This is a packaging of Aiven Karapace for use as a REST API for Kafka in the NAIS platform together with Kafkarator.
Aiven uses Karapace to provide a REST API and Schema Registry for their managed Kafka offering. Unfortunately, their setup means that any user with access to the REST API will have full access to all topics regardless of ACLs in use. This is not acceptable for us, so we have created this packaging where teams can deploy Karapace in their own namespaces on the NAIS platform, with credentials that limit it to just the topics they should have access to.
In order to ensure proper access control for the REST API, the application should be deployed to our GCP clusters, with no ingress and strictly configured Access Policies. This is important, as anyone who can call your instance of Karapace will have access to everything you have access to.
apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
name: karapace
namespace: myteam
labels:
team: myteam
spec:
image: ghcr.io/nais/karapace:latest
liveness:
path: "/"
readiness:
path: "/brokers"
replicas:
min: 1
max: 1
cpuThresholdPercentage: 50
prometheus:
enabled: false
resources:
limits:
cpu: "200m"
memory: "256Mi"
requests:
cpu: "200m"
memory: "256Mi"
kafka:
pool: nav-dev
If you want to use a specific version, get the latest karapace image from the Karapace package page.
name: "Deploy Karapace"
on:
push:
branches:
- "main"
jobs:
deploy:
name: "Deploy Karapace"
runs-on: ubuntu-latest
steps:
- uses: "actions/checkout@v2"
- uses: nais/deploy/actions/deploy@v1
env:
CLUSTER: dev-gcp
RESOURCE: nais.yaml
Commit nais.yaml
and .github/workflows/main.yaml
and push to github.
Karapace provides the same API as the Confluent Kafka REST proxy (v1). The Confluent documentation should be fairly accurate, but differences may be documented in the Aiven Karapace project. See also this issue.
Karapace will be available using a service address in the cluster (http://application-name.namespace/), assuming you have set proper access policies.
The image is signed "keylessly" using Sigstore cosign. To verify its authenticity run
cosign verify \
--certificate-identity "https://github.com/nais/karapace/.github/workflows/main.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/nais/karapace@sha256:<shasum>
The images are also attested with SBOMs in the CycloneDX format. You can verify these by running
cosign verify-attestation --type cyclonedx \
--certificate-identity "https://github.com/nais/karapace/.github/workflows/main.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/nais/karapace@sha256:<shasum>