Skip to content

nais/karapace

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

81 Commits
.github
.github
 
 
nais
nais
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
CODEOWNERS
CODEOWNERS
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
karapace_config.json
karapace_config.json
 
 
launcher.sh
launcher.sh
 
 

Repository files navigation

Karapace

This is a packaging of Aiven Karapace for use as a REST API for Kafka in the NAIS platform together with Kafkarator.

Aiven uses Karapace to provide a REST API and Schema Registry for their managed Kafka offering. Unfortunately, their setup means that any user with access to the REST API will have full access to all topics regardless of ACLs in use. This is not acceptable for us, so we have created this packaging where teams can deploy Karapace in their own namespaces on the NAIS platform, with credentials that limit it to just the topics they should have access to.

Access control

⚠️⚠️⚠️ NOTE ⚠️⚠️⚠️

In order to ensure proper access control for the REST API, the application should be deployed to our GCP clusters, with no ingress and strictly configured Access Policies. This is important, as anyone who can call your instance of Karapace will have access to everything you have access to.

Deploy

1. Create a new repository with a nais.yaml file:

apiVersion: "nais.io/v1alpha1"
kind: "Application"
metadata:
  name: karapace
  namespace: myteam
  labels:
    team: myteam
spec:
  image: ghcr.io/nais/karapace:latest
  liveness:
    path: "/"
  readiness:
    path: "/brokers"
  replicas:
    min: 1
    max: 1
    cpuThresholdPercentage: 50
  prometheus:
    enabled: false
  resources:
    limits:
      cpu: "200m"
      memory: "256Mi"
    requests:
      cpu: "200m"
      memory: "256Mi"
  kafka:
    pool: nav-dev

If you want to use a specific version, get the latest karapace image from the Karapace package page.

2. Create a workflow to deploy the application and configmap

name: "Deploy Karapace"
on:
  push:
    branches:
    - "main"
jobs:
  deploy:
    name: "Deploy Karapace"
    runs-on: ubuntu-latest
    steps:
      - uses: "actions/checkout@v2"
      - uses: nais/deploy/actions/deploy@v1
        env:
          CLUSTER: dev-gcp
          RESOURCE: nais.yaml

3. Commit and push

Commit nais.yaml and .github/workflows/main.yaml and push to github.

Usage

Karapace provides the same API as the Confluent Kafka REST proxy (v1). The Confluent documentation should be fairly accurate, but differences may be documented in the Aiven Karapace project. See also this issue.

Karapace will be available using a service address in the cluster (http://application-name.namespace/), assuming you have set proper access policies.

Verifying the Karapace image and its contents

The image is signed "keylessly" using Sigstore cosign. To verify its authenticity run

cosign verify \
--certificate-identity "https://github.com/nais/karapace/.github/workflows/main.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/nais/karapace@sha256:<shasum>

The images are also attested with SBOMs in the CycloneDX format. You can verify these by running

cosign verify-attestation --type cyclonedx \
--certificate-identity "https://github.com/nais/karapace/.github/workflows/main.yaml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/nais/karapace@sha256:<shasum>

About

No description or website provided.

Topics

nais-features

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

8 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 5

Languages