docker-compose.yml

# docker-compose supports environment variable substitution with the ${VARIABLE-NAME} syntax.
# Environment variables can be sourced in a variety of ways.  One of those ways is through
# a well known '.env' file located in the same folder as the docker-compose.yml file.  See the Docker
# documentation for details: https://docs.docker.com/compose/environment-variables/#the-env-file
# 
# This feature is being used to parameterize some values within this file.  In this directory is also
# a .env file, which is actually a symbolic link to <examples-root>/utils/config.env.  That file
# contains values which get substituted here when docker-compose parses this file.
#
# If you'd like to view the docker-compose.yml file rendered with its environment variable substitutions
# you can execute the `docker-compose config` command.  Take note that some demos provide additional 
# environment variable values by exporting them in a script prior to running `docker-compose up`.
---
services:

  zookeeper:
    image: ${REPOSITORY}/cp-zookeeper:${CONFLUENT_DOCKER_TAG}
    restart: always
    hostname: zookeeper
    container_name: zookeeper
    healthcheck:
      test: echo srvr | nc zookeeper 2181 || exit 1
      retries: 20
      interval: 10s
    ports:
      - 2181:2181
      - 2182:2182
    environment:
      ZOOKEEPER_CLIENT_PORT: 2181
      ZOOKEEPER_TICK_TIME: 2000
      ZOOKEEPER_SECURE_CLIENT_PORT: 2182
      ZOOKEEPER_SERVER_CNXN_FACTORY: org.apache.zookeeper.server.NettyServerCnxnFactory
      ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.zookeeper.keystore.jks
      ZOOKEEPER_SSL_KEYSTORE_PASSWORD: confluent
      ZOOKEEPER_SSL_KEYSTORE_TYPE: PKCS12
      ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.zookeeper.truststore.jks
      ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: confluent
      ZOOKEEPER_SSL_TRUSTSTORE_TYPE: JKS

      # TLS 1.2 is the tested-default - TLS 1.3 has not been tested for production
      # You can evaluate TLS 1.3 for ZooKeeper by uncommenting the following two properties
      # and setting KAFKA_ZOOKEEPER_SSL_PROTOCOL on brokers
      #ZOOKEEPER_SSL_ENABLED_PROTOCOLS: TLSv1.3,TLSv1.2
      #ZOOKEEPER_SSL_QUORUM_ENABLED_PROTOCOLS: TLSv1.3,TLSv1.2

      ZOOKEEPER_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}
      ZOOKEEPER_SSL_CLIENT_AUTH: need
      ZOOKEEPER_AUTH_PROVIDER_X509: org.apache.zookeeper.server.auth.X509AuthenticationProvider
      ZOOKEEPER_AUTH_PROVIDER_SASL: org.apache.zookeeper.server.auth.SASLAuthenticationProvider
      KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/zookeeper_jaas.conf
    volumes:
      - ./scripts/security:/etc/kafka/secrets

  tools:
    image: cnfldemos/tools:0.3
    hostname: tools
    container_name: tools
    volumes:
      - ./scripts/helper:/tmp/helper
      - ./scripts/security:/etc/kafka/secrets
    entrypoint: /bin/bash
    tty: true
    environment:
      TZ: America/New_York

  openldap:
    image: osixia/openldap:1.3.0
    hostname: openldap
    container_name: openldap
    environment:
        LDAP_ORGANISATION: "ConfluentDemo"
        LDAP_DOMAIN: "confluentdemo.io"
        LDAP_BASE_DN: "dc=confluentdemo,dc=io"
    volumes:
        - ./scripts/security/ldap_users:/container/service/slapd/assets/config/bootstrap/ldif/custom
    command: "--copy-service --loglevel debug"

  kafka1:
    image: ${REPOSITORY}/cp-server:${CONFLUENT_DOCKER_TAG}
    hostname: kafka1
    container_name: kafka1
    healthcheck:
      test: curl --user superUser:superUser -fail --silent --insecure https://kafka1:8091/kafka/v3/clusters/ --output /dev/null || exit 1
      interval: 10s
      retries: 25
      start_period: 20s
    depends_on:
      zookeeper:
        condition: service_healthy
      openldap:
        condition: service_started
    volumes:
      - ./scripts/security/keypair:/tmp/conf
      - ./scripts/helper:/tmp/helper
      - ./scripts/security:/etc/kafka/secrets
    command: "bash -c 'if [ ! -f /etc/kafka/secrets/kafka.kafka1.keystore.jks ]; then echo \"ERROR: Did not find SSL certificates in /etc/kafka/secrets/ (did you remember to run ./scripts/start.sh instead of docker-compose up -d?)\" && exit 1 ; else /etc/confluent/docker/run ; fi'"
    ports:
      - 8091:8091
      - 9091:9091
      - 10091:10091
      - 11091:11091
      - 12091:12091
    environment:
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2182
      KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE: 'true'

      # Broker uses TLSv1.2 by-default for ZooKeeper TLS connections
      # See note for ZOOKEEPER_SSL_ENABLED_PROTOCOLS regarding TLS 1.3 support
      # Uncomment the following property to evaluate TLS 1.3 for Broker<->ZooKeeper
      #KAFKA_ZOOKEEPER_SSL_PROTOCOL: TLSv1.3

      KAFKA_ZOOKEEPER_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}
      KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET: org.apache.zookeeper.ClientCnxnSocketNetty
      KAFKA_ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka1.keystore.jks
      KAFKA_ZOOKEEPER_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_ZOOKEEPER_SSL_KEYSTORE_TYPE: PKCS12
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka1.truststore.jks
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_TYPE: JKS
      KAFKA_ZOOKEEPER_SET_ACL: 'true'
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SASL_PLAINTEXT,TOKEN:SASL_SSL,SSL:SSL,CLEAR:PLAINTEXT
      KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
      KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka1:9091,TOKEN://kafka1:10091,SSL://kafka1:11091,CLEAR://kafka1:12091
      
      KAFKA_SUPER_USERS: User:admin;User:mds;User:superUser;User:ANONYMOUS
      KAFKA_LOG4J_LOGGERS: "kafka.authorizer.logger=INFO"
      KAFKA_LOG4J_ROOT_LOGLEVEL: INFO

      KAFKA_BROKER_ID: 1
      KAFKA_BROKER_RACK: "r1"
      KAFKA_JMX_PORT: 9991

      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
      KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, OAUTHBEARER

      KAFKA_LISTENER_NAME_INTERNAL_SASL_ENABLED_MECHANISMS: PLAIN
      KAFKA_LISTENER_NAME_INTERNAL_PLAIN_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.plain.PlainLoginModule required \
              username="admin" \
              password="admin-secret" \
              user_admin="admin-secret" \
              user_mds="mds-secret";

      # Configure TOKEN listener for Confluent Platform components and impersonation
      KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
      KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
      KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS: OAUTHBEARER
      KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              publicKeyPath="/tmp/conf/public.pem";

      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_SECURITY_EVENT_LOGGER_EXPORTER_KAFKA_TOPIC_REPLICAS: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 2
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
      KAFKA_CONFLUENT_BALANCER_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_BALANCER_HEAL_BROKER_FAILURE_THRESHOLD_MS: 30000

      KAFKA_DELETE_TOPIC_ENABLE: 'true'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
      KAFKA_DEFAULT_REPLICATION_FACTOR: 2

      # Confluent Health+
      # We recommend using Confluent Health+ to set up fully managed monitoring and alerting for your CP deployment.
      # See https://docs.confluent.io/platform/current/health-plus
      # Uncomment the four lines below and provide your credentials as a part of your Health+ sign-up process
      # KAFKA_METRIC_REPORTERS: io.confluent.telemetry.reporter.TelemetryReporter
      # KAFKA_CONFLUENT_TELEMETRY_ENABLED: 'true'
      # KAFKA_CONFLUENT_TELEMETRY_API_KEY: <your Confluent Health+ api key>
      # KAFKA_CONFLUENT_TELEMETRY_API_SECRET: <your Confluent Health+ api key secret>
      # Now you can now remove the "Confluent Metrics Reporter" section

      # Confluent Metrics Reporter
      KAFKA_METRIC_REPORTERS: io.confluent.metrics.reporter.ConfluentMetricsReporter
      CONFLUENT_METRICS_REPORTER_TOPIC_REPLICAS: 2
      CONFLUENT_METRICS_REPORTER_BOOTSTRAP_SERVERS: kafka1:9091,kafka2:9092
      CONFLUENT_METRICS_REPORTER_SECURITY_PROTOCOL: SASL_PLAINTEXT
      CONFLUENT_METRICS_REPORTER_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.plain.PlainLoginModule required \
        username=\"admin\" \
        password=\"admin-secret\";"
      CONFLUENT_METRICS_REPORTER_SASL_MECHANISM: PLAIN
      CONFLUENT_METRICS_REPORTER_MAX_REQUEST_SIZE: 10485760
      # To avoid race condition with control-center
      # CONFLUENT_METRICS_REPORTER_TOPIC_CREATE: 'false'
      CONFLUENT_METRICS_REPORTER_TOPIC_CREATE: 'true'

      KAFKA_SSL_KEYSTORE_FILENAME: kafka.kafka1.keystore.jks
      KAFKA_SSL_KEYSTORE_CREDENTIALS: kafka1_keystore_creds
      KAFKA_SSL_KEY_CREDENTIALS: kafka1_sslkey_creds
      KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.kafka1.truststore.jks
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: kafka1_truststore_creds
      KAFKA_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}
      KAFKA_SSL_CLIENT_AUTH: "requested"

      KAFKA_LISTENER_NAME_SSL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT
      KAFKA_LISTENER_NAME_TOKEN_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT

      # Schema Validation
      KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: https://schemaregistry:8085
      KAFKA_CONFLUENT_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
      KAFKA_CONFLUENT_BASIC_AUTH_USER_INFO: 'superUser:superUser'
      KAFKA_CONFLUENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka1.truststore.jks
      KAFKA_CONFLUENT_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf

      # MDS
      KAFKA_CONFLUENT_METADATA_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_METHOD: BEARER
      KAFKA_CONFLUENT_METADATA_SERVER_LISTENERS: https://0.0.0.0:8091
      KAFKA_CONFLUENT_METADATA_SERVER_ADVERTISED_LISTENERS: https://kafka1:8091
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.mds.truststore.jks
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.mds.keystore.jks
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEY_PASSWORD: confluent
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}

      # Configure RBAC token server (authentication)
      KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_MAX_LIFETIME_MS: 3600000
      KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_SIGNATURE_ALGORITHM: RS256
      KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_KEY_PATH: /tmp/conf/keypair.pem

      # Configure Confluent Server Authorizer
      KAFKA_AUTHORIZER_CLASS_NAME: io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
      KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS: CONFLUENT,ZK_ACL

      # Configure MDS to talk to AD/LDAP
      KAFKA_LDAP_JAVA_NAMING_FACTORY_INITIAL: com.sun.jndi.ldap.LdapCtxFactory
      KAFKA_LDAP_COM_SUN_JNDI_LDAP_READ_TIMEOUT: 3000
      KAFKA_LDAP_JAVA_NAMING_PROVIDER_URL: ldap://openldap:389
      # Authenticate to LDAP
      KAFKA_LDAP_JAVA_NAMING_SECURITY_PRINCIPAL: cn=admin,dc=confluentdemo,dc=io
      KAFKA_LDAP_JAVA_NAMING_SECURITY_CREDENTIALS: admin
      KAFKA_LDAP_JAVA_NAMING_SECURITY_AUTHENTICATION: simple
      # Locate LDAP users and groups
      KAFKA_LDAP_SEARCH_MODE: GROUPS
      KAFKA_LDAP_GROUP_SEARCH_BASE: ou=groups,dc=confluentdemo,dc=io
      KAFKA_LDAP_GROUP_NAME_ATTRIBUTE: cn
      KAFKA_LDAP_GROUP_MEMBER_ATTRIBUTE: memberUid
      KAFKA_LDAP_GROUP_OBJECT_CLASS: posixGroup
      KAFKA_LDAP_GROUP_MEMBER_ATTRIBUTE_PATTERN: cn=(.*),ou=users,dc=confluentdemo,dc=io
      KAFKA_LDAP_USER_SEARCH_BASE: ou=users,dc=confluentdemo,dc=io
      KAFKA_LDAP_USER_NAME_ATTRIBUTE: uid
      KAFKA_LDAP_USER_OBJECT_CLASS: inetOrgPerson

      # EmbeddedKafkaRest: Kafka Client Configuration
      KAFKA_KAFKA_REST_BOOTSTRAP_SERVERS: SASL_SSL://kafka1:10091,SASL_SSL://kafka2:10092
      KAFKA_KAFKA_REST_CLIENT_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_KAFKA_REST_CLIENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka1.truststore.jks
      KAFKA_KAFKA_REST_CLIENT_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_KAFKA_REST_CLIENT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka1.keystore.jks
      KAFKA_KAFKA_REST_CLIENT_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_KAFKA_REST_CLIENT_SSL_KEY_PASSWORD: confluent
      # EmbeddedKafkaRest: HTTP Auth Configuration
      KAFKA_KAFKA_REST_KAFKA_REST_RESOURCE_EXTENSION_CLASS: io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
      KAFKA_KAFKA_REST_REST_SERVLET_INITIALIZOR_CLASSES: io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
      KAFKA_KAFKA_REST_PUBLIC_KEY_PATH: /tmp/conf/public.pem
      # EmbeddedKafkaRest: MDS Client configuration
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      KAFKA_KAFKA_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka1.truststore.jks
      KAFKA_KAFKA_REST_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: 'restAdmin:restAdmin'
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS: 60000
      KAFKA_KAFKA_REST_CLIENT_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS: 60000

      # Configure Cluster Link
      # Encrypt credentials stored in Cluster Link
      KAFKA_PASSWORD_ENCODER_SECRET: encoder-secret

      # Enable Consumer Lag emitter
      KAFKA_CONFLUENT_CONSUMER_LAG_EMITTER_ENABLED: 'true'

  kafka2:
    image: ${REPOSITORY}/cp-server:${CONFLUENT_DOCKER_TAG}
    hostname: kafka2
    container_name: kafka2
    healthcheck:
      test: curl -u superUser:superUser -fail --silent --insecure https://kafka2:8092/kafka/v3/clusters/ --output /dev/null || exit 1
      interval: 10s
      retries: 25
      start_period: 20s
    depends_on:
      zookeeper:
        condition: service_started
      openldap:
        condition: service_started
    volumes:
      - ./scripts/security/keypair:/tmp/conf
      - ./scripts/helper:/tmp/helper
      - ./scripts/security:/etc/kafka/secrets
    command: "bash -c 'if [ ! -f /etc/kafka/secrets/kafka.kafka2.keystore.jks ]; then echo \"ERROR: Did not find SSL certificates in /etc/kafka/secrets/ (did you remember to run ./scripts/start.sh instead of docker-compose up -d?)\" && exit 1 ; else /etc/confluent/docker/run ; fi'"
    ports:
      - 8092:8092
      - 9092:9092
      - 10092:10092
      - 11092:11092
      - 12092:12092
    environment:
      KAFKA_ZOOKEEPER_CONNECT: zookeeper:2182
      KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE: 'true'

      # Broker uses TLSv1.2 by-default for ZooKeeper TLS connections
      # See note for ZOOKEEPER_SSL_ENABLED_PROTOCOLS regarding TLS 1.3 support
      # Uncomment the following property to evaluate TLS 1.3 for Broker<->ZooKeeper
      #KAFKA_ZOOKEEPER_SSL_PROTOCOL: TLSv1.3

      KAFKA_ZOOKEEPER_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}
      KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET: org.apache.zookeeper.ClientCnxnSocketNetty
      KAFKA_ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka2.keystore.jks
      KAFKA_ZOOKEEPER_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_ZOOKEEPER_SSL_KEYSTORE_TYPE: PKCS12
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka2.truststore.jks
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_TYPE: JKS
      KAFKA_ZOOKEEPER_SET_ACL: 'true'
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SASL_PLAINTEXT,TOKEN:SASL_SSL,SSL:SSL,CLEAR:PLAINTEXT
      KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
      KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka2:9092,TOKEN://kafka2:10092,SSL://kafka2:11092,CLEAR://kafka2:12092
      
      KAFKA_SUPER_USERS: User:admin;User:mds;User:superUser;User:ANONYMOUS
      KAFKA_LOG4J_LOGGERS: "kafka.authorizer.logger=INFO"
      KAFKA_LOG4J_ROOT_LOGLEVEL: INFO

      KAFKA_BROKER_ID: 2
      KAFKA_BROKER_RACK: "r2"
      KAFKA_JMX_PORT: 9992

      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
      KAFKA_SASL_ENABLED_MECHANISMS: PLAIN, OAUTHBEARER

      KAFKA_LISTENER_NAME_INTERNAL_SASL_ENABLED_MECHANISMS: PLAIN
      KAFKA_LISTENER_NAME_INTERNAL_PLAIN_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.plain.PlainLoginModule required \
              username="admin" \
              password="admin-secret" \
              user_admin="admin-secret" \
              user_mds="mds-secret";

      # Configure TOKEN listener for Confluent Platform components and impersonation
      KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerValidatorCallbackHandler
      KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.server.plugins.auth.token.TokenBearerServerLoginCallbackHandler
      KAFKA_LISTENER_NAME_TOKEN_SASL_ENABLED_MECHANISMS: OAUTHBEARER
      KAFKA_LISTENER_NAME_TOKEN_OAUTHBEARER_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              publicKeyPath="/tmp/conf/public.pem";

      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_LICENSE_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_SECURITY_EVENT_LOGGER_EXPORTER_KAFKA_TOPIC_REPLICAS: 2
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: 2
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: 1
      KAFKA_CONFLUENT_BALANCER_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_BALANCER_HEAL_BROKER_FAILURE_THRESHOLD_MS: 30000

      KAFKA_DELETE_TOPIC_ENABLE: 'true'
      KAFKA_AUTO_CREATE_TOPICS_ENABLE: 'false'
      KAFKA_DEFAULT_REPLICATION_FACTOR: 2

      # Confluent Metrics Reporter
      KAFKA_METRIC_REPORTERS: io.confluent.metrics.reporter.ConfluentMetricsReporter
      CONFLUENT_METRICS_REPORTER_TOPIC_REPLICAS: 2
      CONFLUENT_METRICS_REPORTER_BOOTSTRAP_SERVERS: kafka1:9091,kafka2:9092
      CONFLUENT_METRICS_REPORTER_SECURITY_PROTOCOL: SASL_PLAINTEXT
      CONFLUENT_METRICS_REPORTER_SASL_JAAS_CONFIG: "org.apache.kafka.common.security.plain.PlainLoginModule required \
        username=\"admin\" \
        password=\"admin-secret\";"
      CONFLUENT_METRICS_REPORTER_SASL_MECHANISM: PLAIN
      CONFLUENT_METRICS_REPORTER_MAX_REQUEST_SIZE: 10485760
      # To avoid race condition with control-center
      # CONFLUENT_METRICS_REPORTER_TOPIC_CREATE: 'false'
      CONFLUENT_METRICS_REPORTER_TOPIC_CREATE: 'true'

      KAFKA_SSL_KEYSTORE_FILENAME: kafka.kafka2.keystore.jks
      KAFKA_SSL_KEYSTORE_CREDENTIALS: kafka2_keystore_creds
      KAFKA_SSL_KEY_CREDENTIALS: kafka2_sslkey_creds
      KAFKA_SSL_TRUSTSTORE_FILENAME: kafka.kafka2.truststore.jks
      KAFKA_SSL_TRUSTSTORE_CREDENTIALS: kafka2_truststore_creds
      KAFKA_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}
      KAFKA_SSL_CLIENT_AUTH: "requested"

      KAFKA_LISTENER_NAME_SSL_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT
      KAFKA_LISTENER_NAME_TOKEN_SSL_PRINCIPAL_MAPPING_RULES: RULE:^CN=([a-zA-Z0-9.]*).*$$/$$1/ , DEFAULT

      # Schema Validation
      KAFKA_CONFLUENT_SCHEMA_REGISTRY_URL: https://schemaregistry:8085
      KAFKA_CONFLUENT_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
      KAFKA_CONFLUENT_BASIC_AUTH_USER_INFO: 'superUser:superUser'
      KAFKA_CONFLUENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka2.truststore.jks
      KAFKA_CONFLUENT_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf

      # MDS
      KAFKA_CONFLUENT_METADATA_TOPIC_REPLICATION_FACTOR: 2
      KAFKA_CONFLUENT_METADATA_SERVER_AUTHENTICATION_METHOD: BEARER
      KAFKA_CONFLUENT_METADATA_SERVER_LISTENERS: https://0.0.0.0:8092
      KAFKA_CONFLUENT_METADATA_SERVER_ADVERTISED_LISTENERS: https://kafka2:8092
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.mds.truststore.jks
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.mds.keystore.jks
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_KEY_PASSWORD: confluent
      KAFKA_CONFLUENT_METADATA_SERVER_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}

