diff --git a/portals/kafka/README.md b/portals/kafka/README.md index 476be654..154b5609 100644 --- a/portals/kafka/README.md +++ b/portals/kafka/README.md @@ -25,9 +25,9 @@ To learn how end-to-end trust is established, please read: “[ -Apache KafkaWe send end-to-end encrypted messages through Apache Kafka.apache-kafkaRedpandaWe send end-to-end encrypted messages through Redpanda.redpandaInstaclustrWe send end-to-end encrypted messages through Instaclustr.instaclustrConfluentWe send end-to-end encrypted messages through Confluent.confluentAivenWe send end-to-end encrypted messages through Aiven.aivenWarpstreamWe send end-to-end encrypted messages through Warpstream.Warpstream +InstaclustrWe send end-to-end encrypted messages through Instaclustr.instaclustrConfluentWe send end-to-end encrypted messages through Confluent.confluentAivenWe send end-to-end encrypted messages through Aiven.aivenWarpstreamWe send end-to-end encrypted messages through Warpstream.Warpstream diff --git a/portals/kafka/apache-kafka/README.md b/portals/kafka/apache-kafka/README.md deleted file mode 100644 index 43f99140..00000000 --- a/portals/kafka/apache-kafka/README.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -layout: - title: - visible: true - description: - visible: false - tableOfContents: - visible: true - outline: - visible: true - pagination: - visible: true ---- - -# Apache Kafka - -Create an Ockam **Portal** to send end-to-end encrypted messages through Apache Kafka. - -[Ockam](../../../) encrypts messages from a Producer to a specific Consumer. Only that specific Consumer can decrypt these messages. This guarantees that your data cannot be observed or tampered as it passes through Kafka. Operators of the Kafka cluster only see end-to-end encrypted data. Any compromise of an operator's infrastructure cannot compromise your business data. - -To learn how end-to-end trust is established, please read: “[How does Ockam work?](../../../how-does-ockam-work.md)” - - - -
- -Please select an example to dig in: - -
Apache Kafka - DockerWe send end-to-end encrypted messages through Apache Kafka.
diff --git a/portals/kafka/apache-kafka/docker.md b/portals/kafka/apache-kafka/docker.md deleted file mode 100644 index fc5563a8..00000000 --- a/portals/kafka/apache-kafka/docker.md +++ /dev/null @@ -1,83 +0,0 @@ -# Docker - -In this hands-on example we send end-to-end encrypted messages _through_ Apache Kafka. - -[Ockam](../../../) encrypts messages from a Producer to a specific Consumer. Only that specific Consumer can decrypt these messages. This guarantees that your data cannot be observed or tampered as it passes through Kafka. Operators of the Kafka cluster only see end-to-end encrypted data. Any compromise of an operator's infrastructure cannot compromise your business data. - -To learn how end-to-end trust is established, please read: “[How does Ockam work?](../../../how-does-ockam-work.md)” - -
- -### Run - -This example requires Bash, Git, Curl, Docker, and Docker Compose. Please set up these tools for your operating system, then run the following commands: - -```bash -# Clone the Ockam repo from Github. -git clone --depth 1 https://github.com/build-trust/ockam && cd ockam - -# Navigate to this example’s directory. -cd examples/command/portals/kafka/apache/docker/ - -# Run the example, use Ctrl-C to exit at any point. -./run.sh -``` - -If everything runs as expected, you'll see the message: _The example run was successful 🥳_ - -### Walkthrough - -The [run.sh script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh) that you ran above, and its [accompanying files](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker), are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore. - -#### Administrator - -* The [run.sh script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh) calls the [run function](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L15) which invokes the [enroll command](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L29) to create a new identity, sign in to Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership [credential](../../../reference/protocols/identities.md#credentials). -* The run function then [generates three new enrollment tickets](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L31-L46), each valid for 10 minutes, and can be redeemed only once. 
The [first ticket](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L31-L38) is meant for the Ockam node that will run in Kafka Operator's network. The [second and third tickets](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L40-L46) are meant for the Ockam node that will run in Application Team’s network. -* In a typical production setup, an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project. It provisions Ockam nodes in [Kafka Operator’s network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L53C31-L53C73) and [Application Team’s network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L60C33-L60C158), passing them their tickets using environment variables. -* The run function invokes docker-compose for both [Kafka Operator's network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L53C74-L53C94) and [Application Team's network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L60C159-L60C176). - -#### Kafka Operator - -```yaml -# Create a dedicated and isolated virtual network for kafka_operator. -networks: - kafka_operator: - driver: bridge -``` - - -* Kafka Operator’s [docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/docker-compose.yml) is used when run.sh invokes docker-compose. It creates an [isolated virtual network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/docker-compose.yml#L4-L7) for Kafka Operator. 
-* In this network, docker compose starts a [container with an Apache Kafka server](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/docker-compose.yml#L9-L21). This container becomes available at kafka:9092 in the Kafka Operator's network. -* Once the Kafka container [is ready](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/docker-compose.yml#L28C17-L28C24), docker compose starts an [Ockam node in a container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/docker-compose.yml#L23-L36) as a companion to the Kafka container described by `ockam.yaml`, [embedded in the script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/run_ockam.sh#L8-L22). The node will automatically create an identity, [enroll with your project](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/run_ockam.sh#L8-L22) using the ticket [passed to the container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka_operator/docker-compose.yml#L33), and set up Kafka outlet. -* The Ockam node then uses this identity and membership credential to authenticate and create a relay in the project, back to the node, at relay: kafka. The run function [gave the enrollment ticket permission](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/run.sh#L38C81-L38C94) to use this relay address. - -#### Application Team - -```yaml -# Create a dedicated and isolated virtual network for application_team. 
-networks: - application_team: - driver: bridge -``` - -* Application Team’s [docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml) is used when run.sh invokes docker-compose. It creates an [isolated virtual network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml#L2-L4) for Application Team. In this network, docker compose starts a [Kafka Consumer container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml#L6-L36) and a [Kafka Producer container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml#L38-L68). -* The Kafka consumer container is created using [a dockerfile](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/kafka\_ockam.dockerfile) and an [entrypoint script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/run_ockam.sh). The consumer enrollment ticket from run.sh is [passed to the container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml#L15) via an environment variable. -* When the Kafka consumer node container starts in the Application Team's network, it runs [its entrypoint](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/run_ockam.sh), creating the Ockam node described by `ockam.yaml`, [embedded in the script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/run_ockam.sh#L7-L15). The node will automatically create an identity, enroll with your project, and set up the Kafka inlet. 
-* Next, the entrypoint at the end executes the [command present in the docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml#L17-L36), which launches a Kafka consumer waiting for messages in the demo topic. Once the messages are received, they are printed out. -* In the producer container, the process is analogous. Once the Ockam node is setup, the [command within docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/apache/docker/application_team/docker-compose.yml#L47-L68) launches a Kafka producer that sends messages. - -### Recap - -We sent end-to-end encrypted messages _through_ Apache Kafka. - -Messages are encrypted with strong forward secrecy as soon as they leave a Producer, and only the intended Consumer can decrypt those messages. Kafka brokers and other Consumers can only see encrypted messages. - -All communication is mutually authenticated and authorized. Keys and credentials are automatically rotated. Access can be easily revoked. - -### Cleanup - -To delete all containers and images: - -```sh -./run.sh cleanup -``` diff --git a/portals/kafka/apache-kafka/page.md b/portals/kafka/apache-kafka/page.md deleted file mode 100644 index 5c4b4d58..00000000 --- a/portals/kafka/apache-kafka/page.md +++ /dev/null @@ -1,2 +0,0 @@ -# Page - diff --git a/portals/kafka/redpanda/README.md b/portals/kafka/redpanda/README.md deleted file mode 100644 index de40d4a4..00000000 --- a/portals/kafka/redpanda/README.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -layout: - title: - visible: true - description: - visible: false - tableOfContents: - visible: true - outline: - visible: true - pagination: - visible: true ---- - -# Redpanda - -Create an Ockam **Portal** to send end-to-end encrypted messages _through_ Redpanda. - -[Ockam](../../../) encrypts messages from a Producer all-of-the-way to a _specific_ Consumer. Only that _specific_ Consumer can decrypt these messages. This guarantees that your data cannot be observed or tampered with as it passes through Redpanda or the network where it is hosted. The operators of Redpanda can only see encrypted data in the network and in service that they operate. Thus, a compromise of the operator's infrastructure will not compromise the data stream's security, privacy, or integrity. - -To learn how end-to-end trust is established, please read: “[How does Ockam work?](../../../how-does-ockam-work.md)” - -
- -Please select an example to dig in: - -
Redpanda - Self HostedSend end-to-end encrypted messages through Redpanda.
diff --git a/portals/kafka/redpanda/self_hosted.md b/portals/kafka/redpanda/self_hosted.md deleted file mode 100644 index f067962d..00000000 --- a/portals/kafka/redpanda/self_hosted.md +++ /dev/null @@ -1,98 +0,0 @@ ---- -layout: - title: - visible: true - description: - visible: false - tableOfContents: - visible: true - outline: - visible: true - pagination: - visible: true ---- - -# Self Hosted - -In this hands-on example we send end-to-end encrypted messages _through_ Redpanda. - -[Ockam](../../../) encrypts messages from a Producer all-of-the-way to a _specific_ Consumer. Only that _specific_ Consumer can decrypt these messages. This guarantees that your data cannot be observed or tampered with as it passes through Redpanda or the network where it is hosted. The operators of Redpanda can only see encrypted data in the network and in service that they operate. Thus, a compromise of the operator's infrastructure will not compromise the data stream's security, privacy, or integrity. - -To learn how end-to-end trust is established, please read: “[How does Ockam work?](../../../how-does-ockam-work.md)” - -
- -### Run - -This example requires Bash, Git, Curl, Docker, and Docker Compose. Please set up these tools for your operating system, then run the following commands: - -```bash -# Clone the Ockam repo from Github. -git clone --depth 1 https://github.com/build-trust/ockam && cd ockam - -# Navigate to this example’s directory. -cd examples/command/portals/kafka/redpanda/docker/ - -# Run the example, use Ctrl-C to exit at any point. -./run.sh -``` - -If everything runs as expected, you'll see the message: _The example run was successful 🥳_ - -### Walkthrough - -The [run.sh script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh), that you ran above, and its [accompanying files](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker) are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore. - -#### Administrator - -* The [run.sh script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh) calls the [run function](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L15) which invokes the [enroll command](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L29) to create an new identity, sign in to Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership [credential](../../../reference/protocols/identities.md#credentials). -* The run function then [generates three new enrollment tickets](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L31-L46), each valid for 10 minutes, and can be redeemed only once. 
The [first ticket](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L30-L39) is meant for the Ockam node that will run in Redpanda Operator’s network. The [second and third tickets](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L41-L48) are meant for the Consumer and Producer, in the Ockam node that will run in Application Team’s network. -* In a typical production setup, an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project. It provisions Ockam nodes in [Redpanda Operator’s network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L53C31-L53C73) and [Application Team’s network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L60C33-L60C158), passing them their tickets using environment variables. -* The run function takes the enrollment tickets, sets them as the value of an [environment variable](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L53C36-L53C53), and [invokes docker-compose](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L48-L60) to create Redpanda Operator’s and Application Team’s networks. - -#### Redpanda Operator - -```yaml -# Create a dedicated and isolated virtual network for redpanda_operator. -networks: - redpanda_operator: - driver: bridge -``` - -* Redpanda Operator’s [docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml) is used when run.sh invokes docker-compose. 
It creates an [isolated virtual network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml#L3-L5) for Redpanda Operator. -* In this network, docker compose starts a [container with a Redpanda event store ](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml#L21-L56). This container becomes available at redpanda:9092 in the Redpanda Operator network. -* In the same network, docker compose also starts a [Redpanda console ](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml#L57-L79), connecting directly to redpanda:9092. The console will be reachable throughout the example at http://127.0.0.1:8080. -* Once the Redpanda container [is ready](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml#L12C5-L12C27), docker compose starts an [Ockam node in a container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml#L11-L20) as a companion to the Redpanda container described by `ockam.yaml`, [embedded in the script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/run\_ockam.sh#L7-L17). The node will automatically create an identity, [enroll with your project](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/run\_ockam.sh#L6-L15) using the ticket [passed to the container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/redpanda\_operator/docker-compose.yml#L17), and set up Kafka outlet. 
-* The Ockam node then uses this identity and membership credential to authenticate and create a relay in the project, back to the node, at relay: redpanda. The run function [gave the enrollment ticket permission](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/run.sh#L38C86-L38C102) to use this relay address. - -#### Application Team - -```yaml -# Create a dedicated and isolated virtual network for application_team. -networks: - application_team: - driver: bridge -``` - -* Application Team’s [docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml) is used when run.sh invokes docker-compose. It creates an [isolated virtual network](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml#L3-L5) for the Application Team. In this network, docker compose starts a [Kafka Consumer container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml#L7-L38) and a [Kafka Producer container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml#L39-L69). -* The Kafka consumer node container is created using [this dockerfile](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/kafka\_client.dockerfile) and this [entrypoint script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/run\_ockam.sh). The consumer enrollment ticket from run.sh is [passed to the container](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml#L16) via environment variable. 
-* When the Kafka consumer node container starts in the Application Team's network, it runs [its entrypoint](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/run\_ockam.sh). The entrypoint creates the Ockam node described by `ockam.yaml`, [embedded in the script](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/run\_ockam.sh#L7-L15). The node will automatically create an identity, [enroll with your project](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/run\_ockam.sh#L6-L15), and setup Kafka inlet. -* Next, the entrypoint at the end executes the [command present in the docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml#L20-L38), which launches a Kafka consumer waiting for messages in the demo topic. Once the messages are received, they are printed out. -* In the producer container, the process is analogous, once the Ockam node is set up the [command within docker-compose configuration](https://github.com/build-trust/ockam/blob/develop/examples/command/portals/kafka/redpanda/docker/application\_team/docker-compose.yml#L51-L69) launches a Kafka producer that sends messages. -* You can view the Redpanda console available at http://127.0.0.1:8080 to see the encrypted messages - -### Recap - -We sent end-to-end encrypted messages _through_ Redpanda. - -Messages are encrypted with strong forward secrecy as soon as they leave a Producer, and only the intended Consumer can decrypt those messages. Redpanda and other Consumers can only see encrypted messages. - -All communication is mutually authenticated and authorized. Keys and credentials are automatically rotated. Access can be easily revoked. 
- -### Cleanup - -To delete all containers and images: - -```sh -./run.sh cleanup -```
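Review bot: The card list in portals/kafka/README.md loses the Apache Kafka and Redpanda entries with no replacement text, so a reader who self-hosts a broker now sees only the managed offerings (Instaclustr, Confluent, Aiven, Warpstream) and no pointer to where the self-hosted walkthroughs went. Add a one-line note under the intro saying where self-hosted Kafka and Redpanda are now documented, or state in the PR description that those examples are being retired; the patch carries no commit message explaining the removal.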
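Review bot: Deleting portals/kafka/apache-kafka/README.md removes a published page without a redirect, so any remaining inbound link to `portals/kafka/apache-kafka/` will break. Grep the docs tree for that path before merging and, if the site supports redirects, point the old URL at whichever page now covers Apache Kafka.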
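Review bot: The deleted docker.md is the only page in this diff that documents the provisioning controls the Apache Kafka example depends on: enrollment tickets valid for 10 minutes and redeemable once, the ticket granting the operator node permission to use the `kafka` relay address, tickets handed to containers through environment variables, and the outlet/inlet pairing between the Kafka Operator and Application Team networks. If examples/command/portals/kafka/apache/docker/ still exists in the ockam repo, deleting this page leaves that example undocumented; either remove the example in the same change or move the Administrator and Kafka Operator walkthrough sections to the page that supersedes this one.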
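Review bot: Same concern as the Apache Kafka index page for portals/kafka/redpanda/README.md: it is removed without a redirect, and its card is the only thing the first hunk deletes for Redpanda, so confirm nothing else in the docs tree links to `portals/kafka/redpanda/` and add a redirect if the site supports one.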
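Review bot: The deleted self_hosted.md contains the one verification step in either walkthrough that lets a reader check the end-to-end claim themselves: the Redpanda console at http://127.0.0.1:8080 connects directly to redpanda:9092 and shows only encrypted messages in the demo topic. If this walkthrough is being replaced rather than dropped, carry that broker-side inspection step over, since it is what demonstrates that the operator's console and broker never see plaintext. If the page is moved instead of deleted, also fix the mis-targeted link in the Redpanda Operator section, where "enroll with your project" points at application_team/run_ockam.sh rather than redpanda_operator/run_ockam.sh.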