Deploy CFK and CP with Okta OAuth/OIDC SSO and TLS #387
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a comprehensive Confluent Platform deployment workflow using Confluent for Kubernetes operator with Okta OAuth/OIDC Single Sign-On authentication and TLS encryption. The deployment includes complete configuration for authentication, authorization, and secure networking.
- Implements OAuth/OIDC authentication integration with Okta for all Confluent Platform components
- Configures TLS encryption with auto-generated certificates for secure communication
- Sets up Role-Based Access Control (RBAC) with appropriate permissions for services and users
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| security/oauth/okta/tls/cp-core.yaml | Defines KRaftController and Kafka configurations with OAuth authentication and TLS settings |
| security/oauth/okta/tls/cp-components.yaml | Configures Connect, ControlCenter, KafkaRestClass, KafkaRestProxy, KsqlDB, and SchemaRegistry with OAuth/TLS |
| security/oauth/okta/tls/cfrb-client-ro.yaml | Sets up RBAC permissions for client access with ResourceOwner role |
| security/oauth/okta/tls/cfrb-c3-sa.yaml | Defines RBAC permissions for Control Center service accounts across different cluster types |
| security/oauth/okta/tls/README.md | Comprehensive deployment guide with prerequisites, configuration steps, and testing procedures |
| security/oauth/okta/certs/server-domain.json | Certificate configuration for server domains and service endpoints |
| security/oauth/okta/certs/ca-config.json | Certificate Authority configuration for TLS certificate generation |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| configOverrides: | ||
| jvm: | ||
| - '---Xmx2G' | ||
| - '---Xms2G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms2G' | |
| - '-Xmx2G' | |
| - '-Xms2G' |
| configOverrides: | ||
| jvm: | ||
| - '---Xmx8G' | ||
| - '---Xms8G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms8G' | |
| - '-Xmx8G' | |
| - '-Xms8G' |
| configOverrides: | ||
| jvm: | ||
| - '---Xmx6G' | ||
| - '---Xms6G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms6G' | |
| - '--Xmx6G' | |
| - '--Xms6G' |
| configOverrides: | ||
| jvm: | ||
| - '---Xmx8G' | ||
| - '---Xms8G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms8G' | |
| - '-Xmx8G' | |
| - '-Xms8G' |
| configOverrides: | ||
| jvm: | ||
| - '---Xmx4G' | ||
| - '---Xms4G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms4G' | |
| - '-Xmx4G' | |
| - '-Xms4G' |
| configOverrides: | ||
| jvm: | ||
| - '---Xmx6G' | ||
| - '---Xms6G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms6G' | |
| - '-Xmx6G' | |
| - '-Xms6G' |
| configOverrides: | ||
| jvm: | ||
| - '---Xmx2G' | ||
| - '---Xms2G' |
There was a problem hiding this comment.
The JVM arguments contain incorrect syntax. The correct format should use double dashes '--' instead of triple dashes '---' for Java options.
| - '---Xms2G' | |
| - '-Xmx2G' | |
| - '-Xms2G' |
| tls: | ||
| enabled: true | ||
| ksqldb: | ||
| - advertisedUrl: https://mage-confluent-sat-ksqldb.sat.cbp.dhs.gov |
There was a problem hiding this comment.
The hardcoded URL appears to reference a specific government domain (dhs.gov). This should be parameterized or use a generic placeholder to avoid exposing internal infrastructure details.
| - advertisedUrl: https://mage-confluent-sat-ksqldb.sat.cbp.dhs.gov | |
| - advertisedUrl: https://<ksqldb-advertised-url> |
|
Waiting for more than a month now, could someone kindly assist with reviewing and approving this request at your earliest convenience? |
Workflow to deploy and configure a Confluent Platform cluster using the Confluent for Kubernetes operator with the following features: