Add docker-compose cluster for use in integration tests

rnpridgeon · Ryan P · commit 18d953abad5e · 2018-12-04T03:12:26.000-05:00
diff --git a/.gitignore b/.gitignore
@@ -21,3 +21,4 @@ dl-*
 *.whl
 .pytest_cache
 staging
+tests/docker/conf/tls/*
diff --git a/tests/docker/.env b/tests/docker/.env
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+export DOCKER_SOURCE="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+export DOCKER_CONTEXT=$DOCKER_SOURCE/docker-compose.yaml
+export DOCKER_BIN=$DOCKER_SOURCE/bin
+export DOCKER_CONF=$DOCKER_SOURCE/conf
+export TLS=$DOCKER_CONF/tls
+
+export MY_BOOTSTRAP_SERVER_ENV=localhost:29092
+export MY_SCHEMA_REGISTRY_URL_ENV=http://$(hostname):8081
+export MY_SCHEMA_REGISTRY_SSL_URL_ENV=https://$(hostname -f):8082
+export MY_SCHEMA_REGISTRY_SSL_CA_LOCATION_ENV=$TLS/ca-cert
+export MY_SCHEMA_REGISTRY_SSL_CERTIFICATE_LOCATION_ENV=$TLS/client.pem
+export MY_SCHEMA_REGISTRY_SSL_KEY_LOCATION_ENV=$TLS/client.key
diff --git a/tests/docker/bin/certify.sh b/tests/docker/bin/certify.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash -eu
+
+DOCKER_BIN="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+export PASS="abcdefgh"
+
+source ${DOCKER_BIN}/../.env
+
+mkdir -p ${TLS}
+
+if [[ -f ${TLS}/ca-cert ]]; then
+    echo "${TLS}/ca-cert found; skipping certificate generation.."
+    exit 0
+fi
+
+HOST=$(hostname -f)
+
+echo "Creating ca-cert..."
+${DOCKER_BIN}/gen-ssl-certs.sh ca ${TLS}/ca-cert ${HOST}
+echo "Creating server cert..."
+${DOCKER_BIN}/gen-ssl-certs.sh -k server ${TLS}/ca-cert  ${TLS}/ ${HOST} ${HOST}
+echo "Creating client cert..."
+${DOCKER_BIN}/gen-ssl-certs.sh client ${TLS}/ca-cert ${TLS}/ ${HOST} ${HOST}
+
+echo "Creating key ..."
+openssl rsa -in ${TLS}/client.key -out ${TLS}/client.key  -passin pass:${PASS}
+
diff --git a/tests/docker/bin/cluster_down.sh b/tests/docker/bin/cluster_down.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -eu
+
+DOCKER_BIN="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source ${DOCKER_BIN}/../.env
+
+echo "Destroying cluster.."
+docker-compose -f ${DOCKER_CONTEXT} down -v --remove-orphans
diff --git a/tests/docker/bin/cluster_up.sh b/tests/docker/bin/cluster_up.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash -eu
+
+DOCKER_BIN="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
+source ${DOCKER_BIN}/../.env
+
+# Wait for http service listener to come up and start serving
+# $1 http service name
+# $2 http service address
+await_http() {
+    local exit_code
+    local attempt=0
+
+    until curl ${2} || [[ ${attempt} -gt 5 ]]; do
+        echo "awaiting $1..."
+        let "attempt+=1"
+        sleep 6
+    done
+
+    if [[ ${attempt} -lt 5 ]]; then
+        return
+    fi
+
+    echo "$1 readiness test failed: aborting"
+    exit 1
+}
+
+echo "Configuring Environment..."
+source ${DOCKER_SOURCE}/.env
+
+echo "Generating SSL certs..."
+${DOCKER_BIN}/certify.sh
+
+echo "Deploying cluster..."
+docker-compose -f ${DOCKER_CONTEXT} up -d
+
+echo "Setting throttle for throttle test..."
+docker-compose -f ${DOCKER_CONTEXT} exec kafka sh -c "
+        /usr/bin/kafka-configs  --zookeeper zookeeper:2181 \
+                --alter --add-config 'producer_byte_rate=1,consumer_byte_rate=1,request_percentage=001' \
+                --entity-name throttled_client --entity-type clients"
+
+await_http "schema-registry" "http://localhost:8081"
+await_http "schema-registry-basic-auth" "http://localhost:8083"
+
diff --git a/tests/docker/bin/gen-ssl-certs.sh b/tests/docker/bin/gen-ssl-certs.sh
@@ -0,0 +1,159 @@
+#!/usr/bin/env bash -eu
+#
+#
+# This scripts generates:
+#  - root CA certificate
+#  - server certificate and keystore
+#  - client keys
+#
+# https://cwiki.apache.org/confluence/display/KAFKA/Deploying+SSL+for+Kafka
+#
+
+if [[ "$1" == "-k" ]]; then
+    USE_KEYTOOL=1
+    shift
+else
+    USE_KEYTOOL=0
+fi
+
+OP="${1:-}"
+CA_CERT="${2:-}"
+PFX="${3:-}"
+HOST="${4:-$(hostname -f)}"
+
+C=NN
+ST=NN
+L=NN
+O=NN
+OU=NN
+CN="$HOST"
+
+# Cert validity, in days
+VALIDITY=10000
+
+set -e
+
+export LC_ALL=C
+
+if [[ $OP == "ca" && ! -z "$CA_CERT" && ! -z "$3" ]]; then
+    CN="$3"
+    openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout ${CA_CERT}.key -out $CA_CERT -days $VALIDITY -passin "pass:$PASS" -passout "pass:$PASS" <<EOF
+${C}
+${ST}
+${L}
+${O}
+${OU}
+${CN}
+$USER@${CN}
+.
+.
+EOF
+
+
+
+elif [[ $OP == "server" && ! -z "$CA_CERT" && ! -z "$PFX" && ! -z "$CN" ]]; then
+
+    #Step 1
+    echo "############ Generating key"
+    keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias localhost -validity $VALIDITY -genkey -keyalg RSA <<EOF
+$CN
+$OU
+$O
+$L
+$ST
+$C
+yes
+yes
+EOF
+	
+    #Step 2
+    echo "############ Adding CA"
+    keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.truststore.jks -alias CARoot -import -file $CA_CERT <<EOF
+yes
+EOF
+    
+    #Step 3
+    echo "############ Export certificate"
+    keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias localhost -certreq -file ${PFX}cert-file -ext san=ip:127.0.0.1
+
+    echo "############ Sign certificate"
+    openssl x509 -req -CA $CA_CERT -CAkey ${CA_CERT}.key -in ${PFX}cert-file -out ${PFX}cert-signed -days $VALIDITY -CAcreateserial -passin "pass:$PASS"
+    
+    echo "############ Import CA"
+    keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias CARoot -import -file $CA_CERT <<EOF
+yes
+EOF
+    
+    echo "############ Import signed CA"
+    keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias localhost -import -file ${PFX}cert-signed    
+
+    
+elif [[ $OP == "client" && ! -z "$CA_CERT" && ! -z "$PFX" && ! -z "$CN" ]]; then
+
+    if [[ $USE_KEYTOOL == 1 ]]; then
+	echo "############ Creating client truststore"
+
+	[[ -f ${PFX}client.truststore.jks ]] || keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.truststore.jks -alias CARoot -import -file $CA_CERT <<EOF
+yes
+EOF
+
+	echo "############ Generating key"
+	keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.keystore.jks -alias localhost -validity $VALIDITY -genkey -keyalg RSA <<EOF
+$CN
+$OU
+$O
+$L
+$ST
+$C
+yes
+yes
+EOF
+	echo "########### Export certificate"
+	keytool -storepass "$PASS" -keystore ${PFX}client.keystore.jks -alias localhost -certreq -file ${PFX}cert-file -ext san=ip:127.0.0.1
+
+	echo "########### Sign certificate"
+	openssl x509 -req -CA ${CA_CERT} -CAkey ${CA_CERT}.key -in ${PFX}cert-file -out ${PFX}cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASS	
+
+	echo "########### Import CA"
+	keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.keystore.jks -alias CARoot -import -file ${CA_CERT} <<EOF
+yes
+EOF
+
+	echo "########### Import signed CA"
+	keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.keystore.jks -alias localhost -import -file ${PFX}cert-signed
+
+    else
+	# Standard OpenSSL keys
+	echo "############ Generating key"
+	openssl genrsa -des3 -passout "pass:$PASS" -out ${PFX}client.key 2048 
+	
+	echo "############ Generating request"
+	openssl req -passin "pass:$PASS" -passout "pass:$PASS" -key ${PFX}client.key -new -out ${PFX}client.req \
+		<<EOF
+$C
+$ST
+$L
+$O
+$OU
+$CN
+.
+$PASS
+.
+EOF
+
+	echo "########### Signing key"
+	openssl x509 -req -passin "pass:$PASS" -in ${PFX}client.req -CA $CA_CERT -CAkey ${CA_CERT}.key -CAserial ${CA_CERT}.srl -out ${PFX}client.pem -days $VALIDITY
+
+    fi
+
+    
+    
+
+else
+    echo "Usage: $0 ca <ca-cert-file> <CN>"
+    echo "       $0 [-k] server|client <ca-cert-file> <file_prefix> <hostname>"
+    echo ""
+    echo "       -k = Use keytool/Java Keystore, else standard SSL keys"
+    exit 1
+fi
+
diff --git a/tests/docker/conf/schema-registry/login.properties b/tests/docker/conf/schema-registry/login.properties
@@ -0,0 +1 @@
+ckp_tester:test_secret, Testers
diff --git a/tests/docker/conf/schema-registry/schema-registry.jaas b/tests/docker/conf/schema-registry/schema-registry.jaas
@@ -0,0 +1,4 @@
+SchemaRegistry {
+    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
+    file="/conf/schema-registry/login.properties";
+  };
diff --git a/tests/docker/docker-compose.yaml b/tests/docker/docker-compose.yaml
@@ -0,0 +1,68 @@
+version: '3'
+services:
+  zookeeper:
+    image: confluentinc/cp-zookeeper:5.0.0
+    ports:
+      - 2181:2181
+    environment:
+      ZOOKEEPER_CLIENT_PORT: 2181
+  kafka:
+    image: confluentinc/cp-kafka
+    depends_on:
+      - zookeeper
+    ports:
+      - 29092:29092
+    environment:
+      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT, PLAINTEXT_HOST:PLAINTEXT
+      KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092, PLAINTEXT_HOST://localhost:29092
+      KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
+      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
+      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
+  schema-registry:
+    image: confluentinc/cp-schema-registry:5.0.0
+    depends_on:
+    - zookeeper
+    - kafka
+    ports:
+    - 8081:8081
+    - 8082:8082
+    volumes:
+    - ./conf:/conf
+    environment:
+      SCHEMA_REGISTRY_HOST_NAME: schema-registry
+      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: PLAINTEXT://kafka:9092
+      SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8081, https://0.0.0.0:8082
+      SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: https
+      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /conf/tls/server.keystore.jks
+      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: ${PASS:-abcdefgh}
+      SCHEMA_REGISTRY_SSL_KEY_PASSWORD: ${PASS:-abcdefgh}
+      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /conf/tls/server.truststore.jks
+      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: abcdefgh
+      SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper:2181
+  schema-registry-basic-auth:
+    image: confluentinc/cp-schema-registry:5.0.0
+    depends_on:
+      - zookeeper
+      - kafka
+    ports:
+      - 8083:8083
+      - 8084:8084
+    volumes:
+      - ./conf:/conf
+    environment:
+      SCHEMA_REGISTRY_HOST_NAME: schema-registry2
+      SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas2
+      SCHEMA_REGISTRY_SCHEMA_REGISTRY_ZK_NAMESPACE: schema_registry2
+      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: PLAINTEXT://kafka:9092
+      SCHEMA_REGISTRY_LISTENERS: http://0.0.0.0:8083, https://0.0.0.0:8084
+      SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: https
+      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /conf/tls/server.keystore.jks
+      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: ${PASS:-abcdefgh}
+      SCHEMA_REGISTRY_SSL_KEY_PASSWORD: ${PASS:-abcdefgh}
+      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /conf/tls/server.truststore.jks
+      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: abcdefgh
+      SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL: zookeeper:2181
+      SCHEMA_REGISTRY_AUTHENTICATION_METHOD: BASIC
+      SCHEMA_REGISTRY_AUTHENTICATION_REALM: SchemaRegistry
+      SCHEMA_REGISTRY_AUTHENTICATION_ROLES: Testers
+      SCHEMA_REGISTRY_OPTS: -Djava.security.auth.login.config=/conf/schema-registry/schema-registry.jaas
