### CloudFormation to deploy kPow for Apache Kafka from Dockerhub.
###
### Dockerhub Profile -> https://hub.docker.com/r/operatr/kpow
###
### This example stack will deploy a kPow container into an ECS cluster, VPC and subnet that you designate.
###
### A new IAM role is created for the task that allows ECS / Logs actions.
###
### A new security group is created for the task with permissive outbound (kafka and ECR) and UI port inbound.
###
### kPow will attempt to connect to your Kafka Cluster on the port of the bootstrap URL; you may need to configure your Kafka Cluster security group to allow ingress on that port.
###
### This CloudFormation is provided for demonstration purposes only and uses only simple configuration options.
###
### For a full list of configuration options and installation details see https://docs.kpow.io
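# Quoted so that generic YAML parsers and linters keep the template version as
# the string CloudFormation expects instead of turning the ISO date into a
# timestamp value.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Deploy kPow for Apache Kafka to ECS (Dockerhub Container Version)"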
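Parameters:
  ### Deployment settings
  ContainerUrl:
    # NOTE(review): the default pins a mutable tag, so each deployment may pull a
    # different image; pin a version tag or digest for reproducible rollouts.
    Description: "The container image URL"
    Type: String
    Default: "operatr/kpow:latest"
  ClusterName:
    Description: "The target ECS cluster name"
    Type: String
  LaunchType:
    Description: "EC2 or FARGATE"
    Type: String
    Default: FARGATE
    AllowedValues:
      - FARGATE
      - EC2
  VpcId:
    Description: "The target VPC ID"
    Type: AWS::EC2::VPC::Id
  KpowSubnet:
    Description: "The target Subnet ID"
    Type: AWS::EC2::Subnet::Id
  PublicIp:
    Description: "Auto assign elastic network interface a public IP address (required for private subnet with no NAT)"
    Type: String
    Default: ENABLED
    AllowedValues:
      - ENABLED
      - DISABLED
  UiRange:
    # The placeholder default is not a valid CIDR, which appears intended: stack
    # creation fails unless the deployer supplies a real range for the UI
    # ingress rule.
    Description: "Choose the CIDR range given access to the kPow UI, or use permissive 0.0.0.0/0 at your own risk."
    Type: String
    Default: "X.X.X.X/X"

  ### kPow UI configuration
  EnvironmentName:
    Description: "Environment Name"
    Type: String
  Port:
    # Bounds reject out-of-range ports at parameter validation instead of at
    # security-group or container creation.
    Description: "kPow UI Port"
    Type: Number
    Default: 3000
    MinValue: 1
    MaxValue: 65535
  ShowSplash:
    # TRUE/FALSE are quoted throughout this file: unquoted they are YAML 1.1
    # booleans, so a parser may hand CloudFormation `true` rather than the
    # literal string the container is configured with.
    Description: "Show new browser sessions the kPow UI Splash overlay"
    Type: String
    Default: "TRUE"
    AllowedValues:
      - "TRUE"
      - "FALSE"

  ### Global access controls (all default to disabled)
  AllowTopicCreate:
    Description: "Enable Topic Create"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowTopicInspect:
    Description: "Enable Topic Inspect"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowTopicProduce:
    Description: "Enable Topic Produce"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowTopicEdit:
    Description: "Enable Topic Edit"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowTopicDelete:
    Description: "Enable Topic Delete"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowGroupEdit:
    Description: "Enable Group Edit"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowBrokerEdit:
    Description: "Enable Broker Edit"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowSchemaCreate:
    Description: "Enable Schema Create"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowSchemaEdit:
    Description: "Enable Schema Edit"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowConnectCreate:
    Description: "Enable Connect Create"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowConnectEdit:
    Description: "Enable Connect Edit"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"
  AllowAclEdit:
    Description: "Enable ACL Edit UI"
    Type: String
    Default: "FALSE"
    AllowedValues:
      - "FALSE"
      - "TRUE"

  ### Kafka cluster connection
  Bootstrap:
    Description: 'A list of host/port pairs to use for establishing the initial connection to the Kafka cluster, e.g. "kafka-1:9092,kafka-2:9092,kafka-3:9092"'
    Type: String
  SecurityProtocol:
    Type: String
    Description: "The security protocol Kafka connections. For MSK w/ encrypted connections (default) use SSL."
    Default: PLAINTEXT
    AllowedValues:
      - PLAINTEXT
      - SSL
      - SASL_SSL
      - SASL_PLAINTEXT
  SaslMechanism:
    Type: String
    Description: "SASL mechanism used for client connections."
    Default: GSSAPI
    AllowedValues:
      - GSSAPI
      - PLAIN
      - SCRAM-SHA-256
      - SCRAM-SHA-512
  SaslJaasConfig:
    # NoEcho hides the value in the CloudFormation console and API responses
    # only; see the task definition for where it is ultimately stored.
    Type: String
    Description: "Java Authentication and Authorization Service configuration. e.g. org.apache.kafka.common.security.plain.PlainLoginModule required username=\"key\" password=\"secret\";"
    NoEcho: "true"

  ### Schema Registry (optional; enabled when SchemaRegistryUrl is non-empty)
  SchemaRegistryUrl:
    Type: String
    Description: "The URL to your Schema Registry"
  SchemaRegistryAuth:
    Type: String
    Description: "URL, USER_INFO, or SASL_INHERIT"
    Default: "USER_INFO"
    AllowedValues:
      - URL
      - USER_INFO
      - SASL_INHERIT
  SchemaRegistryUser:
    Type: String
    Description: "The username when using URL / USER_INFO"
    NoEcho: "true"
  SchemaRegistryPassword:
    Type: String
    Description: "The password when using URL / USER_INFO"
    NoEcho: "true"

  ### Kafka Connect (optional; enabled when ConnectRestUrl is non-empty)
  ConnectRestUrl:
    Type: String
    Description: "The client connection URL for your connect cluster"
  ConnectAuth:
    Type: String
    Description: "BASIC if basic authentication is configured"
    Default: BASIC
    AllowedValues:
      - BASIC
  ConnectUser:
    Type: String
    Description: "Username if basic authentication is configured"
    NoEcho: "true"
  ConnectPassword:
    Type: String
    Description: "Password if basic authentication is configured"
    NoEcho: "true"
  ConnectGroupId:
    Type: String
    Description: "(Optional) Unique string identifying worker cluster group"
  ConnectOffsetStorageTopic:
    Type: String
    Description: "(Optional) Topic that holds connect offsets"

  ### License details
  LicenseId:
    Type: String
    Description: "kPow License ID (e.g. 960f33fd-9d43-395f-34a2-e35bdb36a13e)"
  LicenseCode:
    Type: String
    Description: "kPow License Code (e.g. TRIAL_30D)"
  Licensee:
    Type: String
    Description: "kPow Licensee (e.g. Your Organisation)"
  LicenseExpiry:
    Type: String
    Description: "kPow License Expiry (e.g. 2021-06-25)"
  LicenseSignature:
    Type: String
    Description: "kPow License Signature (e.g. B2127567ED2CF0CE8F8949CA157216D5D...)"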
Conditions:
  # Each condition reads "the parameter was given a non-empty value"; the task
  # definition uses them to include the optional environment entries only when
  # the matching integration was configured.
  HasSchemaRegistryUrl: !Not
    - !Equals
      - !Ref SchemaRegistryUrl
      - ""
  HasConnectRestUrl: !Not
    - !Equals
      - !Ref ConnectRestUrl
      - ""
  HasConnectUser: !Not
    - !Equals
      - !Ref ConnectUser
      - ""
  HasSaslJaasConfig: !Not
    - !Equals
      - !Ref SaslJaasConfig
      - ""
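Resources:
  taskdefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      # Reference the role declared in this stack instead of rebuilding its ARN
      # by hand: !GetAtt gives CloudFormation the dependency it needs to create
      # the role before the task definition, and it is partition-agnostic (the
      # previous !Sub string hard-coded "arn:aws").
      # NOTE(review): one role serves as both task role (what the kPow process
      # may call) and execution role (what ECS needs to pull the image and write
      # logs); see RoleAppContainer for why a split is preferable.
      TaskRoleArn: !GetAtt RoleAppContainer.Arn
      ExecutionRoleArn: !GetAtt RoleAppContainer.Arn
      # Validated for Fargate only, although LaunchType also offers EC2 —
      # presumably an awsvpc task still schedules there; confirm before relying
      # on the EC2 option.
      RequiresCompatibilities: [ "FARGATE" ]
      NetworkMode: awsvpc
      Cpu: "1024"
      Memory: "2048"
      ContainerDefinitions:
        - Name: kpow-io
          Cpu: 896
          Memory: 1792
          MemoryReservation: 1792
          # NOTE(review): every entry below is a plain environment variable, so
          # the SASL JAAS config and the Connect / Schema Registry passwords are
          # stored in the registered task definition, readable by any principal
          # allowed ecs:DescribeTaskDefinition. NoEcho only masks the
          # CloudFormation parameter. The container definition's Secrets list
          # (Secrets Manager or SSM Parameter Store references) is the usual way
          # to keep them out of here.
          Environment:
            ### kPow settings
            - Name: ENVIRONMENT_NAME
              Value: !Ref EnvironmentName
            - Name: PORT
              Value: !Ref Port
            - Name: ALLOW_TOPIC_CREATE
              Value: !Ref AllowTopicCreate
            - Name: ALLOW_TOPIC_INSPECT
              Value: !Ref AllowTopicInspect
            - Name: ALLOW_TOPIC_PRODUCE
              Value: !Ref AllowTopicProduce
            - Name: ALLOW_TOPIC_EDIT
              Value: !Ref AllowTopicEdit
            - Name: ALLOW_TOPIC_DELETE
              Value: !Ref AllowTopicDelete
            - Name: ALLOW_BROKER_EDIT
              Value: !Ref AllowBrokerEdit
            - Name: ALLOW_GROUP_EDIT
              Value: !Ref AllowGroupEdit
            - Name: ALLOW_SCHEMA_CREATE
              Value: !Ref AllowSchemaCreate
            - Name: ALLOW_SCHEMA_EDIT
              Value: !Ref AllowSchemaEdit
            - Name: ALLOW_CONNECT_CREATE
              Value: !Ref AllowConnectCreate
            - Name: ALLOW_CONNECT_EDIT
              Value: !Ref AllowConnectEdit
            - Name: ALLOW_ACL_EDIT
              Value: !Ref AllowAclEdit
            - Name: SHOW_SPLASH
              Value: !Ref ShowSplash
            ### Kafka Connection settings
            - Name: BOOTSTRAP
              Value: !Ref Bootstrap
            - Name: SECURITY_PROTOCOL
              Value: !Ref SecurityProtocol
            ### SASL Auth Settings
            - Name: SASL_MECHANISM
              Value: !Ref SaslMechanism
            - !If [ HasSaslJaasConfig, { Name: SASL_JAAS_CONFIG, Value: !Ref SaslJaasConfig }, !Ref "AWS::NoValue" ]
            ### Connect Cluster (the REST URL gates the group; credentials only when a user is given)
            - !If [ HasConnectRestUrl, { Name: CONNECT_REST_URL, Value: !Ref ConnectRestUrl }, !Ref "AWS::NoValue" ]
            - !If [ HasConnectUser, { Name: CONNECT_AUTH, Value: !Ref ConnectAuth }, !Ref "AWS::NoValue" ]
            - !If [ HasConnectUser, { Name: CONNECT_USER, Value: !Ref ConnectUser }, !Ref "AWS::NoValue" ]
            - !If [ HasConnectUser, { Name: CONNECT_PASSWORD, Value: !Ref ConnectPassword }, !Ref "AWS::NoValue" ]
            - !If [ HasConnectRestUrl, { Name: CONNECT_GROUP_ID, Value: !Ref ConnectGroupId }, !Ref "AWS::NoValue" ]
            - !If [ HasConnectRestUrl, { Name: CONNECT_OFFSET_STORAGE_TOPIC, Value: !Ref ConnectOffsetStorageTopic }, !Ref "AWS::NoValue" ]
            ### Schema Registry (all entries gated on the registry URL)
            - !If [ HasSchemaRegistryUrl, { Name: SCHEMA_REGISTRY_URL, Value: !Ref SchemaRegistryUrl }, !Ref "AWS::NoValue" ]
            - !If [ HasSchemaRegistryUrl, { Name: SCHEMA_REGISTRY_AUTH, Value: !Ref SchemaRegistryAuth }, !Ref "AWS::NoValue" ]
            - !If [ HasSchemaRegistryUrl, { Name: SCHEMA_REGISTRY_USER, Value: !Ref SchemaRegistryUser }, !Ref "AWS::NoValue" ]
            - !If [ HasSchemaRegistryUrl, { Name: SCHEMA_REGISTRY_PASSWORD, Value: !Ref SchemaRegistryPassword }, !Ref "AWS::NoValue" ]
            ### License
            - Name: LICENSE_ID
              Value: !Ref LicenseId
            - Name: LICENSE_CODE
              Value: !Ref LicenseCode
            - Name: LICENSEE
              Value: !Ref Licensee
            - Name: LICENSE_EXPIRY
              Value: !Ref LicenseExpiry
            - Name: LICENSE_SIGNATURE
              Value: !Ref LicenseSignature
          Essential: true
          Image: !Ref ContainerUrl
          LogConfiguration:
            LogDriver: awslogs
            Options:
              # Creating the group from the agent needs logs:CreateLogGroup on
              # the execution role (granted below).
              awslogs-create-group: 'true'
              awslogs-group: kpow-io
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: task
          PortMappings:
            - ContainerPort: !Ref Port
      Family: kpow-io

  containerService:
    Type: AWS::ECS::Service
    Properties:
      ServiceName: kpow-io
      Cluster: !Ref ClusterName
      DesiredCount: 1
      NetworkConfiguration:
        AwsvpcConfiguration:
          SecurityGroups:
            - !Ref containersg
          Subnets:
            - !Ref KpowSubnet
          AssignPublicIp: !Ref PublicIp
      LaunchType: !Ref LaunchType
      TaskDefinition: !Ref 'taskdefinition'

  containersg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # Fixed GroupName: only one such group can exist per VPC, so a second
      # deployment of this stack into the same VPC will fail on this resource.
      GroupName: kpow-container
      VpcId: !Ref VpcId
      GroupDescription: kPow Container Security Group
      Tags:
        - Key: Name
          Value: kpow-container

  containeringress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      # The only inbound rule: UI port from the deployer-supplied CIDR.
      Description: Permit access to kPow UI
      IpProtocol: tcp
      FromPort: !Ref Port
      ToPort: !Ref Port
      GroupId: !Ref containersg
      CidrIp: !Ref UiRange

  containeregress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      # Matches the "permissive outbound" described in the header. NOTE(review):
      # a security group declared without inline SecurityGroupEgress presumably
      # keeps its default allow-all outbound rule, in which case this standalone
      # rule does not narrow anything — verify and scope to the Kafka/ECR
      # endpoints if tighter egress is wanted.
      Description: Permit access to Kakfa Clusters / ECR
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      CidrIp: 0.0.0.0/0
      GroupId: !Ref containersg

  RoleAppContainer:
    Type: AWS::IAM::Role
    Properties:
      # Fixed RoleName: deploying needs CAPABILITY_NAMED_IAM and only one copy
      # of the role can exist per account.
      RoleName: kpow_io_role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: ecs-service
          PolicyDocument:
            Statement:
              # NOTE(review): this role is attached as the task role as well as
              # the execution role, so the kPow process inherits all of it. The
              # ecs:* actions are container-agent permissions the application
              # never needs, and ecr:GetAuthorizationToken is the only action
              # here that requires Resource '*'; a separate, empty-policy task
              # role and logs actions scoped to the kpow-io log group would be
              # the least-privilege shape.
              - Effect: Allow
                Action:
                  - ecs:CreateCluster
                  - ecs:DeregisterContainerInstance
                  - ecs:DiscoverPollEndpoint
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:DescribeLogGroups
                  - logs:DescribeLogStreams
                  - logs:PutLogEvents
                Resource: '*'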
Metadata:
  # Console-only presentation: groups the parameters above into labelled
  # sections on the "Specify stack details" page, in this order. It has no
  # effect on deployment.
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label: { default: "Deployment Settings" }
        Parameters:
          - ContainerUrl
          - ClusterName
          - LaunchType
          - VpcId
          - KpowSubnet
          - PublicIp
          - UiRange
      - Label: { default: "kPow UI Configuration" }
        Parameters:
          - EnvironmentName
          - Port
          - ShowSplash
      - Label: { default: "Global Access Controls" }
        Parameters:
          - AllowTopicCreate
          - AllowTopicInspect
          - AllowTopicProduce
          - AllowTopicEdit
          - AllowTopicDelete
          - AllowBrokerEdit
          - AllowGroupEdit
          - AllowSchemaCreate
          - AllowSchemaEdit
          - AllowConnectCreate
          - AllowConnectEdit
          - AllowAclEdit
      - Label: { default: "Kafka Cluster Configuration (see: https://docs.kpow.io/config/kafka-cluster)" }
        Parameters:
          - Bootstrap
          - SecurityProtocol
          - SaslMechanism
          - SaslJaasConfig
      - Label: { default: "Schema Registry (see: https://docs.kpow.io/config/schema-registry)" }
        Parameters:
          - SchemaRegistryUrl
          - SchemaRegistryAuth
          - SchemaRegistryUser
          - SchemaRegistryPassword
      - Label: { default: "Kafka Connect (see: https://docs.kpow.io/config/kafka-connect)" }
        Parameters:
          - ConnectRestUrl
          - ConnectAuth
          - ConnectUser
          - ConnectPassword
          - ConnectGroupId
          - ConnectOffsetStorageTopic
      - Label: { default: "License Details (start a free 30-day trial -> https://kpow.io/try)" }
        Parameters:
          - LicenseId
          - LicenseCode
          - Licensee
          - LicenseExpiry
          - LicenseSignature