e9zJ->_oV;n9odtNh8i@f{x8XW&&O_LO-t-p(FNO}M_ zKiAP|Iyp2Ni_j_2wX3r1vblbl@7;5wYP6%~&uqlr+ldwlljsU5yDi~{*{v=VD6;V@ zZbfc5|COXUmDfn)75rR%E#pE#sv9_PRbqP_x_MGl-{bf%&T#K3Crnd;p=jUs%fv!v zt5Y*hb^FEiN@BuTK5nJDIk0QRG#2)G0+Hd4Ve2ewJ6U~Ot%Yx37``o@L#Mo>ev_5Q zjHQnp-On<(q^7Yv(1O3zdD7>j=XHfIJ|*8t%P7fTPf0s;L(7h-yDTye=b-4Yqew3C zeLt+V7XG5|9V^*V-&Svk%ij0Km&>XrRJ)_aC?-Z{g=h$WV(7CX$j~?t=plGjGQxXu 
z#A|`EpKb#xnPZLA*6U5tQ|^~mM);$)s{G0O)CHBnQ--SBxipL~Np7{rQNUW+O*cR$ zxuUW7lB7Ibnxd#S@{oBK`D;_jip6DrV*K-scva;IkQ6!hB`cO5N1N&-OO~jf0Q2o;gm_uW*^jD9)(x7rJ$A2w7y8UmM;zPFAnYaTNV~mrkICY zy{PL*&A(L114o@Yp$rHFxC4Ctyj207fKWil;V%df0q{Od;Q-ac9D2yz0YONazej~o zaFC##f3UYS>O4yGJPM6Qokyb4hidKmtBDJ8XxpYkbm(uu;Zyy01^5sDLjLPtnb~PU zJr;1l&iUG8&cAOHv6?oQ|MV}O0K$Dt*L1mchtW=L%SR#IkC8D`@L2sc!-sq8<-qDU zC-}+B`}yJcflUS1M7(cf$opzt8F8Yx^+ifrr^a`oQj^SmTIvt3o;O#xN-^jInITiK z+h*E;rexc;v_Mfya5sUeEw;KY?>x^>_m_Nz9D|y=_CIL4cf2}pS{TT;cjUB2&2<9( z4Z8>u3`(vm&gr*?m@PGop1@}|+7MC;!^j7Wv;%{v5)J1 z?jpWUvN3v%;rz9{vc7fC6HXG3#XU{*Grj*avf5~WZ;{>Xk(X|g%a)WHhw~Q&^LzHI zHUHR+TJ4^5TQi%v{6q=+^~?yp!rW1<7lz4^$&!d9&ckaa7oyhOGCwUQI*D%3!y(Rm z7thKQ%lofFKgDck34PfA;=I(a-!eDs#;pO(rP`>p@@5*ONqF1stVX0)6eU-N2Dq<( z&EG6UN{`o3xafHIR#fT4X@o%|bu`10OL5vk7n$i*;n?lqOFdbzDte#BrJJ-#MUSyg zcPAAap?zdj6VIe^AYQbu5ra$Z@RWDY)Vn0r=T&=VAy9nr8 zARx>&1^9R;3cOyN3YL6nChH#_(Cd}Dc!7P}$cKwM;-?T3Qdg`HN&K~pmo^wY_%=t7 zpO^5K`}(%&%vNqkvU78n>d~jTuUWGubgibkd2*ifdY#t0rRr5tDD??mQ1M5F+Bjsl zgWRh4-Fr6bO#6}K<-A7+!y21)4s zr?v5QY^<#!u{&VYqmr#IEcLs962(V~dXNJ$25k-Lo9q)L+R;q2zNb($HZTtoZSO_B z&k?6mpn|?!$islqx}NVPFnJZ!lGU>qwyBIs*{Um3?tjeqED^TZJskd$QJM6ypM(3U zDgnBP-^-jQw8njJa}P_L#hx%bH(IF7W~l+y4*|OILav z2}^^Y_B8QU^zY#Hu|jbaUG++cNWJ~dI$N-|XGsuz=H*O<$udydw10Gln^VyUf*Nu) z)`~0VqZJURHACA?k4*3({KFn+a*o%vwPjs|<#dT#HdPKNJ@Ky`R~K1Z{_e^+efmO% z6H7w({kFu8lwXp^M1%6!bh=MNYjg|6kDrW2k31!Y1dW|KPJUPnL=@AL@W{ zNA2~RZ7aZ7Vec-MOSVe%7LktW6!ONbxl;Uf+KVgZU0>4Y8#zx;V gX&`uDmn9|^$TD6EqN1=$p}7Mz$|(*`VEnWH0Qwmp%RSMian;IxI$5gg++m| zFw7r26p4i%|2u*dVxjAQED|LJ;7^(VcS3<=gHZqX1zHLS5(a`!t-&fJH?Li%q=W(@ zu+VxL7WjqPip!RpD~|S@#eWueL;YHNwCJlO-j|a4zK2CE_}*^DZarX0rF>ADiJhfP zaT*)0%Vx-eGjaW)0-TGHQ&PL^+Eyf?qXj(qDQ{!Z|CLo8@k+Ox488y0p0sdPGAv(B z^yT%iPkzD`x;@Ncw6y1Rw#bDBXBvI{qpNaW_k}Gn88`zFtgllQXkOW0``N~#O+_Vt z(B9jUjMTpTQ8mI+ro|>%y6C^_P|Ep2CN@}5krcuFJHw+-Dihq3vU zujH!C=pjmKfpVi_uCc#sLrd602TO`)nfgtB0uzR>wvBp0wu0>4vqcmAY&%XACZk@p z&Y(jmFND>m(Ac&5F?01i=?zlTg|TU2DYs%RdyUS$W%CT0d~WW)$azeYU-L}>@3d@O 
z$(Y5_lrdxUyw&OlH?rAUgT?o};pu?Zh@J@kJ%dfp+yu|QkdQk}wpn{F5RKvD#`f!h z9p&M)oHQtvz%a?QsliBxSBRxMj}@ph)ju_9ObY3gJAUiMN&dWHRl*pvfxZ24o!>e5 ztk&n%7uXGBp99@GV?{y)&_3KM2){9^)QvGXBOzu*AYHr!b`ceK*VYN;q& zMVQsK%2IN5_}US*$l)eY2HB3_RE@EIz2KdADK=Mlb>>x3>9M|{&e*T!fZ!@=kqwsR z516u}SS5+blS6Fu!S-jG8;xEAy7%%|1etgusZ8|}19OFu3%A#3n}fe+g7C){0NP3F z;Y`GEB9|^bi}DV$@19P{q$40xyI&-~L0qDdL(s2u$6)UD<=bM<7lfoP5;sK;AS7B} zK(ANuui_xT&LitC*}=3py3eGk*+zjeLO)l#W=ARJnJ9GFXM3y>54dRj*wP$ho~yB9&eX4>$%WntOYoSjsA^l0aci& z)aRI<*8Qz}_LWoto?a+ZOF39=kLE)ogd=T_-*=CFv3&6M=Jzf{2DB(i#{aCfCumO+ zb%uA|nZ2%*9+#Eg*-I(Iy|ziK2LpLt(mO1F zaHz}6Gcie3(9jOAsmav`kvn#0_nCa;L#Ed>>5W{n@}r{Ka|7rJxX3={1zplE+b3 zfo4RYy=uIqcADv~n1jDV4U>#7xD{_;0tP1f2zSV|>vicZqUY~8V|`fZr8 zCa>-tdZk7Kc0*at2Zj~w2`j$s#v$EHB)^J_#CYi494G(8CcTZ9lJe5wQs`+0c#(MC zdxr#&kH)mGXIgEIyN}(CW6GNE?SrXzmaq6GgtkU9e3OFW%`bBM4ZE_~89#(|O&sRT zPNGcgp;|7w!Hi7MBK1wfz}qI;i)%Lp2KnVP)L>yEtwbQTHtXTY9q)pZ##O9WbZ$Ek z$7dNX>g_3*_C@~-Mv*9aJ)cMeW`62b=R-=Ygj1A9S3e%WV5APc2Ogg<+ z!JSt3&E)DT0@X2M$4hbAP-*>`4q z#`(Cs`c_a1S5)fjG}@Dw%tYnE(=^V$^Lb9aFq*{H$z)(3QDe*U?WBc7uoL^2HLxMa z9VzTV>o`jwH~$2P2^f-7l&wB-HnxBNWiRsJZp^!Wlg5w1ok_xDF3N1zGoHRIv@Gxq@eAasX?ATcY1(}f ziZT^bsb>Uz*he{7nD7;lr|Fv0|5lr|v~S-qsMvPbNxKnQlOb$JZoBGHDNO{n{oIu@ z$*p~A#oeo(#AiuN@hrw|h-H;Z{1oJ%EQ__)wFdA6Ib&399q%Q4~$~XU*}8 z|6;D~Cui|JlRG)ea#3+xR9%BlwL1x!+BVC&^(GN6;7Cy~EmCHmIiS8c%x`qXEd{wJ zEuJbkr&2WL=3tV+3sZ>^lTdu@!n^)bXOlV01X_#MQ%KvRDq_4{cEXxQ_ibyZw8w?< z-0i$2JUM&NWdb^m36Nm-nY!@UC4qU`QW@hD8+?y6oH{GIEdxU2r<*`XEI91{08Swm z{0M{vyZ^DB|AYgC=6`U9nu4+r3))3uL7V@Nf`I=}5He<6FcAEx>>mmOVL|;Y?nhZm z(7I=A7P%eSc^(gT3dEgP!Q*-{juvUE*}hkcJ|U#En>eX>HjOkAe%s6xA$#?qiN;vW!t2WU?zl^`fKwV!2F>WCU||u%)gsba?Wu48E&Z^(8{v~! 
zT*gAkot_1bwOoBf)8W!|vYgtgw+N)pvU$@>46he7d>gAznxm@1qgB0)%arW1WAw*_BwN^QcWY;Fr(dIa$bVNl zuMTyabLRwib>R7_>BDd28c9*K&50%TXtV+AtFH3){A>vSsYt`o0~e)gr$s5cK+PF**5J!nuL7)3-@$_c`I}MnBI%9&R9Pf z-_7kN=+x`HP$%lyM{wBVqf<;uERv+C9Iyc2wn3jVND5+m<)=d$m1B-dEyVhP zV}WlQf(oLmq_5;0CYds^^Vy|(wgD!IYT&hM(rE!|NQFs0@Rwn$Uj};ER>uaRIa8k6 ztgRUDyf~nRS;-5G&~+LZKadn3TF|8V6`xxVHu`FUG(^cxV!K-ebE)qs^RG{_nPCjT zvbicWOR_6+qZ0+N8^~L{h@o6QmAg~!ryrjsN4G{s)(v)w7wtRaHo#Sk*_ue!(PyTs zV)tGI8*Gv43V)!JD_ZfDKVfR4-h*wS$LrhzFU~ON^1~5tUQ5GY;n&%2#y~~Ug7)4ewQF71ALC_oKAJNba(%HlK1|F z#_-)~=gm0^S-6x6)jS_vNsx)xF7amI+CG6nF_AXzY|9+Ay-%MEwfxdPEHY<(w#*b$qR#JC zs`AtRG4}vxnaPFU^GD%ucTKqisx0ZA;!`nEmgpWdfz&w~{)@y&*&e?SP<}Hra=VW*(vUSfe%Gc@h^cXjwZ3e4=b-|h%UWz^Od!L8R;R&!&;IXGkBj5rUG7E>C* zl?;)kv_3T1$I{-ZREATDR1$o}?2%mm`yHtm#27(09nXG*L0Lp8J!AH{q-5$GtS^K5 zkaGVn-4qi>2m(9-4gi<`$|8V=03U$&pUw*q0C4`Jo&ZGtXrDj61HcO@hU7$2LBK*V sASE0O0Nu<>=Ukx>aetE}NW6RP`qdv@9iU7QRK2rssl0~+{?CK`4~xkd^8f$< literal 0 HcmV?d00001 
diff --git a/docker/rbac-sasl/certs/truststore.jks b/docker/rbac-sasl/certs/truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..37f593dda876d4be141a24218a718ab390c24bd6 GIT binary patch literal 1330 zcmV-21}f(0%D0Ru3C1m^|`Duzgg_YDCD0ic2e*aU(E)G&es&@h4o%mxW6hDe6@ z4FLxRpn?RwFoFcR0s#Opf&{V#2`Yw2hW8Bt2LUiC1_~;MNQUniQS55jhIY99s<^`b`Qk6$GCFUdj8nQVgx}+aK3xgeZIn|%C?M$5o0IH z!2mT{vRFo{tq6StQhfo+Y*x>o@Q`ZJ;e-AB2yL>>GDY)h;A-uE-AT$oVL8HrHPoS+ zuA?rN=^?>ALPVzX52N5!B5#3iA z_+!ra?=`8Kr%oUu>St=%(KZRP_PJ+iceT7a1}oni@;*$2b4oKYcsMT|%m??KaL@jC z`cQC3AaB@!hb7z(TSxT!@Zb}7N*_*Qwh2|Ga^_5HrCcZ~jslJ}a2q`JRD%k?63XeN zFG0`(_z->ju)>dNmW`)t4WwVN8onXLfz$iO`>+M?(H4jBkjt}DaR~-?x-awK%I)LA znR9#)CRNW|X5h8iD!}3_wzQc+IVY3@BlK?zDfl&Gk9MB($iB`KM}|Db1srB{b}+^# z{!a`=Oyy8|-bjW4YA5`OdS4Pt%9UR}#!vW@LtRsZ2I3o#yu{&R><&R{6FQq?PoEf9ghvc^^_9PsQCmzj`Tqg#<;k+{OsaI10SI$o0j_Sk zB;ujZjZ*OWt$z-dEMf*I!lKr#Qp7h1D+tkEd{$7-4|b7Qud;(0nUDD@D_ywvf3K!_ zF9erVKC0C}lTVvi6-?0^AHD3mm6=cJzMBFCnqWd^|b3&7J%+4-gbZ>9#AJvLPjBfu>N>LGAC*Lr^AYogrU4y%gl5|MVOW%wj zTA=?r?G#!XZiv(4@OLIuWVAj9Tz75{?)XJUuiml!~~IE;$brD#`+yJ zsQ6@&>X(cCAIp!CQH?^XLaG2eZqA|~v{Eg6dtx@pmRda^Y<6b;9#!^;6u&ld^KabOO1~KjE0Y( zO}YDG55IqSU|dYMv+f^nEjB)Z{B=x2!Z1ECAutIB1uG5%0vZJX1QaulermDt_mVTa o2=dmi@skl)!0-eVAeO0uX*l_yal!TCt(U0aI^2~10s{etph3QV4gdfE literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/.env b/docker/rbac-tls/.env new file mode 100644 index 000000000..a13497d8a --- /dev/null +++ b/docker/rbac-tls/.env @@ -0,0 +1 @@ +TAG=5.5.0 diff --git a/docker/rbac-tls/README.md b/docker/rbac-tls/README.md new file mode 100644 index 000000000..9e8b5ed53 --- /dev/null +++ b/docker/rbac-tls/README.md 
@@ -0,0 +1,72 @@
+# Confluent RBAC
+
+## Predefined Roles
+
+https://docs.confluent.io/current/security/rbac/rbac-predefined-roles.html#rbac-predefined-roles
+
+*Description*:
+
+* _super.user_: The purpose of super.user is to have a bootstrap user who can initially grant another user the SystemAdmin role.
+* _SystemAdmin_: Provides full access to all scoped resources in the cluster (KSQL cluster, Kafka cluster, or Schema Registry cluster).
+* _ClusterAdmin_: Sets up clusters (KSQL cluster, Kafka cluster, or Schema Registry cluster).
+* _UserAdmin_: Manages role bindings for users and groups in all clusters managed by MDS.
+* _SecurityAdmin_: Enables management of platform-wide security initiatives.
+* _Operator_: Provides operational management of clusters and scale applications as needed.
+* _ResourceOwner_: Transfers the ownership of critical resources and to scale the ability to manage authorizations for those resources.
+* _DeveloperRead, DeveloperWrite, DeveloperManage_: Allows developers to drive the implementation of applications they are working on and manage the content within, especially in development, test, and staging environments.
+
+
+*Examples*:
+
+| Predefined Role | Plan |
+|---|---|
+| super.user | Sam is granted full access to all project resources and operations. He will create the initial set of roles for the project. |
+| ResourceOwner | Ryan will own all topics with the prefix finance_. He can grant others permission to access and use this resource. In this use case, he is the ResourceOwner for the finance topics. |
+| UserAdmin | Uri will manage the users and groups for the project. |
+| Operator | Olivia will be responsible for the operational and health management of the platform and applications. |
+| ClusterAdmin | Cindy is a member of the Kafka cluster central team. |
+| DeveloperRead, DeveloperWrite, DeveloperManage | David will be responsible for developing and managing the application. 
|
+
+## Interesting commands
+
+confluent iam role describe ResourceOwner
+
+confluent iam role list
+
+confluent iam rolebinding [command]
+
+Available Commands:
+ create Create a role binding.
+ delete Delete an existing role binding.
+ list List role bindings.
+
+
+*Get Kafka cluster ID*
+ docker-compose exec broker zookeeper-shell zookeeper:2181 get /cluster/id
+
+
+### using CLI tools
+
+docker-compose exec broker kafka-topics --bootstrap-server broker:9092 --list --command-config /etc/client-configs/professor.properties
+
+```bash
+docker-compose exec broker kafka-topics --bootstrap-server broker:9092 --create --topic foo --partitions 1 --replication-factor 1 --command-config /etc/client-configs/fry.properties
+
+Error while executing topic command : org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.]
+[2019-08-20 14:29:21,562] ERROR java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.]
+ at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
+ at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
+ at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
+ at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
+ at kafka.admin.TopicCommand$AdminClientTopicService.createTopic(TopicCommand.scala:190)
+ at kafka.admin.TopicCommand$TopicService.createTopic(TopicCommand.scala:149)
+ at kafka.admin.TopicCommand$TopicService.createTopic$(TopicCommand.scala:144)
+ at kafka.admin.TopicCommand$AdminClientTopicService.createTopic(TopicCommand.scala:172)
+ at kafka.admin.TopicCommand$.main(TopicCommand.scala:60)
+ at kafka.admin.TopicCommand.main(TopicCommand.scala)
+Caused by: org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.]
+ (kafka.admin.TopicCommand$)
+ ```
+
+docker-compose exec broker kafka-console-producer --broker-list broker:9092 --topic source-topic --producer.config /etc/client-configs/professor.properties
+docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9092 --topic target-topic --from-beginning --property print.key=true --consumer.config /etc/client-configs/professor.properties
diff --git a/docker/rbac-tls/certs/client.keystore.jks b/docker/rbac-tls/certs/client.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..09c8d63a81692b3d9743ebbf20c820e6663ad272 GIT binary patch literal 4687 zcmY+EWmFW5wuT278tERo8EP0{5TrW<=?)QwPLUE27(!BF2&o~ZMLLHLL0Tzkq#Hp& z27&Y4yY4+_ogaJcwch95`{x5eP-Ow?o`ZnY0lzPk8jPGz z`Pxiy$7o+Gna3-iZHwEkZ0dTIw#9WK=dJnPxH*ac}~|51RTiNCU4D3q7cJd)SNKC4v9$R!SZ&`LK0=u`%u1hby!unxqdf#W;*FXKrM#b>pO!K^ zVdIVp)a-d9S#RYuF=RMg{w`Lt({EAhk^t}73ay|J)g9fTol5%ohb{#O^a$#hV=wOA zay?1Wsa}X5NJ+~xZ|6l*(ej4i&A}$SRVFk1XX=p@Ew&T0(#FZTpgav1{R@58P~gSD zXBmZsp@@R@j9dTj2F^t_(e^66OHaJ?vWBDf~xi4BBXQ=YzUq~7g zlorjX4TkGR&1eTzR_$JiO9mUs50JouK)nOCL98XXq&()8XS@`lN1IqulN$rlSX>R0 zPc?!fic5&qgRX#`TGf5QE<}6c*eBs4^(+CeSgWRPjxs22_{-cv z*}V0fG37&T1OX>dcg$o$4aXuz%J?E`doFn*r+!Z)j&bN2yvGe=RNm2}xS|El+~#W> z-!HcsiUNZO6?~}_ED5r~wx3&tI(XS()KfmeTmw9Hm4Ql^Vm70KWwLx1N3*(SruCiV z3p=~}slUhJ{b3bs$BiIbIt1DDtf#@a)0)#6ktWAhIA#s~;ri86bEsAB_@%))Kq@6f z&?l$;3nd{+p=}8i;4%Um^0lh`?zyoXk2^>@vCOXM-MYuTsV(joIOtXl+)mWr^fK5&{Z-YlWJs1T zp;K}~)>R^sN$Q!IRNxxh6mRdoC!M_g0xC2CB5NQO_>!y32|yjkEvfY7a8PNHyFjFD z@W&WB#umliCQ_3CRhtwn+L1Z-q+}I1UHx-&C|)pD7i8t8r#Y9Jd~peJR;CDY->OKX z4J?(^(K1IQ)ToEd<7gFzjV5P=jUU(QgjTimSLjOdcmN+|hioK@Epgma``jCbfSZLw z(wp(bLh?UQ&}8=6X4P3N1AFmlNNw#87a7FA#qz4+u|XosVRgk6})bdbmoh*U2T&lg0QS z#-0>w5wq?<|1Ew|$aZLCtM411916jq=T@iso`u7{Hsnl=Z)VX%tXl>4>dE4}{o)5r zQY|aLD5=-h1^j}tATt?1u@Z_Q883jQ_oHY5CbZUhdriSLK3QT9 zEwPsuXy~c=5U=sG=>EWUu%>=@+9Q6+My>O$>yJ-fsDZ7@MkPvccWkRSuU%P`s*)MK z-&y5cn-48K0q@$knsC3`TfB@_@u!HiCSqraU1wPmwzd+ zqwn-`Q-2lH-pz;LA)SCm?}e85+AY7HRCMBn*y*z7D-!Zg-E=`>t`+ zM|W9Xd{j*TnhfN6_WjXa&azJ|R0{Cha;y*chUmcJ9_i#krqgO@-1e8?mdMkT`_d=d zKjT7@T%V7m+&k7HLAS2Rq(!N!!@7e88gIBezDI$5UyWogJ7>-PcKT59<<@Ih5QAZj zk@iJSmeL4un7wM@!;c>6#;YT%&FWK{c^|X)@`NBLnst}#U{+^ZPZWK(Xc^DL051t` zYkm?VH1enEvt1-#`oUH12Re^fin?JLZ>I62Ekeg2$Y&i@&knvcf*4;Cbn_$oxsu}jV z+lbh4FjUB`Z{0>6Jx@@^OKPoYm>CWNhX<0|zc8<1ZhPO%#8gvGlKiokr=$(}rVKuT 
zbrwoBm=YuiBG!u!lgQxS8_PRKJrwa?+u7zCX@mPdG~2M$HtE}AdM~uA)U29iik)CY z*Nj8ts`O7w~DO?70=t++5{`sw4NXtw$$b2eQnjSJGtEi9}7)XbBxtb zyorm_X-eBaoMVK3-!zLgH(VbLLPTbPR`}(aTz<+?J$&rnpjU0O)fr0q6PRu!jRWRq z*}*?ISvXr#XhF${XPYnK?oQ{^%972Dk|4YB>G?CBNNW&^t6N&brx z^|AT#SzB|yO=^A~emq7|x7L;RlQx>iugce(ewkh81PJX>&xjmYcXXa!WDTh5)?;JP zwnrAWVwJT)>1hIcL_%Ec{tWI$T|5=9jh6O%yNTd#6aIQ-G?7_e0b!)PUyO)yn0!qV ze`Nl(WeGP=^y2PPG4O>>dMJ-OGj)m!O=NwvVnGG{$d4IwQ$jmq@Z=&{7{wpDtqo}s zPU?eE8g=?4RUy1Bm%ZFTN39kZR(W(+pp?y^tW5KfaBV1IpKKN#+fW|vzWcX(=0m!p zG^>ssseQO0rwjMVV^lD~re*aMYa)|i7KiOe40A-l_3jvdnZeg)$x~@i@6ODDJ->0D z$D(wv&e-%b-FUYaiQ%I_FL3lqSvMtqkOIf`g zQ@N`fQjp~6sC8>(KSN%c5W`VfO44>(U`*%lJ$-Fl9HfkbXV|Q!o{R-kXsCo<2Jh$1 z$fxss-0)#?Ca6FCo3*g`Ai9Rw`p#57&SSymtoMxHOYvGQ`pa*P0(7^Uhbi7}-q2%e zCnE#O)tWStHs${Caf{7i2EM%?)!B&<4~%aCdgu1Dp7t6nys2`ICadAR+=@%*Z^#f( ztCOC(j!FzcDr(NCK15P6`Xp=6P05<$-&gwy$Tp;jkG#+i{R)5dK67;%8IqZ7CjfgT z%3y;Q%nhcs*O2ugcB2E?$$+({km@1L2VC_e=}uyJ6p$y`5^BTlN#j)H#A$%#Q33|@ z)a(iy?Kw?t|ItW}8JpJYNe(6p;empSl;{59OhezpzhWp!Y&~`BWUoS zM3BE$w<5q@C;?X2aFbJ4ObJm!9zkh4v~g zUv0bC;zTV|zf)MNmwZ(DrW+BIrw*lv_$zvwH*l)G;&Cv-RosP^|CG#(2g};f`?8=y{yo zHxqN2NZ!``wD!ZzTs!9-_Ku0(SG4AhZ&UyD>&g@A{Dq4xm2fBWT8q(O+kY=`6qhFw z91Dn<(iAv-%BYkr0?k(3S?u;3m7MTmvr5`&=GpX^${%+mWF8$LJ0nWNW*GB=qrSvu z-BXs%qy5DrjE!y{Rp?Yn_feLVdT(lP@huui-dBqi$mi7)a=fg?Vwq=HRTitwsY%us zAtlYXk_y!hcLz#rT&}Li=`4S^a%&6|ufQ&VcxLEQSKu>6dV$yjbS>wuC~Lln>M|dPA(KUwqy8{FuV-(F zgm)n>-OBKCf+Dsj)_L+Y=hOd^U5`mLLL7H5Q|ZJ9Lz>sCTW91}v(H`|o|b~XMpRlz z%r=L=rY*PL%pM~^Mc8t>WO=3{r=2 z!J>N5-#V!*5}ja2Eu|*Tg5`&*lWAv#srTRtuN!WL@)FDDk}msGCi8LC)xRS~`jRCx z$DZ8ICRGJ~UA_J4!t2YLex1f3jnl4TzaAC<6&F`}`-E*LHQhwiyoa-h#G9?VGrpG| z*&gODvhbnNryJtK$j+07o%0;L6XKJpb*4_P=F7!D`Xv@3YEI~SH>psGPCRxp#phj;p6lgbz zBlT;&H?d@sr>4`>YmzwuIYEFce5Y+m4+z%#d5`IP{Hti5Ek`v@E`{;Yd*#Us)~$_} zLtTC-GPkaI#f8PIb`bdZHKFrDC{DqQQSWaI`YIJ8Ox5${N35HJ(Qv1yFM;x_E)paC}cw;3l4mk|rq-Xs(Qqm%(@y;7aV+v7^*rWPX6k21=rUp*pP ze|f$Nm{~GphWWTg7^|m&tKFJhXwuR=-AP!aIzm-VJxJu}-i z?8BVPEhDMp&54hj4gZem;fg}P9CSc+mdHTZ`3D}i^vRh8Kq7^puEp} 
z99J=3_~_TDN^Poc^pU$bhpE&3MRcSp-<#Xe&Yv-2B1xc%u#63 zwaz+lNms{V`6saMND|#?)C+BbrYeu+-|7V@G$NFDkPbS-`MGJtv!Wj6VAAF}56Oo) zcIb9^&}0iy=+^8&#Y?1ZP__>IF%EdrMBB2Nkl4*S9*&vVrfNmR^RlM?oX=kjg7b%^ zq&o~y?`$leCW~%r{8#CQfv8!^E$Oi$w;S`5@Y#aj;?v F{{>yp(x<2`Yw2hW8Bt2LUiC1_~;MNQUW zmVa4CMc|sI68;J4`^bFC+r3m$Q8@Xb5q$_K*3==2f-Ds05+)Z`tL-97GQi#WDBR z&KzJAmEaKf<|taCze^Git<$^I+QhNs!i5m}wIJ!`R>EoH;5~xy=#`W_7D`T}hrVou z4he^PyiN0pm15z($%)NSi2@+VPuiYWz0k{hfK|*3gH$qPZU`_Yc>3dJB8jZB)+}k$ zBw8BSS0>vS*P#wYD^-gvh`XJipjVpUFjNkclogc{@*O@o*ZR+pe~96q@3YdJ$@fA zzRn?h@7r#`@pvL1-n#ess+#KFS0RY=Sn~==Xl*6zU`j&0WeR_X<4*@=a>OeBxo_0 zm3^maSpweG;oTWV8fe4JAnM%#O!1Tp86%CFDbiEa7?48XwE~Na+JInwc`3Ab-bfb1 zSi3Z<-I24|G2`|s6LgI%YiXMjNSG4jSsW)^h!iQ4VseznjBW*WA+V6)1{HM_P?c2{ znyJU)MO>CdFFkk9-1NnQqfZa`GxyBIe2sWK+TLscdH%$sc;~DSU4_!$6x>be1Zw>Y1gDoD4r&1Vh3hl zt2GJy5jxAYfo#qq{XOXU*>Sjai!eSgAutIB1uG5%0vZJX1Qf+(wIpNfHv$e!7sfYd k2{79}n(hP?)$Vz%#deZIu6E(R41VDB^f1xT0s{etpjFu>k^lez literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/connect.keystore.jks b/docker/rbac-tls/certs/connect.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..43c3b32ebea62071a480f4a1ccb3cfe565a750fc GIT binary patch literal 4689 zcmY+Hbx;)U*2jrmV398A?s936jzvN`L_)e77U^YKq#IUR!lgtOSdi|NF8wJWNT-On zq~!H|=Y8*;JI|bX&V0Wo{`<@vFoH@C4;LSdpdugu3C3x~U6A4u;+7&PF8~P26EK4E z7Z?Hb{4Wb=4L|@b{>r9*!;s*?|8Yvm-{DLE8tKVxfhEG* zyqsJ5KhWR0B>g959eDUSgN6VEU{th?jSq`l>Q*}O8XRXg$-H-Nme$?+UdtpjoGzFv z5*FVC|E3kN+p3in?3ajszDPxplEopKFC?G><=7|(PHD5rDFg?~fU5xNKfYS*5atOk ztm})cM&>^*U{k1eqsPt;L8#Q_%Vt)L7D1J`p|mLuFE2YT>jqZ4kjuv93&`W4ZhI+Z z@uWK@pd%}sT6Kc=Cdf*1ap0qt)86`Q?>?>-l@EcW9>?vI`wqePp?2-%biF6Zy*jG; zmjaddOCL=OWPdG;`FM))dKZT~jl6rUX52@y_v_xacj?J4l$dOHQ^VxT;Wxm#G|Il_ z>EGo#Icr6MSI(eDW&ik=$9HP;WGFPS>ifIE?FmUmqW5qaOh5vCVu;2*A`%$i>eU-z zs5+B?7)O_Dh`W!aDEIpdysl#|bTT=(YelvV=iYEIMuv&J;*jXqf!FI!UqYu-?capl zuglssN|&)0S;5Lxn4>26iV>Av13YMv-mzxArP1QAVVM_n-UKZl2-22dq!BHXktX@V z4v>5^ia|0plXx@siKd>^zRP#9&#*qbQzk_GY1K*YDW29W}L0EuzKe?HIsq zpdd(#_aIt(h>s?5M4|Kd87Y5~o+3{5VnEhfn?AZj@H;_S9sW0-kvUie7uQo- zxCUB6aQ7PMgAH{vi;3ZNq9Lg-ngl_Sjv5~RZ;u<|+EcT3eK3G$uSeyBf*EFm`Pn{=}4Ot-4TjM9x`B-&3vLPh=O(Wy3> z{`L)pEoiEls{-+vX9qWy!$ylV^qUCSP_t=8;=^~ehwM#*AYIz3sDdUV`bB4>DNc3m z636h4Tq8JLto%hCYVpNPq7_fM>&)Xi)5jM75YP`dnApt4G|c50a`FzF(w^pdEFK_g zN7Rtne6=t5=~<6)LnHJ)4A8RZ$>(^measAsvB)qv#|C93WW9NKr_79dEy-NSqp^ef z;r2vYerYo-06sW(8{sW+3vnNhtCyT+Ser1Lza#W7uYN1z6{G}?-R)t~H1>IgmM^o6nf+=oB?EFc z@MPiCm0Hu!$)D=e7xHO!-P~rBf*WWxIPV(wjmaAFLsPlx2biER|F7de=cW#S^SzGg zo)2$@SVkzZ4!q{@Z1XTWO*qhZHtX4c?q7(in)x>@t{&A+vi59I!aslt^k z3yBB0Hl5~Zu6@mN)Vt~k5fi<~+nN#?OA~xe+i|DAJj$e$I6Stxf%o1X>JYyi?8D9L zavAPu!exiL1e(E?q9D!O+w(@GEa2PxQYxuhWoqi-2WH60w~6n^Pjt=GGXnB^*C@Tun<)#L#)&`oD~YBS`qs zUX_QjD#yh;o&^z*yDC5QnJK?j^^(;){LTWG^&z5fa(VeTm2i)ClpQF5f;+M+xml`k z!zUZ$wi@2X#q#P4gJhDnl|*uAkLc)Y-M~@GH1BqWGhJD|_H4bMA?3{ut7#6tR=N>i2?c*aZ8H6Az zrvRX4c_2Fy9V#%$mI-bjQnt5yxEWd!pfK)_ 
z>5S9f@T8UG{#h)eu|lqy2U(i%SXrUMlRO8niRo8!S4ZYY#XUTWOA`Dyrq3Dmr)rH#yVNbwaFY)qT{3c*frSxU#+ z-jr+11di$?0b3z*QO-r#w7%3>=7?_ZIuf_q5BGfw=p^^$Ge!wc&l~|vlb!oExN|aLEZ*) zVqH}rl{O7d6lXoVm~nNzOV~Xfj}ZiiM&AN6_7gOIdz;Cfiwwf-qZzpPlnJ{}TE{jv z=1szSIP7d)26-nWepZ}9l4}ubgZktzd^O%jsgHmWDoJyr$)t$0Pm5Xgm!Qj@7mp04 z;26r`Q|d;X^EcM}ESN(W{*nhQz|o>O-H&PWpWq~?CC9%HCZzQKD*LS2a{jG zS?cXsEt0%|O0mJ8#dxHGZF-W;RHMRWaby-LNe#|bk_u<&$-1>Yk>S%&J%@V z!u1XNg73obeVJ%Ri(|C60FvoWxO?X{Kj*pHozT{(am-Hx^)z34F*-9MyzDIt7zI!a z>lQt0gvw4tcJBDvELnfjOi1Fb-mKyVz(|dh>P04z#)I1(!@AGxA}6EiQsl%mn}zmU*AVA# z((-#XjP&ZP3G-Wt6ww%;ygEj6D~kx^FP9sw);ZBnv3@hx)V5FBo~_+{H*$THQKdH4 z=6Y~TZOl-_Eiz8q{VJfx%3lM*A-oV&D7rW>l+$g*e~Qn8IJ0XV23{f;s;#s`woc<9 z1KCCO8!ycF<&B-gIR})T1$|8JXIyqT8+B`#vIdj<nh=@7|Xjn#qp6_qe3Rw86v6YM)_k!6w#&X!G-=$8gp{_cT<&p0;&n&%6>jGxa= zn|t<{3|_7UVO;|w)HB(A_)wxe7{NCJ8ymHo=tB{oe2@9c6^bw|9x$6i@_5LavZ;#T z)V}{$*KOk9UCArn=}O+p-~in1Y$)#15HVzq{V@A*S8lrHcSQxw2F!=6gCpb%?9_3> zzJj_Jac}4ou^i)67Ey5AsJIu;PZ*bxRbyZ<;a~6(t8o!E`Z3~^UE&-g_Nl^Mgqblx zfy;Bu=XoMi4#-cxx_x{23!9X6LSfY-SkIX5<&*kgva-dRO}!O3>DGFDPpkSX%>89n z+BRevF02~A=h92!{swIMW0hKnDk!_5Fk}LvnqPnW)bCr=G|@FZyRG}@_M>2q8#2;b z`}g@X@sIFTJ6PFk^f|B?{CFjJfXT=%F3G zuN1DlGbYP0ON5OTyye1fDBsR;Mj1?D;fCF`qyD0GWNyBGc?Zbv4=vM!r1dd}-OX3V zhH*c=RDV+V-tmo~bQ^?~g+XExEClS6e}6unfy2YSN0Of3^xcP{jy)4T*q~XT8{7yP zEJ&k|58vaQAb+|8x0=;HTo)q70g}CDfB6*9~kM$81YMeTd`%esk?ASIVy?-(S&qP8R0PCjl5l^JKH~{ zJz558-)5NQlquCi1wfVf_QC?}Yjr!!{EVX?abVE6|ghl={QU7v2I zO&z-2lqx}I2Lexe*RuS%&VGofA5}Y!c1>tU54F{<#6getBuB*3A5xm-Enzg0X|os- zY-T-5Z^3(WIRrxRM*((`-p2mAvxd}KcqsKQ6KeNnc;{+aS|3SRk<1qf&@r(mLx47) z;`VWhWtdl%h<$U6$!Ql4)0~$8xq_ky^_$3+KzBd!l~)WIIQ^o2_C5fmlTWAyV1p5c zb=gb*(ydT22r~5h&RXQUciqBJvlwyuK%1L27{I27HI-2Z`bCx=PlqWUJ?xp=qr{dm zCv2Mw^`*SzX#llB-V$@X-?zFD9EPoI7w2^KvQ~7y63=4NB|UpZS$8%6=R}kQMJ>l; zyo5IV=M^{PWmjh zgN%C$jIGP$o@r}x0e;k~<7VNeZqpy_C5uL$pP2t^>jLrkuPg~UiG}zbeVyY)r4hLNpFAqfSLWEs~QF!>cai#wP DTaDLT literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/connect.truststore.jks b/docker/rbac-tls/certs/connect.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..7d2d1a2c15e6262ee1fa79627dbdce17823403f6 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQUNd66W&X^^ClP%iI z%xS|CDaZ{L@SMYi2g)jVxF2&0(!}SP?eh`72_WqwDDju(FTiOe_1R+0k)C3W3{~Qh zbkGjiZ72G=AV=2tkGxMuk-5rYS7;D#+Jxb>A2w|Xy5lTIa(?Jm2tPrS4;$c_2xcI1 zR%f!5BX88StP^>7?woIlrt?gMtZ5B_esK4gg?t)2o1WM-r_&dWtG@bz^>0rk3; z;ND~lL!`awtDHkb_3i-(cFfRh+6E2tZfk8QXd)Zfsq?^7zEaAMU(;K66FB{Fzj6AD zurX4-aX@r=UxTo%g^I9G(SehOUSU$y{h8;Ocogp;si)0PNbCySG4^(anD$P@-+QR( zCbb{6xPlGdQmbfH!UK~Zqhr=6)x+Yo-E&2Gqpi%~6gbGDPx z)#D+1*-iXzQzTWu|MCVt@Rf6{84bN@$3HvvLtK6(U z704=)Z<7s($qYpzo1J5;j6MLk10vnY2@b48GR#$C8varuaC6e`r^7;!n0g99wJh*i z{qM*}>&hQr0zZraV}3?Gt87#wmaH#%_ES&+}NpOtF8+;Og$76V>XrXZ|w^T2B=_(CCOo(SN~-- zL^>i4@)kKtYx)B@k>ZP|Y$^@Pib*mC$`Ug*`{hN33S98{R=0wMLIPBrZ8>J`>S4Hy zQwo|uJ)lqOIKJQnD~$*W2kf|CSke7^&rq&TB(MUhf}vWHR(VWO8~)tCfj_{_*Yccq zNeP1*^8a?OG<^=iUZcj#FxpITM8;=kj3fTz}oeXXkiIAR-}g|aJwZP)=p{7Cl9os@-RLyAutIB1uG5%0vZJX1Qfv{^2i)j`Zk^}y=25o k_ic`hQ+xyz*sAXn!w@Zy9fy1ew{hzFl+s<^0s{etpk$pKrT_o{ literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/connector.keystore.jks b/docker/rbac-tls/certs/connector.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..d99f99e37c5fc1b6ed441f7a1d52f8745bc15e62 GIT binary patch literal 4701 zcmY*ZbyyP)yJd_KV|0f!NW*C95H?!6oG@w<0!~t=;0OUp0bzt7APqlp(jC&$3@IrI zK_sN}^WNv)@80iupZ9ssbIy6spGO)?Z$}ION@MBiNhw65;87=305U)xmL5ogrMr>F z(p^YnLB9VXft*ONp!gbPjVtHLJIz0`foS~38TP%DKC$A zOe#!Ou*Z;RzZZ?=*&_xLb=@PulJpI?+`SgoNPf})WRehKb}zB%dwNA?@a z<3ES`*G=RK>2%Wl0uftvbSmkVotS#mdjsI!RrJya9x7(+Gv;$bZ7mQ~B(^~@KNd%0 z=_j{O{*yvk_C^oe2va)Mvjegd2ggpN>W<%Jyj8yLatPOHt3J^>JzP``_p$oG;|OWl z&8uFL(IWe_#6LwhwQf&hDIjSK>N}<5!Pghmx|tZvi+b=25h0LnW+&y z9&o^?l#led;*A7To^@yDT+TvnXPXw9U=-oKdUbUj0aSj6z@hp!UBx`@`<1QYaq?W{ zwGh!8E{)MsAM zD>#U(!umGn#6#tKuVVErR*mGoUKHrEkLu;0tvhI;YA%y^Xr1Qu&LBTEC!@cqK|~Pa zun;%DgJ+*!9zIUu%$BjC-gC-uXpPdZ@SuJ{bWTvG3RSSiVQNr}C}<;z!0VI1_1}65 zq<99m`W^b?e6=(@^_G30PZGC7JA2ZT2`2;F6zxnbvu4tk^yNqA_-?IniR+Z7j^J1) z28C?bGG(FSvlzVks-(I(tKF$Qv}H-#pHD;)h)|K4VGOI6l?{lxwev3WU5%&-dl^?4 zK3E{w0XEWKrLbYYvS;bVtD?`~q$Nn%p-LiDf6c?6<)4QNxDRFnhFmJ0{@kVjTEAE1 zFjX{_JFi)E*mLl;hlIVx#Rbfxo6CQ5TK_ZwCWq5xZN>9^1;G0>h-QuA#5#-hD`FH# zz)#OkXDO!QN^pv}B))yiWEEVl(Tl<(-89i9H!11+0z5eje z2BswXU=nGy7E$?fEVastUy5s;Uf7dElWs`V@!iMJ>?ZQf-SzMC5Sgd*m;`6JGRX|c zaHhoeA6}625g5?6I4i{(w@N2uvfnp$vHY{Xk?fD&Xb`oN2kUrh4{)<-Qu7==3UKA| z-zbm}Mo$o#z9}BaRTSv>ZOYX6jO_4o5cB;Qk=}F`Ounb?>gRNaJNbHW7tC1-xiXzJ ze88SvoH5c!x$vfX-L`2hu9OP$rci4uwq!96|Gu$vlyZ!M^?TYZ{(^x|hj{F~Xwt2Xy3>gZ~x|Q#_VH7+74TU;m}Et|p%POJ0g2 zXxgpRR*Bb4a7QH)Kf_hHrc@JWC+IbU@Q49Z*7}YhUsHURjg`_2Jbg9zdFkznP*IAo zvEd1fI00xtl&QOp{HRZBETZ^rVICR-FV}%j9JFbBULi!f6M8EN<>Hl;@1T0py#KCB z3Pva+7d?>+kuQ+6`0e`8-!~mkd$MgRbz<=~C>3{WXwnp4V&5SMwZ;Xt5d4KKN$ocoh|L)l^EJRvj zPQUr&(ZgWlNAR)769K~67K24!eqTwgtsVDu3=CB&yKs;Ky`0(5zXqL>$Z4nl1S5T* z0z`O;8Hx3j@W^)g%9l-lO5k;t6*(&Og!g`j)3F?r^e0i96{nj_wJA^XC+mxr_qV=^ zAw~kz>JxociGNh6;EPH18KGIV@sEW(-T0qaJ-u_i*-KlSY;MLCrr0#IQtHNcoY0D> z!z|rlZg=qXWjTVC8-FrHF}TU~!&!!j?+dkpSRov*dy8o+j&<$4nZ7==p?uCSHi^Hr 
z>FN2VT+^{uQsMX-5d(IW@68=rOWeQEHfk#tB*V=NKelxFcJkYRp=Bmb(m5fBBdUFQmuq z#wfBfT$@oLaJOv!-d3XLIbLWPJy-a=s^a+l2WU`bQBbwNy}6RbUB6?`$(!hp^K*Nv zci3Hy!O`0SG6_>09~~F3%#eTTnJ)OjAt|)Yp8Iw#;v^+Jh71PRZLrmUc!tUQ7UzB4 zEK~Yc*bfI5uEiH}FO|5UJy9OZ$sd^CW%O+%6Y~NxH61Nm`JRWw;qzTl!n9^w{9!>Z z9DFD8-?of`RX@2z|{2l1Mp-E-;@g28Z4xck#s7OnjOEq-Z8A8 zyGP~@9!J4R93Su;s-=IO$vozniqWKtPL6kXe(PBlu$+^^kMWkMTp^N=hp$ABZUJb>58{w!XJ!Hw#T40GSzdQ$^FJDJP3GV~zOv4*Bx z0s7&F>3u^08oi%W8RZ`9vBDV3D2-(N^YVF=X=B|hqat$cR))z45{c&($Lth5?~?lCX`RX|?6)nR^c=!3;D zYS6wbu)Sj9$hGjIsm5^&r<0OJLkh81A#XKwb4^%CB?diS=I;ECjN8SpL=iKhaQ2Z3yaY2Bz& zK2wk0A8A*E5Cx6&M4?r8C5|5vMO8D8ZR_T(jAS*tQWsQ&GE%wb(rmoTxFBAEWsQ~R z9ETVfPn3n&E42=%mP|4`T-xDEycyFyL3S@J9@?@ zP0|PG`f1PQzCO@tW%77Dn_sdh@Oheb_J?KCaEo41@Y!7Owp|GKAf^7hrO4 zr*5dZHij!}ZpJc@`^fC>+qQFAOFFGPbejR%Qj8Tr;S)Qf=P$mn&03IVvSQ9v-3rF= z&IrgDkXcBlubNcQ& zpO>q)2L}kd-u+Xsm{ADTv<>M1As*P?o(%kaOM|98qjiGQGQJ5}YF)rvP@q%k4NN9( zDo8lg*XoI-Fw^F#VzYLh?JM5=wcyF9a1vobGf8~EB2w1{a+RnJUE`DszPDoJ@m8#`iXduhvaKCN!@R}Ou2$v3 zrxAPx7365T3u=}jPgQ&0fP{Bx6mnz*^%DS|6a4kVC)Q~^dXTj0zUAA=aY`t*X zYL2P%-Wh}J$)S2(2QnCKM!c_mYI1qLR2q6CPrE~K5B_+nUrltY$HQ+XYm$0O%pvWK zz5P9HgOn^0fdu>lP>3?`cbj`KZ5nhbgjv57;AGaP-`bM>KpvfZ8|12`rO~XX)+iNd zZb~5elR0M+sBagbEcQv5WnVR7Z8xK#S;St}4smxdpO=(T@+XYCq|`#(+hni^dn~%0 zo1l3*7yi!?LaR9=p~9kK(jBZnTYHt6d2qG*F?tLs!qb<~Vn#7At+}z@3dY@e8}VpH z5Hf2G`h}m?Gwtq@s!Qp~M+yu!_Z_n+LCb3!z`cgAE|c+N*T1wKW5(B&SaNVnw6D$B zxxVK-Ll>?+W0Y<^GE$g(Ko>D{R4}ZJruhl+?Bz-wY^dH&jL*sgulX>^WICU0B$(ZL+KXNab+Sic->pD{H^g$Fm+2@ zTdO1_LAcseE@(`T#!h%(&{W;;SeNR&6+zQS`6j0`JbnEUUUztW{iWRrE23PHVy=bG zZak#0FK@`3v*N=ORIYB&CPQl5RHb#-G?h&SsX=JBnIIu1bc05@a-~7aa;iH*GI4bp zUxnPsW{8cZ8C{`!4`9W48s~Gi8?=87a0A63WEq@kYjF86t$>)Ct&Dj4ITBJHk788C z3cC0O=R^}1b9%&b+CzP|@Bbso_o_IpEMV)Zi9bT`%(u_*#5~f&mBapH5_M-HWfJwl zb4oVy;PR4zT7;^xiz1MzDcLlK;)@hkI%Fua=y#xV#?xLYb(=?5;o4mH_jb~OFAl1Q zP=uO!U6e%jlxpcArLC7Ayb`RLZ!dYhyJ6nV|(C^u|H@fCpY0gr8tSkQ0|0emWv8C zI_!I1-FQGU2aRC$wJ_D!qt<}+I8k@}Y6*G&ZU_7lR5=XcUr9G^Y*DsQf&lR0*}v78S+%FKJ^Cq9FYge2?A 
zlVtNeJE0+x5RsPo9O3JhS4M;pTyRXmH_Yo7OOcHgKD}H7hZQkj^*6szb4qFX0CUT4 zL`ZO-rA2FRYBG|nK2iHH7g{6ACO%Z*S*6@;0i!QhtC2;x2)Xx<2`Yw2hW8Bt2LUiC1_~;MNQUXa0`-_Qp*0N+(|a@UZ@3^*ZU37o^ffAJE=7w>ADeN{Xs$!)Af5 zh@031E7e)uMPnxsf@GBG*=zI1Qyie|SS!GZLJ(BEj|XjNHm=60X!Ac|0nFO@X_F0K zZ00{*`v`<#xLxfRcX%@7Q_Rt*Qi#wUlGk4Kc@~_qwslYg-ym-b)|w#%)?Qir zFcvDNHwVe`BSYn=-FAr&*RXKB2N}R>0eV8k$meGZr;DwmpfqyJNuDn}u49=4il6>1 zuFgh&CEk$iO9VA5pl-8`XLY?5B^7Z}mmfYc`@6KMr-V0VEjicIH@oxy zVZIcsmo29X9^_trVBM62DL`hH2^HVi!e(a>uU%q&(1C>FDeubG>vnpAc8ro*_-@X*Gn zuA}laewD}$f;n<1#Dka7=lZH5T;u&VvnXrZJFlWDI1;g#qS23{2-lv!JRi<%pxMY?gg5o%S$6_me8>>2O zorTtD-8GJ~T@Fpo!Y%3=;1DrV8A8RnhD)0fb;iT=-9s0TlLeG>f( zaFfD`5QYXbUgQnwC6D(T=?4MM&` zgCO#9K1RKK=)=v8=niq{&H)Da3rGn_DJd;6!U)nS9a2&P zL-Txhz5DLEAI{qA?7h$V_yfZ!y|94TU^pcoE&*SRdJKjHhzBf!Q!;_zlyrY>Dli-; z;J+fA*C05K!(ZFx?^xgx{ofTaArPww4!QxuK^QPEF5$oJzt5RK)Q?l4Rk}F-e@I== zl(!{ydYd$Hv9YiLeR?1`=-ZscyNp4yUs<8Y;Q-^EViPF`)M!)sXR=xn7t$&ndK?RErhzWX5iAo<}6c%fV z55$30Ef<>Z`ADttEhYwag8!(NyxZiE5XZ(I#b`-OlGy0{l%zT2H>23L0^1LYv`6k4 zC{wR#n0QkV_r&5Puly*DX&YGNQ`0%rxM{^oRa+PuH1M`-ta5VlE8Qg>}f85}%D z1TDh7x4UH(P`oh$8Srw6e*X;$BdXi^bgwdvi1IdpO#RJc^jG>-U%?a*_l-S+CwZyZ zV#zn@o^a_rp%bs-WOuZtAoIiHDDV-J1iGAS&|a(gnnPWP*GZu;)K9X|WG?tO(TK6i zX9{-0*RSzCCN)H2t0clS&r=Y=uOP9>VRSVcTY8seUgXvGo|;C_q>)de;vT%^R?VBn zRUHpHZ4N6fT%i6B85&7C3fb7!ORt-_0p=Nw?LVbLajh`nc}W2i2c=}E_PaLa7>Bg8 zgPBE9nurvf)OSyBz0!y6J~48(gFG~Y(-U9OLi*Ycs0?O#oPAUxlsrUFhl-=As(8Mn zlYfuDyc=w4HC`_VOHT_*#{{XU6FCS$#QazCRQ9xmI@7n?F$p_ASm{E`EBOw52&D+$ zS$+v?JjQeBpp9>5i4<~RGAv_JcjJLsK93sbv6N8ALDF8ATFMT1yG>RhkO(;UzA^Nx zkl*7tRi$Tz;^b}>C$ck0TO*9KKhZ&0!PAtI91^agoo3`?k4&cXFD24nGqbrBUiu9* zqT_eor{WM9Zis#w_W!W9Ib^$3P-!;qIeO{tcE#|;vQ&QDj$K$43f)}$DcCKiz8<__ z`Vo87dX1}jvrlRW6`4LgAnCF~#0n}&91_`z+MPG}(IG4bD$ok~ybu-bGWc*tqaSof z7)CqK4P@ZH1gbb++<#*(_`(mR_^^*IHZqiJ)pp53=2ET^Kfu;U#%d})wwVAq_vHNH$CY(81Efj={ITVC z6>0<1p&jGQ#5Nw{*`r(FK!pGxQ_1aixZx;Inf~yP&hcQR@hroPi`$Pn6~d zCCo>mso3wr7z0tyy#51W?$Dq-Rl9bY5{-xgBia3-i_yC;EEBob-MHAD*unXuQw5cv 
zeW@MxOx1OMKCP36f!A#mEk&wtp<|rU`XwAtYFncr8VNA!k8+M%S(Y>u-(^Ux0>ZB# zL}f7f>9+6=8h!qUhe=gH2>3RPUu2$a929<5m$QDHH_HameYHZV6-Rmppghcq~@n5k}plQ5v-rUdStlTD0_m4D6yNf{fCEU zZLPfM74<31@}3I##%iAqAb@5)j}5bYbZrzeldHXYd#RY3yxbAXM<7HrA}gZ%7kvMw zC;_zyGYccY9^e6h0ek`8f7R{p2L0Ct1$cwm{!^t9p$1VJI=e$zMI=O|#l%I$rKKdK z#lUdltp6|J;TFM(qyJiOv4DWT68xV8_+Pxm{a@bpJU{x;v6NwdZNmB86rzt-896Qe z7jGlr#ELIrZe;_j<^Zo_HK_&1iqe7oCfPa*4Roks&PN4&rU6eTwd}y7!%R2bpLM3@ zF}(g-d2gw($Li`8s(g5LV5Wj}I=61z?xzEGAH0$dmBVVRiw*p`r|`Pf%2u!-WCYQE zjDe|jbI{&_IeV*#_}(RCQ3y{E#>s;}mEB~Qy%NT_kW>=|bI)pl^`CL$%e!gsL5BRq zGe7*UKO!T}x^CHO5&RAvedEacMI!0h5~cn-*G*ejDu%Mqp3LiBN2lPo4WQ|nf0CNj zIgkM`@pBkWGVz!XpR`Uc>`Q+a}VMO(?rxM97d5 zgMV^3vIPA+`l#4nAS{9*H($lk)!%KwX))FceWca)Q>0B z8q8D%7I;ez+$B5)$dbVyQ3A%Vg8J-daq&jJ^a2|VKEfQExRD`l;VMts*J*b2qZ%=# zTAV3BCE&Jc`xdaH^0Xu~gje zlYM;u1KW#GrQ#O(Wrzq5(Mou8%EFQ*WOxKsv^89l_IiR*Aww#`#xA$86&xV1Y)#47 zRFQcg%sW@Ul8w6{KB1|c4-Fq@kSC9~eO?-yRoKor92m`SdeS6=L+-|`VbxVY+d?uH zSj4O5m1wZ5G&JRDs!L*`|19TOHsf;+-qn%bGvg?t$fppe>~m_+`&owy7o!Xxxl+3t zQK>|#2cUMpAZ7xh7f^|~vyfLApAv6C2`nVXV|p}{yes*rP+WkaAk@;J?JJ_k$|e~B zsP)DT+l4Zpi~Ri9rHd;>cv_#ItrTLZgv)Jj7vURAq~>#OTW6%jdVXbq8#+eVnC5b> zZAKw6xRf$vD^1R&Mf#L2|JV6`2s19^#b*&Xzd1IZeMPII;W78&RuKQD&GG|NX;kg#!{b)*LquFTC>$j0C1 z&JscywoNDk;}os}55B)8(n#9grTmA{fV^lls?+nFf*^2J<;gEzZ5|yja>EN-580i= z?+-lgj7kosBM@2QdaK4b88DbWf$YbE1{SP%v94z7MiH+S+uG)?JzgIX=7)zpQhPrJ zZZkr1EO{G522lH~jy!1oD@;8jpu2-EWh4|95dNa@w~?SP;GS<>NV&koDrC zm*l`CdiUFj9JF}EG==&fToK3`r03klX%YFmbx}yEnp#ZvAhelj+o_6kHRhuJ$=7Pz z^bXZu4O&MVSsKoEW>l4mQ1Q8xef0~PJvm?x zXhju`Fa1ni$@WB84#hoAbYJP2oiLT}oIE?Vh^U*=(U z2hU$DCTfMbO5Ennajf}rErm)+S6A!PyGf5@EklNd_Qh&7!(hhCb(<8|Bl1c1CD9PH zu4wJ0uYBz>3z2=0s8ZGCk6&Y1Xhc>diZ$ywqs$LqcFkGdRm~o1XI7RBPzz$$0$XY?(J8JF zUO(5{i6Y_?Bg5IqZRvuA;D8S)x|GKVk&Eh&_nDrj7F-7h?&j9M=$CKQ&DhVn*u6wg z(!AI6&u0~&G5iL$A9pQ>`GtA>d59H6>Ssa(Y9g|uoi_EEVw2~2Okkv@ZmE3NG{feMR7{VM1YjLlKZSB4nVjEk`{`%=k5zt+|DF zjoq6zWypB37Q{^&{#`PgaRk9;_>KZBD29l5Q6^Erd{Ep-{5GBKb7A}2I;5eR-&3n| 
zgrg(3#uC=ChJ&J(8uU9g>H2(h(}JW&*d?+-xp@Sun{^;dD<*@^bAFhPIml;Xbxl@g z;Zx70x-9xKh@oz+!?4Zi?INoCcOvi!E4&(_f|uJ*Z^pfEWos`Sn6|!`J<=HgKa^QM zIGrpi9Y;Y0oHKkR8t`UIQGd!V?Xg{XQI(wJfN0B6=+; z<(94}Vw}|5M^ZAHe|Al~!zoaUOso!ed*T=C&`*?jL`iAr)%6p=-0oxvoE+c7Wttp& z(A39q;vQU?>gBv8s*}y*MY7T}XRLW3~ zqy##%TmqG{TPGk+zIg~SfYscseIgqp)??Xw#%UC&nVDdsE_=wwirt)3hzd8_m<{|Y zoJg~-8=1_s8{a;JKMkPrt9a6;7`I$DP#9UTqxeA%7y~xzP8j>UE*QT5$nM)SxP|Jn{*4{}_4*SQ8*dT_Hyq||;DL?6Woi~mb zed1n=@(^6|C><{X+pm?Mb#iK0|C7uyma~(#BjqRsFS|BcRobXoi#dZ7oSL^Wqo&)7`TKhWQgay;ES;; z#9gM-@5;BS=tRf0_7DwQdwz~jaH_`jxouBc){F9)I?M~jw)C02-M;* z?O&Y+U`v?B{X@^(m}?Gmc<9%j7GHS4wbVa(k`58p8 zr6)z3G^a10S34DZ5zQVnGL2w=i2iC0ex;Ls<%6v$vD`~AmEsi4V%FkA`@@v=$xedg9`NeV}vd zhGSG+o@k=>AkOJR^}d62?dc~yb!}BC|BaD-wD$33A&0f=Nr7UrkJ+nI!h|!!KjfU! zJ?pl{xAcv=ogkA(hY+PCHnc6~_qj|%oU#s_#Jzn!ylFfbahA@z`diq1 z6I9ndUja-!7UA=v{$}=8FSkn-EDvS_6X4?TlVW2r;s8L@DqnF(Q#hF7-kCOEOp7pJ k^{~yx<2`Yw2hW8Bt2LUiC1_~;MNQUl97NU)mgb|dqf0s{cUP=JC1*jJ*+)dTqa=^rtV5;Kl}uV^_L?U|{jpNX-sOMvLiI%t%Iz7{0JKF@4D_t)@lP|t^JB=*|Nh?M))t4~ zo(DyEqYCxNUB3l^mBya5+fK?hzVMiJWYJ^D;x`}rOYH*XAC}CGX@WFw7U@USV1u?3 zQ1^2#2bHB~#<1(9NpIqx- zF=@p>q1mSv+O=s#4m>aiE)r}!d1`tyogWIiMcxmU!3!HppdpxtJ_+h_^$!;1Yy}Qu zf-AwZeDMA;l2+Qq9Y!+f)kD_e0Y*HPt0PkR1(oJ@HchXn**OuS@e_p5E>ThM4wya> zN1T~FQ3`7_M^piT$ZKZHS4C2!oW;CcTa8YpKUQQMROba~QF;GA%6IM5dV zH-SNQk#eI^X?T;VfYN_I#g4ZmSKhFbCC@Qb%Dy*P4Vt~jGrZ9 zDfBSW+!*P{eVn&pW#4T|MyaOB-))jS$w11bW z?Ml6Ja?S5#D(EcIE-g}_iX8pHP%5qh0am9}3ozZdE?%nlLCuLSDDz&giAD?fcN?nj zk}fRHp0PIJ^7gXH`2S0r+l&OAyGo7~c2`GH7Yb+ROt1BWMgO1JH^Sc<&^U`^3%t~w zK9Z~gUmnpy%WXRr;ewbR9q{W39tXz{*X8mKePNOfSxV;g?!yS4di8&<>O{eTWZ%ve z{)xLD8SVKqY{dBf+O_JIhSzS0Hw2@LLx_M^v1Y-0YSOt)ZulFwBG_EHSCG6;ssMXP@ zj5b*8>RY0_oRef)Gl+$Qr!w~#DzkLe-6YyYrOE8)=1zq=^KdwPp<>_3!VQLD&u~Vv zyh+FP`dn)qxVao*`RCE&bdxrIltuD1YffA_MGEmWVR6K@gUP^G>+i2MEvKI!drtXz z{9FMz=zJSStP?xh16m8;M8WBo^roj9Y``-(&$5np)bnqVo{dmUHu*CsjBHk}y@1xD zAV*d^mnZa|3&|JUX3MLD>1n#9$uK@JAutIB1uG5%0vZJX1QZ@^^(f3b>TzXX>#yib kOi^IKEjk1g%59!u{ycdqq?N9xhH&0&qbb@$0s{etprv>(tpET3 literal 0 
HcmV?d00001 
diff --git a/docker/rbac-tls/certs/kafka.keystore.jks b/docker/rbac-tls/certs/kafka.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..6e70b0c3b017382eb7de62842dfb376ec28f2cb1 GIT binary patch literal 4677 zcmY+EXEYp)wuZ;(4AILFHF_|k#^?#rqxU{~^iB|r-br*(M~hyfj4pc1=p^{`PK4-! zn{(H_=dAN%@4eRZ?!A9L5CoYl5Cao}Aic%G=Z;j2yduKD#VA0K9%3O#cmLu|2m;&g zzane{ECjaBU##)BRB;IZ?+QeK0W3gZ-9ZpoR}d~7g8#>VpVMJc2y?5gk=a{Na#Mf6 zvpAqbP~4HQ12F-88dwOd;p0&eb15y2iKi%1!m$`9`M%%Dyt5w@Z1pYGOSCa=8`=?t zny+j(`PlT3iqHmAj-#j8d!{pfhy1(p$rwrJ-yS#2cq{y6TSERck8(;m(MYbBQvg!T z&%&Hh+~KIo-PFvvqM|HM*gT#Prk6G3)0*>T<+c9i+gh`>5;FZb zvej{~T{XeHx6_;VDXt0k>M}Dc!_Nvw9yiY50sYWY`O6M_UpEQZG9&5vP8H4@Hr$wc zx1Hc6hFWZQ`*-6y^t#V}F?10mZ`OB`NHwx1g|ff32%Bp(CL)`hnwJP@v`)-e((kk~c{us+Bc#C$7sA!~lCHv}M-;bkgxE%YE%bVEN%ZZM6^Dg8Ka=_D&g z457257mL@2e?@Q2Sxdy4by)wtoBU9hcXSYxkY4_^;BIt~d~xJhQ%1ipXH z@bomp#;owi1HSnU**UFz`U?BK*qt^oQ(GA1{Egm`3a^a!(Mq|2pR0k(EWCTfC z{uWDujTwh}G=y>w0B6q@c2HfxyY(m4 zFHzGUN(I+gHR@G!2R5k*Vvc4OX_JX76kR8TIILK2>Y~LrbKpLCiQcox!y!0=W&;%1 zZ;nQ5eimJyNr@VUY4H~Z&}+KLM6BH2tFz-0PiPpdJX?YZl|Qjt)ldJrs{nLR_64N9 zwU;Te(DORsQ=A4aC+_2(*$vq$q+wFhI+K`a|c`Rvrw zI>tg3QFF2gb};?m@ZL&VA~i{9L{gI=V-Dn6roZO+JCDO zp8^VEAOJW5ECIIv>JaAtM3hhpEHWJjXB#G{2vkf+SU_0pg|M(F1Of8;_Yy8n0Rm+6 z7g+)^0Dp(ke-e!U@+;22{OU-fL3 z?(;#s&b2A|o}^Q^H0l!>P5vj0%Uv7-HLt|fF^ezCthwfW`!RpGbY*MwTF})8RF#F9 zcq+>I8xUaVkCySs>(1xjwNcecN5I|l`%@8jX-~%YohlXKmu?kDrXp&xpT8)q#Tay)rdK^@)*T1nezUDpaNyU ze^=1lGTma#sL2qol!^pgykIuCVipTJ2{&`MGCgtu(iy6*S(?PEB72`mG4A#lN4pO% z$?Imi!p_cOx`TY^RUcUVBgfl@j19F24hwY1z-hUyzN>p>r=M-TOx#0{PS?a19U?YX zN}Y6jC7qTUGdM`QN(PBL1Dk^67?|#TbEE4s_ zh~90a0lBn~s_R=$e+QFa((JoT{!Uum`c##qj2#otg7sM-Z7M+DhgufzpFwV+kprz7 z0R?))T95(ND++$Fp{HYw!hK1;Tjb z-VYmX1p?sWxC?uv9&n0xy_mL5b7A-EN#lKcQloecj?@#JdaHCOG-LGMQ7H%{86Q0F zO*c}TJNtdgPw<`f1JWKeu<}*%cwOykoIQeMF%#OPioYY^yJ^Eg-0$`k`6%cQ@=Y!*uM+n7_+hnpI&z6_T}5LV6O z*8~X`BweSIx0Iup%W=LjmYukvousSpZVAD{R6dp)fYchjPYb$bHNx7iX7N@3XzPvk zhTgIZe 
zu=}Ms@}(@FRQGc>p$yNDU@Vm@g&3aAQ;GZyj1b$+!jA%OTIqL%8VbA(g9Ri&2;AOp z!Qk4ru1S1#oopa{f>+SMW5RW=y?x}LQef()18wl+VkkhE#-fh3GfS6Sjns2#qev(1 zk4X))TqOv-N; z%)1lymUi_Ll!zaF`mJ*uYyQ?)Jd2R`# zrDmT&F|DNG2XQBf)6U#!XiCZt6?o9~_yJ1!XHGxi#7xKc+o#*OuI0!J0+VV35-|Zr zd5jpbmH-EC%he5JiXm89nwcH}S@e^x!;Pi!4&&oDJrJ7bc;j#ytHkL&h$q989)iy5 zELfMx(=1QPl%@_F>K>_9aS^pTc(w8r_wYK1dVxsMs}Q%Dv)9WnH&S3;fZU6|H-4)g zeyggT3{37nywoGY;w*vZ{IPTI`@k~~|0-{+YnThk$OtYV**4hl9IMzphL@SlH>{49 z2|-%M`mC)R-}${T;V@X)7SU}D1SNag5-fn_NC|F{>K&%qGWR%~kxmmf-tLSFS|9U> zp|1;O#mbI;_%8dhk-i;i{gvl5Op2?nW~q0zBcpOlXc}RD_iDaaq*#9@W1rW5;Iz47 zgR#ojaPsEk=(-Qfd)d~WTN&fEb}DDk$q(bs>w7B`F^v*{g?hG60CT9_mZhU6Ee27; z_x)lwYP|C9No@bsMoMIuo3QNri85K|nhbHc6eVlo;R84eorOO5k=*9h5Obo9^{KCD z!+Aw^oJvFep}dfWFw)-jBb{B2OUQBv39@ug*7v~K|9T^4VcAOD#;@$qU_peA<@45B zbB{`D_EUsvn9rjLC3vi(e&*}r2G|=-;7-g=<*)fo%q4g&_&!Nzn8#*ikNUNsMC(j% zpJpRVBQts2QHGhLX;`AlIT^2H6gD)X8C>qnvEQg@?x(IilDF0CfRF~=3+1XK8D&T* zGh`Hg4@X(PBH)Gjl~-KC#T!b^MsR5crEcjxD+3q*apj-2G=;HTHS-M?Hny-PAo>}07<7tS7T4PE5>79knHlVjftmX`OtXIIUz~Yz6!Zt zZr>y)wTbF6&OUFWSYX#2)zWMT#P4OwVBpuZG8ZqOfaw)V7Hc?nUdapx8ZUP7g*=qs4FV zoLvlwrs9z8{Tn$>DnYj@#n^V;lPd*3o&lb7ZfMW!LTD`p#OKyY$sQD zN2@b;sKZ5#F~|FfJuPo8C@C`trb6$jklpHo+>OmD462{bdPM^!(%WKwHv|m(vep-C zJ?lgGULdQU)Q%;gb}1r+jf($D!TScz-}{pLRjA9;I!q-Mr)Z%_t?WSEjChdKw8i)R z+d#oRt}vwp`q%d$Pk7x`8|xXib+iJ-XL4BdpZ04M;PN1F$}I@VZF#NCs=)b_IPpSNcv z&H_?{ZyYKF6uR+%sfw58n=fi=}IbAC~6p{Q zWgycFOwKmOPn8u>W5@^!BYfj4v*;@~BAWrBrk(Vz*>Z0gr~{x}1hy%29>a!bcktcz zL9MrK6Bk(5Q@|!`TiahWP#8#ahnTdsRIGqVL6{-;n literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/kafka.truststore.jks b/docker/rbac-tls/certs/kafka.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..89bb13651de6696a0cb1b1638781e7ead51678e7 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU70mX)W888JQM-Mi^bjrkd)r8n! zR~v1#?ch@iM{Zm&pXY!O%w$5Uk0j)wocKVG(M?Mx71t_dY?uXWcfmq3FLN)_@RnXJ zw14qq{9x<{g4NiS*U+0=DcgiSXpQ+dZU%W_mo8C~*LAm1#IA7X?&SNb;vFR;&WCmd z|9CjsO&Lu?ykkCdo|346TWo&Sm6_C+)t~IwM4Z+_a&D$XRy7Id<7Xr8KgX&-R+368;8#spvv-V)Ebumm2^i!M4MmR;73vnZWzvY6f9owR3z1Z1ZsQWMOO z_@4zGO3@!M)z3<`M7Tmw8m8F#vFKL;Da3pkYl3?ZT?_n14zE=H^L3gq|D+hTx`q+c z@V{ zG8=PjVaYL8*DFKh%TIa)_Ef#IM4RcV^JgmF=E-vMUR=3 zydb5yt?gzRWX*aJed<@>xhSXt#dKTOhmdJgu0jJNU^vI12Yhn}L)VGx-fvIK$I`%^ z+H8q^RG21TnB)5{p^Q_l(7;q&txXEZ66U(m4f=EhB5O6HFj?&8A4@*0*cuXxa8(4t-<_g$PK?SyxxnBC1pqU%G=P z0sLlvMRMjTRiFtbK%*F_Kha58LE5I&@L%7YYarNk3w*^Ch}UiA=c|%7FLG9&;`?D-AkNO>b+Ys0MOOywY^UK^GB53XK^JUjbU+UAg z#p|$_+n&ptl58MoiOrb&cBHl@YAFvi5De4JVC;K3vq#-&9FLFuWn>gnoA#r5DQ1$D zP(m|{5{5x1xqxpu!pUx>d~BRETrfT`AutIB1uG5%0vZJX1Qb9}X7;$#7=TNW8=s)u kiHmM9iM<3A|55}derAtbw0fv@5 z-@WVJbJqE>*Iw&+-@Si6U<9Q&4mK_rL2*a`;0;#`za+sX#Lhubtl=Rjmj1zWU zxl+L^!a@@w-Z;2ey?S^EyrD9>X5iLgtL^W3Qm7w~4EA7nIp3Tembmd2c{HG{cBt0~ zQbbPkzZO{H^&QspnF%CydcUZn!JOp(>VDOd zjw;8Nd{vHPLP4uH6gB=wWE0bh-|xd zpG>$H(zi448U;rjEVYFJmXEf*6@>gN9UwvcD|l>jQo?0hv>zX%GrUt=PDHrKv~f2N z_(H?dG`F1%j#zO!K8rDFPdy`;Zfb#?u0}>(ta|-D zxAgL}z3)itf7fLp%^Vv81ZwA>M^WNmGRSVcX%-hFL614Mod`Mqsr!>TuQ#}uy$E-} z?FjO>T@D@R@u~rzfhMaApoHDsc!5)R4swglbf;si2cXv6@BRA?ZLO^~T4%#N2cao^ z%%UVhi|otII`@yo4eyJ#)g^<|p_$KnnRcXYJOS@AF{E)7^&ja4CCpdmMIm*s^ArrP zjDZGc*~WVOP$FlYw;{e{C0Z1t)dkOc`rL)SSkD?arLcnsOBF(V4j-MV|FVP7oN$bCWm&&mhC3ai&+9bIj5YnzPth7}*IB8aC1?^&gDlcBAntM< z2`$I$O{x_tBEML{;~S&KSIA*p%;wSaD}<%RJg5$`iMJ3HzH^2zui}`?0PtESs>v54 zIsw@E9*W&3pC1AI%zUWwCyT<|YRIALg47IdaXKwxCepmDJOhp&&~%Zv!nu7U+T2(-q+C1Nss0yXlE0v7X%jGZ%57gS`Uu}+Jsz9*! 
z3~>JW0+I)jn3ELw9YgcCK51ybfnATSe}W9y7!9&xdPKx5%+GNZBbit7>BhJxY^ecI zKt|CBwnB5P5-d~Ju7MY%TYO-T9R?iI-WHybuU1e(G~w4F-*0-I zK*B^%39#I-?6ADREdRk&!XP|KLuWU8W?>0oDKT*oaVbf0h!hwBbp3aUkRS&EwD<>^ z;9z6@v-JOyVE>m}3I4~eF~>u+`?!%;nd-~60;H04AI4r9|F2s^5I|bp-41yJong_M z%7Qhz-qqX|m!^3$oA@jbqNrI`M+`T)^66Tgdyu(FpT3aWwDjK7^>?)Tmp!sGuGj@x zN1=<_riE$&aW{dE9$3)=+J-h4qIm9!ll(Jq41o>IQqW}j(ib^Wxgq@MsQPhW;%5r! z{)z(R$6gXju|sA%;GPZtg@}#%c~aS}$OgqFxAt%HL9&t)-LBPaG48Fi1m2K)YBd;n z<*^Kh2D3^7(f9lFI6M!aU}V)N!!2pmo-<#+_*!L#t!FV|xUAiOiop@_Mhl940QyZ9 zv;s-J;MyJ9Fc3k0YEtnL;-Yj#>!1+j}3~ zcV$K|UP3%`Bg}<`4bxg%@7Et@PO>|hxi2P(JJu-af&Y=tz;5Rvvz8s!+r|*DHn-2n z1bR=v?0-1OXc`EwceiW5lwn+Ib5uRNl0O&_IlgWxF21lPG=O`%<~>MIZ2!D5(6!dt zICxXvD_6!DW{7xo->zdbE+7e&oJRI9 zO3YvRmfec+Vq!2;t@1LRkly?HWS741wAOJ zCj~{(jQ%xAwEc(!SEfH~tyd99M?gZw5^;9yETGb{x5OPfKA)HqHy`C;PB@dgBU{#F z>Q?LjvYF>fST9kSKtUk``&$5Z&%n%R!(#lPIaq9!IiDN>X{$2!rkxnf^;p@nE?@e@ z$a3!iu1DVgh24@IPd_6TTaU9`}oD7gB>1NY~i*ic3|FP!W(sJ|+^ zTbNmUw1QPmMt|-yK0;q&DeFn7k*%EQmqKn&SGr^l8Q)IQIx4s79-V0Fze6pB<-x{D zmn3tp!j$dHn0?ztC;$cD!%)RCf@*#WV5Pkix2aN0PkcXZx)Ur=8#zU}_73e(k|%J{ z{xgD0 z`2;OWr^ArMNq=ZkbO0f5>z^Dr?$5)Hn7W-436ai?G~p`+F9q)>Pa=wgZY0t&Q2eH= ziOq9Qk30cOW>O&8rmx>QREO^d-2s&>CLhYPebYASnB9>IaV}1L_w&3@7^AwAvQ|ap zb8LDan-27&N1`5g{uI2`ZN+~Eq-1h2Hc5?7Bqf2hA*V38PacOhZb+lC$vrEJA^_Dc z@D3B4E}oDY%LGZ#I6Qag2fNA(#Z&&V!|fJV;i(E$#L!5{uZktfeCmFnBx=Zn=2zt( z-Lz1ARfVVA_pzI#!+!j&J+5bIw@$#lz^KvMI49Wg$t6PpEH5c5i&{hFXk z#@TzzZeBM>E-&G+UhIXoszO_yjf0e`P+^sozv5jl5SJLeh`t)l1Tn4GP-xr(?;Bjl zZ=h}JDI8ZgzFT@(zFn0Gb#)~t*yT~@ut@J<=27&jBa_^iIE2B>)_h59w0oZ>r~~+S zX=^qQoUtB8;2B6`wrc0{&bR)2>x(3X1H>pW+y0#K-pt>kSr*!AEwYW4nR(|$Q|LI9 zZibiPQq~?@#L?9@#rOpFgS(i6KKw(pRWpU6O@;0qy0xGE7~38etK#dBY1G*3cy!;N zEzEnzg-Oc1&Ds^) zD=pGBH@>5raZKQt_Zgr8;sCAsAu%Qd_+gcTqeB#0}_Bl7DN=|6RZQI_=Ql&%90T z&!rJ==k5<1PwaFe32RH2Jy>R^9HOigXV{~kSz9f#dEV-OEO?FTZ757Vd8dr;U%>L5 z?j!W=M&$LEStjGJi?>p8ty_V$uz4rfqE+7)rRTE38t26lj!(#fTB2zuQ8TnBUrwE zW>X%lDfdGNaA378P<()COKD1`Z>eMUmZw$9m~qAQp+^Tw=~)wsF1ISK_C9DZ@J|$B 
ztD9EcAH;QYvzgv+VfzX+FMqLKaWWvi($}LWiYK#LvA6EEg;gs)*MdVYdHwk+!({{I zE_MgCB7XhY@E9#Y&pk8nWgDKQwptUiokOc58{c9jA04;=P_<-)^nQA;lfV?5_ctXo z^78xEG78Ap<{W)?F4B7SiO5ThUONlR(paCfE`yuGb6w-HWue$&WZiE&2dqpL$9%Vv}up zkiV_e+H7-B@1;uNPyU(oXB_ZZD{)$PI~zoyg)mSm@pU5|l||1g`uvK*PQ0J>M+zm? zSD(MjY>H7c?gypWD!UTtlSkz>21>C^aH92Wl5I4jf@440mXru+ek*Q1W|QqWNF?sI zZhjo*uOUx#_XP8ei-xFFPB>D9_&wxg+wr*!G?P~Bhv+gpi`zAns^g4{%0gn8K@Ruw z>y`fUcW_`(9K4~CZw)ax*b`yR$l?8nR@tCtIIwT()<`V3`o0A!wR~2|6ha%@-e$t+!1=B1k(oy8Ixi z7NFu!+nM!J^wOoGs4yat2( z#5EIeR`LhhcY^XyQ^t7N$Gc_PCGIG-ESNAo^PM zm~5qX>Fui*zgIuD^V-MdYx;!ZfT~FL`Jh}?x6(F8s)Wu+$o|#>hpfp1Lw{Ko(4gHO zb)$v+##>IN#oRBY{-|kXkPj1b*Obi5q0n_2rK0@mA;j8}OM!!2q_-GCMHc@+crrQJ zl1ubN(MoI%IH#AkReV@OWTCrw`+Z9G^7gJLPs5YS9!-oyI#m3q&!R-3=cJaXS8dqK z+*FKaGgf{n@%C3p)}nyt7tWtW1cxt-5ROK*67)=p`B>{VHx#gfAH5HpQ!fLh#|1;T zj+NiBv|8MWyK!-`@Y;!YM_PY5Hg*qFEcvxEFSa@--_rPr#&6!|wC1-#s!HS)uY?bM z!E3ixWfKtN4D@U4IT8h_qZ845N^8xKgGHX5l&W$NtiASLJ8kRCsv5natGwI9K2$0r zw&=C=0YpI7)y>(@|I*aY2Fuaz-W^Rnl4#H)cE3saf* z5LVTM{yf%rp?kK0Z9OZL5t+-GRBRN_53ChAQ)<2Ag|h*u$L>H$h2nrrrT^WA~RXk9ZRgxd5$(%YJS-$#Qb*}G6d%+b4oZXbgJHNc}Jx4 zxyi`<){1*iqaewy5czX97c2*60Rsr|`ABhb=<%`eK*|9N(lt4fcp7U|t4>mDPJ5}i ht9T$&X87Dt5;Fzso}BzugYta&e4!x@E_Qg%zX0rb&@})6 literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/mds.truststore.jks b/docker/rbac-tls/certs/mds.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..98a4c9e361d32e9ea5e03b5c3e3fe9e21fd22e91 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQUvC>;1hGtG>VFR}$b?c0LEBtfkC1W}PH zX&}|YJ^oN$Zcjv^^W6i18=eZn%Py`{!2UVb*o;wG*s&*oE`6Z9GX(BL zU{)~OJ;RKf;`cKc>9YxG0HG4M0a#_>FlTN#!Z(e>I4qxYYIc(}#q@9GQ_c2A%gDeA znW9nnNgNcs6$dyC;gIX~kYeMnZ7pPCO+lmGM}y?NUv~MkcdhQY&SDal&=7ME{UpXI;QJowOE?m?4f49QU;q0m;{H$i%kr3uV-9j0GtR&GQ6bH5r-lPCp~d| z><5mf;~eH6X=tBu`W6sF&NxMD6q0+}k@{o|M0dY(gfChi;8d@+3eV7$zzq1zt!$&3 z(+-pxL`&~uaPPJr)x1J5siiyK!bkg<1R)T;a{{z+NKsA^I;`08fn!eG+l^ULST+!4 zIvs)w4F0Ee3{~>tG@I3!k}98SR(b%kALj!no6A&t66AVVGP0q z=|6*N3gh}%@mA)>p)KCF)#LWU$)&*as(Ht5FCAb5!&Bxy-dMkYdO|=@<)c11l5jcs z&1AwUwewz5%Q7qV^a1NqeRXpm7=Qg$Jk`QW?i#aA2)cC zXE@`0@~R5PGv2%ZOWa!r5Axdpby3$R(R;dA{S<0W2}U08OVOn1U}o_zQEkuI^gLX& zPs(1s8bB{328B6M#neNgrmQDuAQ0E}hFpY=-w8zV6nWJ&HB+3u8X~haJ*|(g>{`yh zyM;c9^9PkbVVhX5R2)P19mLs99N>tc*&?Bibk(O{>RjSLH z7lp7U|EEXMS&jKG2a|QEA+IpWyB@m4)__v6%$ZI?*$Nv_0!EJ4iHwEn6z6Ub$G3F&G@Z@lZ%C7`nhADwxHVu`3_`a zh_k%BSVczXl2VJ42!I9XZgaTUJ=}+Jb(yly;7SBpNiVWx)Ju6P5Fp;FQ#c9&UG0=q zK?M{ITGc0Q8YODNC?IbE=3#084^#`7SBiK=H8J=Jf k-+M{7t~&%2zVk*0DUcE-@zVQIEy5v4-)-Zi0s{etpcjl1p8x;= literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/client.keystore.jks b/docker/rbac-tls/certs/old/client.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..e7d398c6e6c542a3db82ecadf86bc3dd86819b90 GIT binary patch literal 4687 zcmY+FcQhLg*T)5kJ&LMPdzTWM+PfuG?GZ}tJ)5Eg5s6i!)T~jnHEPeAp;qm^saXwb z$E@e~zUO_P=RAMhbIz zw+}`DUH&TqS`Z?DCjVfAe@YKT_J3RCqyYRp1mQIpL5KqjfJpxz|8ty~kWTWfu%VW} zrBPA$vR6%Msx@@2umPU{uUnrGLD(PvlV2xyyf|k+-RAEr#}4g}lGqsyliO4s`VXD@ z(FS9B*}1GI#6fAKysM{aNeqy+gY@TERI_)6r}gZbqZ)Y}+Z6xf_kYrP2>F8ii}cKKLxpRX*KJZqF^uYc(+8en1^z zv&e{B&6ZdFo9WloHMTime%6tG7n*sU+D_pc&e2M6b|hLcM|^){@yRP}?@`VoOPofL@M=CT9aeg#YsEOqVr*5^Z?y0IlDe9>c%vYi%6 zUX_$#A7>DV{_ZWdc2HfkBT}~Q_RE#rhC*xWAvMoS6OD@?nP}yacgQSDR``b2E-%N;+eLkCKagQC zQy|GKo(v~xS^X;#v3vL&_@|LNWy_pi?%vu@jUO(Zn1vPal_bqQFmYtm9H=(sj**38 zUX8^EUh$|467Fqj2D*NUnXiONeOL~ieSvuO2$*jm>Tj{>3!sON8>u4{*eBpEaW_&vHJQ3Q)*Ofb%;@M6s z3L@XO<%;WQUiT9eEyj%VOaRl31$J{ z*4E9S01(S0nO^%(mrx14qmUE1N!s*^| zKPlAh#DDqD?vH!#LywQ7t;I$&?qYer>#uw21Q%gWIYg1NXZVzF{Vv!Wc|5CIQhS#| zN~RyRU2S1DBGj2h1!ukA#cVSl$Ap>+S7=6d7qu~=CrO%8`)+Xysc0>`7eWseQr%N7 zMX5-ZeY~606auQ0?v>e9Hd(|pQSkX~hnl1~vOszRt;;md&oJJUj~OOK$$^zG(?$)F;52T72;FzW!XjveKfidrQVs&FR$;UV4#&o~wi5(#@F?)MVS~TzrpW zQUOfq&gZs*Z@C}*ZiG$H$*i>;>F8VJh42fJ>-|#~LI!S84rStg& z2pKa%SjgUHb1u?yYTn;xGbf`UoXpi=`7M`>8rDz!1{HSY-&0S{Y+HIj0u9QA!Cm@0 zJjvI!w^9!;Yu{BN4helQO3`v%(LbN~@on-jVdbPlP&w;QJ6>Y17)-==h#y}tl<|rx zgPH%WN)kFzN>*|_J3Mzh7d!_%PdtAx$A7~6qI85bMlK!>?4nX&2?;TAX$f(0DG4xw zJow*3M4&tbxyL`q1s{O-PkZ&B1n^&m1^tgc_+P_@ zA;|gnv+dO#Se^^MK5aqDF%x;>$D|N#zvmeQz8^Dt+JdiGXJp#mN4@t|Eq4*FcFg5C7LU;EVD{rbU&(~oQ`S5B!{Pm19m1c4Qk@J$K2x7liL3;fTVa^O!a!=+P8qg6u z(4CpUrS=x|s0n%Dm=o;eM=hMVWKtuw91&mTY3RYQWbkMGM^?5(xssh8a_3gzn#Z^B zxqOvq2x<1hdM6}S(pwDGzd_)+BHen&^DLW_J82gFN=o_V?arBFC* z9g4nt^3({rlkRI;T(gbxYpZAMTi1x!;n*#z4LQY|C4mcWd++&st0M+c69)akuTk3Z z&#lkO^?Z`#&4#I_2Jt`foFLhxpCwsKcU(keXt0tjtb!Z7b{nhFu4vqYc%&pRFCcHY zW#i;CXzHetL8GT&la)H{5~eDwX`fmo_fDA4ByoDvIuXE*UjFV-`^#QHG=Fo(`?QEx 
z_+f&qxSziSDUJyGyt3?rb+BfRE5=M+Xe;rQL7Y4@&2k_u+xMDed`O)>({c&Ooh&IR z|6;@;h(a~6dIj)NV=cEolywC)7TS|x8KpuQ+ylvso?qyOCu0Who9eO$F~WNL4+Zal zdMfselduUr^~EVaU~xBx`azU-cpK!cRA7$&#jyJ2>j}22gW2>}^{*>TQ3sDFFJ;zg(%NJ9>CA3?F5*TY?J8Hs zPAgEu!yg@>J#z&di&N!2|FfH!nqAG(j|*tx4ggP~81R%@5v_D=|K<%mwV{fe_tD?r z_n1b7IXBi>MK$yXM)+Ht$vG5sbf^)s+wOWNqA92)*UE+#$_ovBU7sGKrA6;ADjTXo zcvrb?uAXBz?3bS*z~(}<2r-&XQb}+)yX=VJ4U@G^4{Wz!Yr_g9tmN&Gt4arIZCZN6 zYW(rv83t)6v89?JH{0RphM2A2)yClAI=zA)w=m0WGQXTSv$Qs`h0a1IY- z1Cab?U$0m?m0U<5$DZucS{j2##pfR4&L1*UGlDoP-V`cy<=}*<;fW;-x+(-L>`(Tk z4GKH7Op7E68y4R)sE21!48DgqES(KR6DSAfALva2NL{HtohjyP!>y6_fTARAG*5eW z*kF-i3~YQ#RkS`?Q4VHI!z9eru+x;@sS4tdnoIBlekw(0)-J)`%N2(5CIT zHQC{2bI%wS+HYyrl89hj0&K~Xr$xcbJWF+v0-$Zdg?OgS51;>14e}|p^2+9)dHsgv9wHf052KALZWxX&F9W8cF@aubIOGdTwXp zAApmbN1{lF9ORX5pCK@hhQ&~~^+4mviq>bg%xP0}vo1cX^Cq%c*Cv%uneJnngD-RR z?m|f)8W`#}t}Lv_PsDwZ@K~}Il=z_cA=Y|aEw%Wis><&Geh%S!_Kh;dpI6*`yeDZ9 z_Xx^dc)+D@n(*_vRq1!9KJN%s`@S;K@<2|#Z*B2*^h`#OC@L+9(7@-QfC`R)WB!l0 zatMK^lPW{})-qZr@>aakkr7k1cQyx9Kvp)Vw+N)6xWLZMea_LG6ObVJOWY$R0& z#yTzF+|0Fa)N1A%ddrS@oSGE4y{Z`95^A#U9gp!F>`Jo8M;W@T*Cc6#aYO6 zls)~%Wqn$+!_k*Em8mW&14AQJIw1Y`Etl{qa7*W9vttPK59t78H}Z`(-_ozr>+G91 zlxe{i9pl+|$QKq&-X^mSn{gC_e$!ohMi|cE3zY{g+-8}-6$OaKssr|Hk^}nHIS-ik z2I15aSK6&;#pUk#9HkE_*>59mH1iyT5jCZ?yOlCuPmSv(aJcpoZcdl$zqEN5>RrznTbG>ZG8c14b8qScZXJkK-UFrPLd#yERHx@qxDS$ z61qISRlVroOYW>q1VAv@GfzrBgh2>~rSh;GZE_`8Cns)j^}URw_UPA%EiG)sIvU;1 zSKF`LU(eZpQ|u{tN>-k1Z-d=_c&E>4#rWpXHoypjJK=t0Ol)@Dm@5M79Q9;y5cSV* zU{V}a%!}5P{9~1vT;;U7I!fpAZKF(j4R&B0Ul+;_l* zvPUQkVjK2(vC?HMl&zHLh1AF-KUNpg5*95n_Czdc z>@lKA{sX)%Bd=#B1zp1PfjW_q#skO_GmiH7qKc-jHSd1){@@QQ!vR&!b3!tNAkJ898H%5BMNk@b{^7zJ)sC2MGu$i z>0KyP_(vh&_gXN#kG`Pb#x9jEsJ-vH!?txkws*(bobcwRFmd?M5#r z^ZKdlBR{@Nr$nZH%I!aYeI)@?Lq5v?G3Xmvcj}6Jk!InR2LX!`)(jY6=|b^oM_#`! 
zt10~B%Pva@B*b9nZS{v_^hqW$HN(y}n?}kj9SqVd)e&Tk&Occxww>n5Szp7&e@7+V z0^wa|X5pF!fkWGhr~0yOROTDp+JU9_(5)2%t3#s&zn51^xzi>phh&}8s%9BKCw@H$ zdO~r+SE4%7gdGG9(lxAqAxl3WW3cPLwm%m*bmtqdVAj_;D9XU2Pb2z$@xWxwmE05t z<|eIgRZlzYG?XgZ{uG5>;-lHKYsM7nGDj(wN&Ah=>iI<-1VBP^|_p|*;Ue|FLfy04zk_T6*&3D zH98OXSL1F_i7z5=?{}FOh!9j6f+naoVmgh5rppH@sPlTOFZ){vrW976%9j#g`3fTu!-z;})N2ERW-Iv#LZQQc8D&OUB#o!#l)7{5$%hE&MGzo%?QMemKXX(65}TA=d-PIi^0-x4K?(3l=n_xkW{iklu0yS&`5F zy#c*eS(@K@g;&WsIE|}Q$Ybv_RW?i|a&QfoKk_NM<{{+7H)ifNFI|z}R7LNaH~Sq~ zS`GYG)U~HgH7s=>h!5_c204p?<`@I}sS~1su`SA7v)mRclRdK^9Bgy{xUDey+c^dN z9#>jtl2jZ@7Qos-bmrPU%6%gZXHTOul3&`6+}s}mn}vO}7Of#x2H_M?EAP(Z9QoWI zL1#cVfpt&#?H6C10>a=rk~R>}GDb{F0LM533nu1Whk8hp@X4~*ttS-^z>$>Q;U}f0 zez0_$s5*Ml&(ONls(UNM)DpSGyddb!>0J9uKL81yoh3nS&DtBz6f>2@`#eZ~P)$EW zA2HK#iSe%BsGQ;vf5+$fajLtiM-TQGG)#pG)xIXONO*5Qr~!DB566uSgyENB6Ze3g0bck(qUR!7-#1GetETH#3BBEjk#wukr$r; HfXe$9*x2-m literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/client.truststore.jks b/docker/rbac-tls/certs/old/client.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..a2caa106e490f5c54a44ec79e736b7a21dd4df57 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQUiT!2nMW+NnoO?xMN>=Gv z*9QZx_4F9{-pd?kJJs`K)sTlGk~;^`8Ftb)E>5Uc4L?;?NhQr)H1cS>ooP7P)jjoW z0e-1567M5C7aH$iocrKYCYw3BM2O703(C{?xv9Z_E(4RRCEym=bIvzXIHe3s2iUoW zQLN&DNQbn^#mxtYsca?nZ{0$w(^cVSaxR-8RJfWK5N9j76jB3f@BFUu*Dbf}IHs*r z9(ShWc88=0H-nmt4GLO!vNosj{VBWo4t7odr)7u~_I&yq2%!e1#M_jSUQyEk{rqoYMc z$P6+D`AHDHXF=60AG{V~8{h>IDM6X1a}!CY_i!%QnIPPUEaq7L5(n1|jIP$+^bg>` zl)3*uo8pY;(|8)UDiRORvN92hD2G)_ljq+wk(sk4>@m||Hqw}=(u7q5Sp2OBAD<>& zTyyy;I;AbdkB}APnj(e}-$U-2Mv(4Oc+ELJM2*P%MX$D&E1%X3x2Ko=yV<$Iht3Rx zdAc@vo4iHLtP1X)BKq&ITHC%>S!$Tl7nG!s9wq2TZd*x%J;t{cdXTe@bexw7p7y`s zHTCTs66bx`TGjCl$>#D%Yc<%Q?KZRcBvwNPqo<}`+LjC}=4!Kco{2xuZUw&Oo?*it zKdc5`txRT{tR3$Y1r-IzC?&{CU`z&Fr!4hZdVnBuCNBsl8P-!Y%S;IwXo$K+@CU*3 zMHnqlu~&4oA7q!muC3BNJKH+_z(u?*dr*w)#py0FQ+-Q2U%7EMoN<6*FWxU!GEfr0bNjwGWim+L%oZqITzU zop?S_hWiFHfsR;S%XcZUD*Aq0j`_A+g<}t<+Y??2EXVL#R4? zSBIf{lWLNeJ;m@f=X?Mdq6lIT;F$@dxB{?8&ric?!GUzWY0R+Qw!Z-r|JK0s{etpaE(ajsO4v literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/connect.keystore.jks b/docker/rbac-tls/certs/old/connect.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..2f0848a74d5570b5d76128a995272c3cdf03e49d GIT binary patch literal 4689 zcmY+Gbx;%lu*S&)q~nOA^N_rwyQM?AyM+U31f(007D0iN6p#*S3F#D+?mGJD5ICOi z&5L=nv$H$jx4VD-W+9PeS{Ue8WqiEZ*vHu#q>0r>yDMeqzA10IQW4~fLOfjkF1`yct=aat^jDWn{Qfk)pJlJDF= z2&)SP`}n~C0~4+9B~~QX&|(>cX1RwzY6}i6?C=tmeoL^AQiE<6ZfKUaeoEnv7+iNu zpl^9Wq9-bHphh`<9#_XPvvlP_H<$)PT*EvkFV(YDjSP_z-yEyxqmDPEb=7>v6zhJU zvC7iXz5F>&ekOf#mib{0b>r-^*9~#5%zq7r;!`=9T1+Ry=5a(V39u-Ebq1~5dT_ZZx6Qh z-WWlAWLg+5nPcTPUNm7+v5I&WAYCe`bdV_muTFHAA5X8s+Cf}TcHPdQp_3*U2P9BV z?WLNQ9YA#d;oee7F=~!9V6?*?8W}G5CUHLdEDG{*8~6U%_MiS7 z9&RG_L;rU>S*scEJ^}lUXQxokYU0NCY56rc_ug%u9l);3V0s+c)cB)uPH%k|NHRh9 zR4!g^V{mHvQ=Bu`Qh$;i7X#eYlO$~>$dLhFvxMzCOS<+JKex3e!3fVbVfUEbm(I}G zC>!f=mzi4r>lfRPq0HE=sl&Qil?}(zpJg9wA{~G?%@=3WIBE`^*D|gZp7L!};DEGlo8}IPt}{fr#rfmC;!5m6v30S z&J`%BLeY(4l#*Rly0q@;#-Ax%Za0FSz6=IYe+w}@0CFh$47U7!|C@P!Cv@4{h{q9hk?VHiOd}xnbn00`-A(_;%b&=p5<{?aO9~!cLl(@upwF)*Hw zguTX2e{d#&hN|CdZpH|FAdsZSep^C=8_Za^>{yS~c~(8F#gP3~K^N^#P>1Y z&9BLT?#=ory*A}q)4K>e?Xt27cZcqrbWNdib=xq8PH^pst|1ZNd)tpyvyW~HffL^F z)ECcHqp}nD-TE4%tte>S`|WJMAG(iTK7Y+T(>4jUDYR!5SE+oJ{=F#jBE4k1JTc?h z`V4$6Lrs{fq^2=q(bGxPAurzvRzV7Lz#W&VhX@Eq2h4_Tag`;5PZzmb*Oj-ORIDj= zQ+nDq6-Hq8K#6RogBF>S6RP9!)Q3e`?2}4>MhovoX6-|vwft~uwbaxU(fr#m(zgps0`_L|hyaNf7eCLpT6< zBmwN7BSXmPtNsLhT~TXaIpuhwJVslQ~r>~f?P4V^ik(@w0b|cBd_HZ<8G|;d`anzgY^M| z&0tecjCWD1?r+O#s#cZx0?nW#~ zTV$gUk_ElOIFvwUi5BAFl3v*tk&56?P|ix$JTNK-2={vCxT{vKJ$0qREOy&%u)X`E zS>~=?`+`QUjlJ=zoq&uOpVf3!sQ1DT^LIQX5rDaQ)`Nh-TuiafTLtL{-lIL`oF4Gs z0il%Dgzb0ct8OgiXk299LR8j@MdJcy4}LLsXqxQa{lyp&x1U-s*=p58hrSmUbG)$EH?`gv95HrB5k z`R_>zw7Y-nngjh#Opd8uSCO{F%xEdCrDXm1(79G8tFxTq6$A@(^q1+IG$5wZY7wvd zkeS`IntLt#LbLj|a-3H1#N4YbKXX&}zC8IyF2l6gDF;OCNwd{&Wl%)qm*^AY>IulA zv#k3{q=rwbEvZ?5iALQkQGuBLu{Me0wU0 z2{_z|XeuLv^FtPP#wU5}DHrL`g2UX~3MJa;GW{0?*KX!H`oj&FA#vNp(suWxEhANt 
z-p+E~kNz5Q;NugoF$s;YUbLg^Q#-&2#Lx!EIDW+SM28D-?$-bD0<%0bxkA%njv36b zGJGouyDFjVp7sVTDc|M}9@_{+2HY)5xXh!AM@$$IpZS7j$qsxD%FigtWU#nbwrouf zqqfhHXU07ri=zFBxr*|fxmo8_#Bm2Ph@{ep4f^{m*x3-1wAB#cUu!YhC5dbzuJH!% zGu;qLyCt=@T&^?>Rh`o}?^a_(sp~X&pLL-|M~w=7pFhmF`P3}FQ{!7Ajbt>>v*MEu zY%^rpr`oqkD-phg?Pm}=x}sIE2#(l(srgHArBu=bC3s36F#79^?>v9U+gDJ|t7)B* z5E0Np%_UqXaaGs@HT>}A;6W)Cu*04cKN?F3u>V@~ntTJglb@f1+r`J4IZ)=(sBT}6 zzirC7JttB&XBQ7>jFAyeuEY^wzSp}sap?Fk`tEa0xMHzRk-M08&y@O!E7JwIvT0o( znd3Y8MPN6wcf9O!m8sKbzp>R&B>1Ine(ex94zj*P|O=>0Fo=dp=|qnIQKQK`1DxY?um70eZ;_0 zf8$LvdzWq;2uAl`p-EzdCD`S!e?GjTKa*JN9#C8y4^sWq0-)U8;-r~}Dtx>!`*PSk z_%T!NHdRTm!|m7Wi_PFQiNKpLJkVzPkvMm?ef#Mvl;h&t%=>e}DyoAGm16h}nOAzS zr!;U^f_J9%IQ@^NQKe5BsAOFIxezqU9yiTp>X^Rj`HSqE{Q5&!z^i^lT zEphzBtWx(r8L_W@r+MrXo~k`3fzQ}VrOZPB8wX}<^<$F2DMlS9)n&^*;xCjMVra82 z2(5*9fIK63+dVt`iUPWrd(2Dtnv-9!ey%mT60mRt%}wFSVNGOX>U$9+dLQi|i=Kvj z>m07;xZElN&fm*hU+&O%c|LU|kaQb_i211 z`hB&3@4I`P=cWNUe(Gg)*l9R27m`yY?%mU~gJRLIaefbDn`s>>^l@qg?A*+l(8&!Y zAx#E|=hxo7zfZ3AXX&*{*TYRs_*HU-sxjBPWguTBI&`Pjvg#R78De$6NWi~uqXq}F zwlok*)pO{wbjXb<^tx;9ja`)e9a8 zHRIRH$Gr|MSCzDoKV!M!;Z=?0-8M(XOF++A@_~g=JXQZUlsIlaHCBeapZBbod(k6M;KFJ*7nzcDN? zEA}qCKpL%i98ySan__L!u?68(@5Av4`^z0ASm-VlN>vtu^z*Lb{c>)_C~%k+{l4}= z!bOxK2D_W1&N?nau+vR=xbvvjX4S=%yoE|Ap`{P+(v^P3=0i4o zjiba5(c6!?B?}DVDn|=G9&+cXn2ruAlV*9 z@Cre8ML9BR8-B!Jkk2!xr8ooca=1G+^mAp#gYGtekIZ2^;E{3SAdZ zWEBOPF+}F=}~3Y^5P4FY(unpbW`$FlNVjCEUl}8kIC|AJ)%rii|_Y%txHn+ z6Sbhrf!tX}OiUK&#QfQk&B}$xl_)HyYT9!1t4_0k+@p-Gr7mq15=(NzU2kbMOHIt3 z=%3)MJDd7J?DMD($T-P#zTeu-_d3ROZcXoZ?Ct;P3?L+*uc3a>Q-_{<=@qp)<-0n1 zetx7_5E%w{xt#f*l8GasMdF9ifAz9$NqNdIXi=%riHt{O{s3Sh? 
z+nglKBaPOJczZHogYQAU!uk^uxXEe(&mI|_NZZ~b&|aO-HeX8v0vz3@fp8x?p;`&JfuB` zC*|h@UDsU|WKXv#DhRsjQs+14=&;V|t!e|$>N3|~Qk4sVAKB{j6)+n5&k-6uC(2DD zv-Ts1g6Cko%p}tx)>u2}K&4;L_%||zqYR^Ar?1&$d^0d)q;rV_D&6l>lGEa`i8Ewy zn6j^Mcf0P2M0Bjf`9srU>`!W95l>09zo?DQ7-gjr${uOFRTjAdvBUZw2B(HRo!{Wg zi659XxEK|`zR_}LFEQR`D`tE6q!G>l)gX*?hK~XsgVWodzDq0HZhuhf3i}=A?b~&a z^HHn5yp$Ew&p%;U2R*B=5lAFBJ6Y@-Icg4Sc3~jB81XJ5c|J3FB<%3IjN^{?yurjt z{5UE$)65aw&uBPDwu8VxD!V)>>~JHHTo3A`q@zI6gr4EoN8LX686pE=hTs9Pxrs0_ zK-g$l6p2wI%zs7^?MMJHk;RP|$aUt_ghgRx?21LiSb0!_K0PcL1k?>1jH|=IM3064 E2X8>^VE_OC literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/connect.truststore.jks b/docker/rbac-tls/certs/old/connect.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..14d59a99408da25b9f960526fb60e39f3584d7fb GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU|?E8_|Jj+ZEx00s{cUP=JC1*wkHEW^AhYNo^M$khr#iQY(}ZZlSzHf@31s zx^x~o-f{*m6Mpx1R7_evS!vc=wYaR3@Px+vOYfvk1_7M4%z8Q7xPl==GHb085RiHb zl@IgePw3zod-pgi;)!gxE?t3NhEEWc)lm{%&cU?uALQw_t9QJg!qZ`n4GScw{Q>kF zsdu&Ky3H;S%q%Z6CMZz-iV`tYB3ZQg!=-@BFK*kHN~*gtGSD1Y^hwa*qdCU;@D0kp zZYKQ*FKNL_Yr`m?dR!cA4n_fDS2~`_U&AumZl_x}-i)Xt103~d+VF0iP(Xr4@a5T8 ztzEiW?kn)<_b>0f9Ii$9WH}fv42s$&qVQ(eT$l3n&FXJPgSj&1Y=YzUfoLe-%S({i z_sjes96OiJUtk!V3EehC_BHUF6o=+a3kK*ey7t~BZ%rlH_Dk41(nc=Z1i~ljYTJn3 zKge>FAUboZwtEv1q$(qMAWqKv!DloBw8&M>D?;@Ga%(oz@zWtpci;p{lQm8)trfRe zXso5x#>q13uxGC78FGSS_rpkN*$G&)0nsL@wyM_@oOnwwph8Q&r(I$c+jpR>LPTV3J=4^?mhr-+Y*>!7i zxy{cSBZ3z(F02&)pzvFYFzI+ay7ph2e;~A`L)c+RYhdgwZDUe2#?`{!h3H@-2DCoA z6;l?Wi5JxNy=@sY$0A)OpyrXY8o2%4&bZ6&Eo;e&vXvMdct6{u+z<59PV%3Y7^$lW z=L#1dTb4)Mt*igzGOm(4kNOh#TKb{hg_a-EE1Dr!%!}QcrD()<%{NY-*$Xlhr5OM+ zz0UVf=qyzm7`{Z|ih}M8x}jh#+e5<W^_J2?b1Oq`}rC2qC<@Rxe`wfn-+Q=M@3s85#cBr&KBru_sL4&8!Y+_K)) z_vL>Y_NuGgtXb6EI)q+4_?vwU84?T0dGxKr32o{o*~?chZ|ps&X=4{oMf3Fi9=R>R z;-D5V5YGV0mER~OYV{pvVz~1rfjC$wC$4FOzB$?>+0}~j?Wl=vrXrW%aegDEZ&D6I z(Yc5|4g}mj%5f&8n1f^0OXFf!=zJ;UEMp%e37Ug5!He#2hy`)d?Bh+6my z7O^xd32ry%Wt`$e%&@X)pA!RUk0~9tT#WwzZSF{5ZWVHb%o7KgwAX1l_>2@q)Ir7E zk&cqJ)UReoQ)3|%P#Mw%cbgoKXt-jN~*2!txqdrJ@`^xh#T9g(6GDI(G$9fZ)O zO0Nn(s&wJ=ZtlLjZ+3R}&3n6V_OFM)(wh=ZR2m%M5Y$aWwM(vH`)S!mhH9{h>TjrdSISbo}AF~&^p#CZI-xk!xH~R*&ShT2vR7c#;+31nh+>ua%Ud`W-gBzKSQqc_UCP>`!l+S?=?li-)VJJ+2 zxX@_63l;SJPfgmpYaO&qYTH!kY!96 z?X<^qQzY8e2c9~xxv97ut05wuj`4~|HPClz0XY_*KT66bM3-c)sj<*KJnBF07fm^6 z%xVyo*rd~&<6m=-n-qg?Of>F|HeT|6T+H1#NoQ*7AQy-6qSjH3ze3>VHrk)Qw0}Mr zHobpPszJ8f?&$VX>9;k(G=u84uCvpi`_AqHfzSr=dRYZf`?zH3*5cDwQ&eB_-Ib&h$m_p~iH5dF z_dM$J{C;IeE 
za~P?fdP*T{9==kd2g|8_8fW!J zKc?s2LfB+vkjGh-c~h^MFwdp_w|+pN8}U2E%Et$y!lf?eoG6;h0B5j;q2B8)$s7hb)7umpPxpIosW&+>xrdwX$YW~m=l$#xb&u1K z=UJFXC14V^Seng&zllk?h!ZZPYQ$*n;b!f}U+QN$vk4%9ry>DoWqSfc_sb$2M%mx* z(cpjPL#oBtHtD;FV7iFRjSJ8XyR{^BW!N0ta&XJ|9{BOS4`YN-=48DSfd`~}jwtM` zFeGsm-y((1)vm82ajaXHuF@-P<`2@;_+a&d^tk!dvadd#)0)@L;7%8Eb3j1O3yT3;Pm42h37HlP|LmF5&nxvQNYIr#u9f*6Z zFO+>u-=!u{_;f1g{dlHcn5so|4Mt{M zHfM`7%C|A-x`sw%kxO*JdktPIG2zq2Zj7;XXmGfnMAC`qc|@cYGIDv-hW>4!4K1%$T3T!J8ChiQH$A z`Q-WFSH74r?}4jI0;||G0IZHCQ6a-CC{gLoC{#rUI+c4sc7+3b^BHbf1i<+vBITP; zEw8|h4k^~N<{^r6jaOP%A16lf_q;>7q#j7kT<%1N~D3|vIO zn;!})o-|v?g;QJ8hv-NCczKkd2Q!|h7T{w$@+c~#*-j@*nIm@PcGp?h1yxS|u~%qH z&_6HfYDJlC`bWLzrg9i#!sc4sl63;EbxBYMSMG+U*j4-SagOE-mGMRLE=1HcFQ5DE zDN=c;QcV8B7@kP!sy_^+EC+!dp-;)gqP&3dZMlU9W}<)JiK0gs#7%g939R_#5^z{%nbSW(zDe(|3?Eatixr zE8bxpW0(9W=ym>-Eg5laj>D43fbBmOS@F!D`Da};3EP?GwI0lxM-VzsHV+5_K9m|a zB{-NVX=MBG-rEXcY0VM2Gyk%0?pbvF5i-bnm-Pr5`5X?l&tdSMx9p8m-!Plqc7g)( zfu5>)3MV02zKmt*Z%*)YP5I82p3rwgKrXUL@^(yPbGYJqI<(KTNLu8DXJgjn z?yk6OHDhVS)V2e?BKePrc+9(Yp__YsXDbA3#+GlSEWbSNU2#fDbh$xWS))%>`DZuO z@p92F+`YR7+A(P8Is7Fxc91rQ{Um)o=HL~%jC@phGP;sZ^on=QK9Ju3(>Q)j10>>| zl)5ViuX>{Dn^mJ5W3W|U9mdr`Ze2^l0R9uKG538aG9PHsGPKJ46WOW~JE7f5S&^~) zODll6Kl{Ert@<%Pn_E2d6BPzqzm5=D{t~~{Ob;049a5Qq?qCCCQOHr+>P^Xg9>`~3 za|}D&UV?pzi4OJ;!%leJ42i+O?kBILl9L-&WXf-=(WdY|&;35)P6vQoAG}?#Ffh&7 z69QtTL9s_h2?PLc#D1JsS}FhHEHrz6a|rezpNyPCi1bG0u}{1hx;rh;B#|_P)Q{%F zIz%=fh%?c?{^p8kqlVS%8}7OwYCg76FYlxUK9c<2+1Q_kiyC>_n{K`YsEDl&4DhLW z(DWTj1DNs?ZPzR2f(wS|)UUnT@PmG(`uyD(i5(4nL=(Yz5!dLE8L_`5^Xv(I)y*i| zTUj2MEh6vY3AR`l{D$h%%-KVpg9vY5C~#al@Fc6f?^|95jxP4%idM* z_hqC`6Eyp8ry<43#^-=Fr}tSYY?*P9EHpDebr(WpaoavYg>M|z7%luc%oW;O2(yxT zD)-;L@T$*KT8D({Y)>9b5PI9lmCvP2c%JL}<8Zlk!k9=a=z)~~rd_$p^WwXM{12B>g;lq(S z4#5IC+}rb}R>}u>TTl>+*8bUEN13aMV^&5jvD*?HtjqO>Owxf4>FBf-tK1mQ`XPdD zMefJ3+3U?0AM*_{MItHc)(Eman;Z?qn1KJ}2aQzPK%vnGTX z=Hr{y?yl2@Y=2hQntf$S35VA6cdG>$RO$zV4K!{37qu~LJgSc?;UwUo>GqFl(-S=# zrWvF9X;UEdLH)<(#n#t5O^t_~Bz2Nn11aqAp@OeNFGfT?YL44f!1&X=9a}vK^@Qg@hKQf)me 
zW3c2i-M`zf=ue<5iT0vM9kAJC9{>CMuU}Nuc7il>X%t2`x@+EDDP7du7kcMu^v%$Q>O_8RhKxF1#9_ea%9_RK7}tC%b9FT=&~GFpciAJ$$54JT>E9j3$0x%(Q z%cm>5(#0M5BDXlF z+r&-0OY`iW5mXjGMPC1zLAcBnNly7pz-JuGy?LQb4ge_MZrinHbqaD0wH`RAl;xIhAA<=2YHKMz*T9t=rr--$J2T`5us zf6`JDpaP0DDDD$9S840YoLi9>9O0E^^~sYOn6CX4RGT|03POv#U$-_5YCJ9AUvZ+L z8A1>7rzZYlqAoHg%VE6jh*#^Wk{0z4TQ%}GXc3{{G7W$coSfrhU&1sO#Ex1xU-Hpw zlM=dJPMLjl)IS};NCNs1{yGc-K#AV{?$@HeR-4sPz6*?uP2KRm4@PcO89z~aAIO@> z!vAbluUb@!drg5g)&5AkZ%*qi#$+6F8Lt_7nX@`W9f#zUP@2SGyrjJM zDtBXp$(UiK_Nk#sWo#C>EGlqVNc1h7D&lq)uU8BQGMcGs*jSNSf4{WmmVd{F-}uMu z5TvfzmmSaW6aVsgax-Rt+)3)eh2dU?^@lH6Gke1;u|!QGg~t;l?k&hADS$wLb=yE#1zf zdMWIv(Yj-tL+ROv;{0T#_x%v5mJ-gMOvK-=#N%KW0kU!3UM%BypNo?4HF?uGpH>(B z(v!HIaRWVgG&?NY%T8lgMO&fi=oUGZS=F7{k#YpjF>*@W3D-7|&UmM~J)k)#XNsc+ zb3w|YCCvT8MF)CNU#;gCVoOhS?j|BVe;>OS8m$qrBx7`?C2G^N<+wy<3gxAT5BfBR zO`{1USM#-;A)PNcb?lO0H4n2Phtn)!^~VCL$9Kib1dH7zq;hLoI+=M{HgyzmoJ#^P z4;>2LE!iT}v)xh`@0ym`<_lF_0@a-2Ly=5rMN81k{x~ye zA(Cb9yu&3fb6_d8F1HW5(K%RVP;&9IMZUp0u#v_~cA%m_8(FNlf)cl=^3*F(zc=-Utl9%%Xh!JyzyxLEO_Vttkve zfBT)RH&hGBK_!rsI@@GFYNhuc+Kw`K3lNwFV7MTnHZDQ0ZbfsD?z{k@_M=;uFmhYckYucTC#Oj(@W6g)0b$Rd=&8 z@gKZ6-ibN2I2ZejML9EdnPJpy-rh$^pPphe+!KFn^zKk`{M4@-BgE_I@loDN6ISn- zF>;wQI@INkD?x|y9?ajr%G7P-{na)kuCZk2Ll8*KEm%1Q4^!aV;6ob5cfTvv$TKu? 
z)G~(4KgaUjo@9J@Nic2@zwf3t;urq_>^1Z1q3-wJ6};nH(HV}86woJU8^R0OYRXpu z76@4c2ZDkW1f?b+W&sfa?>uyB%w(TfTyxh*P=H*VIjJI1m%uwm69;!wNTXPD4@*jW Rt-J+<x<2`Yw2hW8Bt2LUiC1_~;MNQU;hb89p_6am`o(n@3H{R`*S|bug@vV<*_z8eH;+ zBWw$=z|u}1AYl69-Oefs2QEZKuV~_ZgHwN#G~#m~m`37Ag|VKLgDW?V8ZmGTB8$u8 zawt~s)7-gSNWOXj=O+gII*i09{D5t9MHXWK+!PKeG>bmj^5w^<#63jAu}gCEUb=() z)E>h+M~VPb&XCDaEplCCBX#|R(M!=h+XII82uY()*y>P>o zd2O3Q0&sv)8kYSW3e|cx^+ve0;ol-!od$Gvey3x|{5#zEYwwUq(!SUi7h1-Zsr0*m?9E zrHIYxWKiC>BcADyjo?$(YNiOc1hiEHEd8uTluWhnvI&Hkj@W!iOk}><8Y(~c3k)wa zU1etxJ&V5dgm+kl0yh5^)<2Zs30q0Ba6-uD;&ttp@!UMRKsd!g7BolwyzDM*&SvOO zZTDDZlO}$w2eX9fF^ew@8$9WF>QzYerxh@CBQKcoptn-(YZCe{o=F*($o3Z#sUBoq zcqS>l^p=x*0r{o&KU(rtbV|!$6Qx{k6%V2u$Dq ziZC585SX@qZOgx7iiQ7wR|I%KP!R&-7K*^Qgg(W>`?vk~IUNQh@TAFHS{#yU;H0Il zQ7&sh9}|TQ0t0$*DBN znPTwL&Uv0cHWw9Izo?O1Qd3{lSo1mgZLY>d{rCA8O4q?-n&4O#SGjb%;ix)T4PUav za%k|>$2XuiS6x0y{z9)MnA@r3J0*k^Zvv-;`vVmBnQ!?&s%*7I{7f4sU7J!}R0g`h zsw{hT`4LFj0moqL{1TTF;&kc5oHl5dyWk8gLiS0-{II4&=RdhPDn zJ=-{BY3E`gktoFBEp-l>7j;y8G!=>cduRctKW9-DTvu)9#x&SQ;;{G;aN{~)pZ}y} zO&r8JAt|ktV@lk%RVIUgR|aY97<}^(WS!oyY;9J*%oZcki8?A~!-y%5s&k1F^RwFc zG)Xu!L)7i7HP{>+i*%7DfPmhWC)ndS?l$fr4lxohizaHNWz^PBqqFag!Y~~pEcFO2 zs9V)*jqSa>U+KZ6x!lQh1`Cmf!!oN1{mryPQ)n zFLG|NF>LvzG*;6U2G~NPdXSMA|@7h+;F?Qu_ zFLq6kvfW(6>_*iqy;{@c!kz5ru3@5DikBQmqp#!I1zxTdqd~wtldABoLt1OwMjsJ4p&Dkc^0{AKKJY2>Yp|xd{p^Pq z!F!_@Y5(Y8QW&&Jt#@Q?XteB$LgNJ}DGjYqRFoEbl3NO7jlWWp2qZ>F-Y;ykZocqY zCpnL=T&<9YTdPE@o6{L&iDMCwwT3bWzUyVfr!zK)N;4(ra9%@F%lX#ALH*aQQ>#RZVD~Yat0Y#W9!xy;F7ZXp>%I z>pzsLFKS%RBFS1+pTCQf`=itohYpo)B8~ri**&!Mo_l%3l@@T$u;Uv{Z72@L$!^Xc z+#Y=xdcDM25e6NI*I3E;X5)GZ4uY{#Xzpb4{(=sw~JuzYv}x8s5OE;@a@J$Yw+dn2W8iy{YK?hMJ5mRa%l&UauduwT!HM ztD?PLeTg`6lv*f<>-p)*6!JcpgY05O7#&6%KMunV@d7@*cdqqA@xUJCj%6wmnHc9P z=tj3#Qow|S^{TAs{ZFqaq`)ua#Lr9!Xzim}awaC{-v_67*t=%T|c&&`=s^-z?X3NBD?^f#vymP`7(`McClE;7M|Dyhf1#fqbfVX;% zr8)bSF0&Bwl;~JPTAEqycJo)duQ^up`q7iZE&Qb8-B?O5WT?;$ijU!8fSMDg^%s2q zrYJ51M$bqKumQLO+yLGH_+NGTyV?C~vjf1PEdQxez#tf8FCAU&m|-GNAt3=lQ6WLW 
z=TInuApQSK*jPmfg2=yC7zhaXD*^vWfd9o?tpDXLS+6JNHFdJCbm_vw910nv2A(ed z7jHum1Trj|qLAtZ9rvi`CwOL;8rP4m_>1K=8zyH-tpjyDLslHw!dIT6v1j`(Pks-U~RF zQp{1bvQr6<6_caK*0|QyPvFC?hepIdS;+=3=153ssXJ8u6zp>6i#*`)MB}JvYh&S@ z<}Tvl9fAyWlTI4q-^Ek93svI>VJDIgWJmN1E~QiBbCRpDD1^{w&s)@>6<^|__GfK{ zieB#a8}IX~sg08p#bSMSp}dG0qgbLk9E>U8F#CK#ltU#esVmGm*c0vg<4VYZc1X+e z{UtCV61kWvid~KLVJ>;1YM8LlraTpDerzvELi*s*HOK^8_sJB*2|u@HFnZ8m+jMY= z4Au}F>rfG4nI~HWWlefRX1D-B=%UL5$SSiiioRKP`EqBf24#lo zWBO=US+@4N#;gz(|nwmTajLOFWvtuAuJ_N!l-iRlH` zOMA;tERuiDj-o!+m_7I;SM~z+*O&p!D2-+8h`y zLGfZtjxnxE;tj=P;nmw^8nE&iwQ&lW50__mP)vL-R~ zuaC~L^oh&(FI)+6`4w!Z)rLvkLg&vk_j;;#pSFn9oveWp?8WIp`d$SZOyERrpE{#u zcG;%sJ1h9_E}U(as8E^N%R6$4$QubR-u1{ajLL+C&nXnoNBbT1w_IQJjGBgm=Jv7K z`w?H~LSnMTzgZ3*Jvp~FlJQn9_^8N+>Ba+~dl}A+dh}IFr*`IiV)tZRPmf5Vz^|^9 z_#ah&zC7)9v)@Dwd8Z3|=6zz;d@UBY(ims9`tG*JUBjy_$~9Na1w@G{^v#vlho9Mk zap>(Nb$S$d15HhI2Qn6^fYiP(2Tyb^EvLVWx2T}x1f_$mbW}r}0tZjxIqGjyWAKx-bmkv(9O8N`dYPCwfafjS8bzt4Kh@RRoX$h+gtEjn*nuNtM=jCCp8O;Ad5~=r-*O^PAp8`IsU&-nX9%g}FDQH>M0&o104v z2T_U=q2qi3j^(@@_TMW5O)E%DOOWr>$|_bB*p=H|1KDsYYJRy6-66pzBWVtn4_ zH0D9YulvPHicoO++PW>cUo+=dAT-Mg9h@PjQpxi%e7~;KV%dtv07=x9-R|Kh4FW0w zqxio01e{!yeCJXL*ug>@;W01|jDO+87JFY5xtGjEU=bi3z&bCx7v>*yos@WaAcLpRXh>L}8N6(4m z;}k1!M)I(UWORbDJ#}PCIYjVfMJ=Ff8%p=2+>cDJy(HWeoz6NsWzw$F5|xov#nH2P zyOl?ck)GeCqZf5DYqot*jrYl_dG(v`=!nBwTcFaO7Zaj{K>QpW82C;q@>sHNs%BjH zbpLS7Kg5Y}aPwf!6TX@_PZJ(ZJhS^Uf?T=SsH3hpRS$QFyHhIsFhAcV1;`b$qQx{k zRpq1+Vs}EEs6KDC2n+I zi!&$j2eQLeQAxD~_12TKX_v`N>Fo2uQBcRTca?EBVGk(f=%LRN8&sp+tKX`bH(s6- zYO^>gKj@2yT3*Jns$kP~)mxE`ZH62{Y`6KJHd8;W##b#_pAsTHHquffQfowHGU*)y zTH1Mu&z<}01K@?6K3}g-Qi(dr`56ARl&*&~^mm4PWjBM4J+uskx2}inY@Q1{4%zs3 zsx%+rr)zuy`0nIqg>q}l3DHi<#)RW9RUwUWQ#4W3VootvU*$*}NiqC&J<}t`ZsGYS zf`S9f{Ca%&eA;HT#IJkDWg42;2G5HhkW9oA%}V<1Bw6J`t+1xPXuFTE8r``tlFfKQ zbDu1z`UmAW?`N0|NuX%sT*_*a!yjE=IaQ?wJ^<=|HrBMWR9rd8U6ol({Hiu%Y+PrUzSS#UpWkxM=LZP5oAUwWQ7+WDv$#` z2g`^(V~EN6ro6VN{Q_0oDe`kE?2K@GFS_R|%No)51MYoxS|N90=Hu}Q(?1XFxvqWh 
zii9^Vn>s)fJ|7-KoX+S+;n6bUP$?)26c-DVhX@R!#ROnLlzvDSC#-JlB&+WkN*BMA jF6?66$AFx5lzHqmCR2i(fUCiXZ?dNC@LCWU7*+H?0u|jW literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/certs/old/controlcenter.truststore.jks b/docker/rbac-tls/certs/old/controlcenter.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..93e7b743414669f719f845ee3de422a6038dd0bd GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQUOyy{ALtPV)jV>|;Iv{J% zQ=VA9Di9RPTdhoFrPJ9m-=PD4G%ICV!QXz5EBY`vI8|WQB9NE(2^In{*y~J(y){UW+1+1 z<^>GaNTWZP6V+FYFt%DlN)`$-)16^-zbdQlwC|SG)@{)5+jkpo1w2{5jByG2qUw(< z&0E1FBOofR>PSV?LxwAezD-I0<$GI<&VUTt&E(dnAkBY+di>Xmr{MS zEoABM?FSrnFnTuY@!pR6@DIQ8wt+Ps(zddi;%NwpN8?qe)_^-2yREO%T*PAhfbJH# zcf5>giV6P#pD$tnRo_hqKd%&ej?vCKNUg6*z}*~|V|)-EizD7eTp@=XV|-So``kmk zTvvBC5uWOCXTMlX1sUm1d!v*WjHj5e6`DAcw(3J4hQao-I`o+VDE2;|QQcs&%X4hO z`4N1LAJqK~9nGWz_eDW?8j z0nN)uBiZ#eUqLt42(Kcr2K@7vX(m{d2o_+*U);I_4@=xXt+#Q`$J8483RyTqAWEas|TdLIR*ktIS#%*d}I{&qZRgc--bJ=^oNfILtx(`b~zG1&Y@3+qy-bO~&r zcCU&iczLhQDZF*BtR-Vd9hx>=K*v((;_x$c^6>cPHzS(YCY=kccRSfpSUzxZ zeaFE@z2qq_?}}0I64eS5ZD((JXFmh$JKQPPXE;K)dg}YUXCFYJJm^Fn5zFYY#p0Y( zM2G--^VP2%{O?XU_9TO%-JCHB+$1x_SC5I#LBBbt*m~uMD`6+U1~CA^+;A=IV%tW5 zDy{D}XgEjFX*DmZxQ4cBPVDu&0NmH9D(f)oP*|t}c$5DSH}hS4Q$VRopH3u2UuRuN9=J z;0a3XI#&d?9AYI8cwd|&p;ttsL)J0m7%*q6_+dZ~i^)Vvr89BnL*{|?#WhK#^fYcMbl@`dnSyj!l{2{RZ|k0s{etplNa+O#lD@ literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/certs/old/credentials.txt b/docker/rbac-tls/certs/old/credentials.txt new file mode 100644 index 000000000..232122736 --- /dev/null +++ b/docker/rbac-tls/certs/old/credentials.txt @@ -0,0 +1 @@ +confluent 
diff --git a/docker/rbac-tls/certs/old/kafka.keystore.jks b/docker/rbac-tls/certs/old/kafka.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..1ffe44454f2c06028f9a22aa52e4af63fe688ec9 GIT binary patch literal 4677 zcmY+FWmFW5wuXse=W0Y;jUZjkN{>265}ha6&*mZ3pXN?N)*q(Qn%RQeORp1bZn zXPqBA*7NSYf4&<8C6PlzMF&BNAAs0AF{&}Q_^6nu1yJHs0F?OfFWv<~F`WKO!Y~0q zF%14NLR?KazjEZ#d z=0(bN9ETw5>l(+}PK3VD;TjS-q4dFu3_fc^`SR_%I43500+>sYnZ1w56Ej@WCri5_PXwFjQy#M^+aH&n9Cf0s&0!nlnex;#<4 zJ2ibwC1VgdLAS>fX7#E%*6U?VZqA-$%-)kcCNecy{a04)OgGB{`o6 z+c$lu_Ox}vS=EU#qsOYkNx~(`2xDB~#go8DdX~WTGsDzS?j)_2WS4K(er)41^PVgu zEAx@2I~TzYU%wOc{S$+6|D&q_CO9r>Au%lEmaNUH-F7#-N9>}`>u#p4a`cjGP?#9n znjdJq-DvVLXFNITm&gYNyb7H8z|e;7=lYQ9h`moJw~yJ_HNUxfQFOeK5s;wx!E%l; zMSMSsw(hrc=5t?p)iZrS44DtszI96QO)I6@BXZGf*9A z?>+DFOKQrkGIa56hD8C<7GtQQQQz8n&Ze>tMz^Ab8Kg|tAw(rn^*_ za{mA%+LxkEIUU3gFbk7(!Njib=u*Ym_T+e%XC`c7uWG|_&NWd9l2Pc4>|?FuXhpBrSp za-X7OjN%8T4{EUfTy468zDjvqzDF0OoIxGNrMf=-9RVn`0LZ=b_@&G>o=I{9m!f30 zf1!z`Ib^_L%>!0ldQ~85Vv<#!3$b8R_Hng8_yCa?^FMeA6m=oyb z8$O~$6vFIH6J39#z@!Zspm8Zk{toet-nJDAM58N9bNK=v3%h*s%R^aXEZCJrprABy zQ77-EvV+4U^`@n(YBeY0tu>xZ>%z+}XYV@>9i$@qhl+oDe@%C`!pmg>dzVH9iAg_I zAY8jyOOqMvy=F0sUy;pjX8ct)?to@b$pmrB}nu1nPti&ld*pPNv-+I?5_6r9r+=L$3V5hD1 zdAZ6!Wk+TwZ^4zTY0m@PmNQ=ZI9wouVR8s=NQ~8jS1l4N@WtpSBoeZ{bxt@u0*lgG zS+e&(TvA0%e9&94t(3T$JWGclU8cS_^TMc$dTEcQ1F5}pJ!sp|N3hb6pyKTk+OK^yAYOQ)K*Li zt{oLoRU_}8t%d--$(v5SB2uQ&TZra}orXPdpu-en_}T%<%>Q_oDIz^qC-y@} zabZdKhV#@!tAdxoF&GHkZ4KMQ=GI_o9n=fTKs z{?zV`L^BK2w7(>b^Zzf&!$hIOLWhiDBK zvzkw<;1ZmTmZmf5-*loYau2p?B2|^c)<5MqRIYOmFnz53LL(i0H_@R@x72~}9b3Dr z$U{sgnQ^CV--Hh1K7xhc%#x%{kcG!mYb+E!b*u46l|IWmfx|kf%-y|1G4aL(R`FF* zi>osob7lPtZExpM439F!efdy22MFJ2kO$W9oN`OhMwQI(Yrl2K8hvH{(tZKfg=?E> z?i$S$OY_{F*}f)dKJn4CZ1H_2UjX@`g;o*D*ZpR@P$jwi16+y=!Oc&PeHT`2R+R^> z?Hv~TO%R~}9`Z&PBaWE-wG3Hv`I%aO=s{d4TGEP?o>l6-!@2-a_oisN=3uC4T`P!p zkC~gaEmLEC`Fc@YKf{nyooc=??6ckeH?`l*g3zFZtzj!iQQjqDjeBjLdh;-q4Cn`7 z%o(PI=Br+7ukU_m_V0N($G;y{Hb-8p7a|*OtV0Hy$T=(0K~n_Z0QVW;JAVW+W5lFe 
zE=qKQ=+$CJ^e!b|m7p)TFG%1+w`J&x<}3k}tn+;ks-b2kr*(awWZ@4@CN@5D`up%t zSE4D3M>-$W7~{zErN^Y4JpR1@2pFRY4^SL2=5yni_@funr4U9wIWuQ30ep)1&|I>% zygQRz7C_X|-}e+axmv&%C0m;W1Z8O=Tr&K_d6DRLT2uI`UzC=YaeGqgwnXS$f|%qK z(wKd%|3nDVK!p3IuGvo_ZZ|2SjR^uq7XIJ}QGDY^*6X@SV_n#e)!rl{0z!cu=`~t2 z5Rmw^u6xR+VKZ#mJ=%vg1d%1e<$GE-!Ejt#r z6bwXTEXWZNdKH8rU%whMCweRaK;`>3RxT|PZ;T5sDa(mZE~W|gV|y4-ZjW>KW%YCV ze7^)9D-0hXDyCulF) zshs0BU7Zl(Rrvu317~e|6>BPu8g@xn&RIWtjGF-p@A$DR&QMP0w6u4RMi7ESzn-1oUh^F~*Uc)OkTqI7J|}p@&l`%*0$f!S zwRLXY6#XOj?~BKxA38(OQY?OLikp8;f90B6_2PjdxPDWCi+RDRph$kJ``nK7J6a4O zrCxofv(exnVs}A|@I5dA%khVnaOZJ!Pv>#U-OigOmSl@R+TLZz$zyW%1%Cp*4Dc{G zV@t2oD^#mhuHRL%E~fl#0&4p7@7^VOG1^!#idXh@tmkYetkxsfkc_q&vYxJl%zjLnGaUI~*r+Qd zs4b@4p?PR)@@Ykv(cZKwug5$%h*ua$SCW%pQVXC?OJFOC-Mfk5tP#O&lSC_jY{?1SA+;@KQc`ipg^W22+>I8!I(!6c8SAlOi)z1lS5%sA>)C`ZFNRUSGJ@~R4(r~66S649}A?*>duKX zlS>Mg-npfUYfYML0n`=MccjH-@p!m;Hl{!@Oq^43G2H6507)$E%V%K#3y*&LwmD+i zBc~5nV0@(5`8-Mlvc{~Yhd=Uimn8IS25C~$e2%`T<}<(e~B|#3b>(<{-`KWbp9zc zct&iGe%&J>JQq?5m{zvdXp}+=jaTK#1<*DAtaNYMh**_n!95JJNTDBRK4y3~^(3$9 zUb=UMwi1?uC-qzRqgi4(bDxB`EXtwyo9|*`O2l zFo25nxMN%GEdmk*#|G@#)!0QoQDV6ICK8Y@OzS#5;RV^ucV*`d8Z+ri4stP)sh)7B zI@sEhaxAtb3H;-3babSny<{?!~9zIQ7@KYIdG0!C*AqbRDjvAjKS&JTrRcvBDiUOZElTC`wG>&DP zVDVx$5uMk*?fvvh5dGu9C5D0V7(AHM2EEs(DwoSnT^0+O&P5I$T9rHX_a<-#RpD`W z^<%!dN5PGu9yb5?T&p6S6~ct>OqaZS=VGocd@IN&OM-$k4))!T$%VFsX51Cc*nK`cg*Wfegi=0hd zrc!;~2@*AK&wjFSG(>%!X>Y+PmYB`!WGno=+DhWZII}Xg-o3`FNUPYw**P5P0T-8f zPt<0Zpl6j2Z$-J@{aUpfhfE8V9OINr)t@TO6 z*(gVdMvk2yI4d8_GPulT^dMYru$MaH-$4 z=0mPawWcVatK0CoiI^ik+;nmf<{$_g#;>or!Q*aaHb>+~mZ3=PMpM8#@TV2b4S#;Q zE@2(3&7+RKuYHr!cSw8J*~CeJus4q~J=xu5+pwa?9<&g+X)u4IfJ?~Jz`hAocoRR? z;4z*?(uj4Vq~}|V9FvP#PheP}dJ=Z#7cQ0%ka=NUH$uw+&lwJR z*+PKeA7X)P@LE_E@E;UEpcGg)l($ZYwQDDQJa@RU{($;R)JBLqdI~v$D$#1JAKc=O zUBniwu!FPlj;ocJqAkVcu%(i0lmY|+F@vyy7`z1NXfzlo0J8ZI-8PfEm6zVWL@*4z lfIi5Uln{U{B&s9O11?X=SwWV)yr03n(uc%CLr0A%_#ZU8zTf}= literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/kafka.truststore.jks b/docker/rbac-tls/certs/old/kafka.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..c515c79a1f109bc4ca355e102a5eaa228031e521 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU zg|Tln826>%8Bw1*RlJzf0s{cUP=JC1*kHfn>-QMsGxnm7#p+UK=Hv8aBSO7wr31}7 zT@PNlP;+!bl6>Yuw^LDB5RvZ}O|i3e7vK?MgnZSC#2fj)wLU&Z$sBA86}c>Ain^5U zt;kYBNsEC4yK}a&acR-XMr>}pyb2cx6-P4GpOYF0jqiPfF|4>@56gL7&Fyd2bmPu+ zeUGI3YU0>Zw*jlF>LTk*NVOqR)9D`~IC$p5Vy+Rl;~^r(ALqF+YP|{`-fOp7V$2q| z0Mz-(F3bJxuzzA$L-9MxD)H{5L5H`LhudCtMzC` zrNHp7CV8TO1VQs%h&zNlTQ!N-?#h#n-zABSiabfGmSf0iP>96HZ|?23+WZ?f%x9hO zUB$Lp@8J|stBj;xHoCAA_w~ye7BNCZuam%>Tdt>L#!k9OZ80l5f}A z^CIK#wb@uxRC!{O$h)%)c}xLn#LLpYa7Jd;S~0Q|zX?P#uOsKp(Q+b}*bAutIB1uG5%0vZJX1QbZgp6=Wq$qz$}(Mcls kfdB3w^w|Uy)TSW$hMpAQgBE{=hY2?Ud!0`PcaHDYgx&~eauF@!#k4SQO_tj1D0|LNlIi=%`fB ziS!U}=MfA{w0;9DFxD_4gE{9bV= z=iV^}p@-IQ{3QH?q6;Rz%pA=Pad2?JOwYBNk%fi@w4RZ!#ycdIJ#c+ST9N2AY5DL` ztBv#o5}ssE^|Spu7-pqxpxDo)%vEAR8X~uF49lw5W;atHN{n&5CiO|Ja?^CL-svKqt(I_@}bNQ()jqqx<} zqAhC*9=v1a6Bj&t-PR+W*iHBvfp1w~ZxFXb^+u1}xa@Q7xRob;7iMuzmLW`?dTUH& zKyDK@Jj=5|X#FZE4A)oTQ_>BwWO1s!{bQh#)u&NChO;;$g=iDf81v_)y7LCEi64tc z$jPD}EDDH@daV5G*V>ccZ`c;)|7>R-z0qTXy0#qbsnq@yT}_$|uUAo97eHTJATMA- z>5>`WGZ>lH>OC(+fOy1L#NykAm3*?LJj{>BP3j> z+7>a?LD()dUnXW$R@47-pKTiq{rVh9;nGTDO2X1Tg$wF`H8N_Xf#IlEpx-;qG#b|}y_3vCtIAFr_P zt{P3-(Jrk{FpNyAnU+w!3wSv8)xPuHyE5sw=*w(|Yq5g8Mcl=sCT5*2pSAeNG)pGA z^izD(4>m>ZPy$~YU*%-+1> zWGwB~CPS-vtozOO%-miJ2O_x6%Lg`J%Dh1YrB9>;;g z+(NpoA{UFnIC`zKuJE-2I>=yNia0l2VV(|K+gmzE9U5qsJ-SkbYD1PWQYUq5xU|jx zez)al9I>4HgXJbR>a>vftHuj}h!kGFViEOlR>O^RDqAz1`4-WJrPf9Qb6W2ovbW)v z)W1&!m&Eq+@>8b|@^|}awOA&jyME|e00&3A2GdAy{LS`2yln@Lni+SAQjr@Zk{4gA z8J#aWI3=NGPkFXJ!(Nb3YGxuf4V0raLw8u{FA-ZHjXSPU9q948uKLTCunds$->Sr; z5XNN!pn0M>p!oq=|AQ%oDX_?mTs<9Gge8DtVj`lFVxq!Q;y^H=$G=NBfFdxVXQ1NRw({FJmnjOj~=WfE_+WG|9?sJc1YroOSaes}Iux 
z&Ynct^7T-O2GQYFYYcUa=hUu3M#^gsW2%B{&rY6%Y!}~wGng}%hJ`x( zgqKQ1D%hQKjWlS88LoF7^|E{()y;rO0HT)!prS?3hJOF1(g#>{oMN+WoYvQ?$S zOrUAh^{Mgr@mtkGo$B9D2q?&0C=2V1i1lDmg75@ez=j!`SauMDobCa|MfAr7Y6zf_ zJDS9VPB{DE-^RShS$pmCN+WEIeA|SM#URapL~1bp+N_;7vvc7VtXPbbq@$v*m&o)+ z6(^~%?TqhEd!{j7guO)e2aUj^ySxvFp|o8`?1eyQRETk>zloNFdK57d?m*?wl2{|* zt68+>An_+|$f_}9#!z=9VDjVDt~c1KYx4K9M3#Pj`0xxr5N^Xxi|}R4Xz?d^*EGQX zrWO$!ppzMA-)pi)qDXGh|J6W}>8rw$mVBnH1B_n3T%Oc?x4{A;80rtZQ(YLa)}Zg2 zMj+%`7k+qRsFGHE)9}D&gam)VShs|Y;>zLd#1j(PJ(vF0eK;zk|K>GI2vSgi;BlP^ z$XohQfX_QvS`WA2fDALI3?)FTC0iehX`7rri;N|J=sGIR1>f7`t)wz%sGm24s#9~k zo`1PeZ)ewP^o9}SVwFoJ7MQwY9j^T=C^%|r4e0lFTg7|NO?Ik>Wm84&3Q0- z7GEK`*i`xDm&xk4QDB+XQ8y}?FSLa`QUTA;NP*?OLucT(x1Q`1ak{=9PdJ$9OU6U2 zcs8{D%+%YKq9bWGSaCSGH~rA@Fg!H zrQuc_*t4D@L&s17xTITj1nXl8w9n`!iUL&i9^%^1_TMBMrCM5}JWK zkN^zxYVZBl(D#X72hViK*;ekN)XSylF)B}B{Z8dLoe3&hbq5~Tbc^@{Aga#X#o+sY zK6A7*IhiFUA#!<2W>H>BrG(uf0j4AsmZ^Sm!J}nAZm;}&jJO}#1G?JR6z~$Z;Gn7s-YcxhIK(h;ZgiL$*|UgsIbyn>v3I_XVn86P);C z`1op$LM!iRb+XU4mfC9rE=xdEcb4qZ7cjtchqqVw-3u$Zdl=eMvM5q5`b7w38p6rB zrTJ=pzZx}vj`oJj$FgZ7U_ro`sVdJLlPyVUREGck$jEAKgVy_jeP+$k+ee(o;3FQ^ zU;)rgD3{7PmY#3brom5S|vBTacriAp}nm z-?oyO&U;7ZIp^<%v((BzF{LBF>lm25dQej2-ynhw=Z2!-(9X^#w;U@O69duxiUUphPJa@g1V-< zf=C<*>FqGy`!_8E@1lCN$?>I0-v%Me&;VAZFb7u6*E^F%3(|86d?~*MmURgc4VlAk zBNk0*-`o`NdNRiB5tz*qr&qrMypzOa&sIK^$SSUD*{~fL7M36bkaHZKVu6uOZawrT z2f;d3${c|p*!??K<`UmVmUh-Kg6YrW)S3eZX;14LKkac3quK;C@P~Uz$ z`U)`G+7>5?C?)yYQ%1B53=ydoa!YELwsl4Pp;!A;dM*f}C4hnVDOohQ&-~CnPo>z6 zD45HRGxW%>BGo?d8A;J+XM3ouOPefvMRUYho|5zUHXoOLT>oZJF2s%&8-%rBX})Z# z|BZq*K++V#}X1R1QdqAsbE1Inhjp*;=m1e}jWs5iWz zmooG&N)gw3UjY<8A@OG&=16fk1AmMA8Di6Lm=%3ze36x)W4q`v+$i4AuCL5sYtzv) zI78vPN*~Y3o0Hq?wqxW#fiL8slsX8GB_eDMp~x~5FUL#8^$*x!cldBFO`Cn1-i>lj?G?uyId_zQ1 z$d4|$E7&vggI3?Rg0b|`vgq9fJB^(i_IFy_q5^PdB5ar;FNDm}LOzYnb!M8!U2bzE z;4?ZZAEhGj`B5?W4L!eoL^wR(I5peZCl6jdIfcQ8-(w;wjxC)H#3Z$4v4PWijg#JS z{BLbHKPkMDZTRRX&`Iz)Zc&G=CA}x)gXid+uyxR6-*?xo5kD-ky8XXYU)0X 
zW=PK4>|a*-fdSoFER7neALFOW)~<*ARm`E;nEk$cAmUR3Phaj!lO5ijOmV@@j+CEtEa>`;~b+wKvU<461Q^Z0yzEFiBc zus|U7yP$@^;X!n#jYn&u6&Pw2^9(IT-FWPtoi;yNtZzre^oX8hx#DvG?)rpR$C?}C zamO{SR2|o9?Ho#~%h7kvxjVN6$S8a;C!{k@C1EOZqn7;z*ifsg<#x3uYI{CW9{#Y; zknN|6Aq2V5ZMs!YQ&ml$(pUxMEU^6UaO836pmL3c&=-kkct$mQ!alwgIjacENj^E?m(6Fs)*U#AYtBLDyZ literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/certs/old/mds.truststore.jks b/docker/rbac-tls/certs/old/mds.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..8afa7402d9bc92354d1b8a3fa5bdc88ffbaf99f0 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU)Ub{aImWT)u;d0s{cUP=JC1*oex*OXO$`*xfIRsT15Q549=Qh=g2ENZ)mQ1V=wHVlwOC9`? zMYL7dczmjT-pCLj_Y=%*Z`{_<<90qy9u!Df#0$2 zo3AZ)Ew~eX1a+hwU|F6RDOL>crK}7@E&cxR3TboQ)Rv_2z@Ea&RhARc?`E<6-_o^T zq;~u@fm8z3v!lDlqOF;lS5^rTf(IjP6a)07scq|oWBAcDYi(gY(ip_4jEIQ(gEGLy zmjYWGYHfLZ=fbIORxx7g;jlT{I7CkX_5Ni!o5fjQP6P5+uq8WT&hQA8n0v8GHZeqb4Ri=UDQ#PzMm4f^H6K~K(uFVy(W`GZP*s<;%JupR`EiW_-{iVC zcNkY0@6fxR^osvqBQ$=H$&8q7Ukz~|g*g0~z>GNQF~M61Qz(s4hDc2R(oB?-e9$1~ zP&_=;3-B@YL}aBB2g~PBN1C}?GsK9^2b&_?Rp!Pk18!6S3-FV>c4U#nOFbdjUpUm-r$7L%qcY zp^cDPoO>ZIk-u?|O6`z?2V-5eeH0zA-#T)XQfX_f(|{$0Pv27%x78=TFF|a^r}kix zMJ(m{CRFj3cE%i5ye0vI1eV%5^Izr-hX}a-YIAPK3~IxC9>|O%vkAlzRW+Z<4E(o- zUd8*rY9YG$8&hTBiOUmCR2;2on&kV16|gncS`A+F}oYS?FSU?MUPDh@*7ZdeJ6R&;%(k&|I3hdRTs#&_i%L>q!d zkh<1uWB-O8sPHLT&53Nj?_@H3DhXvyaL)YZ$L%P18emq__kEdHb|B*jV#D5L<~8y^;EYs2{1k|AutIB1uG5%0vZJX1Qb@F@rd2mQzCTmJ*$2C k8nXWyxBLVYBzxb`N-|sc)FyE8lyAE9cdU!g0s{etpiYb|D*ylh literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/schemaregistry.keystore.jks b/docker/rbac-tls/certs/old/schemaregistry.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..0dee67c0f79ea373da6a3c770958e9788e22598d GIT binary patch literal 4735 zcmY+EbyO1ow8j}RYII2JXpnA@ZcynONJ%O+x@&X_NP{qHq?B|^ZL}yL-94$1D$4V{ z^WwZe?)mQdec!!*enK$HU~B-65R6g`NXQ$j8GB0tzz4u#lpMG)O7K6-ECj;~{C^hS zTU;2P<3IfR-&g^O|N9C=1i*&FaDNNIaBqcpfJFa;|2=2KrJe`V+CKWga}8CpNK9|` zgss-=kYnRu4e8;+a8bo!u2gEioHx3410Q4Grke*~7mWE$=y9>-z`Z5SPOc{3^9y&ww|P zgs6f@8Y~!kzu7%SAf52l<*AmAfjJy+pPV!$ua|IS0eEC&HRFo3hC-W7XdkKvv}e_2X#h z^l#S;l`AO;8{w%P9nZT-qRln;w}0tb++&Q!7}Dcujmxzz`J6+WR&utJGe3}|B^e=# z-oSEY6@h|@pAgxpa+|8^Zw$~n3$s~b$gGR&oR+K7VJ1Gu}ZqKKX zkEZRE);%H)?hM5c5{Qo=R-0Oao#VNW{kyq$q)kHA%kR#xMRMc)5hIcQN1qzuMTCVRW%0c+AMVc(?QgdOQ;u3z-1}iRKTHVf+{GWTYkF> zfJ4~0U*0EFDbRpyQ}OP0ZXFJ&x83Sfd}I_;Rfb~&AQua4VQCzMT>Nghsck-rIw%llTSJ~3XmLb}@L4k(!nc2Mi^%sOI zt!F?}YPt0L$#cFBPXJ&bo8t(4ewJ>6>bR=xM9<2p2XxtA*IH`_fkgK#wO zq8Lv~!s)=}$4Ftk_S8_}@*au{05H$6pyHBj*~M1vm7fyaqj8{6qBe5PNZ+ZcT|=;L zVa7HQEQiZY;H$$!NXsEp7!^UiAr_zJd z2rxp$S@hVHu9_Y@`fwc7=esO@9L+@EJU8J9!Tn_X`<<`A9$(#+lfCdM-5OPCnL53> z6&IVoP(mtPRfJ8Z|CYBg`7cJUk-#-#qVe9wesV{`?|3N{M)2cecgdrnK}%2voDxY2 zU({%V=M{$${Yd`B+>+F!t3Cm_sKjtZ)n+njMZww5G*EUky`co?k4zjgp66r1()UTq z%cc>m)TmZzil;BM_nq%U8dC4l?N3-+ShHY>KdUJ)8Bsx}#e0Gj0v7@Wc-e_W)5MzOnrThR7tX?ZLQnsZ)|-FK=ieSE1pdD;jW9JXrO_KVhbO`kLSkYfqLN~w zA|ld4Fi_$DhVX%K7%1f*O27tS{S(;#Ie`DyxWNBxT-i^V9OO0fGjT+QcVp=)!K!a| zBmb*$BVZuSGKVt16hDO0>B-w0O^f_l)90;Gf=-NqD8mzVoG3BPGG(P>qwn+q){J%g z9fnKlgF7BpP#1jZ?3kUYrH29~Bc}VBeA3v5?3;dPbe`*)PkBCNmtP}pG+1@F)Bcxq zTrpx&vt7oj6bqM2eQ-Of%I{b(A7QV*-Ey5I#&H*%pw|nJ8Vx(nfAhA+cG;<%dx!o! 
zL*I5%ysPm7qS4w#kY--QxD^YB97;l&=k|<$QUma^*ja?}~o61ud0>kXxvHi5|9njEEZu_?DO{5A&r!+`rQBY)J%K1?gYs$ z*xn>q7A$?_SyYku&zWBx9>9 zc6@tT8=te~eWHAohTo)&K>OV{r*nu}rR3RDcmQ(|2;cREwf~dB&1zaA6IqM4-O*8p z)_&7W>k7K0QuT2Pjs_vv9qG;$JA*i*$vE%!I_2o0mRRxzg%nVert!;Epk?9isyo`vujJy5)*d>&)5)80^mdRpvrDUL`S<`njxJWrECJI^ZGw zuM_`#qTPKl;~&3@BkJlMd%Y%8#aa2;T+v-itnv_anQ$Y{3b3BS9@l3p(`L$DS^n_s zqc*hmKmll+=5yUT#i_~9%e1w<7u!2EU|7v{EzaE76H&eJG&qIU`Q3#Q1u8die9r!` z^+EU#P-P&@HgkzEj57-VuZ=Q)cfZjD9&wpJ;DE+F|WKdet$$s$O`c%Gwb+0f!Am}fS zB)-hE?dPtS;^y1I0nD}jDr@!x&j#7$c$f++mW`|QMK8rD9mHd(HflMf=on2rR=^0) zgDx3f2g6}x&ku2^wsM9AMtx!`&8ljhyJ>P`NS{=dL0Q*Hrqw=6_!TSzMzt_ zJ`eZ-)3%tK3!fC>D8AkxGwP6<`??xwOLBh;2^$R#vp&J2E~lVrw?Ers%yDMhs;;N> zvV>@`G1&9Mu$TOUjU#p*jEYftgssZ+mA$9>j3sURPvBXhp!c$CUj_>{5$BBLK5|`K zjHt64>-W=;!0{78d;Ky_gTC2>>a*^wa7njmEKw{eWANKW3O~C<4mHi^TFZsa zzLrygH&k9NPs4}fDklH(AdTb+zUy5(PBQw7azh}jBM}Lg=dfa7>Rle|0fzl``Iu#r zh!x4W^D+iiJlo#c9YOWd;Kbb;gJ*3A@hr7{22=?$4(F_oB5A_sar>j7{OF4AA2qE- zO{}1nCn4w}-jtf#jgX4wX^ZHk9-z(! zYC=mzX@hR$(gh-l#3uV{=jzB751&$-{c{+;<48nI47J>&(o`I9fX0(%`i}jf2I6)@ zCWDd_!r>v#aSlAC-!=A8;O?T~7iN7G7u^9W-#dA~c(Q=$8O=`j8&>7x2jdM#_&E%R z@y8Z`)53QbfmE375aCd}4riGbs9W(m_7|Ddj1u3gQ$<%$1MQ9k;e$sE!> zWF!>K!B>8*GN?p3HVQ5nQN3;zg|Epxeur9Z#ZJqX(ot54a``i-6e8C`#429u(WYpf znT(Icl4yg>89_U&Nkslx##v9+HBVmi~C;Yev!uxG&$6hcJy=mP3O_ttDan4nh ztDySg<;K~ayAqs(*<>!4I09=@u!r}?99{ZggZdyt(OSaLHJc<~w1Bgvw=nu0;o&?V z>O{v{zn0FeX)&87i2;zH9L$EKZ>7a~@t&|Q-)x@#IyZOxYfxcBCmq8+XNX=sdUf&=z!=^DxNq~dcTl39h6 zbU8ytXvR5K$Kq}Yv&sqt)aXLa(`nh4nzCA{?F~!JKRh8o1XO0oPnm;SHW-nZYDUx;<{NC?hL8^rsrDJ=Aje#p1>j%Y|R;$lZ6hoxo< zzn*ND&hm5?&USX&GW#@3emVSd(XtL@PJ_3^01PU<&#p0C}2 z^}sCJl~=a3816a73S(zBe~}6@NKcP90_{Ln8f)_Hz<}hWI%2Fj3}sUumTa^-g`ZmE zccW(#4hbL?A!E7B!`0S8@-jlS&I|*js-Tpz_LnM(mK&wWr5=I1wEaKp8ItgE&N8D< z>@or3pwe&5v=p6KlRm3Y6{>}8@rOwxNq+qau^klN*Vs2+vz4IZ&+a2y=|OGu@ujgC zRD#jCg&SJWHIpbP@=`5HTh<_lG$m$O9>$R!`W(kuR(v$e`-?v9tk{e7JQd*ntTp9q zlwegBr_)hKl46^Yu;10JCi#J1F;>jJ6WW5{J33Z+^ICXtKk@9Ae8(N9bO+s}{XJ_Q 
z>-K>+s*VSx@64!lN^wR!ioUp3*4CU&JR*nR${1GWtAj8nCmhcr@V+!s$eV7EI|^6M zdnwvV1nI`qvOh@Ur#e0ks|$P|y~#avV{9e&)x_piC|Khim*F;BnzM=&Y}G3uq;k3J z>t`NfTG>hd%7^x=nVgPx)%91q%9xoiFD!m;=t4Fe^`TF=V-=UAa!nfWlbYVq0PePz za|+%@^O`1! z_4!1&mc2g52RmjZMop6ihUBUzh6R;Dy{!uuvkvd>idThtPgN1959L*1t3KnJD|9#n z;gu{g=>T;^C}M4G%)~4YCQU3Iu=;EZXEq}T*f~+U$46TeP|Sx|%Zez}aL4slaS<@r zFY(naNl$^;Nd4XDAsMep_xR~7yq@RQ?Kz6+pRY0{&|o^yCDj}h4p zTk*^l>#F5)Lvi%cZ>$Xmi}dStZN&p?gye<5LWDrPr=&R840u?$)Dlilu6}gR tzM-tPQ$Ic-^eM4RIl`qTc72QlE6Zo^EMRt{C8{}Nq0k*{96&7mKLGey<)i=r literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/schemaregistry.truststore.jks b/docker/rbac-tls/certs/old/schemaregistry.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..2572f0723f6feb16d33ab7f014ff24555d19bac0 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQUu6!0s{cUP=JC1*r+MHlsTQr6g2RxmKrBU7}X&b4``Yb^L9g&!iPVR(?ZE2i78g?q!cgOw0ukf)J6v!jd zqUB~U6LhDaI_*I*GQWGkgk#z0M<7D-l4Oog(!H>|b-I17Lvk1Rqp-VmHZ59DU4FI( zUXQn~)H)i`X-lg^{s~axv-^!BBcZv*hM*AMATt&k&DHi_;{y{1cpUQ}{%S)^@;K`( z>tGLxk_NFZ8{KzMp(*g9caW)gEv?MhCT7Znm^{PfU+r|rySg5t@tbqL6W8Cg08Vb& z607^c0_wL3F?V5IU{^0ZK7dtZHv~=bA0Xg%{Ui^d&k6|f9t*WI@4N~cqR{WE4s&|r z&~1`6VUx}rGHiH?9Un#(28<@zBt?coPRlqF*RY#(JS>oS-<2h9ORSjhSj&);r{KT7 zWn#W9Ad6D`s0q16nq6kS7x#GC-_w_=%leub~q!o zb0WXo3A7WO2UX#*3-hLB7vXtVYw4^6lJIevP2l~dg>j^-1I9Zb-?Wz^(Zho>;Nr%L z(dAjKwzZjtXPau4i8uH`1Z5F!b6<{Wlf5Lr*v}@zrE={biKp4xVR%;FarIu1#RgpecC|v~v_^6_njWF?xK2T@+ zygeywLwud{8gg*T<#c8kxvHeywh!MKN&D zD+Mm0*G;qD$T1FWZ>COb27!oY7Y;ir9;hgldPEtM8rrlYGjq^wK?t6S?B^YShiH`& zt~N8YC~a)9SUpTI`y;1Z+D}6_XfQr7AutIB1uG5%0vZJX1Qe`}8@fG}>UC2`iLR6n kOC;VIdE^8Xavni0GdKJSLq9#ZpgBg4n=0s{etpcbnk8vpW78ngkb&TZACL03ygwUk!T-vC!|8#Pj?8P$B1s`K z*Bi5yzz-Ik>$=E$03Obu4iEtxGr{qQ@onG4PClBdPj+)&$8G5!M!!XJtXR3z$DvJ^ z_FANqUxu&FN%yWqQwOoTG@`ON)FtdhU$6)w|2bF%Ce|ICNa^g00#_`%9`A7whI(}Yk&$OvCq74p5uZo?yHJ2+~0WcM66C09L>|#k2XxF#aKANZ7PMKzS%L6Dk^+@8y z)VT_Lc{tV7fP{9PTc%PerPm$z0nJ%tf8)k7=NG>fE*mFl+=K`G z*WSns#iUBl9<9%TWxjGo@%NP-xWlYO>rTzIar<82)tW7x_=`XMV!fJdcXHwgCrXNn z*=JpX8a{}K&^%ptoDzROR`ystrOw=_$;;S@j?$Y8YlcyA1>ptWF#VHd5G!?VT7yQ) zZ~v|H;x${H4jv(|i_RpIXjccXMwUJ<_dW$v&2}U$$cy40-&79Ia4`R&xrXgg<`(kDaBw%4_Ov6PoV(NODYKM?vV%lnoG4{Ho z3h4h}Q9+f8D=?cnlBs-{hq0Oq9|KZXZ7`HwuT>U>D|GiMk9r$>qZ3M_v)=&-B_(-+zj^FwVdG|$OJ)u!C zt)|Z`TGi6B$~a)V>~NX^iHnh3ix$mSc$qg`ZT{kIiKmj3R;#*v%D*Kso44BAv|~2E zKSCJ&QA<;k^6s=BMe_X7c8eS>gXaO@AF+dnCU$vng1KEd=|E@?2z}bsASk)_Lh2J^ 
z)33cngxKBvjP~KC|J|c|?dpw1DfYgQG)GDdqh}4GR)+4TdeEx^P~TIzLdNv20Q#GD z*802Ne68eeXneqDI>2_U2wPC*gKF%6ivtDc`~0X3XEP(``?Y+DYdHs-{JKMz2qn1< zhe%>6?H)Tt!`CuAzC6r68x@@3B_{^OW(?S)5pdx!Q46Io@YV}mw$Zp4-`_5;3bMN~ z5`S7nw86;`!x7s1D;~XRkW>6MSN1!MhX}@E{40Nynr`~Ddpb6{$X2P0OF~X(%B^Na ztFZ%RyGaSP`T9eoAvWD!>4*hipdih>Gpoo$uSi+8tKa0^v0r>fg!I{mx63XH2^5gG zhrHpxSz^q?RZs&4v)EA61kf2_ktw&Y1Tr~v0yU4rW$^37e#XB_AZ=q*GEX|dKm_+? zF@qttw6O!a9DYr5*aSa+?p5A$P?3s@5d!=e0_GWiMBlb26V$bJN?qeG1!AtBko$&4 z{#ig+_~uUBO?Q#RR~M1>8+TL5aGG2ezG^!dG_muMUjdR?kLn-gA&kYd$Yl3p-Hy~T zWkaqj@4p#nGU2JdTBtlK;^B?13G&l@uV<1*0$6`0dS?zrTCK{iJj!DUI5({erpJt0 zc<(Hfg*#{H1a`=r`{d*$#9Bk6pgRO?#+BjK&v;H@N$wH)bFWfNtW5cqA-5{brOS6{ z8ijP%bC4{Mz@(p|R=p^yJ;%7@yFkpLX+>RWhd%e74b2LIEOV4uj7>ETeyN|YDr>F6 zb(T&NQyfMr`GF|JDzbK&O1h2EHk1t>bi{;gk;|Q1O?_%QE^8x6{y-IzI9E4ieay|HPNTC3%ytql;tJ_9I_KjYqyK+ zli-vK?WYI?IRwGq)xIIm@0V4xScqM4xOqWwOjmltqd5$fR#Lf0;TO6#HR(xEVji^Y zKhwBbF_gVMGtn{Y8*iSbN=AO+u6xJNoR`wWo*IYT2t1ST zyrN6mlzW&MYci+h-#+j|y~oW9p|M&+Y^=hZh{i3W{DLtANPaXKfdmC-b}8P@?$W%$ z{PXC6k^HXgVSY;R<5|yLYUk$OfalT~stdk5IrC=lKMw`%{9B{Otu~WCo#{68?3$%+ zZ&VT4@RZW#)%2elta?rz`_&KWn7BL7C(ZP4Un?9bYLGsu5<`g}q@!6~K?~By238-} z&8SZfnL}U*+J=cpGydaZqa!KS)PUcxK7mc&zbREQCg@O_sDGOwwk!3I0u(2xe?Ct_NOw3OCEop zp4%Q-SvEy_WC0?(dA`**pf`;g|B$=x)}&yKG8d%A_O;m}v!3X?zxn<Q}^^C%i-!f9hH9+b%I53W&uN@pS&YSW16>?-B6eGi_I=&1$`=WPruA_ z!iwQ7Dd2=oi^Aiut~VSxms{!M6$;wSGlbxdWsHpzA&Nf{mYsTBrrFAbo-oiN-lS;d za^G&f#A;tZ4gf;&Fxnl+36_^fUNLng9qMiKp7LL9_P^2ln(S%wtt0c2DF}ZOH-Bw( zF;m9+oo38>u>wK+qKs|37o>F@`vMPSH?p5MJ79+t+E^VUB!djMXpE!k(R_J(%Iaf* z?TEXcqSpsXkQ8|cf_cZ{ueHxt@z;gm z%yi<0-GSNF>pgXbzCCvh*`*TNTvk*fglm{2g8h{cRD``lCl{7Y@F(lW|85WK?c;}g zG|7q7igr>*e>Y(}6txb6fS%-7Ju+P;9c~`-=3mC=CZ90d7r9JtTJt_({vta<`8K&N zGRs|nF?KVo`>RyLxJ!hDVDx0OI}bycZFf|t&_!&+#>tYo9Z6bXIhAeSyO~7#wq`N6 zNICPxNsT(Vls7}|(+1Mj{{8eFei?=56GY~;^0`)1!{snC*A>u;p7xJ;o*4FL%+`3l zP>F@&7h)-y_7rZ#J4`aL+Ii|jMT$+^wJf9zUi=2AdT9@68Pl$ut0#Z;cyROX4ytLD zK~;Wg6JaLD18+NO$SZVsy)klz8cY>6%g?H(p0a7GpPwc}uBG277CI1`1EODeZ5)L~ 
z5CNR7cHYR?td+B(SaLk#)%IP5O#`9#;i4s}ymLn~`NV6wxf2)Xk|_)ilf5PrNHxNA zY9@VS>+R+H73!`kZ`27YX*>0;^fd5dIQUbSy;)>a_Z)YkvSJAT`A5cQl$D12*qzQk z>$}!-kR0^j28TNp+@1=%S}0c*H5e3nL2{$2HAPt^4%En zSD5=^k$K`;wk}IXt${>>D5|S0uPyu+bqfQ(XXhT)hadc~DlN~0dH8=&xRg@33R#KY zs=zPv4yv^|ilej8TLJgHk0Jql@#bW_xgvXcwVbV^6Lm(n9BgY^Cz+z0K-pKa1shF) zl0JW*9uW^Pv&5*J-&e5Gx`yGNlvw9O%Nq!MqdEF&Dq}Ypu%MqiNd|-Fd%5+cOKgz6 zIEKf@i=Vjz%JU;h_x(+N=#Pj}WzF#~Qj`4PUp|@!ztnw;ASg0%(TVfRPQD-3?t}f| zcqvigG&93CzRZ%cQ_R&IT-ux89h~v4{oUz6ZzH4Vg5m4OU1rS*G}_$pTipYBLqBqE zZd>ccxvcL)IE(m)YPM--D4|0TK4gK0Lx%lb_6(xk?BPoF&GywE)wBl(fbd}CQ>*;h z9qWokbH%vH%$-T^#Q?-5vRF=|H=-M|oiqG`E~>HfdA}tM+UOIz(Sld+gIDuhA_2n* zvPOYjGPR!x7p$j)DXYc$e{xtjah&KpJ+BFfO#W8L5-XK4SY`KqwD1@FVZMG)$R0WO zQTwrDo!U_jC_FH=2C@1G?C5MiZVr}?ytez2F@dnDMNY1drmHAN`H zp*Mi1OUPMSXYs;vicYY_^=-J)tKZf{(HXHQj`YNryKo+l!S_-q>VA1ORwV)E>bsIe zeLl^#o44tWEmy!XacGQm|5w()@1(mnR{qw4?oaBD2pE;gNvr4Io*OyT1_vp`s9Oj} zK^}xPS}wX;)yoTo(Z2m#%)#~nX=jwDXKv;{Lkm)A+vM?X2Sz3@gjbW36Hfh~>z;ix zkLI0CgWuJ5M|69$xm{o_FuF;xtXb-kgFOahYDCC27T{btyao0Q#tb6_;q#E<0UqJw z04dk|r`lSRPAJv4TxxsA_uueChwgxsouPvBG+%ut87*Y;a0c28r1Y&C0eHBmqJIIW C3fNZw literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/old/thusnelda.truststore.jks b/docker/rbac-tls/certs/old/thusnelda.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..d2ff00a179f060bec25ec46071a85b75bf291514 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU-^Zi&vC5_M|AIEPx+1I0u0$I~z{)l1&JcF+OYl&Jh^1p77vzEG8POO6Vc z#`3~8-TSN5FAa0Dc7exoT66?*1q*#uxluzvCm3j|JmW__59WXN6;S|^rr#ZqBgchQ z^}qHU=e#tV0O&kvUu{W;)^!@vPNsl~RoA&hUf>muj0Z-h6W6iSF!QVP`g9~;-Zsl?&u-E3T=}4L$eA?Un=`mBZc3@v%?cxr`i0KptMc z+7G(;z*Y1QEDVTEIPdN;JW!oPtu|uP=iXi32@ws2@(0`Q?!k`tdIioRWEYFJf6= zAikBT>e8D3m@^T z{jt|?fiJ;Li{d}no3QZ64z;_CMlx(sa}&Iv-C-MKtAJ$9U8*eUh-YZWgYt^NfWOYu zwi8cuTfZQp%}l{l2291F z#Vt|@8iIJTvlpjzCI>?Ao$#BnC!26UN&kqx_%O>-h_w1ODFY}7gfay|fmFX*vwZ7> zh3f^~fzmo`g14??)3G&7=0ijbcX2OmtA5K)=+`qhqA`b_1_3S@ziZZD$*OYo!4hRG zE`#7j)1A!c6F|b!&%%xD8B4rRv84IsW)w71hKNFH`pITL2ZuEq`7ZLTdy+OzAPtEw zC(=G@+nqHhCM@1K1gEdMVev#4;(1?tIJJtncv~V*L8<^d^HeZ3`z^8$`0AEeL*I2W zc<<7yD8gn{!kgKT{8=)0WBQ|+)B!3FC6^E-f&JM>!#<&*XS1&f7f#_{qHaoSb~3JK zX4Qssv1wN&Bsv?9tke>94kSE1#yusKpbc{X5(A_`%XJ~ezibdJxMw3cBr5mHCTrYf ztBjnJoLd2PcJvq4d_QGf>WvGmFfcwaAutIB1uG5%0vZJX1Qhh9eB%LMj@fdH#q#id k1nT27Z@>f;UbyKKFsw|jzL2{`Uiz$auvP3O0s{etpuPPT*#H0l literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/schemaregistry.keystore.jks b/docker/rbac-tls/certs/schemaregistry.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..25ffccc2a0067a0c1faf2b370b8a4bed9f78c655 GIT binary patch literal 4735 zcmY+GWl$TAvc&@g*8s(#I20%(xD+oCoTA0u3x(oPEI^98yB2qM*Wy~B#r2N_hoZOd z&3pIG{jhU(etUL5o>?%A&<7a_1q>tPMZ;u+L*ci$Na#qpFhV9EjF9dxrUt`Mz5Z*2 zY6pa&TK&alf6E9B`~S9Zu#k{*VZaA440sEEgNF70`0sH_An~oX?b2rWUP84-?V*=y zc<1jbN&+mE~w5wnxf>;-@y5oAEofy30SI~L=nV!ve|rkFV$i_hi7)q zBKT}sK{k{M`$&-4oWxhSC`}~!4yc0$;0Br;oPHyT4HoL{CQ)V?&ZRWMtFz&QSFu;x zk+yDuC^<38NvA68PB8sQ2k_mpo#rK~VY1&kf5A&9&3oy?e&-)zM~rMEW}tzcbBV3S z*^iMqDk|1W?ZM^e-jez&f>k2kT=<&yXZ{L5Dv~=yLXId9;MAY8vhov=C1V)f&abRVR4w7n5pq#6%)XSuj+5l&wi%#x9d`Sw)ZNRTUs2Kqt)6B-et~67;}6%kupt2+ZJ&yt z#Wvm2J8;URFQzVOg90ipavf0%V)Gjrn=RZgXgY_9K>B5ij#!>v4Xi&G!kNx4)w*dM zQ*)`)|9p|$MKKbWFqB9FkTSgERXpK+UoktLc;c$%wBjEieViDR;Gm-)IiboZ%! zTe`&!GLuir7+xuiEhr*tw$2$B@5Chdz`4~Tp@oIta4DZpRj3pJ%Fz2}>cJTh=c=ml zgGOT%8!~>nG`Hg1qT=EhBdMv^ut@Rsv})J;4pSe6GrpH!Z22Nn3-XNb`iUUOL#dK( zp`OQ&We&grBbm=6gju44gX<-hna5$uWDKqY-7qUx*^Q|wDT*y{a8G$Q=`(lQYY0ut zwwCyxhE`1cB-7f9cRrEn#8o3F=e6yE?p|%iaX#UH&V|=2@>ATMnkhNV2I=miElx}E z0*;@z(EBnW6FOa+Hb1G2=HmIb3YK_&Ej@Vhi3VlsVGB{8RFU`=;p)lCS%2@orvF-( z9>6TVRo^uZysMW9F!ck9WSQ7RZ6DcT1=adkEt()u-(D(JXlrnPrMcZ#`G`{l)ijFg z$j(6KN3ns{?r6r4s#{XPv=F>`Oms42D1u;_rWsVn=ChG|`UkO0%#*0+miIv#@6L>} zyF?SA20EB*?fiNIM7>t20h!=Vce?xonfwUCc(75j#BX4&-z4s|w(1_nwwkl#3RXI% zo8JdxSqq0)I;bOPEAWK@`Xd{Csev(UP{%{)gSYPB9KbxOa;LJF(^zcxNu)!DA4b~O zcOoZ1Jlb(UAW$|Vp)zvQqc^&_smRt}hV#>(=1tJVP9zs&V-?**p&kNFjZ7)YpT>tIO>;fDzE@^SMC3G(st zf?+tB|2Cnc<-%~H{-Q8sB*0&R{bz#oUx|zMKZ%RW()~+NhzE{&Z+5>I|KRR^jaK=; zi5mdJf%Xi-Cp?-fEE#hVYo#u+=a5nt)lPyt^55R>|uaEa})QRyPtihP_eIF zQdmpYb_hq7PZC_g^_;7x5>1VJa?4)y2qx{&qFfb)XCU{y8I0^&U5TnMbkhu_Rr8?6 z%1LISCU$mpdeJx@w)TAIQ2RBY_%i0&RcknCo+?RSn809Sm5)<$PG{==1Ymj7uQYNd z;ZXql2ZQ=z#$bQ42wm{dVe0w42;JniRuEz?*H{-Q#P_CP~J zj{^k5y|lS}m*cd>ChG5))wV|3KHeYWYoA0^;#nvxR5e~E(8}GyRs;%yXW-0cnIaEX 
zY!9J{9=9En@-M~e&sViN`s9-;8NcI@Ag#L+xTjF`M^|U8t3@EzY_IoM^ZaIJJV#@U zu93|^+x4bOqUrJ1BR*CER8P@MV|Z^jxIe0N@iKeowecwuQha|@-ZDWTPiPh#m>#Mw z-q~V)sr)vWy+){aql>6gxN>+e?+nXOmudC$OG6w*7V1(^QCzA$*`iJ6JVDsTFq`GC z;jsa)M=Oi%4C2nK#}3xgXZa)+NtMH5OmsF(KlhJ+QoS5Jn)JthB@Ue0G@FeKI3+E~ zkY{navbkE#TQ6!F0AU9Ult(U=N+-;O-#l%HQ+s*F8_n)r?^evn!mE=Bp`wrcSfziO z!+1uL{ES2946h|pNhmXF*t9DsX2VJh@V3894y@8(7oIODd{GWm>T)5||BTW~sT1~R zu)fhc%;lT|q$H9zfbO=gj;}NhPO1`R32YY08D4l-5i?cEXQyT~FBP0pY+A#V((X&;RIxUA936r^#yf_If z4N!+(t;93%x4)YZBleF~HC24^RopskwhpzfA-HcfbM0@0g!>oopuhGbr0A~`a#$9O zydy_7ODJt+mrbKb?v|ukM6<0L8majPruPtaHaRMF4#FL&0hkB}8q=p> zo+SHm8FPQM>{?I7D+ywy&Kg4MGU;Yer)WT~g*?>KJMIsxRP%O8Kcg;P;k&Nk6 z@P&q~{f`?jm&X#M{4@_7+ua-K!5XMWJ_Xzr4)sFda|!~rFQN*)*H$7TfOwIP3FO+E zF?niF9izkYAc(ym+X#!eI7^_TN&bg5&k2JO=0&N}=25y^e@rRb3D0ZEVBjvx8x-<* zB%DZm=+`t9fEgPX=Gx$^k4rn`k4rp`l`kb;g=S^^k&s4|?BGMkR)%PLBz>&DVlKma zSg``xli^#7PVZR@sp$|_gZUK3?X-67dey&o+h*AOr!=e$cqgT6`XzOT?S zUMF&jK`aMncfnN?6*IAOCPmY!P~3Of)-KO@-m&+SFSX@aCSz8n;RFNZ*|tx7zCIwQ zA!+|O+rfod-Th;{@(1nR(`=z~g3J_WvY`1f1$Hho&d-GF z^(~F8_ui^*{E?A+OMZFa+ZVDmDw?TN`d^1`cp$o`uA8BuB?SN$RynpUqn*74Iz%xK zoud;sfBs!#Uw@8}iuW-Z7fA366eU8ySyq2qxKPm0GeNz?^9_VZ1>nq`72TO-+wx|X znc?qq&nkVk;fi50vGp6()F!bzCjo5{9wy}WbF2C72XvCw8N=7A9$uikHr+Y_qW9=M z!F2kzG{^G&iG*ha(W_r>&I|gPEGxMf-hO%Lp~A8k-9=9y{v&ZBfPZg&8rd-WY4xjLe9b%bcS z&z7w^j-9;auk=-PE|Es_bDXYB%b`ve^oP3-?rF7+U$rcmv>Q^btTAO!{JTVvL)CAR z74+koKFUEH{RmE|P!E!ea-&&$8k@rFCcO??oR}rzJ(_DSpBkRLuysYYFz>u_#k|fc z$%=}XLd=g3|D?3C+t$(R=F+I0d0*Xa2ovNTMOPiz-;ZM}m5gVHtho{_Q*2f{^E!p5T4V4OCxrKq~ z=vM_hz@0UH={1cfQfrlZb@6;{!%r zUE?}p;f%#8+TM}ZeR4DPM8!$nlxTru*L{_23ZV0|oTl*Qx`!3AIjPysYHix;bI_pt z%`YBb)0WdQjTpUywpJFQ;XaM2N`)p4mluw>B(eaLh^+_voB8MNOHPU(3*4=1IvbE zM|(#xUZwC8wG;k=IibEAl>wKLl^lJDjnjdEZ0h^Hj%aHc(+sc5W_J%gIx0i8;P zX(v&Gf1s{+Km@s5SQoCRc+)5b|2RSPhQc-}Mth7zdaMC3=vh&JBICQy)acI+y=g?~ z)%`9F`xJNe_^Q;!Q+9ii=9ibWV<{(5j7IQv-JrlJwsr?_dJ}SxY}6;sO}4soIhhaP zh(x|S_g+jY>Vr1Whi$jCA*FmZo-F;hpwWZoc}h~&F1HSKXG~EAF%SL6D1izmg=fsO 
z_u+$H{X@T%@K~8Mf2|BBbS_TY8P~ncCH&En+|FiZqjWBHIDSZLMGJ`i9siHXqdv@L zNXd8$b>`c)=ceSiksg0%W&;s&7>+Yni7TH-Z?xjqvsuX_2zN{HnVac9$88)6{~qej?1y!Byq!{|HTTY8@Oha4T6vr3b~onxnM^v)Kjf8ess zq}P7G$f_lZ9~oR(NsFz#-kLOO3|>drt+77V7%o7shOXYpeR>Hr2@~(0P_Lh$szlBa zTUI`+dc{cI|4O3vaz&f^HUK;62%e2=DyZ7)`_0su1|`-Ays&6Z|(7;#%5m9)@2$EeU%x?on~8 z&5cB8BgH03M2)!T5KwrVyI-2q?@JClGv@9GgKZRd8_$Ze&z5uqVG-NZKWJ=y_h;Sq`G~@l37JreqMj7@X&sBeVqiKjCK@U`9ttuADga0<3g!w8 vtbulvY+OB?L()l@J>J^@i4zR&bfUn_@Q?1cTv5D*+PU@TG{`7O@Z5g^jF0~3 literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/certs/schemaregistry.truststore.jks b/docker/rbac-tls/certs/schemaregistry.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..c47cf3bc120951c9ddb1d1a38a37fda9c6d2195f GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU$`G~gQ=?g0s{cUP=JC1*e1%;mI>4D>$k+aj|FbNwNLvfdaG3?>@c^ARBlt0mVKe6e5%W`k;dQ-m(^-3IaVV(s!IuE#2;uUA)jS+%S ztR)thx|9LEu$rW;bLWEuy94N2XR|K-zMilT8|*T1V%K5J)fV8 zrL8G-1lsHI_iI<1v}1Xvrx<4`?4TCTD}&y?cScLH?iIEBf|y&W_S`4{MT;6HhKMjd zih;JWlT2H6jZhEPz6No;y@IrINYaYFrd{&n_r5bkRD#|L#9w^!zEgFnwnr>tG*X8{ zF~;0E`!aL@Q+h1Cax{fecU!>`4izM8`Ox%Kv^O@*6rkn28A@ z4x34Q(*6W6cm7twwTkiK16BkA$1pyrlE0B`{bjDy^lruwnI!Q8ZUn56olFbQwlKI< z@Q#%Zr>`50g*m(bWLQJ5c^@ty?b=}!%NON+1}&i}S#FAsoHb z8;ou|6)8;*-rjqA$}ZbOeFG@@ewkcSyrED&%VplmbG?r;JBOV2Kyb>+-U2;eoE%5; zA7dJGN-gu<7CSMDId7xnKe5V(e7OBwqqk3-a1B*$?>RB;Ksyjn>3=3;NB(ia;`Lrm za_k}Muj{@JDw#W43>Z=b-nkJjOhv41skdVlkIK#9UURb=j>BywTe>ZR)exY*Ccu?j zK-3Pl9maWRb0rGL_u-@^ckMvro>~BZ*=~9=2`DVPtXU>JIG>fF6Prs=!Ge@f;M3UmRN- kyeIy|aQg%l5~XP+DnqA$UZTn4O;%>jqVVBy0s{etpo?@D7XSbN literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/certs/snakeoil-ca-1.crt b/docker/rbac-tls/certs/snakeoil-ca-1.crt new file mode 100644 index 000000000..0be5b2061 --- /dev/null +++ b/docker/rbac-tls/certs/snakeoil-ca-1.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZDCCAkwCCQCaHu0SFAy7tzANBgkqhkiG9w0BAQsFADB0MSIwIAYDVQQDDBlj +YTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIwEAYDVQQK +DAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJDYTELMAkG +A1UEBhMCVVMwHhcNMjEwNDI2MTU1NjMxWhcNMjIwNDI2MTU1NjMxWjB0MSIwIAYD +VQQDDBljYTEudGVzdC5jb25mbHVlbnRkZW1vLmlvMQ0wCwYDVQQLDARURVNUMRIw +EAYDVQQKDAlDT05GTFVFTlQxETAPBgNVBAcMCFBhbG9BbHRvMQswCQYDVQQIDAJD +YTELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt +DR+RvNt1VpNlygxjAYkRzkiPwKEPpsSNqa7nb1bUblQRN74dAmdMVGSvMH5Ny9L/ +PuocqqAJeXzu+Eqqd3njXx97YCOKhEN5HQ0Dnjakw9BYWpd93jbV3PJ7tnnXm8jQ +tfPM8VyF+hdbpjowzYNzvZKsaCS20jbahmlOAtGw4v5/kmjsBduPoZ4tAH2OcRqe +DHyDTz6wiM+o7P80Qi/oOku/3wIfvxs6SmyfdeYAVuRhLqa9pK5IWp0VeM7U/XMW +KCIO1dvx62mVGL8DJ6oW1TxcVSArVS+mRcS7N8UjymMQ7erlhzHhanSCZmMa0H8E +1sWimEvBa7yZ+hvSN0afAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAKJLj/9OaSVy +ky+g27stB/IxzWjQS/CQ05UA8ysn7Q11KR6bK9PLTouDrPiT0Sb0geeCy+h6IvD/ +olSK45upwhfPHTCPP38dZGQ0wbIfv8TzcNmykTAtHUYBfDNYr+4nVSbSZKp5+zO5 +62qxR1aMNvhtRgVkB4oJxerrs9Nd4kgbLyaIEwabmvpN79wlHH6HZTtJYdN8FT5s +SjC9PwRm/z5H4ceArXnXgJeRPgU2Z4Qa+60yDhKGCIoYaNjNDhdo63isLPI6OVTe +2xJhWXsg/OOsw7bVliRvX9zTaqBR2UvbP2oROG5c1+l9m6mXYp4Iysj2kcURU0aV +/ngcGoq5Qhk= +-----END CERTIFICATE----- diff --git a/docker/rbac-tls/certs/snakeoil-ca-1.key b/docker/rbac-tls/certs/snakeoil-ca-1.key new file mode 100644 index 000000000..389febd2e --- /dev/null +++ b/docker/rbac-tls/certs/snakeoil-ca-1.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIjGgAKGaHAQICAggA +MB0GCWCGSAFlAwQBKgQQzRqDXYmCf6FisE1Jf1blWwSCBNATRJo0wkqC8CfjwYAt +uKh+upZvycOFTu1OsSZV7840FRUUkJxvUN27xZetx4zx4khhfV/U/1sHMiPB5l8C +39axKwLUns9zG2MnSAi+bKhVMK59yCd+xw5HanyviDAT3Xj0bbhhA+hx2GRF9pm0 +le83qp2+flIAGSiOoCEJH8Rp1KqIVUzDo22oR2L9xw3GL6fEBlLZCRmj5DW8ZSs5 +yDf3PSZaRrlElvLt2PZmLVeSlvdmBPqO1rNSM16eFAeThwfqy/lWFdepzJLyhKfF +pLqZB4jxaLmD53ef/woz20ldgY3ZA9bMfzRxkeECabZUeTQ0974VxxHZOgCAKikg +VhoAIHrCvzzgFFMH+nxVGh0WRLV4M2WCg2au1SObAyOQ4ynu4e/rRaHx1snplHEU +TcdAX7re2+3zkZVb05D4LW4FAXim8xQ9K2sVnMsmwmTBf7pI8xcLtvsGTrBRVGW7 +Y8Zecwh6B46CjO1vmnMC/8z4xxkC7Joyi845Gcahou/XgpzpVNuAhV4ZJxzd+1aR +dJRes/AltTCtYy8GhbJX+MFjyYjWWhz94EN1Vvk2VyYwdy24KWR1oZpYQ5cayX4M +2wXqfQkLeYkv8JMfhD87yaKa1CyI8ai6p8Hx5xAa0EXv6gnQLwkwayaZjZh6DQv1 +aKuiBUgARjchUBm/yaKEFp2Fr6PoSIWCJc0/9KatqchgiH41uOM7dzTreGXzieEJ +FpbYCyXvrQMVR3IzsN2eqhjqC+X6xueXIG35gbEdLd1OPplUwkNq2NnG+fIO8L3Q +stKnRSqMEdcKq6PfWXDMjuLk9+aRlofA0M1/gD/zJ5QK8vW7DGv+gyIE8ZJDq99z +M2LIR/vkP2x5uSQvQcrwwv2qjfyaePg4UL6UJ1xLWu3ZFiYnJtmOivrk+KSdnCdA +Ar5G7ErUeM5IkOv5DbFaBlPm9SvhIxdLg/rwtyJoVmTlfXNjorlXVqkXxhHiU+3W +xIOF2R4/++A4rKwX5IxBgLr3XfMrAUXmDgdJfxN4gZuACd+tTIB5bRXcDkV1Qc7J +ydo4UtkivmylYzylbxuqS3pPi1GOYu4NaRVgGH/VLc1IeEr9eiqwTglGhUNlTvPs +RXYVzetJ2i4srRbUkqWOA+10vfB5NSrET9YBSDTngmoozqeV9GiS+3PlLgJZc5oq +mJn/5HsC7Boc9z3+Yklyi2FlMbruKdL+tkVQoQKCNCtQ8lQnb3tD3Up4C8ztiVyy +Sa5U1DP3xT1DBNyY+eYS6cN/7KWg1C7dLREdnMdTdWno0apzOCHkD8wUWqHumaai +OJpROA8XCw8BzuoSozrh67b9danJLTpajwzAu+gfnZ72wpMcXsSHUKOr0gkcLbHi +Rwsvg8QRJ7+PAcIpElVWelRQ6ky6pJ3yN5M3GTeP7sueCr4fFmAv6XVxM3yncUMA +h7q98YkUHmfZl2WRf86FUp2KKo1+H6o7hcy6zr3ZOIIDzIoKkrM4kRqDwOqmRh8D +KMBoe4/f3n7CZi0qv5YEIj1umWyLiI1M+lc/l7XxRvu3h9FVfFl5o7F3prA2uMjm +CtwuF6X1B5waELnLyZX03o7HbN0R48ioWJuXK8C7qA+L4yeDa6vfgLNuSXiHWaK0 +on8dEUb6LdlWc1uZ451+dgRFXQ== +-----END ENCRYPTED PRIVATE KEY----- 
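Review bot: A CA private key is being committed to version control in docker/rbac-tls/certs/snakeoil-ca-1.key. It is passphrase-encrypted and the name marks it as a test fixture, but if the passphrase also lives in this repository (not visible in this hunk), anyone with read access can issue certificates that the truststores added alongside it presumably accept, so those truststores must never be reused outside the docker test cluster. Consider generating the CA and keystores from a script at setup time, the way create-config.sh generates the token-signing keypair, and keeping the outputs out of git with an ignore entry such as `docker/rbac-tls/certs/*.key`.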
diff --git a/docker/rbac-tls/certs/thusnelda.keystore.jks b/docker/rbac-tls/certs/thusnelda.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..96bf4ae811cdd59fc2fa9240351a076305512040 GIT binary patch literal 4685 zcmY+GWmFW7w#9)Nx?!YakdhARp`}|I1nCf@n*oHO2ZmITkr=u|N(AW+r9_7MOGbP6A;reWM!_i0fiTKrVHoAU zFbvo0KP+5ZAPm>)uWbIejPZ#7XN!ag8wUjg{uYJ-F~U4}ME@)Q4QB*`Xil%DYR6V> zDQ4m{&0^2mz*8tm8~|3o0T2cpA;|dB&?>~-qIChsl-b>WH3_vY?739I!aVmN%-G(b z!G!P=?A_r0{4}PW{n&Lrkb`>moBH!`_RRwqg<^Y5=yFq@)?YVOakiUZF z4+N8hRbQ`mZ!5D`hV)kJ_JBQS*$nsO#U87SAj8V&I4zjq!!65aBlgB>w0hhKSNFFg z+Ns&$9|;x?NdIX(4u6jy(_`hY@B8hTcnb=p=Tj>(P29%se{0rR*T5dI>|RC`S;dEH zeo^+JOWh=np#ee@bYR;_cWUgisLZ8YGiAMR&P@1Bb`rZF5FSZA==wOzP2xaaRy~nu z$L=~Hu#ng2_wuz2O;`mtq4{@A5*qqE+g@W6CTPFAe0p5iBqcWZjTw=3dN z$ln!n%Aqv;qC=e!NU8)`!Z5ftKV`;R&@3HLq6jE3`f*-Jb!={e(kkVf#-OL9DN!DQ zR{5+iM*YZ~uo&X|vfe`Vd{1g)75xJBTHqyW>OO%!DLppD<0EA$^Fe?N3P7UZUE3g` zRm{{5H8-Lux3f{#{3wf`4vsBAotDeDRWcgy#vgM3W*A@C z)`$02NAZFA(=!LrMDO@`DxMtK8@tg_Yufu{Rh5jR`cX#NCMB|1xJN+Jc`EB3bS21pU`^h-imD*avE9&2ap)6|sDY8w#vtrk$uR17ruZ>FXRxYE_ow{h zq9nZ#IEH|t-1c#Bq6-C9YYgSaO_;%>%K;WKh6J$50%3px6Q?gzfsC(Hjv*m;$40*u z=`J@~Gy97FSX3#zMR36nZ~B(PLNcB!>^e#+*Z4B0&tKawZvT0$UQGfq-LptDd7Gm* z{!}ZE^VrEh&wVFV^G#4tY(3m21aBCG4)1~AA=1zNd>)KW=XDdh7>FUNrI~(oc#J6tL))kdcnl77N zN22^cpv!;0lU0%E7?uIhn(d0aRzk@FW8wm`%U5fPs)F5_&F9_ZLgN$$k0mk!O5u(Z zU4Hvb$L8rt0xKpEyhYLZVb@PoZbwqNfvou75Qp?#)b0!%21hN-29?PRE_l$oeLxr8 zWWdX+K8OLSBwR7rwmB+FxkTtngxZHbuT`{1=o;pJJe5))x0*$LC0+MuLQzM-FGtVq zbN#WK*HEh`dlez1I7tH~Ns32p+kk1|=Ih3OLfz*z+a%Nz+6wZ`pE&cMsz0>{iQXAI z+Sd$v3pGoG4WZhc)WU!W?4RI~5IsEpt$o}{~(33$@L`|6O z->4)6iGWzBu>7%Hu>!FCuspGxuwG+1V%h!wkw+pRAeHee4=1pQgow15xTv_al(dw% zFpR|i-#PerC>V*;U&#&!8|!bg{67c#KRAo`U!3*s4z(eAy31GT*|WqVo3$2N*6I7- zoQ;H$fL)y&h5|b3SU7d3%sYE9x^#l%OSPO$bkERIubhyF5lA)N4+y>CHNAepl6Wxr zH^gom*Av#tY5=FhwogXO=H{6NV-+sG%ZG1%LX3a-9}afoff3P&WC)b+HPD)L%yPI? 
z^6tzp%TXDPR%jUErZ*hHifLjuj9PaV^42o?m`RCD4}W1?&KCiC!fA=XXg5YaDha` zL-QuK$_qAQ=}uzC^P7KAy7odfTUgoQ{JC+Q!bKN1w0O0u6f<7NO@Cgz1W?XP6if#m zUGvkYPrX?z)5D`^e5F{@RHV_AA6w8p;Zn!3wWFs6kW6JLq~N8T|GUr#b>;uh-Q&KJIO;4$yJI_fzdUCz=fZ_?+VPO#wT&`4!3+tQm|8I<)|l@{ytaS&JH96gQmPY$?8?+=JZI0@e57V?)Z2e`gt zGkevRQ@2xiqCTfj)HPWOHtw7Wu$XXUBb(?30K|Wb-`5c3bsrVdH6(Me7X3kHnF(X7 z+zP%eL4?{ zl7!igiGXwrN66j9yARaRKC;j{=fQ)Y06vY%DSE%}xF*L>&T9O7Gp>V^vM5(Kz!Sfk zNhK6SA>o>xwp_RiK5oxJa0Ak8d!pi7EoRQ@b$^zpS1wGf)2_`N7`53@ORAl-)HKW5 zYk*5sl1tK=Oq%|+{+ZHeBX)BXWlpxocwkgPdE8)J1BQ>xKe2lndLDL$&r#@>lcGrT zii@iG>?ZexWel8{p6*!X*Nzq?!7P7OiTXk~%enKrgUgxS9vy68gJ~kzQJP{?PX?w* zzF6EmNoC4(67)8I?bJKR_LfzeSafPGS5pQ)NrPxVYcb(qmQ{`?XKe?3m~z2!8-tS4wR~X!Q6aes>k#A( zOF=6gJ9Kz1vcb~JNK@Ls>uKw<6d$6C-O6K;iQ7w1cW;dpf)!FSq&+CE4qAmAMQ^}F$=46Sb&gpJ7L z7wPCcqkUtWdJQ_ga(YGfP&f_kclO1d$clQjSoBKt&uG=6kxYbVlsaWsTe&9$mXMlj zv~Yk#fd8Z^x|RHq*Bo_rg(ydM)K8pP?nL)|#c-YMoXWf3BCQWD)@-bQ8sZzWBLGg! z5f?+8@2m&M&7B5X{g_uvw>nZ|owKLp+pRKE>Euclm0V3UMXZoiX^8B_YS zgnu0~p`9thdsKJp%O2F#DllbgdA%yw4?^a=o+ zens>oaR}vVpJKYK;mYG?5OL0(`gi zD_bzokK_bkDqr0+N|CD@YmJywJ3-)sD`o{7sqC01~3l)pe?VLs2z zd8BBXN7&R0mg7jI<_`7bvK*xrlbD=t0^@1A+RAzj-qNr4jk|Y&jen4*33xYZ%ofyHiRE`#{IZ*tQ7XsYcz@AA?Kg{*7Ck8_XGSmH&J{Y5!`%0YYzxq|98>DM6og^@%w?>5Pxr=P66h4V~ z<(Q&cDyw)o2mO-z9O#7z{U3$zTYgn&Y&eCws?MvV7!bYk zhqh-aBnpZ}C(S!|1fB)yRyxGB;+urOvLEktz)p)i2|2ouSQjJ2agiOM-B@EmG#T6E)eilyR14>iJrbf(N`cxROVnECUa+6 zSfW|M1Vzw}`CadxpAf|3efyRqmd(VGsc~h_}`Pn<{wH1)LdjT zfhxtBXlup`|3!r(bMRRB9A&E#u98*5NLx0vt^KJKO3liN^zYFj+Ut*=#Dh&$t}<$m zA75ImT&{DYW;1BcD3gT6m3RP>FU850m(4gV^w{3{v8pVQ2CPo=eZpO$v)L*nI*RkJ z4;`JRbB<^YH9?)n6@OBYn1DMaJ}mWC$Td0e7l9+)72FMe-EGcl&`ZM-GzV5jKNv(>%2vT}@!Aq3*&^8CZ^gcnC$iVPiPhSv z<*_~IE~sh7AQ`8};t{Esa$VR+pQORGY}^;*@S)BdH=0@a4rSqv&=c`3ci6IeR2+bd z^C0cakkYxiYU>w3Aw;XQ=RwV4msc#`L>HD^_eDQCr-VFQvtS9C(@+V0wT{apV`EdY zWSafKpF!PRe>jaCLX@&8P~683{7!u0z0Vb1(^OQH1|8zsApGYAw0&+FEQe8JAffk@ z8?;)xWIjYOEr(o26PthKJn7a6IMue6y##aOo5veKR-bGA{WjO{j}5~a7IIo}=smvB 
z;M2O12LXeitL=X8BT_e#Ubla=OI(~BBJwJtK+J9i*jWUaHVG^vO{qmZ-5pRcbD==w z9>=gLNubz;1sARZs&Z?D=*CFskfE0mF2P|aMs!9KTP}9OMC(qr#r=B&^@u>*B zczt#|&-XFPDQ7?D$pQG6`>Tu?@uuZS5vG2?o=}pmgmvFzW85%8@Rjy71=d0MsAx#1;>)L|v_5Eo9sRqf zPx=^xK8=p^b72@a@Y_Mi+hLq>WqCQ9WBTnY(h8ZcZi?43NM2!iVK!kxJX}6901g8# z77)a1TIs@-{=Uc1J!()cLpSz9x$!*^lpd+X!=N?MtRe6q`3&R&tFOYH#sOf*q5cJ* C_Oyur literal 0 HcmV?d00001 diff --git a/docker/rbac-tls/certs/thusnelda.truststore.jks b/docker/rbac-tls/certs/thusnelda.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..c3a4e5f7bace81dda4b9bcc30dec6a1569243553 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU&e z!(N8nEK|YkGg(uz%fAwV##}U5JzrXsENB0*2j4*m@2g8^vv|xb3^N6rtN~?>#GLNK zxU+3G1Uvuf_`cu}xn}QZyDqrsNLU(WbPr;>8F~0=_zKncS0dg_KvDA#JP*br)i}z10>Kyra0;t*#(MA} zQ|fZR?+5Dim6YUNjEi~F7kZ6om;>4o9Th&om9sc-z#BIEoeuS7#Vt^%oJLM5-V|Vo zvUU|+J|<_7bpfXVIKoaN9fQ()CqTt4T=GPNQbf?-*TPlbQ^qs#fAObRjQkK$>*5s^lF<(wAY_kysP(N%mSXV7An~mcGl2M|C92`OXJkkeA#tVjW=Tr{gZvi6qVN6 z`ET#e?@JM@XPLWmcYEG+^D!Hz7~q|HeFt0K+v}#X{?`E{&wuMi_`vw>{~eh}_5~LU z@W+Xk#4{)7L&%k_x)6+3o!?ay6|`+4+KbCkK_vvMND}4 zzE8f`iYy1cZ5g)8MJ~f>V`(KwGe2<$@e?AZv2dfep3Y0WqRgaDfm9Ct#$Zwo*UF(R zb_hr659(pH-oH&|<5#Ge+ndP*@4Dlt#cKhk>jKb7i}ip{a-zO`@1WPTn8kz$Ne_j@ zWNSloPWCA-v-x#wLQqTV kK&B?7wzC8jQtl&!r`iKptpaYNhGMmf^gU&80s{etpcZW;RR910 literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/zookeeper.keystore.jks b/docker/rbac-tls/certs/zookeeper.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..39a7d0262bbc7d636c16e16fc91cd78ca2bb594e GIT binary patch literal 4701 zcmY*ZbyO6Nx&(IVE|Jb%8kf#RKuTiiE&&1QkS<{f=^rehfUtC@ODWxv6gc=i(W=px#F)64d2k8<5KjIGfs@}t;Mnf} zVPU@l!m-W&%Eo`Gk3;xBUql3$Sb1>Z-#qXV!i_`lzw+O5dLWgolNPA%PMm$@eMB)0HaqM2nP<4JC~mKc}%Q$k@g6rG0jO5@RZm&psU*S>LK78bR7F`EaBE^ z;*5$Dm*;NkFB2-Jl6AZVf#Vn=hSk0u)(TVD=jz))i-7#TbMAa09H+g0)~{@VYk%|= zqU(_$y3H#Vlo%Kni+PX;CLI1JwPG*++F)Z{U_XL)7hj5$rqq4rp1R__wEDZ%MnHI= z@np-F3lc{?{*h(u-m8KA2SYrrHL>KHAWZjRb>7Oi@FjO=&`^@J43^L+MO-niUw@`1 zE61Y3RsuDCOkp^{Nvx@W^p!@+0yOofafgb0!~mYLrDWRNcdtQn6wSekZAsX%ba-~h z`97VV<0@l$L)*vFA6UYp@Oj#a>1ooEcaxmkS>GSQTOJ@99P^$bfN%kY;a z+L{2t$73opYKuEjwhLC+_r-cx!-!bR-x2Cx?j}4t=*nuC%pBX}wz;=%5=A_gTs%3n z-?B&Ba6`9n>0mmePnZP6(znA(>NZ1E;=eeN_I&lgxuR7@OX!AiDbK~Q-Tch*!Sr*a48@$oe1!epRlxlQp&?In_SfzckRX!y* zYZ1wuxC6TO?HtPAkl%ChE|Kg(Op1~IQb)oWI;vKvD0w|ab)69^?C->Fb1HP6Bp{9T zyU1R=_vh8{?F=H&GaKDJ35w?`9`9p&)#aVf3YinaEb zAl`>=#YY3pk-8DLzeiklMr^o`#6^`a?sU%=BFBU8R-Zywe+nImCueTi5gzG;RMv8)m6=_zfD=qcYUV7^%7^m;!ByxY!|-TNTsn;==f{0yUzvdODh8|AFfMy(ci=#wl{1|03w`Q0I& zc{LaG`NJ!Lnb~tS>SsaT7^K*X)Tvq}`yUKv+M%2u_|mFk<6X>fv9JuoNHeB9ah%cx zp2qK09>>KwXN9sPRnwoeP_wq=OF>Jm^~<+dNzIJp%aXMPAEl%mHr<(kw()bM7R3O? 
z2(}qx@l}$X`NP6>r13FNLR`~4rHvV;aQ-r5z$c*P^_)VzcL$GFLS=-;0`^kkpGSBOYf3l_9MEo=SWw zK`JH+j6e+czi`H|`wNf1^!oo1YC$R>g}$S!9gCotprnYXkf@}DC`1SXCyM-c4=zp~ zoXF>|(2oQxhgN^fW47f)kPS;(}^0 zg5{`Q^hjn}#_`svEd1eJ@!6JRh|K$$46tZt%dcu7vAky&FNMsT6kC|JrHWM@i3K8G zDkLgur!PY&DO;3&wt17()3`Yy?AySC(wuMEXz={9n>IfoO$9@lS}()d6gRU19|!qU+mcOjdDf;u4uXQDXiTd;rlhLoYsz z=8g*94DI{^l_xR((OYJTXp_1d0bS*~2+yD=(!Cc%uKZufL96_H=o&M;UZ|CVcZw?< zpAb_M-j449{iYEcK{f`tuX(<|=>9<4*4wf|d^0zdqL75-Y(9DxDhbZhu0GgCbI{4L zt3FEQf<`32*hK29Sd}?*SXl%!&S-T9ov^9}dhrm^2&Z~*81-q2+e%gBK7?!Bu^3!2 za+vpJoYmIk{)Dk+uYDke%Vk=Ciy%jhtlq&njdlKwk(ysD(CxU60yOV}wOAfQ-`6I>ubU08R`h!^=?)%AX7-Ve$ zKGUM+mHsmia1PnvT^Ng|EEpP<-c6K;)lD)Q7GgTazc<2;VksmT9HtZnp%3y~(|gn`N<1y<(Vw zr*~+T)i9BRpIG($>&PZP{zFRIU9u|{vDxjnB7mM~k;aGB0TZ7!sLB|X&f9*6qAHv+ zF}AWxPg5g0doX0#lnYau%a0XoQmN&sU`qU$%vou#3O)qfFP#f$&M|sDCMXnmPK=h; zhURVm4923Y=|$%yfdD|)j{%Q5sIYNGNb>9;Vt1ybd_5-}es2&7$rOt2$q|~TH|^qY z_Lwo}{gWzdw*aPzZWZTJpE8blQ`_2MNx(?pm1$#4h{L}WtRo7q$IFIxcTMR8CWUcL z`V`uHYY?!MchDeS{eGw;nRTkcWQ3>uQu)XY72=Zovg_5z2B8R1}W{B6$bYB4s<(YcPouBId{uj ziiLTfg=h_YtfK*pZ>_qe9&SxZ=423Hu-@L!g{o(AP&UX_%m!9pj6|hqxX#(#+Uu=o zu3I++3LWc8kAz$LUqf*%KtFzCiGCVUq2iRiyN&%L+QvKZhRvAb;%ruV86=O73@o6< zAuQLiXD10Jacki)2raw%CF@?K(n3eQ$(;DQ#b`K_EVMA)&RtpG)BNFM%cWbbh4V9e zLy7_aNOexWU+PpT0wj?DS=OcLTD(x)3glCQMp^NC(6tUgYWF)zuZraoQe(1fUiIQ1 z6OR65_?0{;bh>e^inRE`4;AZFf4Hw}bzzgK1bfDQ4i(}(K`FW*u$P5-oC2N@Tr6lN zyN|8dY-122$6Oa(JJk%tD}}I3oL^V-y^2P!{V{VQNSd|};>_Uoqh);^Tt4lmk$b52 z8GY^Yw*2t9@^L!$p3|bv?;}_oQz##KQ`Xv@#tC{5rfZX>A_{t??BMWeV;og6m)JXM z94;QmDB$QMrq__DW)bdN9j+Fe-L$JgtakEqT8%if)r(FmZ>$!K^W0?RrOCFw_HI;Y zWWf*S{Wlz6T1N3`XRZ!zjriZBl4UWeV69SS3nu!1ct2dCivA-(bOcF^p$;~BGnv^^ z-MaDCG%qIBgb&3eEj9e>8!oEgD^&~BY`<2>{#d4W$UYN!{xbz3s3s;C1XC@T>+zXV zE&h0#q-)Ey(Ko+bS~D@*_c>9s=0&_7r00Wy5urKv>s4`IZH%dk&FjpoqYqx{4I$I+ zImD1a>ofD!OVP=Qf7W!qEv8;RUc@~m22~Bd=`OB`syRJG&LXAoJnX8%q7g}z^asnB zy&IuJDAKCP{D}}F9L5zA@;pUj6Qg(~MKibT)aGxxoc%cWv@ixw&5T;91Y~(hHV20!8 z1upFwhr#ktPa2dsm{Tdpy? 
zUd^J(_%7j2;tOkzs+ZnO_B=42P#^y$MI%I(k}D^3J2^`B_h^^+QNYo0Y4zAH@VV>O zE;KQL0mfAMluYlN-A%KaBmcPCL|bC0QNzZ=oyUH^TOz0ATlcBqQ@3^_HzC5BXg=!% z17$jVipk?XFo&+{s_<}+I@jtT6E<71HiA&sQ1tn!qus^!w5wa!^HQV0v1iosBn)~g zljet)Z}T>h!>ebNncmL*OUQm(YeU5E0&29`hJJ;eTY_n6(eu?{%9V(9FmfYT2S2v0 zuVa%yz*4zIO0J-i`}fl8xyPk$)1vf&bY-VO?r`SRZw*HyMVGG~D1413u#w&&hA{`_ z>vgt50rB77j7LJWRc8U4d>lV~_tvcCi7g=Sn$II&Qa~jqi)Y-t1SDisB=?WJ#zua* znWEE{)J0~~>p!`r&8HbR44y29;G$1Zb0jj}3M?Oo`?ntn;o~PbG`w~E_nl>mrf@tgy8Lyso%S$+js_zh4kEs zCT5w1bygY(psNZ<$C`tctAkhZ2?McvRFVTmjtt*7nJ{t8&@)$5GbIIYASqA#?MXH# z@F+Wa=+010AdjQRy~OpOA+a`0Ih=PyYPm@2@(#5JVF;wR z)f=Z2zxp)#&Ad|86{pPilR8*~%1ZkUgS?z)oN9AG+5qwgPD@E+q*miA84<*|)~3eR zi^Q|nS#|Y}Arxq>S24rdvtJi*?!EaJ`9|B-lmmW99 zpAYND%5FD=I(oBO_UZzBtTDVT3+nG0W~_ZSZ;8Hdz&`b;rNEA0*V8N6{8ox7ob<{l z(BNJ?m%xzuq-O7v(`Yc&l4)W#F=d4;T-M4sTcA3oMs?E7lYd~u4b^a)G22~0NK4_k zNb`Ad*Bs;xOcys(CQ0`uZ&-7L)h3io@#}tCYo<*YS5oi)j%Q9T91^B#9z0$xX~;SS z9*E0#hrrkjyjqNG!{Zm@1|AfJX|kO6t&O{{YX5`{GOE(M%sU2uVM*+r5k1s1?#>rp zfP}13bmyfll^7QP1BxxskEZ_NGWN|O7|Sh=?w$P}oZE|g?Esd5qqnkgVe2IE*dgub zBWxXxaV9q1d7Kh0;#?*B3Oc^0=Q9qX&0=1YY6lV M&o?XpW^~@a05|E{{{R30 literal 0 HcmV?d00001 
diff --git a/docker/rbac-tls/certs/zookeeper.truststore.jks b/docker/rbac-tls/certs/zookeeper.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..2138bb9f43be97fb229cae1c318d434bdc318a15 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU-^sDvL{FW5a0W_ zqrXS-f&13??ap{JYmJl69qXfOd&!#E5r*VE%zmwJ>_vMRrXoX)!zBT!i`-E9vm>aN zn&q>U%W!1H3pEq{oTC&NN7xj>@Ew86ZNx!)HJ^h6_@Fky23JE*OhR5+g@VA0&)-D4 zQtu)cPmr1h3otyU=dN9B?c)ez+ zFs;W<7%w1M@`=7u%#|;cJxZ$DU+|Wl3ErP@$MNmi> z%D6?Nq?|$Mfjh}?V~dhy=_}#U8w4>J8Tb}AO0O`1L!wOE?8^o`v}^Z`(T5sYlsTZB z%x#y{X}WPCLUF!bRh`phIu{?gsj(aoxTXVNV*gZE3a^|`hduGG3M%5NSmebZ4mZz_ z5)K>i#~Fi36SIj*rxz4lJ=NgfuE{2fTrO;(DrSz2nR7jg86;M;0%`pA>$EF0dVddT zx#uQ1B#ia603p9R_=}U0<;{p{gL3mSW0re2mqf?Zy-I`Owimg?@Rx5IR)iAMBd*`^ z*BH(zR!TYpn+ljggKidD2&8ByQAWe(4>>C!x;H}w#i@pIS0K-UQ;FET%kD_yjK@+c(Nr8Ood0m|A{6OC z!gCNV93$ZZhPHK;*v%>usaU2-a7$yzXeHFr!GzppJonyooCLAa5^ z6Ul?K1}fCEYEAE;ayMlgqt*AR%rHJMAutIB1uG5%0vZJX1Qe%Orlzq$QUFB /dev/null | grep \"version\" | jq -r .id) +if [ -z "$KAFKA_CLUSTER_ID" ]; then + echo "Failed to retrieve kafka cluster id from zookeeper" + exit 1 +fi + +## Login into MDS +CA_CERT=./certs/snakeoil-ca-1.crt +XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090 + +SUPER_USER=professor +SUPER_USER_PASSWORD=professor +SUPER_USER_PRINCIPAL="User:$SUPER_USER" + +## Create Service Roles +CONNECT_PRINCIPAL="User:fry" +C3_PRINCIPAL="User:hermes" +SR_PRINCIPAL="User:leela" +OTHER_PRINCIPAL="User:zoidberg" + +CONNECT=connect-cluster +SR=schema-registry +C3=c3-cluster + + +################################### SETUP SUPERUSER ################################### +echo "Creating Super User role bindings" + +confluent iam rolebinding create \ + --principal $SUPER_USER_PRINCIPAL \ + --role SystemAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID + +confluent iam rolebinding 
create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --schema-registry-cluster-id $SR
+
+confluent iam rolebinding create \
+ --principal $SUPER_USER_PRINCIPAL \
+ --role SystemAdmin \
+ --kafka-cluster-id $KAFKA_CLUSTER_ID \
+ --connect-cluster-id $CONNECT
+
+echo "Finished setting up role bindings"
+echo " kafka cluster id: $KAFKA_CLUSTER_ID"
+echo " connect cluster id: $CONNECT"
+echo " schema registry cluster id: $SR"
+echo
+echo " super user account: $SUPER_USER_PRINCIPAL"
+echo " connect service account: $CONNECT_PRINCIPAL"
+echo " schema registry service account: $SR_PRINCIPAL"
+echo " C3 service account: $C3_PRINCIPAL"
+echo " Other service account: $OTHER_PRINCIPAL"
diff --git a/docker/rbac-tls/create-config.sh b/docker/rbac-tls/create-config.sh
new file mode 100755
index 000000000..5c55026a8
--- /dev/null
+++ b/docker/rbac-tls/create-config.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Generating public and private keys for token signing
+echo "Generating public and private keys for token signing"
+mkdir -p ./conf
+openssl genrsa -out ./conf/keypair.pem 2048
+openssl rsa -in ./conf/keypair.pem -outform PEM -pubout -out ./conf/public.pem
diff --git a/docker/rbac-tls/create-roles-streams-app.sh b/docker/rbac-tls/create-roles-streams-app.sh
new file mode 100755
index 000000000..6c05d066c
--- /dev/null
+++ b/docker/rbac-tls/create-roles-streams-app.sh
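Review bot: create-config.sh has no error handling, so a failing `mkdir -p ./conf` or `openssl genrsa` goes unnoticed and the following `openssl rsa` step runs against a missing or stale `./conf/keypair.pem`; add `set -euo pipefail` right after the shebang. The script also overwrites an existing keypair on every run, which presumably invalidates tokens signed with the previous key; a guard such as `[ -f ./conf/keypair.pem ] || openssl genrsa -out ./conf/keypair.pem 2048` would make reruns idempotent. Since `./conf/keypair.pem` is the token-signing private key, it is worth confirming that `./conf` is git-ignored, which is not visible in this hunk.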
@@ -0,0 +1,92 @@ +#!/usr/bin/env bash + +## Login into MDS +XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --url http://localhost:8090 + + +## Create Service Roles +STREAMS_PRINCIPAL="User:zoidberg" +KAFKA_CLUSTER_ID="x64IAgb0TfOs-3-YoGB4gA" + +################################### STREAMS ################################### + +echo "Creating Kafka Streams role bindings" + +# Allow Streams to read the input topics: +#kafka-acls -authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --operation Read --topic source-topic +# Allow Streams to write to the output topics: +#kafka-acls -authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --operation Write --topic target-topic + +# Allow Streams to manage its own internal topics and consumer groups: +#kafka-acls -authorizer-properties zookeeper.connect=zookeeper:2181 --add --allow-principal User:alice --operation All --resource-pattern-type prefixed --topic porsche-streams-app --group porsche-streams-app + + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperRead \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --resource "Topic:source-topic" + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperWrite \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --resource "Topic:target-topic" + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperRead \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --prefix \ + --resource "Topic:porsche-streams-app" + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperWrite \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --prefix \ + --resource "Topic:porsche-streams-app" + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperManage \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --prefix \ + --resource "Topic:porsche-streams-app" + 
+ +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperRead \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --prefix \ + --resource "Group:porsche-streams-app" + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperWrite \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --prefix \ + --resource "Group:porsche-streams-app" + +confluent iam rolebinding create \ + --principal $STREAMS_PRINCIPAL \ + --role DeveloperManage \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --prefix \ + --resource "Group:porsche-streams-app" + + +confluent iam rolebinding list --principal $STREAMS_PRINCIPAL --kafka-cluster-id $KAFKA_CLUSTER_ID + +## created roles +#Role | ResourceType | Name | PatternType +#+-----------------+--------------+---------------------+-------------+ +#DeveloperManage | Topic | porsche-streams-app | PREFIXED +#DeveloperManage | Group | porsche-streams-app | PREFIXED +#DeveloperRead | Topic | source-topic | LITERAL +#DeveloperRead | Topic | porsche-streams-app | PREFIXED +#DeveloperRead | Group | porsche-streams-app | PREFIXED +#DeveloperWrite | Topic | target-topic | LITERAL +#DeveloperWrite | Topic | porsche-streams-app | PREFIXED +#DeveloperWrite | Group | porsche-streams-app | PREFIXED diff --git a/docker/rbac-tls/create-roles.sh b/docker/rbac-tls/create-roles.sh new file mode 100755 index 000000000..1bba922f0 --- /dev/null +++ b/docker/rbac-tls/create-roles.sh 
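Review bot: In docker/rbac-tls/create-roles-streams-app.sh the login goes to `http://localhost:8090`, while this commit's docker-compose.yml sets the MDS listener to `https://0.0.0.0:8090` and create-roles.sh logs in with `--ca-cert-path`; as written the login would either fail or put the professor credentials on an unencrypted connection. It should match the sibling script: `confluent login --ca-cert-path certs/snakeoil-ca-1.crt --url https://localhost:8090`. `KAFKA_CLUSTER_ID` is also hard-coded to `x64IAgb0TfOs-3-YoGB4gA`, which presumably matches only one particular cluster instance; create-roles.sh reads the id from ZooKeeper and the same lookup belongs here. The commented-out `kafka-acls` lines still name `User:alice` rather than the `User:zoidberg` principal the bindings are created for.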
@@ -0,0 +1,133 @@ +#!/usr/bin/env bash + +################################## GET KAFKA CLUSTER ID ######################## +ZK_CONTAINER=zookeeper +ZK_PORT=2181 +echo "Retrieving Kafka cluster id from docker-container '$ZK_CONTAINER' port '$ZK_PORT'" +KAFKA_CLUSTER_ID=$(docker exec -it $ZK_CONTAINER zookeeper-shell localhost:$ZK_PORT get /cluster/id 2> /dev/null | grep \"version\" | jq -r .id) +if [ -z "$KAFKA_CLUSTER_ID" ]; then + echo "Failed to retrieve kafka cluster id from zookeeper" + exit 1 +fi + +## Login into MDS +CA_CERT=certs/snakeoil-ca-1.crt +XX_CONFLUENT_USERNAME=professor XX_CONFLUENT_PASSWORD=professor confluent login --ca-cert-path $CA_CERT --url https://localhost:8090 + +SUPER_USER=professor +SUPER_USER_PASSWORD=professor +SUPER_USER_PRINCIPAL="User:$SUPER_USER" + +## Create Service Roles +CONNECT_PRINCIPAL="User:fry" +C3_PRINCIPAL="User:hermes" +SR_PRINCIPAL="User:leela" +OTHER_PRINCIPAL="User:zoidberg" + +CONNECT=connect-cluster +SR=schema-registry +C3=c3-cluster + +################################### SETUP SUPERUSER ################################### +echo "Creating Super User role bindings" + +confluent iam rolebinding create \ + --principal $SUPER_USER_PRINCIPAL \ + --role SystemAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID + +confluent iam rolebinding create \ + --principal $SUPER_USER_PRINCIPAL \ + --role SystemAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --schema-registry-cluster-id $SR + +confluent iam rolebinding create \ + --principal $SUPER_USER_PRINCIPAL \ + --role SystemAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --connect-cluster-id $CONNECT + +################################### SCHEMA REGISTRY ################################### +echo "Creating Schema Registry role bindings" + +# SecurityAdmin on SR cluster itself +confluent iam rolebinding create \ + --principal $SR_PRINCIPAL \ + --role SecurityAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --schema-registry-cluster-id $SR + +# ResourceOwner for groups and 
topics on broker +for resource in Topic:_schemas Group:schema-registry +do + confluent iam rolebinding create \ + --principal $SR_PRINCIPAL \ + --role ResourceOwner \ + --resource $resource \ + --kafka-cluster-id $KAFKA_CLUSTER_ID +done + +################################### CONNECT ################################### +echo "Creating Connect role bindings" + +# SecurityAdmin on the connect cluster itself +confluent iam rolebinding create \ + --principal $CONNECT_PRINCIPAL \ + --role SecurityAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID \ + --connect-cluster-id $CONNECT + +# ResourceOwner for groups and topics on broker +declare -a ConnectResources=( + "Topic:connect-configs" + "Topic:connect-offsets" + "Topic:connect-status" + "Group:connect-cluster" + "Group:secret-registry" + "Topic:_confluent-secrets" +) +for resource in ${ConnectResources[@]} +do + confluent iam rolebinding create \ + --principal $CONNECT_PRINCIPAL \ + --role ResourceOwner \ + --resource $resource \ + --kafka-cluster-id $KAFKA_CLUSTER_ID +done + +################################### C3 ################################### +echo "Creating C3 role bindings" + +# C3 only needs SystemAdmin on the kafka cluster itself +confluent iam rolebinding create \ + --principal $C3_PRINCIPAL \ + --role SystemAdmin \ + --kafka-cluster-id $KAFKA_CLUSTER_ID + +################################### OTHER ROLE ################################### + +confluent iam rolebinding create \ + --principal $OTHER_PRINCIPAL \ + --role DeveloperWrite \ + --resource "Topic:connect-configs" \ + --kafka-cluster-id $KAFKA_CLUSTER_ID + + +confluent iam rolebinding create \ + --principal $OTHER_PRINCIPAL \ + --role ResourceOwner \ + --resource "Topic:zaragoza." 
\ + --prefix \ + --kafka-cluster-id $KAFKA_CLUSTER_ID + +echo "Finished setting up role bindings" +echo " kafka cluster id: $KAFKA_CLUSTER_ID" +echo " connect cluster id: $CONNECT" +echo " schema registry cluster id: $SR" +echo +echo " super user account: $SUPER_USER_PRINCIPAL" +echo " connect service account: $CONNECT_PRINCIPAL" +echo " schema registry service account: $SR_PRINCIPAL" +echo " C3 service account: $C3_PRINCIPAL" +echo " Other service account: $OTHER_PRINCIPAL" diff --git a/docker/rbac-tls/docker-compose.yml b/docker/rbac-tls/docker-compose.yml new file mode 100644 index 000000000..ada355574 --- /dev/null +++ b/docker/rbac-tls/docker-compose.yml 
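Review bot: The cluster-id lookup at the top of docker/rbac-tls/create-roles.sh uses `docker exec -it` inside a command substitution; `-t` needs a terminal on stdin, so the script stops with "Failed to retrieve kafka cluster id" under CI or any non-interactive shell, and plain `docker exec $ZK_CONTAINER zookeeper-shell ...` is enough here. The result of `confluent login` is never checked, and `CA_CERT` is a relative path, so when the script is started from another directory every `rolebinding create` fails while the last lines still print "Finished setting up role bindings"; `set -e` or `|| exit 1` after the login would stop that. `SUPER_USER_PASSWORD` is assigned but unused, and the login line repeats the literal credentials instead of the variables. The C3 comment says the principal "only needs" SystemAdmin, which is the broadest role granted in this script, so I would reword it to `# test shortcut: C3 gets SystemAdmin on the kafka cluster`.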
@@ -0,0 +1,492 @@ +--- +version: '2.3' +services: + + phpldapadmin-service: + image: osixia/phpldapadmin:0.7.2 + container_name: ldapadmin-service + environment: + - PHPLDAPADMIN_LDAP_HOSTS=openldap + ports: + - "6444:443" + depends_on: + - openldap + + openldap: + image: rroemhild/test-openldap + hostname: openldap + container_name: openldap + ports: + - "389:389" + privileged: true + + zookeeper: + image: confluentinc/cp-zookeeper:${TAG} + hostname: zookeeper + container_name: zookeeper + ports: + - "2181:2181" + environment: + ZOOKEEPER_CLIENT_PORT: 2181 + ZOOKEEPER_TICK_TIME: 2000 + + broker: + image: confluentinc/cp-server:${TAG} + hostname: broker + container_name: broker + networks: + default: + aliases: + - broker + - thusnelda + depends_on: + - 'zookeeper' + - 'openldap' + ports: + - "8090:8090" + - "8091:8091" + - "9092:9092" + - "9093:9093" + - "9094:9094" + - "9095:9095" + volumes: + - ./certs/:/etc/kafka/secrets/ + - ./conf:/tmp/conf + - ./client-configs:/etc/client-configs + - ./kafka/:/etc/kafka/ + - ./jvm/:/etc/kafka/jvm/ + environment: + KAFKA_LOG4J_LOGGERS: kafka.controller=INFO,kafka.authorizer.logger=DEBUG + KAFKA_LOG4J_ROOT_LOGLEVEL: DEBUG + KAFKA_SUPER_USERS: User:admin;User:kafka;User:professor;User:ANONYMOUS + KAFKA_BROKER_ID: 1 + KAFKA_ZOOKEEPER_CONNECT: 'zookeeper:2181' + KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 1 + KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: https://schema-registry:8081 + KAFKA_ADVERTISED_LISTENERS: INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095 + KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL + KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER + + # Configure interbroker listener + KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL + + ############################ SSL SETTINGS ##################################### + KAFKA_LISTENER_NAME_INTERNAL_SECURITY_PROTOCOL: SSL + KAFKA_LISTENER_NAME_INTERNAL_SSL_TRUSTSTORE_LOCATION: 
/etc/kafka/secrets/kafka.truststore.jks + KAFKA_LISTENER_NAME_INTERNAL_SSL_TRUSTSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_INTERNAL_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks + KAFKA_LISTENER_NAME_INTERNAL_SSL_KEYSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_INTERNAL_SSL_KEY_PASSWORD: confluent + + KAFKA_LISTENER_NAME_EXTERNAL_SECURITY_PROTOCOL: SSL + KAFKA_LISTENER_NAME_EXTERNAL_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks + KAFKA_LISTENER_NAME_EXTERNAL_SSL_TRUSTSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks + KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEYSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_EXTERNAL_SSL_KEY_PASSWORD: confluent + + KAFKA_LISTENER_NAME_TOKEN_SECURITY_PROTOCOL: SSL + KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks + KAFKA_LISTENER_NAME_TOKEN_SSL_TRUSTSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_TOKEN_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks + KAFKA_LISTENER_NAME_TOKEN_SSL_KEYSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_TOKEN_SSL_KEY_PASSWORD: confluent + + KAFKA_LISTENER_NAME_TOKENE_SECURITY_PROTOCOL: SSL + KAFKA_LISTENER_NAME_TOKENE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/thusnelda.truststore.jks + KAFKA_LISTENER_NAME_TOKENE_SSL_TRUSTSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_TOKENE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/thusnelda.keystore.jks + KAFKA_LISTENER_NAME_TOKENE_SSL_KEYSTORE_PASSWORD: confluent + KAFKA_LISTENER_NAME_TOKENE_SSL_KEY_PASSWORD: confluent + + KAFKA_SSL_CLIENT_AUTH: required + #KAFKA_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=(.*?),.*$$/$$1/,DEFAULT + + KAFKA_LISTENER_NAME_INTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT + KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/kafka/ , DEFAULT + + # Configure token listener + 
KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS: OAUTHBEARER + KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler + KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler + KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_JAAS_CONFIG: | + \ + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + publicKeyPath="/tmp/conf/public.pem"; + + KAFKA_LISTENER_NAME_TOKENE_SASL_ENABLED_MECHANISMS: OAUTHBEARER + KAFKA_LISTENER_NAME_TOKENE_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler + KAFKA_LISTENER_NAME_TOKENE_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler + KAFKA_LISTENER_NAME_TOKENE_OAUTHBEARER_SASL_JAAS_CONFIG: | + \ + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + publicKeyPath="/tmp/conf/public.pem"; + + # CONFIGURE AUTHORIZER + KAFKA_AUTHORIZER_CLASS_NAME: io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer + KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS: CONFLUENT,ZK_ACL + KAFKA_CONFLUENT_AUTHORIZER_GROUP_PROVIDER: RBAC + + # ======================== CONFIGURE MDS ==================================== + KAFKA_CONFLUENT_METADATA_TOPIC_REPLICATION_FACTOR: 1 + + # Configure MDS listener and http(s) server + KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_METHOD: BEARER + KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_ROLES: '**' + KAFKA_CONFLUENT_METADATA_SERVER_LISTENERS: https://0.0.0.0:8090 + KAFKA_CONFLUENT_METADATA_SERVER_ADVERTISED_LISTENERS: https://broker:8090 + KAFKA_CONFLUENT_METADATA_SERVER_OPENAPI_ENABLE: "true" + + ## SSL settings for MDS + KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_LOCATION: 
/etc/kafka/secrets/mds.keystore.jks + KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_PASSWORD: confluent + KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEY_PASSWORD: confluent + KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/mds.truststore.jks + KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_PASSWORD: confluent + + # Configure RBAC token server (authentication) + KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_AUTH_ENABLE: 'true' + KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_MAX_LIFETIME_MS: 3600000 + KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_SIGNATURE_ALGORITHM: RS256 + KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_KEY_PATH: /tmp/conf/keypair.pem + KAFKA_CONFLUENT_METADATA_SERVER_PUBLIC_KEY_PATH: /tmp/conf/public.pem + + # Configure MDS to talk to AD/LDAP + KAFKA_LDAP_JAVA_NAMING_FACTORY_INITIAL: com.sun.jndi.ldap.LdapCtxFactory + KAFKA_LDAP_COM_SUN_JNDI_LDAP_READ_TIMEOUT: 3000 + KAFKA_LDAP_JAVA_NAMING_PROVIDER_URL: ldap://openldap:389 + # how to authenticate to LDAP + KAFKA_LDAP_JAVA_NAMING_SECURITY_PRINCIPAL: cn=admin,dc=planetexpress,dc=com + KAFKA_LDAP_JAVA_NAMING_SECURITY_CREDENTIALS: GoodNewsEveryone + KAFKA_LDAP_JAVA_NAMING_SECURITY_AUTHENTICATION: simple + # how to locate users and groups + KAFKA_LDAP_USER_SEARCH_BASE: ou=people,dc=planetexpress,dc=com + KAFKA_LDAP_GROUP_SEARCH_BASE: ou=people,dc=planetexpress,dc=com + KAFKA_LDAP_USER_NAME_ATTRIBUTE: uid + KAFKA_LDAP_USER_OBJECT_CLASS: inetOrgPerson + KAFKA_LDAP_USER_MEMBEROF_ATTRIBUTE: ou + KAFKA_LDAP_GROUP_NAME_ATTRIBUTE: cn + KAFKA_LDAP_GROUP_OBJECT_CLASS: group + + # ======================= CONFIGURE METRICS REPORTER ========================= + KAFKA_METRIC_REPORTERS: io.confluent.metrics.reporter.ConfluentMetricsReporter + CONFLUENT_METRICS_REPORTER_BOOTSTRAP_SERVERS: localhost:9093 + CONFLUENT_METRICS_REPORTER_TOPIC_REPLICAS: 1 + CONFLUENT_METRICS_REPORTER_SECURITY_PROTOCOL: SSL + CONFLUENT_METRICS_REPORTER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.truststore.jks + 
CONFLUENT_METRICS_REPORTER_SSL_TRUSTSTORE_PASSWORD: confluent + CONFLUENT_METRICS_REPORTER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.keystore.jks + CONFLUENT_METRICS_REPORTER_SSL_KEYSTORE_PASSWORD: confluent + CONFLUENT_METRICS_REPORTER_SSL_KEY_PASSWORD: confluent + + # ======================= OTHER BROKER STUFF ================================= + KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1 + SSL_ENABLED_PROTOCOLS: TLSv1.2 + KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties" + KAFKA_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + # KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: 0 + # CONFLUENT_METRICS_ENABLE: 'true' + # CONFLUENT_SUPPORT_CUSTOMER_ID: 'anonymous' + + schema-registry: + image: confluentinc/cp-schema-registry:${TAG} + hostname: schema-registry + container_name: schema-registry + depends_on: + - broker + ports: + - "8081:8081" + volumes: + - ./certs/:/etc/kafka/secrets/ + - ./conf:/tmp/conf + - ./jvm/:/etc/kafka/jvm/ + environment: + CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-security/schema-registry/*:/usr/share/java/schema-registry/*:/usr/share/java/cp-base-new/*' + SCHEMA_REGISTRY_LISTENERS: https://0.0.0.0:8081 + SCHEMA_REGISTRY_HOST_NAME: schema-registry + # This is only needed if you don't have a license and would like to test as part of a trial period + SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper:2181 + + # configure how to connect to kafka for SR to store its internal info + 
SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: broker:9094 + SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_SSL + SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: OAUTHBEARER + SCHEMA_REGISTRY_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler + SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG: | + \ + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="leela" \ + password="leela" \ + metadataServerUrls="https://broker:8090"; + + SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.truststore.jks + SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: confluent + SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.keystore.jks + SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD: confluent + SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD: confluent + + SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas + SCHEMA_REGISTRY_DEBUG: 'true' + + SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.truststore.jks + SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: confluent + SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/schemaregistry.keystore.jks + SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: confluent + SCHEMA_REGISTRY_SSL_KEY_PASSWORD: confluent + SCHEMA_REGISTRY_SSL_CLIENT_AUTH: 'false' + + SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: "https" + + # ======================= RBAC ================================= + SCHEMA_REGISTRY_SCHEMA_REGISTRY_RESOURCE_EXTENSION_CLASS: io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension + SCHEMA_REGISTRY_CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CLASS: io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer + SCHEMA_REGISTRY_REST_SERVLET_INITIALIZOR_CLASSES: io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler + # how to connect to MDS + 
SCHEMA_REGISTRY_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://broker:8090 + SCHEMA_REGISTRY_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC + SCHEMA_REGISTRY_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: leela:leela + # public key to verify tokens during authentication + SCHEMA_REGISTRY_PUBLIC_KEY_PATH: /tmp/conf/public.pem + SCHEMA_REGISTRY_SSL_ENABLED_PROTOCOLS: TLSv1.2 + KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties" + SCHEMA_REGISTRY_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + + connect: + image: confluentinc/cp-server-connect:${TAG} + hostname: connect + container_name: connect + depends_on: + - 'broker' + ports: + - "8083:8083" + volumes: + - ./certs/:/etc/kafka/secrets/ + - ./conf:/tmp/conf + - ./jvm/:/etc/kafka/jvm/ + environment: + CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-security/connect/*:/usr/share/java/kafka/*:/usr/share/java/cp-base-new/*' + CLASSPATH: "/usr/share/java/monitoring-interceptors/*" + CONNECT_REST_ADVERTISED_HOST_NAME: connect + CONNECT_LISTENERS: https://0.0.0.0:8083 + CONNECT_REST_PORT: 8083 + CONNECT_GROUP_ID: connect-cluster + CONNECT_REPLICATION_FACTOR: 1 + # configs storage topic + CONNECT_CONFIG_STORAGE_TOPIC: connect-configs + CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 1 + # offsets storage topic and settings + CONNECT_OFFSET_STORAGE_TOPIC: connect-offsets + CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 1 + CONNECT_OFFSET_FLUSH_INTERVAL_MS: 10000 + # 
status storage topic + CONNECT_STATUS_STORAGE_TOPIC: connect-status + CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 1 + + # Default to Json converters: + CONNECT_KEY_CONVERTER: org.apache.kafka.connect.json.JsonConverter + CONNECT_VALUE_CONVERTER: org.apache.kafka.connect.json.JsonConverter + CONNECT_INTERNAL_KEY_CONVERTER: org.apache.kafka.connect.json.JsonConverter + CONNECT_INTERNAL_VALUE_CONVERTER: org.apache.kafka.connect.json.JsonConverter + + CONNECT_LOG4J_ROOT_LOGLEVEL: INFO + CONNECT_LOG4J_LOGGERS: org.reflections=ERROR + + # Connect to broker + CONNECT_BOOTSTRAP_SERVERS: broker:9094 + CONNECT_SECURITY_PROTOCOL: SASL_SSL + # RBAC + CONNECT_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="fry" \ + password="fry" \ + metadataServerUrls="https://broker:8090"; + + # Connect Worker + CONNECT_SECURITY_PROTOCOL: SASL_SSL + CONNECT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_SSL_KEY_PASSWORD: confluent + + # Allow overriding configs on the connector level + CONNECT_CONNECTOR_CLIENT_CONFIG_OVERRIDE_POLICY: 'All' + + # Default producers configuration + CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_SSL + CONNECT_PRODUCER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_PRODUCER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_PRODUCER_SSL_KEY_PASSWORD: confluent + CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor" + 
CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent + + # Producer + CONNECT_PRODUCER_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_PRODUCER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="fry" \ + password="fry" \ + metadataServerUrls="https://broker:8090"; + + # Default consumer configs + CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_SSL + CONNECT_CONSUMER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_CONSUMER_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_CONSUMER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_CONSUMER_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_CONSUMER_SSL_KEY_PASSWORD: confluent + CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor" + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + 
CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent + + CONNECT_CONSUMER_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_CONSUMER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: | + org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="fry" \ + password="fry" \ + metadataServerUrls="https://broker:8090"; + + # Default admin config + CONNECT_ADMIN_SECURITY_PROTOCOL: SASL_SSL + CONNECT_ADMIN_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_ADMIN_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_ADMIN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_ADMIN_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_ADMIN_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_ADMIN_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_ADMIN_SSL_KEY_PASSWORD: confluent + + # Load confluent plugins + CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components" + # ============================== RBAC ======================================== + CONNECT_REST_EXTENSION_CLASSES: 'io.confluent.connect.security.ConnectSecurityExtension,io.confluent.connect.secretregistry.ConnectSecretRegistryExtension' + CONNECT_REST_SERVLET_INITIALIZOR_CLASSES: 
'io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler' + CONNECT_PUBLIC_KEY_PATH: '/tmp/conf/public.pem' + + CONNECT_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: 'https://broker:8090' + CONNECT_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: 'fry:fry' + CONNECT_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: 'BASIC' + # ========================= OTHERS ========================= + KAFKA_OPTS: -Djavax.net.ssl.trustStore=/etc/kafka/secrets/connect.truststore.jks + -Djavax.net.ssl.trustStorePassword=confluent + -Djavax.net.ssl.keyStore=/etc/kafka/secrets/connect.keystore.jks + -Djavax.net.ssl.keyStorePassword=confluent + -Djava.security.properties=/etc/kafka/jvm/security-policy.properties + # ========================= SECRET REGISTRY ================================== + CONNECT_CONFIG_PROVIDERS: 'secret' + CONNECT_CONFIG_PROVIDERS_SECRET_CLASS: 'io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider' + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_MASTER_ENCRYPTION_KEY: 'password1234' + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_BOOTSTRAP_SERVERS: broker:9094 + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SECURITY_PROTOCOL: SASL_SSL + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/connect.truststore.jks + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: confluent + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/connect.keystore.jks + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEYSTORE_PASSWORD: confluent + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEY_PASSWORD: confluent + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_MECHANISM: 'OAUTHBEARER' + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler' + CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_JAAS_CONFIG: | 
+ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="fry" \ + password="fry" \ + metadataServerUrls="https://broker:8090"; + CONNECT_SSL_ENABLED_PROTOCOLS: TLSv1.2 + CONNECT_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + + control-center: + image: confluentinc/cp-enterprise-control-center:${TAG} + hostname: control-center + container_name: control-center + depends_on: + - 'zookeeper' + - 'broker' + #- 'connect' + ports: + - "9021:9021" + volumes: + - ./certs/:/etc/kafka/secrets/ + - ./conf:/tmp/conf + - ./jvm/:/etc/kafka/jvm/ + environment: + # CUB CLASSPATH + CUB_CLASSPATH: '/etc/confluent/docker/docker-utils.jar:/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*' + # general settings + #CONTROL_CENTER_LOG4J_ROOT_LOGLEVEL: DEBUG + CONTROL_CENTER_BOOTSTRAP_SERVERS: 'SASL_SSL://broker:9094' + CONTROL_CENTER_ZOOKEEPER_CONNECT: 'zookeeper:2181' + + CONTROL_CENTER_REPLICATION_FACTOR: 1 + CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1 + CONFLUENT_METRICS_TOPIC_REPLICATION: 1 + CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1 + CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_REPLICATION: 1 + CONTROL_CENTER_METRICS_TOPIC_REPLICATION: 1 + CONTROL_CENTER_METRICS_TOPIC_PARTITIONS: 1 + + PORT: 9021 + + # ========================= other services ============================== + # connect + CONTROL_CENTER_CONNECT_CONNECT1_CLUSTER: https://connect:8083 + # schema-registry + 
CONTROL_CENTER_SCHEMA_REGISTRY_URL: https://schema-registry:8081 + + # ========================= RBAC ================================= + CONTROL_CENTER_REST_AUTHENTICATION_METHOD: BEARER + PUBLIC_KEY_PATH: /tmp/conf/public.pem + CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://broker:8090 + CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: hermes:hermes + + CONTROL_CENTER_REST_LISTENERS: https://0.0.0.0:9021 + CONTROL_CENTER_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/controlcenter.truststore.jks + CONTROL_CENTER_REST_SSL_TRUSTSTORE_PASSWORD: confluent + CONTROL_CENTER_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/controlcenter.keystore.jks + CONTROL_CENTER_REST_SSL_KEYSTORE_PASSWORD: confluent + CONTROL_CENTER_REST_SSL_KEY_PASSWORD: confluent + + CONTROL_CENTER_STREAMS_CPREST_URL: https://broker:8090 + + # internal streams application + CONTROL_CENTER_STREAMS_CACHE_MAX_BYTES_BUFFERING: 100000000 + CONTROL_CENTER_STREAMS_CONSUMER_REQUEST_TIMEOUT_MS: "960032" + CONTROL_CENTER_STREAMS_NUM_STREAM_THREADS: 1 + + CONTROL_CENTER_STREAMS_SECURITY_PROTOCOL: SASL_SSL + CONTROL_CENTER_STREAMS_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/controlcenter.truststore.jks + CONTROL_CENTER_STREAMS_SSL_TRUSTSTORE_PASSWORD: confluent + CONTROL_CENTER_STREAMS_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/controlcenter.keystore.jks + CONTROL_CENTER_STREAMS_SSL_KEYSTORE_PASSWORD: confluent + CONTROL_CENTER_STREAMS_SSL_KEY_PASSWORD: confluent + + # The following configs are not required by C3 itself, but are required by cub to be able to connect to kafka to check if its ready + # Seems like C3 would generate these configs when started, but cub runs before C3 starts, so it doesn't have access to these configs + CONTROL_CENTER_STREAMS_SASL_MECHANISM: OAUTHBEARER + CONTROL_CENTER_STREAMS_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler + CONTROL_CENTER_STREAMS_SASL_JAAS_CONFIG: | + \ + 
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ + username="hermes" \ + password="hermes" \ + metadataServerUrls="https://broker:8090"; + CONTROL_CENTER_SSL_ENABLED_PROTOCOLS: TLSv1.2 + KAFKA_OPTS: " -Djava.security.properties=/etc/kafka/jvm/security-policy.properties" + CONTROL_CENTER_SSL_CIPHER_SUITES: TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 diff --git a/docker/rbac-tls/jvm/security-policy.properties b/docker/rbac-tls/jvm/security-policy.properties new file mode 100644 index 000000000..3fa5e6db8 --- /dev/null +++ b/docker/rbac-tls/jvm/security-policy.properties @@ -0,0 +1,6 @@ +jdk.tls.disabledAlgorithms=EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048 +jdk.certpath.disabledAlgorithms=MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048 +jdk.tls.rejectClientInitiatedRenegotiation=true +jdk.tls.ephemeralDHKeySize=2048 +com.sun.security.enableCRLDP=true +com.sun.net.ssl.checkRevocation=true diff --git a/docker/rbac-tls/kafka/client.properties b/docker/rbac-tls/kafka/client.properties new file mode 100644 index 000000000..d821b5518 --- /dev/null +++ b/docker/rbac-tls/kafka/client.properties @@ -0,0 +1,5 @@ +security.protocol=SSL +ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks +ssl.truststore.password=confluent +ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks +ssl.keystore.password=confluent 
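Review bot: On the broker service, `KAFKA_LISTENER_NAME_EXTERNAL_SSL_PRINCIPAL_MAPPING_RULES` rewrites every matching certificate CN to `kafka`, and `KAFKA_SUPER_USERS` lists `User:kafka` (and `User:ANONYMOUS`), so any client presenting a certificate the truststore accepts on the EXTERNAL listener appears to be treated as a super user and the role bindings are never evaluated for it. For a cluster meant to exercise RBAC this hides authorization failures; I would reuse the INTERNAL rule, `RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT`, and reduce the list to `KAFKA_SUPER_USERS: User:admin;User:kafka;User:professor`. The same two values are repeated in docker/rbac-tls/kafka/kafka.properties later in this commit. Smaller items in the same file: `CONNECT_SECURITY_PROTOCOL` is defined twice in the connect environment map, `openldap` runs with `privileged: true` without a stated need, and `CONNECT_CONNECTOR_CLIENT_CONFIG_OVERRIDE_POLICY: 'All'` deserves a comment that it is for test use only.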
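Review bot: In docker/rbac-tls/jvm/security-policy.properties the `jdk.tls.disabledAlgorithms` line replaces the JDK's shipped value rather than adding to it, so whatever the JDK build disables by default (old protocol versions and weak ciphers) is no longer listed, and `EC keySize < 160` looks looser than the usual default. The Kafka listeners are pinned to TLSv1.2 and an explicit suite list elsewhere in this commit, but other TLS use inside the same JVM is not covered by that. I would copy the default line from the JDK's own `java.security` and append `RSA keySize < 2048, DSA keySize < 2048` to it. The last four keys (`jdk.tls.rejectClientInitiatedRenegotiation`, `jdk.tls.ephemeralDHKeySize`, `com.sun.security.enableCRLDP`, `com.sun.net.ssl.checkRevocation`) are, as far as I know, JVM system properties, so they likely have no effect in a security-properties file and belong in `KAFKA_OPTS` as `-D` flags.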
diff --git a/docker/rbac-tls/kafka/kafka.properties b/docker/rbac-tls/kafka/kafka.properties
new file mode 100644
index 000000000..e68dffe8d
--- /dev/null
+++ b/docker/rbac-tls/kafka/kafka.properties
@@ -0,0 +1,97 @@
+confluent.metadata.server.public.key.path=/tmp/conf/public.pem
+listener.name.tokene.ssl.keystore.password=confluent
+listener.name.tokene.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+listener.name.tokene.oauthbearer.sasl.jaas.config=\
+org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+publicKeyPath="/tmp/conf/public.pem";
+
+confluent.metadata.server.token.max.lifetime.ms=3600000
+ldap.user.search.base=ou=people,dc=planetexpress,dc=com
+confluent.metadata.server.ssl.truststore.password=confluent
+confluent.metadata.server.ssl.keystore.location=/etc/kafka/secrets/mds.keystore.jks
+confluent.metadata.server.advertised.listeners=https://broker:8090
+listener.name.external.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/kafka/ , DEFAULT
+ldap.group.name.attribute=cn
+broker.id=1
+confluent.metadata.server.authentication.method=BEARER
+listener.name.internal.ssl.keystore.password=confluent
+listener.name.internal.ssl.key.password=confluent
+confluent.metadata.server.listeners=https://0.0.0.0:8090
+sasl.enabled.mechanisms=OAUTHBEARER
+ldap.java.naming.security.authentication=simple
+listener.name.internal.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ldap.user.name.attribute=uid
+advertised.listeners=INTERNAL://localhost:9093,EXTERNAL://localhost:9092,TOKEN://localhost:9094,TOKENE://thusnelda:9095
+listener.name.token.ssl.truststore.password=confluent
+listener.name.tokene.ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+listener.name.internal.ssl.truststore.password=confluent
+zookeeper.connect=zookeeper:2181
+ldap.group.object.class=group
+listener.name.external.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+confluent.authorizer.access.rule.providers=CONFLUENT,ZK_ACL
+super.users=User:admin;User:kafka;User:professor;User:ANONYMOUS
+ldap.user.object.class=inetOrgPerson
+inter.broker.listener.name=INTERNAL
+listener.name.internal.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.client.auth=required
+ldap.java.naming.provider.url=ldap://openldap:389
+listener.name.tokene.security.protocol=SSL
+listener.name.tokene.ssl.key.password=confluent
+confluent.metadata.server.token.signature.algorithm=RS256
+listener.name.token.security.protocol=SSL
+listener.name.external.security.protocol=SSL
+confluent.metadata.server.token.key.path=/tmp/conf/keypair.pem
+ldap.java.naming.security.principal=cn=admin,dc=planetexpress,dc=com
+listener.name.token.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
+ldap.group.search.base=ou=people,dc=planetexpress,dc=com
+listener.name.token.oauthbearer.sasl.jaas.config=\
+org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
+publicKeyPath="/tmp/conf/public.pem";
+
+confluent.schema.registry.url=https://schema-registry:8081
+listener.name.internal.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/$1/ , DEFAULT
+authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
+confluent.metadata.topic.replication.factor=1
+confluent.metadata.server.ssl.keystore.password=confluent
+listener.name.token.sasl.enabled.mechanisms=OAUTHBEARER
+listener.name.tokene.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+ldap.user.memberof.attribute=ou
+metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
+confluent.metadata.server.authentication.roles=**
+confluent.authorizer.group.provider=RBAC
+listener.name.tokene.ssl.truststore.password=confluent
+confluent.metadata.server.ssl.truststore.location=/etc/kafka/secrets/mds.truststore.jks
+listener.name.token.oauthbearer.sasl.login.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
+listener.name.external.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+confluent.metadata.server.ssl.key.password=confluent
+listener.name.external.ssl.keystore.password=confluent
+offsets.topic.replication.factor=1
+listener.name.external.ssl.truststore.password=confluent
+ldap.com.sun.jndi.ldap.read.timeout=3000
+listener.name.internal.security.protocol=SSL
+listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL,TOKEN:SASL_SSL,TOKENE:SASL_SSL
+listener.name.external.ssl.key.password=confluent
+listener.name.token.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+log.dirs=/var/lib/kafka/data
+listener.name.tokene.ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
+listeners=INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9092,TOKEN://0.0.0.0:9094,TOKENE://0.0.0.0:9095
+confluent.metadata.server.token.auth.enable=true
+ldap.java.naming.security.credentials=GoodNewsEveryone
+listener.name.token.ssl.key.password=confluent
+ldap.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+listener.name.token.ssl.keystore.password=confluent
+confluent.metadata.server.openapi.enable=true
+confluent.license.topic.replication.factor=1
+listener.name.tokene.sasl.enabled.mechanisms=OAUTHBEARER
+listener.name.token.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.cipher.suites=TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+-%}
+
+confluent.metrics.reporter.ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+confluent.metrics.reporter.topic.replicas=1
+confluent.metrics.reporter.ssl.keystore.password=confluent
+confluent.metrics.reporter.ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+confluent.metrics.reporter.ssl.truststore.password=confluent
+confluent.metrics.reporter.ssl.key.password=confluent
+confluent.metrics.reporter.bootstrap.servers=localhost:9093
+confluent.metrics.reporter.security.protocol=SSL
diff --git a/docker/rbac-tls/kafka/log4j.properties b/docker/rbac-tls/kafka/log4j.properties
new file mode 100644
index 000000000..13fb80ec2
--- /dev/null
+++ b/docker/rbac-tls/kafka/log4j.properties
@@ -0,0 +1,16 @@
+
+log4j.rootLogger=DEBUG, stdout
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+
+log4j.logger.kafka.authorizer.logger=DEBUG
+log4j.logger.kafka.log.LogCleaner=INFO
+log4j.logger.kafka.producer.async.DefaultEventHandler=DEBUG
+log4j.logger.kafka.controller=INFO
+log4j.logger.kafka.network.RequestChannel$=WARN
+log4j.logger.kafka.request.logger=WARN
+log4j.logger.state.change.logger=TRACE
+log4j.logger.kafka=INFO
diff --git a/docker/rbac-tls/kafka/professor.properties b/docker/rbac-tls/kafka/professor.properties
new file mode 100644
index 000000000..4b7cd2a21
--- /dev/null
+++ b/docker/rbac-tls/kafka/professor.properties
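Review bot: In `docker/rbac-tls/kafka/kafka.properties`, `listener.name.external.ssl.principal.mapping.rules=RULE:^CN=([a-zA-Z0-9.]*).*$/kafka/ , DEFAULT` rewrites every matching certificate CN to the fixed principal `kafka`, which `super.users` lists, so any client holding a certificate from the trusted CA is a super user on the EXTERNAL listener and RBAC is never evaluated there. If that is intended for the test cluster, say so in a comment; otherwise use the captured name as the INTERNAL listener does, `RULE:^CN=([a-zA-Z0-9.]*).*$/$1/ , DEFAULT`. `User:ANONYMOUS` in `super.users` would also grant full access to any unauthenticated connection if a listener without client authentication is ever added, and should be dropped. The added line `-%}` after `ssl.cipher.suites` looks like a leftover template delimiter.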
@@ -0,0 +1,10 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
+
+
+ssl.truststore.location=/etc/kafka/secrets/kafka.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/kafka.keystore.jks
+ssl.keystore.password=confluent
diff --git a/docker/rbac-tls/kafka/thusnelda.properties b/docker/rbac-tls/kafka/thusnelda.properties
new file mode 100644
index 000000000..8a94a9d65
--- /dev/null
+++ b/docker/rbac-tls/kafka/thusnelda.properties
@@ -0,0 +1,9 @@
+sasl.mechanism=OAUTHBEARER
+security.protocol=SASL_SSL
+sasl.login.callback.handler.class=io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
+sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required username="professor" password="professor" metadataServerUrls="https://localhost:8090";
+
+ssl.truststore.location=/etc/kafka/secrets/thusnelda.truststore.jks
+ssl.truststore.password=confluent
+ssl.keystore.location=/etc/kafka/secrets/thusnelda.keystore.jks
+ssl.keystore.password=confluent
diff --git a/docker/rbac-tls/kafka/tools-log4j.properties b/docker/rbac-tls/kafka/tools-log4j.properties
new file mode 100644
index 000000000..a4b57e06d
--- /dev/null
+++ b/docker/rbac-tls/kafka/tools-log4j.properties
@@ -0,0 +1,7 @@
+
+log4j.rootLogger=WARN, stderr
+
+log4j.appender.stderr=org.apache.log4j.ConsoleAppender
+log4j.appender.stderr.layout=org.apache.log4j.PatternLayout
+log4j.appender.stderr.layout.ConversionPattern=[%d] %p %m (%c)%n
+log4j.appender.stderr.Target=System.err
\ No newline at end of file
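Review bot: `docker/rbac-tls/kafka/thusnelda.properties` uses the thusnelda keystore and truststore, but its `sasl.jaas.config` logs in with `username="professor" password="professor"`, the same identity as `professor.properties`. Since `professor` is listed in the broker's `super.users`, clients using either file bypass the RBAC role bindings this cluster is meant to exercise, so the thusnelda scripts do not test a restricted principal. If a separate user was intended, change the JAAS line to that user's credentials; if sharing the account is deliberate, add a comment such as `# TOKENE listener test: authenticates as professor (super user) on purpose`.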
diff --git a/docker/rbac-tls/scripts/read-als-kafka.sh b/docker/rbac-tls/scripts/read-als-kafka.sh
new file mode 100644
index 000000000..7540fef1b
--- /dev/null
+++ b/docker/rbac-tls/scripts/read-als-kafka.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9092 \
+ --topic test \
+ --consumer.config /etc/kafka/client.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/read-als-professor.sh b/docker/rbac-tls/scripts/read-als-professor.sh
new file mode 100644
index 000000000..62fe59dbf
--- /dev/null
+++ b/docker/rbac-tls/scripts/read-als-professor.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9094 \
+ --topic test \
+ --consumer.config /etc/kafka/professor.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/read-als-thusnelda.sh b/docker/rbac-tls/scripts/read-als-thusnelda.sh
new file mode 100644
index 000000000..dba2863ae
--- /dev/null
+++ b/docker/rbac-tls/scripts/read-als-thusnelda.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-consumer --bootstrap-server thusnelda:9095 \
+ --topic test \
+ --consumer.config /etc/kafka/thusnelda.properties --from-beginning
diff --git a/docker/rbac-tls/scripts/write-als-kafka.sh b/docker/rbac-tls/scripts/write-als-kafka.sh
new file mode 100644
index 000000000..8489659c1
--- /dev/null
+++ b/docker/rbac-tls/scripts/write-als-kafka.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-producer --broker-list broker:9092 \
+ --topic test \
+ --producer.config /etc/kafka/client.properties
diff --git a/docker/rbac-tls/scripts/write-als-professor.sh b/docker/rbac-tls/scripts/write-als-professor.sh
new file mode 100644
index 000000000..18552be81
--- /dev/null
+++ b/docker/rbac-tls/scripts/write-als-professor.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-producer --broker-list broker:9094 \
+ --topic test \
+ --producer.config /etc/kafka/professor.properties
diff --git a/docker/rbac-tls/scripts/write-als-thusnelda.sh b/docker/rbac-tls/scripts/write-als-thusnelda.sh
new file mode 100644
index 000000000..9c1a6b817
--- /dev/null
+++ b/docker/rbac-tls/scripts/write-als-thusnelda.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker-compose exec broker kafka-console-producer --broker-list thusnelda:9095 \
+ --topic test-thusnelda \
+ --producer.config /etc/kafka/thusnelda.properties
diff --git a/docker/rbac-tls/show-kafka-id.sh b/docker/rbac-tls/show-kafka-id.sh
new file mode 100644
index 000000000..5d86de617
--- /dev/null
+++ b/docker/rbac-tls/show-kafka-id.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+################################## GET KAFKA CLUSTER ID ########################
+ZK_CONTAINER=zookeeper
+ZK_PORT=2181
+echo "Retrieving Kafka cluster id from docker-container '$ZK_CONTAINER' port '$ZK_PORT'"
+KAFKA_CLUSTER_ID=$(docker exec -it $ZK_CONTAINER zookeeper-shell localhost:$ZK_PORT get /cluster/id 2> /dev/null | grep \"version\" | jq -r .id)
+if [ -z "$KAFKA_CLUSTER_ID" ]; then
+ echo "Failed to retrieve kafka cluster id from zookeeper"
+ exit 1
+fi
+
+echo $KAFKA_CLUSTER_ID
diff --git a/docker/rbac-tls/start.sh b/docker/rbac-tls/start.sh
new file mode 100755
index 000000000..b61b97060
--- /dev/null
+++ b/docker/rbac-tls/start.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+docker-compose up -d broker
diff --git a/docker/rbac-tls/streams/docker-compose.yaml b/docker/rbac-tls/streams/docker-compose.yaml
new file mode 100644
index 000000000..957104914
--- /dev/null
+++ b/docker/rbac-tls/streams/docker-compose.yaml
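Review bot: In `docker/rbac-tls/show-kafka-id.sh`, the command substitution runs `docker exec -it`, which asks for a TTY; in a non-interactive shell (CI, a pipe) docker refuses to run, and with `2> /dev/null` the reason is hidden behind the generic failure message. With a TTY the output can also carry carriage returns that end up in the id. Use `docker exec "$ZK_CONTAINER" zookeeper-shell "localhost:$ZK_PORT" get /cluster/id` without `-it`, and quote the result, `echo "$KAFKA_CLUSTER_ID"`.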
@@ -0,0 +1,22 @@
+version: '3'
+services:
+
+ zookeeper:
+ image: confluentinc/cp-zookeeper:5.3.0
+ hostname: zookeeper
+ container_name: zookeeper
+ ports:
+ - "2181:2181"
+ environment:
+ ZOOKEEPER_CLIENT_PORT: 2181
+ ZOOKEEPER_TICK_TIME: 2000
+
+ kafka:
+ build: kafka/
+ container_name: kafka
+ depends_on:
+ - zookeeper
+ ports:
+ - "9093:9093"
+ - "29093:29093"
+ command: ["kafka-server-start", "/etc/kafka/server.properties"]
diff --git a/docker/rbac-tls/streams/kafka/Dockerfile b/docker/rbac-tls/streams/kafka/Dockerfile
new file mode 100644
index 000000000..b3115c9b3
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/Dockerfile
@@ -0,0 +1,22 @@
+FROM centos
+MAINTAINER seknop@gmail.com
+ENV container docker
+
+# 1. Adding Confluent repository
+RUN rpm --import https://packages.confluent.io/rpm/5.3/archive.key
+COPY confluent.repo /etc/yum.repos.d/confluent.repo
+RUN yum clean all
+
+# 2. Install zookeeper and kafka
+RUN yum install -y java-1.8.0-openjdk
+RUN yum install -y confluent-kafka-2.12
+RUN yum install -y confluent-security
+
+
+# 3. Configure Kafka and zookeeper for Kerberos
+COPY server.properties /etc/kafka/server.properties
+
+
+EXPOSE 9093
+
+CMD kafka-server-start /etc/kafka/server.properties
diff --git a/docker/rbac-tls/streams/kafka/confluent.repo b/docker/rbac-tls/streams/kafka/confluent.repo
new file mode 100644
index 000000000..6fccc712b
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/confluent.repo
@@ -0,0 +1,13 @@
+[Confluent.dist]
+name=Confluent repository (dist)
+baseurl=https://packages.confluent.io/rpm/5.3/7
+gpgcheck=1
+gpgkey=https://packages.confluent.io/rpm/5.3/archive.key
+enabled=1
+
+[Confluent]
+name=Confluent repository
+baseurl=https://packages.confluent.io/rpm/5.3
+gpgcheck=1
+gpgkey=https://packages.confluent.io/rpm/5.3/archive.key
+enabled=1
diff --git a/docker/rbac-tls/streams/kafka/log4j.properties b/docker/rbac-tls/streams/kafka/log4j.properties
new file mode 100644
index 000000000..d6cf8ff0f
--- /dev/null
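Review bot: In `docker/rbac-tls/streams/kafka/Dockerfile`, `FROM centos` has no tag or digest, so each build pulls whatever `latest` currently is and the image is not reproducible, even though the Confluent repository is pinned to 5.3. Pin the base, e.g. `FROM centos:7` to match the `rpm/5.3/7` baseurl in `confluent.repo`, or use a digest. The image also sets no `USER`, so the broker runs as root inside the container, and the step 3 comment mentions Kerberos although only `server.properties` is copied.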
+++ b/docker/rbac-tls/streams/kafka/log4j.properties 
@@ -0,0 +1,102 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Unspecified loggers and loggers with additivity=true output to server.log and stdout
+# Note that INFO only applies to unspecified loggers, the log level of the child logger is used otherwise
+# Sven is here!
+log4j.rootLogger=INFO, stdout, kafkaAppender
+
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.kafkaAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.kafkaAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.kafkaAppender.File=${kafka.logs.dir}/server.log
+log4j.appender.kafkaAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.kafkaAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.stateChangeAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.stateChangeAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.stateChangeAppender.File=${kafka.logs.dir}/state-change.log
+log4j.appender.stateChangeAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.stateChangeAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.requestAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.requestAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.requestAppender.File=${kafka.logs.dir}/kafka-request.log
+log4j.appender.requestAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.requestAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.cleanerAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.cleanerAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.cleanerAppender.File=${kafka.logs.dir}/log-cleaner.log
+log4j.appender.cleanerAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.cleanerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.controllerAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.controllerAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.controllerAppender.File=${kafka.logs.dir}/controller.log
+log4j.appender.controllerAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.controllerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
+log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+log4j.appender.ldapAppender=org.apache.log4j.DailyRollingFileAppender
+log4j.appender.ldapAppender.DatePattern='.'yyyy-MM-dd-HH
+log4j.appender.ldapAppender.File=${kafka.logs.dir}/kafka-ldap.log
+log4j.appender.ldapAppender.layout=org.apache.log4j.PatternLayout
+log4j.appender.ldapAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
+
+# Change the two lines below to adjust ZK client logging
+log4j.logger.org.I0Itec.zkclient.ZkClient=INFO
+log4j.logger.org.apache.zookeeper=INFO
+
+# Change the two lines below to adjust the general broker logging level (output to server.log and stdout)
+log4j.logger.kafka=INFO
+log4j.logger.org.apache.kafka=INFO
+
+# Change to DEBUG or TRACE to enable request logging
+log4j.logger.kafka.request.logger=WARN, requestAppender
+log4j.additivity.kafka.request.logger=false
+
+# Uncomment the lines below and change log4j.logger.kafka.network.RequestChannel$ to TRACE for additional output
+# related to the handling of requests
+#log4j.logger.kafka.network.Processor=TRACE, requestAppender
+#log4j.logger.kafka.server.KafkaApis=TRACE, requestAppender
+#log4j.additivity.kafka.server.KafkaApis=false
+log4j.logger.kafka.network.RequestChannel$=WARN, requestAppender
+log4j.additivity.kafka.network.RequestChannel$=false
+
+log4j.logger.kafka.controller=TRACE, controllerAppender
+log4j.additivity.kafka.controller=false
+
+log4j.logger.kafka.log.LogCleaner=INFO, cleanerAppender
+log4j.additivity.kafka.log.LogCleaner=false
+
+log4j.logger.state.change.logger=TRACE, stateChangeAppender
+log4j.additivity.state.change.logger=false
+
+# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
+log4j.logger.kafka.authorizer.logger=DEBUG, authorizerAppender
+log4j.additivity.kafka.authorizer.logger=false
+
+# Experimental, add logging for LDAP
+log4j.logger.io.confluent.kafka.security.ldap.authorizer.LdapGroupManager=TRACE, ldapAppender
+
diff --git a/docker/rbac-tls/streams/kafka/server-with-ssl.properties b/docker/rbac-tls/streams/kafka/server-with-ssl.properties
new file mode 100644
index 000000000..369837415
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/server-with-ssl.properties
@@ -0,0 +1,218 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# see kafka.server.KafkaConfig for additional details and defaults
+
+############################# Server Basics #############################
+
+# The id of the broker. This must be set to a unique integer for each broker.
+broker.id=0
+
+############################# Socket Server Settings #############################
+
+# The address the socket server listens on. It will get the value returned from
+# java.net.InetAddress.getCanonicalHostName() if not configured.
+# FORMAT:
+# listeners = listener_name://host_name:port
+# EXAMPLE:
+# listeners = PLAINTEXT://your.host.name:9092
+listeners=SASL_PLAINTEXT://kafka:9093
+
+# Hostname and port the broker will advertise to producers and consumers. If not set,
+# it uses the value for "listeners" if configured. Otherwise, it will use the value
+# returned from java.net.InetAddress.getCanonicalHostName().
+advertised.listeners=SASL_PLAINTEXT://kafka:9093
+
+# Maps listener names to security protocols, the default is for them to be the same. 
See the config documentation for more details
+#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
+
+security.inter.broker.protocol=SASL_PLAINTEXT
+
+# The number of threads that the server uses for receiving requests from the network and sending responses to the network
+num.network.threads=3
+
+# The number of threads that the server uses for processing requests, which may include disk I/O
+num.io.threads=8
+
+# The send buffer (SO_SNDBUF) used by the socket server
+socket.send.buffer.bytes=102400
+
+# The receive buffer (SO_RCVBUF) used by the socket server
+socket.receive.buffer.bytes=102400
+
+# The maximum size of a request that the socket server will accept (protection against OOM)
+socket.request.max.bytes=104857600
+
+
+############################# Log Basics #############################
+
+# A comma separated list of directories under which to store log files
+log.dirs=/var/lib/kafka
+
+# The default number of log partitions per topic. More partitions allow greater
+# parallelism for consumption, but this will also result in more files across
+# the brokers.
+num.partitions=1
+
+# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
+# This value is recommended to be increased for installations with data dirs located in RAID array.
+num.recovery.threads.per.data.dir=1
+
+############################# Internal Topic Settings #############################
+# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
+# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3.
+offsets.topic.replication.factor=1
+transaction.state.log.replication.factor=1
+transaction.state.log.min.isr=1
+
+############################# Log Flush Policy #############################
+
+# Messages are immediately written to the filesystem but by default we only fsync() to sync
+# the OS cache lazily. The following configurations control the flush of data to disk.
+# There are a few important trade-offs here:
+# 1. Durability: Unflushed data may be lost if you are not using replication.
+# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
+# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
+# The settings below allow one to configure the flush policy to flush data after a period of time or
+# every N messages (or both). This can be done globally and overridden on a per-topic basis.
+
+# The number of messages to accept before forcing a flush of data to disk
+#log.flush.interval.messages=10000
+
+# The maximum amount of time a message can sit in a log before we force a flush
+#log.flush.interval.ms=1000
+
+############################# Log Retention Policy #############################
+
+# The following configurations control the disposal of log segments. The policy can
+# be set to delete segments after a period of time, or after a given size has accumulated.
+# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
+# from the end of the log.
+
+# The minimum age of a log file to be eligible for deletion due to age
+log.retention.hours=168
+
+# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
+# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
+#log.retention.bytes=1073741824
+
+# The maximum size of a log segment file. 
When this size is reached a new log segment will be created.
+log.segment.bytes=1073741824
+
+# The interval at which log segments are checked to see if they can be deleted according
+# to the retention policies
+log.retention.check.interval.ms=300000
+
+############################# Zookeeper #############################
+
+# Zookeeper connection string (see zookeeper docs for details).
+# This is a comma separated host:port pairs, each corresponding to a zk
+# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
+# You can also append an optional chroot string to the urls to specify the
+# root directory for all kafka znodes.
+zookeeper.connect=zookeeper:2181
+
+# Timeout in ms for connecting to zookeeper
+zookeeper.connection.timeout.ms=6000
+
+##################### Confluent Metrics Reporter #######################
+# Confluent Control Center and Confluent Auto Data Balancer integration
+#
+# Uncomment the following lines to publish monitoring data for
+# Confluent Control Center and Confluent Auto Data Balancer
+# If you are using a dedicated metrics cluster, also adjust the settings
+# to point to your metrics kakfa cluster.
+#metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter
+#confluent.metrics.reporter.bootstrap.servers=localhost:9092
+#
+# Uncomment the following line if the metrics cluster has a single broker
+#confluent.metrics.reporter.topic.replicas=1
+
+##################### Confluent Proactive Support ######################
+# If set to true, and confluent-support-metrics package is installed
+# then the feature to collect and report support metrics
+# ("Metrics") is enabled. If set to false, the feature is disabled.
+#
+confluent.support.metrics.enable=false
+
+
+# The customer ID under which support metrics will be collected and
+# reported.
+#
+# When the customer ID is set to "anonymous" (the default), then only a
+# reduced set of metrics is being collected and reported.
+#
+# Confluent customers
+# -------------------
+# If you are a Confluent customer, then you should replace the default
+# value with your actual Confluent customer ID. Doing so will ensure
+# that additional support metrics will be collected and reported.
+#
+confluent.support.customer.id=anonymous
+
+############################# Group Coordinator Settings #############################
+
+# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
+# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
+# The default value for this is 3 seconds.
+# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
+# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
+group.initial.rebalance.delay.ms=0
+
+
+# SASL Configuration
+sasl.enabled.mechanisms=SCRAM-SHA-256
+sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
+security.inter.broker.protocol=SASL_PLAINTEXT
+allow.everyone.if.no.acl.found=false
+super.users=User:kafka
+authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
+
+# Configure authorizer
+authorizer.class.name=io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer
+# LDAP provider URL
+ldap.authorizer.java.naming.provider.url=ldaps://ldap:636/DC=CONFLUENT,DC=IO
+# Refresh interval for LDAP cache. If set to zero, persistent search is used.
+ldap.authorizer.refresh.interval.ms=60000
+
+# Lets see if we can connect with TLS to our LDAP server
+ldap.authorizer.java.naming.security.principal=cn=admin,dc=confluent,dc=io
+ldap.authorizer.java.naming.security.credentials=admin
+
+ldap.authorizer.java.naming.security.protocol=SSL
+ldap.authorizer.ssl.keystore.location=/etc/kafka/jks/ldap.keystore.jks
+ldap.authorizer.ssl.keystore.password=confluent
+
+ldap.authorizer.ssl.truststore.location=/etc/kafka/jks/ldap.truststore.jks
+ldap.authorizer.ssl.truststore.password=confluent
+
+# Search base for group-based search
+#ldap.authorizer.group.search.base=ou=groups,dc=confluent,dc=io
+
+# Remember that LDAP works in a context. The search base is ou=groups,dc=confluent,dc=io
+# But since my URL is ldap://ldap:389/DC=CONFLUENT,DC=IO, we are already working in the dc=confluent,dc=io context
+ldap.authorizer.group.search.base=ou=groups
+
+# Object class for groups
+ldap.authorizer.group.object.class=posixGroup
+ldap.authorizer.group.search.scope=2
+# Name of the attribute from which group name used in ACLs is obtained
+ldap.authorizer.group.name.attribute=cn
+# Regex pattern to obtain group name used in ACLs from the attribute `ldap.authorizer.group.name.attribute`
+ldap.authorizer.group.name.attribute.pattern=
+# Name of the attribute from which group members (user principals) are obtained
+ldap.authorizer.group.member.attribute=memberUid
+# Regex pattern to obtain user principal from group member attribute
+ldap.authorizer.group.member.attribute.pattern=cn=(.*),ou=users,dc=confluent,dc=io
diff --git a/docker/rbac-tls/streams/kafka/server.properties b/docker/rbac-tls/streams/kafka/server.properties
new file mode 100644
index 000000000..2ee5193ae
--- /dev/null
+++ b/docker/rbac-tls/streams/kafka/server.properties
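Review bot: In `docker/rbac-tls/streams/kafka/server-with-ssl.properties`, `authorizer.class.name` is assigned twice (first `kafka.security.auth.SimpleAclAuthorizer`, then `io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer`) and `security.inter.broker.protocol=SASL_PLAINTEXT` also appears twice. When the file is read as Java properties the later value should win, so the first authorizer line is dead and misleads a reader about which authorizer enforces ACLs; delete it and the duplicate protocol line. Despite the file name, only the LDAP connection uses TLS (`ldaps://ldap:636`); the broker listener is `SASL_PLAINTEXT`, so client traffic is unencrypted, which deserves a comment at `listeners=`. The comment above `ldap.authorizer.group.search.base` still refers to `ldap://ldap:389` and should be updated to the `ldaps` URL.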
@@ -0,0 +1,182 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# see kafka.server.KafkaConfig for additional details and defaults + +############################# Server Basics ############################# + +# The id of the broker. This must be set to a unique integer for each broker. +broker.id=0 + +############################# Socket Server Settings ############################# + +# The address the socket server listens on. It will get the value returned from +# java.net.InetAddress.getCanonicalHostName() if not configured. +# FORMAT: +# listeners = listener_name://host_name:port +# EXAMPLE: +# listeners = PLAINTEXT://your.host.name:9092 +listeners=PLAINTEXT://kafka:9093,LOCAL_PLAINTEXT://:29093 + +# Hostname and port the broker will advertise to producers and consumers. If not set, +# it uses the value for "listeners" if configured. Otherwise, it will use the value +# returned from java.net.InetAddress.getCanonicalHostName(). +advertised.listeners=PLAINTEXT://kafka:9093,LOCAL_PLAINTEXT://localhost:29093 + +# Maps listener names to security protocols, the default is for them to be the same. 
See the config documentation for more details +#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL +listener.security.protocol.map=LOCAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT + +security.inter.broker.protocol=PLAINTEXT + +# The number of threads that the server uses for receiving requests from the network and sending responses to the network +num.network.threads=3 + +# The number of threads that the server uses for processing requests, which may include disk I/O +num.io.threads=8 + +# The send buffer (SO_SNDBUF) used by the socket server +socket.send.buffer.bytes=102400 + +# The receive buffer (SO_RCVBUF) used by the socket server +socket.receive.buffer.bytes=102400 + +# The maximum size of a request that the socket server will accept (protection against OOM) +socket.request.max.bytes=104857600 + + +############################# Log Basics ############################# + +# A comma separated list of directories under which to store log files +log.dirs=/var/lib/kafka + +# The default number of log partitions per topic. More partitions allow greater +# parallelism for consumption, but this will also result in more files across +# the brokers. +num.partitions=1 + +# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown. +# This value is recommended to be increased for installations with data dirs located in RAID array. +num.recovery.threads.per.data.dir=1 + +############################# Internal Topic Settings ############################# +# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state" +# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3. 
+offsets.topic.replication.factor=1 +transaction.state.log.replication.factor=1 +transaction.state.log.min.isr=1 + +############################# Log Flush Policy ############################# + +# Messages are immediately written to the filesystem but by default we only fsync() to sync +# the OS cache lazily. The following configurations control the flush of data to disk. +# There are a few important trade-offs here: +# 1. Durability: Unflushed data may be lost if you are not using replication. +# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush. +# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks. +# The settings below allow one to configure the flush policy to flush data after a period of time or +# every N messages (or both). This can be done globally and overridden on a per-topic basis. + +# The number of messages to accept before forcing a flush of data to disk +#log.flush.interval.messages=10000 + +# The maximum amount of time a message can sit in a log before we force a flush +#log.flush.interval.ms=1000 + +############################# Log Retention Policy ############################# + +# The following configurations control the disposal of log segments. The policy can +# be set to delete segments after a period of time, or after a given size has accumulated. +# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens +# from the end of the log. + +# The minimum age of a log file to be eligible for deletion due to age +log.retention.hours=168 + +# A size-based retention policy for logs. Segments are pruned from the log unless the remaining +# segments drop below log.retention.bytes. Functions independently of log.retention.hours. +#log.retention.bytes=1073741824 + +# The maximum size of a log segment file. 
When this size is reached a new log segment will be created. +log.segment.bytes=1073741824 + +# The interval at which log segments are checked to see if they can be deleted according +# to the retention policies +log.retention.check.interval.ms=300000 + +############################# Zookeeper ############################# + +# Zookeeper connection string (see zookeeper docs for details). +# This is a comma separated host:port pairs, each corresponding to a zk +# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002". +# You can also append an optional chroot string to the urls to specify the +# root directory for all kafka znodes. +zookeeper.connect=zookeeper:2181 + +# Timeout in ms for connecting to zookeeper +zookeeper.connection.timeout.ms=6000 + +##################### Confluent Metrics Reporter ####################### +# Confluent Control Center and Confluent Auto Data Balancer integration +# +# Uncomment the following lines to publish monitoring data for +# Confluent Control Center and Confluent Auto Data Balancer +# If you are using a dedicated metrics cluster, also adjust the settings +# to point to your metrics kakfa cluster. +#metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter +#confluent.metrics.reporter.bootstrap.servers=localhost:9092 +# +# Uncomment the following line if the metrics cluster has a single broker +#confluent.metrics.reporter.topic.replicas=1 + +##################### Confluent Proactive Support ###################### +# If set to true, and confluent-support-metrics package is installed +# then the feature to collect and report support metrics +# ("Metrics") is enabled. If set to false, the feature is disabled. +# +confluent.support.metrics.enable=false + + +# The customer ID under which support metrics will be collected and +# reported. +# +# When the customer ID is set to "anonymous" (the default), then only a +# reduced set of metrics is being collected and reported. 
+# +# Confluent customers +# ------------------- +# If you are a Confluent customer, then you should replace the default +# value with your actual Confluent customer ID. Doing so will ensure +# that additional support metrics will be collected and reported. +# +confluent.support.customer.id=anonymous + +############################# Group Coordinator Settings ############################# + +# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance. +# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms. +# The default value for this is 3 seconds. +# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing. +# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup. +group.initial.rebalance.delay.ms=0 + + +# SASL Configuration +#sasl.enabled.mechanisms=SCRAM-SHA-256 +#sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 +#security.inter.broker.protocol=SASL_PLAINTEXT +#allow.everyone.if.no.acl.found=false +#super.users=User:kafka +authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer diff --git a/docker/rbac-tls/streams/scripts/.gitignore b/docker/rbac-tls/streams/scripts/.gitignore new file mode 100644 index 000000000..34d510852 --- /dev/null +++ b/docker/rbac-tls/streams/scripts/.gitignore @@ -0,0 +1,9 @@ +*.crt +*.csr +*_creds +*.jks +*.srl +*.key +*.pem +*.der +*.p12 diff --git a/docker/rbac-tls/streams/scripts/certs-create.sh b/docker/rbac-tls/streams/scripts/certs-create.sh new file mode 100755 index 000000000..1035968d3 --- /dev/null +++ b/docker/rbac-tls/streams/scripts/certs-create.sh 
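Review bot: `authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer` stays active on the last line of this new server.properties while `super.users`, `allow.everyone.if.no.acl.found` and every SASL line above it are commented out, and both listeners map to `PLAINTEXT`. Unless the compose file overrides these values, every client connects as the anonymous principal, so ACLs cannot separate users, and with no super user the broker's own requests presumably fall under the same deny-by-default rule. Either comment the authorizer out with the rest of the block or restore `super.users=User:kafka` together with an authenticated listener. For a file under rbac-tls, a comment such as `# PLAINTEXT only: authentication and TLS are intentionally off for this test broker` would record the intent. `SimpleAclAuthorizer` is also deprecated since Kafka 2.4 in favour of `kafka.security.authorizer.AclAuthorizer`.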
@@ -0,0 +1,74 @@ +#!/bin/bash + +#set -o nounset \ +# -o errexit \ +# -o verbose \ +# -o xtrace + +# Cleanup files +rm -f *.crt *.csr *_creds *.jks *.srl *.key *.pem *.der *.p12 + +# Generate CA key +openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent + +for i in kafka ldap +do + echo "------------------------------- $i -------------------------------" + + # Create host keystore + keytool -genkey -noprompt \ + -alias $i \ + -dname "CN=$i,OU=TEST,O=CONFLUENT,L=PaloAlto,S=Ca,C=US" \ + -ext "SAN=dns:$i,dns:localhost" \ + -keystore kafka.$i.keystore.jks \ + -keyalg RSA \ + -storepass confluent \ + -keypass confluent + + # Create the certificate signing request (CSR) + keytool -keystore kafka.$i.keystore.jks -alias $i -certreq -file $i.csr -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost" + #openssl req -in $i.csr -text -noout + + # Sign the host certificate with the certificate authority (CA) + openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in $i.csr -out $i-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent -extensions v3_req -extfile <(cat < ${i}_sslkey_creds + echo "confluent" > ${i}_keystore_creds + echo "confluent" > ${i}_truststore_creds + + # Create pem files and keys used for Schema Registry HTTPS testing + # openssl x509 -noout -modulus -in client.certificate.pem | openssl md5 + # openssl rsa -noout -modulus -in client.key | openssl md5 + # echo "GET /" | openssl s_client -connect localhost:8085/subjects -cert client.certificate.pem -key client.key -tls1 + keytool -export -alias $i -file $i.der -keystore kafka.$i.keystore.jks -storepass confluent + openssl x509 -inform der -in $i.der -out $i.certificate.pem + keytool -importkeystore -srckeystore kafka.$i.keystore.jks -destkeystore $i.keystore.p12 -deststoretype PKCS12 -deststorepass confluent -srcstorepass 
confluent -noprompt + openssl pkcs12 -in $i.keystore.p12 -nodes -nocerts -out $i.key -passin pass:confluent + +done diff --git a/docker/rbac-tls/streams/up b/docker/rbac-tls/streams/up new file mode 100755 index 000000000..e591bc804 --- /dev/null +++ b/docker/rbac-tls/streams/up 
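Review bot: The strict-mode block at the top of certs-create.sh is commented out (`#set -o nounset \ ...`), so a failed `openssl` or `keytool` step does not stop the run and the caller goes on to copy whatever keystores are on disk, stale or partial. Enabling `set -o errexit -o nounset` and adding `cd "$(dirname "$0")"` before the `rm -f *.crt ... *.p12` cleanup would also keep that glob from deleting key material in whatever directory the script is started from. The CA is created with `-days 365` while the host certificates are signed with `-days 9999`, so the chain stops validating after one year whatever the leaf lifetime says; a comment stating the intended lifetime of this test CA would help. The `-extfile` here-document of the signing command is not legible in this view and is not covered by this note.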
@@ -0,0 +1,67 @@ +#!/bin/sh + +usage() { echo "Usage: $0 [--ssl] " 1>&2; exit 1; } + +ssl=0 +while getopts ":s-:" opt; do + case $opt in + -) + case "${OPTARG}" in + ssl) + ssl=1 + ;; + *) + usage + exit 1 + ;; + esac;; + *) + usage + exit 1 + ;; + esac +done + +## Select to run with security or not + +DOCKER_COMPOSE_FILE="$PWD/docker-compose.yaml" + +if [ $ssl -eq 1 ]; then + echo "Running with SSL enabled between the brokers and the LDAP server" + # Generate the certificates + cd scripts + ./certs-create.sh + + ## Copy the necessary broker JKS stores + cp kafka.kafka.keystore.jks ../kafka/jks/ldap.keystore.jks + cp kafka.kafka.truststore.jks ../kafka/jks/ldap.truststore.jks + + ## copy the LDAP server certificates + cp ldap-ca1-signed.crt ../ldap/certs/my-ldap.crt + cp ldap.key ../ldap/certs/my-ldap.key + cp snakeoil-ca-1.crt ../ldap/certs/my-ca.crt + cd .. + DOCKER_COMPOSE_FILE="$PWD/docker-compose-with-ssl.yaml" +fi + +## start docker-compose up to and including kafka +docker-compose -f $DOCKER_COMPOSE_FILE up -d --build kafka + +# Creating the users +# kafka is configured as a super user +docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=kafka],SCRAM-SHA-512=[password=kafka]' --entity-type users --entity-name kafka +docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice +docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=barnie-secret],SCRAM-SHA-512=[password=barnie-secret]' --entity-type users --entity-name barnie +docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=charlie-secret],SCRAM-SHA-512=[password=charlie-secret]' --entity-type users --entity-name charlie + +docker-compose up -d + +echo "Example configuration:" +echo 
"Should succeed (barnie is in group)" +echo "-> docker-compose exec kafka kafka-console-producer --broker-list kafka:9093 --topic test-topic --producer.config=/etc/kafka/barnie.properties" +echo "Should fail (charlie is NOT in group)" +echo "-> docker-compose exec kafka kafka-console-producer --broker-list kafka:9093 --topic test-topic --producer.config=/etc/kafka/charlie.properties" +echo "Should succeed (alice is in group)" +echo "-> docker-compose exec kafka kafka-console-consumer --bootstrap-server kafka:9093 --consumer.config /etc/kafka/alice.properties --topic test-topic --from-beginning" +echo "List ACLs" +echo "-> docker-compose exec kafka kafka-acls --bootstrap-server kafka:9093 --list --command-config /etc/kafka/kafka.properties" diff --git a/docker/tls/.gitignore b/docker/tls/.gitignore index b2290143a..93786be76 100644 --- a/docker/tls/.gitignore +++ b/docker/tls/.gitignore @@ -1 +1 @@ -certs +../rbac-sasl/certs 
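Review bot: Only the first `docker-compose` call in `up` receives `-f $DOCKER_COMPOSE_FILE`; the four `docker-compose exec` calls and the final `docker-compose up -d` fall back to the default compose file in the directory. With `--ssl` the broker is therefore started from `docker-compose-with-ssl.yaml` and the stack is then brought up again from the plain file, which may recreate services without the TLS settings that were requested. Pass the same file to every call and quote it, e.g. `docker-compose -f "$DOCKER_COMPOSE_FILE" up -d`. `cd scripts` and `./certs-create.sh` are also unchecked, so the `cp` lines run even when certificate generation failed; `cd scripts && ./certs-create.sh || exit 1` would stop there.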
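Review bot: The new pattern `../rbac-sasl/certs` in docker/tls/.gitignore probably matches nothing, because gitignore patterns are resolved relative to the directory that holds the file and do not reach into a parent directory. If that holds, `docker/tls/certs` is no longer ignored and generated keys or keystores placed there can be staged by accident. Keeping the `certs` line here, and putting an rbac-sasl entry into a `.gitignore` under `docker/` or `docker/rbac-sasl/` if one is wanted, would preserve the previous protection.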
diff --git a/example/jks/client.keystore.jks b/example/jks/client.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..6e70b0c3b017382eb7de62842dfb376ec28f2cb1 GIT binary patch literal 4677 zcmY+EXEYp)wuZ;(4AILFHF_|k#^?#rqxU{~^iB|r-br*(M~hyfj4pc1=p^{`PK4-! zn{(H_=dAN%@4eRZ?!A9L5CoYl5Cao}Aic%G=Z;j2yduKD#VA0K9%3O#cmLu|2m;&g zzane{ECjaBU##)BRB;IZ?+QeK0W3gZ-9ZpoR}d~7g8#>VpVMJc2y?5gk=a{Na#Mf6 zvpAqbP~4HQ12F-88dwOd;p0&eb15y2iKi%1!m$`9`M%%Dyt5w@Z1pYGOSCa=8`=?t zny+j(`PlT3iqHmAj-#j8d!{pfhy1(p$rwrJ-yS#2cq{y6TSERck8(;m(MYbBQvg!T z&%&Hh+~KIo-PFvvqM|HM*gT#Prk6G3)0*>T<+c9i+gh`>5;FZb zvej{~T{XeHx6_;VDXt0k>M}Dc!_Nvw9yiY50sYWY`O6M_UpEQZG9&5vP8H4@Hr$wc zx1Hc6hFWZQ`*-6y^t#V}F?10mZ`OB`NHwx1g|ff32%Bp(CL)`hnwJP@v`)-e((kk~c{us+Bc#C$7sA!~lCHv}M-;bkgxE%YE%bVEN%ZZM6^Dg8Ka=_D&g z457257mL@2e?@Q2Sxdy4by)wtoBU9hcXSYxkY4_^;BIt~d~xJhQ%1ipXH z@bomp#;owi1HSnU**UFz`U?BK*qt^oQ(GA1{Egm`3a^a!(Mq|2pR0k(EWCTfC z{uWDujTwh}G=y>w0B6q@c2HfxyY(m4 zFHzGUN(I+gHR@G!2R5k*Vvc4OX_JX76kR8TIILK2>Y~LrbKpLCiQcox!y!0=W&;%1 zZ;nQ5eimJyNr@VUY4H~Z&}+KLM6BH2tFz-0PiPpdJX?YZl|Qjt)ldJrs{nLR_64N9 zwU;Te(DORsQ=A4aC+_2(*$vq$q+wFhI+K`a|c`Rvrw zI>tg3QFF2gb};?m@ZL&VA~i{9L{gI=V-Dn6roZO+JCDO zp8^VEAOJW5ECIIv>JaAtM3hhpEHWJjXB#G{2vkf+SU_0pg|M(F1Of8;_Yy8n0Rm+6 z7g+)^0Dp(ke-e!U@+;22{OU-fL3 z?(;#s&b2A|o}^Q^H0l!>P5vj0%Uv7-HLt|fF^ezCthwfW`!RpGbY*MwTF})8RF#F9 zcq+>I8xUaVkCySs>(1xjwNcecN5I|l`%@8jX-~%YohlXKmu?kDrXp&xpT8)q#Tay)rdK^@)*T1nezUDpaNyU ze^=1lGTma#sL2qol!^pgykIuCVipTJ2{&`MGCgtu(iy6*S(?PEB72`mG4A#lN4pO% z$?Imi!p_cOx`TY^RUcUVBgfl@j19F24hwY1z-hUyzN>p>r=M-TOx#0{PS?a19U?YX zN}Y6jC7qTUGdM`QN(PBL1Dk^67?|#TbEE4s_ zh~90a0lBn~s_R=$e+QFa((JoT{!Uum`c##qj2#otg7sM-Z7M+DhgufzpFwV+kprz7 z0R?))T95(ND++$Fp{HYw!hK1;Tjb z-VYmX1p?sWxC?uv9&n0xy_mL5b7A-EN#lKcQloecj?@#JdaHCOG-LGMQ7H%{86Q0F zO*c}TJNtdgPw<`f1JWKeu<}*%cwOykoIQeMF%#OPioYY^yJ^Eg-0$`k`6%cQ@=Y!*uM+n7_+hnpI&z6_T}5LV6O z*8~X`BweSIx0Iup%W=LjmYukvousSpZVAD{R6dp)fYchjPYb$bHNx7iX7N@3XzPvk zhTgIZe zu=}Ms@}(@FRQGc>p$yNDU@Vm@g&3aAQ;GZyj1b$+!jA%OTIqL%8VbA(g9Ri&2;AOp 
z!Qk4ru1S1#oopa{f>+SMW5RW=y?x}LQef()18wl+VkkhE#-fh3GfS6Sjns2#qev(1 zk4X))TqOv-N; z%)1lymUi_Ll!zaF`mJ*uYyQ?)Jd2R`# zrDmT&F|DNG2XQBf)6U#!XiCZt6?o9~_yJ1!XHGxi#7xKc+o#*OuI0!J0+VV35-|Zr zd5jpbmH-EC%he5JiXm89nwcH}S@e^x!;Pi!4&&oDJrJ7bc;j#ytHkL&h$q989)iy5 zELfMx(=1QPl%@_F>K>_9aS^pTc(w8r_wYK1dVxsMs}Q%Dv)9WnH&S3;fZU6|H-4)g zeyggT3{37nywoGY;w*vZ{IPTI`@k~~|0-{+YnThk$OtYV**4hl9IMzphL@SlH>{49 z2|-%M`mC)R-}${T;V@X)7SU}D1SNag5-fn_NC|F{>K&%qGWR%~kxmmf-tLSFS|9U> zp|1;O#mbI;_%8dhk-i;i{gvl5Op2?nW~q0zBcpOlXc}RD_iDaaq*#9@W1rW5;Iz47 zgR#ojaPsEk=(-Qfd)d~WTN&fEb}DDk$q(bs>w7B`F^v*{g?hG60CT9_mZhU6Ee27; z_x)lwYP|C9No@bsMoMIuo3QNri85K|nhbHc6eVlo;R84eorOO5k=*9h5Obo9^{KCD z!+Aw^oJvFep}dfWFw)-jBb{B2OUQBv39@ug*7v~K|9T^4VcAOD#;@$qU_peA<@45B zbB{`D_EUsvn9rjLC3vi(e&*}r2G|=-;7-g=<*)fo%q4g&_&!Nzn8#*ikNUNsMC(j% zpJpRVBQts2QHGhLX;`AlIT^2H6gD)X8C>qnvEQg@?x(IilDF0CfRF~=3+1XK8D&T* zGh`Hg4@X(PBH)Gjl~-KC#T!b^MsR5crEcjxD+3q*apj-2G=;HTHS-M?Hny-PAo>}07<7tS7T4PE5>79knHlVjftmX`OtXIIUz~Yz6!Zt zZr>y)wTbF6&OUFWSYX#2)zWMT#P4OwVBpuZG8ZqOfaw)V7Hc?nUdapx8ZUP7g*=qs4FV zoLvlwrs9z8{Tn$>DnYj@#n^V;lPd*3o&lb7ZfMW!LTD`p#OKyY$sQD zN2@b;sKZ5#F~|FfJuPo8C@C`trb6$jklpHo+>OmD462{bdPM^!(%WKwHv|m(vep-C zJ?lgGULdQU)Q%;gb}1r+jf($D!TScz-}{pLRjA9;I!q-Mr)Z%_t?WSEjChdKw8i)R z+d#oRt}vwp`q%d$Pk7x`8|xXib+iJ-XL4BdpZ04M;PN1F$}I@VZF#NCs=)b_IPpSNcv z&H_?{ZyYKF6uR+%sfw58n=fi=}IbAC~6p{Q zWgycFOwKmOPn8u>W5@^!BYfj4v*;@~BAWrBrk(Vz*>Z0gr~{x}1hy%29>a!bcktcz zL9MrK6Bk(5Q@|!`TiahWP#8#ahnTdsRIGqVL6{-;n literal 0 HcmV?d00001 
diff --git a/example/jks/client.truststore.jks b/example/jks/client.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..89bb13651de6696a0cb1b1638781e7ead51678e7 GIT binary patch literal 1170 zcmV;D1a12;f&`8N0Ru3C1V;u5Duzgg_YDCD0ic2eI0S+OG%$h$Fff7yECvZGhDe6@ z4FLxRpn?P)FoFab0s#Opf&>x<2`Yw2hW8Bt2LUiC1_~;MNQU70mX)W888JQM-Mi^bjrkd)r8n! zR~v1#?ch@iM{Zm&pXY!O%w$5Uk0j)wocKVG(M?Mx71t_dY?uXWcfmq3FLN)_@RnXJ zw14qq{9x<{g4NiS*U+0=DcgiSXpQ+dZU%W_mo8C~*LAm1#IA7X?&SNb;vFR;&WCmd z|9CjsO&Lu?ykkCdo|346TWo&Sm6_C+)t~IwM4Z+_a&D$XRy7Id<7Xr8KgX&-R+368;8#spvv-V)Ebumm2^i!M4MmR;73vnZWzvY6f9owR3z1Z1ZsQWMOO z_@4zGO3@!M)z3<`M7Tmw8m8F#vFKL;Da3pkYl3?ZT?_n14zE=H^L3gq|D+hTx`q+c z@V{ zG8=PjVaYL8*DFKh%TIa)_Ef#IM4RcV^JgmF=E-vMUR=3 zydb5yt?gzRWX*aJed<@>xhSXt#dKTOhmdJgu0jJNU^vI12Yhn}L)VGx-fvIK$I`%^ z+H8q^RG21TnB)5{p^Q_l(7;q&txXEZ66U(m4f=EhB5O6HFj?&8A4@*0*cuXxa8(4t-<_g$PK?SyxxnBC1pqU%G=P z0sLlvMRMjTRiFtbK%*F_Kha58LE5I&@L%7YYarNk3w*^Ch}UiA=c|%7FLG9&;`?D-AkNO>b+Ys0MOOywY^UK^GB53XK^JUjbU+UAg z#p|$_+n&ptl58MoiOrb&cBHl@YAFvi5De4JVC;K3vq#-&9FLFuWn>gnoA#r5DQ1$D zP(m|{5{5x1xqxpu!pUx>d~BRETrfT`AutIB1uG5%0vZJX1Qb9}X7;$#7=TNW8=s)u kiHmM9iM<3A|52.22.2 2.12.1 - 2.7.0 2.13.3 3.5.7 1.4 @@ -497,12 +496,12 @@ org.apache.kafka kafka-clients - ${kafka.version} + ${confluent-ce.version} org.apache.kafka kafka-streams - ${kafka.version} + ${confluent-ce.version} test diff --git a/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java b/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java index 4ca4fccaa..0de130056 100644 --- a/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java +++ b/src/test/java/com/purbon/kafka/topology/integration/RBACPRoviderRbacIT.java 
@@ -313,6 +313,7 @@ public void testRoleDeleteFlow() throws IOException { Properties props = new Properties(); props.put(TOPOLOGY_STATE_FROM_CLUSTER, true); props.put(ALLOW_DELETE_TOPICS, true); + props.put(ALLOW_DELETE_BINDINGS, true); HashMap cliOps = new HashMap<>(); cliOps.put(BROKERS_OPTION, "");