      # Configure RBAC token server (authentication)
      KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_MAX_LIFETIME_MS: 3600000
      KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_SIGNATURE_ALGORITHM: RS256
      KAFKA_CONFLUENT_METADATA_SERVER_TOKEN_KEY_PATH: /tmp/conf/keypair.pem

      # Configure Confluent Server Authorizer
      KAFKA_AUTHORIZER_CLASS_NAME: io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
      KAFKA_CONFLUENT_AUTHORIZER_ACCESS_RULE_PROVIDERS: CONFLUENT,ZK_ACL

      # Configure MDS to talk to AD/LDAP
      KAFKA_LDAP_JAVA_NAMING_FACTORY_INITIAL: com.sun.jndi.ldap.LdapCtxFactory
      KAFKA_LDAP_COM_SUN_JNDI_LDAP_READ_TIMEOUT: 3000
      KAFKA_LDAP_JAVA_NAMING_PROVIDER_URL: ldap://openldap:389
      # Authenticate to LDAP
      KAFKA_LDAP_JAVA_NAMING_SECURITY_PRINCIPAL: cn=admin,dc=confluentdemo,dc=io
      KAFKA_LDAP_JAVA_NAMING_SECURITY_CREDENTIALS: admin
      KAFKA_LDAP_JAVA_NAMING_SECURITY_AUTHENTICATION: simple
      # Locate LDAP users and groups
      KAFKA_LDAP_SEARCH_MODE: GROUPS
      KAFKA_LDAP_GROUP_SEARCH_BASE: ou=groups,dc=confluentdemo,dc=io
      KAFKA_LDAP_GROUP_NAME_ATTRIBUTE: cn
      KAFKA_LDAP_GROUP_MEMBER_ATTRIBUTE: memberUid
      KAFKA_LDAP_GROUP_OBJECT_CLASS: posixGroup
      KAFKA_LDAP_GROUP_MEMBER_ATTRIBUTE_PATTERN: cn=(.*),ou=users,dc=confluentdemo,dc=io
      KAFKA_LDAP_USER_SEARCH_BASE: ou=users,dc=confluentdemo,dc=io
      KAFKA_LDAP_USER_NAME_ATTRIBUTE: uid
      KAFKA_LDAP_USER_OBJECT_CLASS: inetOrgPerson

      # EmbeddedKafkaRest: Kafka Client Configuration
      KAFKA_KAFKA_REST_BOOTSTRAP_SERVERS: SASL_SSL://kafka1:10091,SASL_SSL://kafka2:10092
      KAFKA_KAFKA_REST_CLIENT_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_KAFKA_REST_CLIENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka2.truststore.jks
      KAFKA_KAFKA_REST_CLIENT_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_KAFKA_REST_CLIENT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka2.keystore.jks
      KAFKA_KAFKA_REST_CLIENT_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_KAFKA_REST_CLIENT_SSL_KEY_PASSWORD: confluent
      # EmbeddedKafkaRest: HTTP Auth Configuration
      KAFKA_KAFKA_REST_KAFKA_REST_RESOURCE_EXTENSION_CLASS: io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
      KAFKA_KAFKA_REST_REST_SERVLET_INITIALIZOR_CLASSES: io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
      KAFKA_KAFKA_REST_PUBLIC_KEY_PATH: /tmp/conf/public.pem
      # EmbeddedKafkaRest: MDS Client configuration
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      KAFKA_KAFKA_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.kafka2.truststore.jks
      KAFKA_KAFKA_REST_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: 'restAdmin:restAdmin'
      KAFKA_KAFKA_REST_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS: 60000
      KAFKA_KAFKA_REST_CLIENT_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS: 60000

      # Configure Cluster Linking
      # Encrypt credentials stored in Cluster Link
      KAFKA_PASSWORD_ENCODER_SECRET: encoder-secret

      # Enable Consumer Lag emitter
      KAFKA_CONFLUENT_CONSUMER_LAG_EMITTER_ENABLED: 'true'

        
  connect:
    image: localbuild/connect:${CONFLUENT_DOCKER_TAG}-${CONNECTOR_VERSION}
    container_name: connect
    restart: always
    build:
      context: .
      dockerfile: Dockerfile
    healthcheck:
      interval: 10s
      retries: 20
      test: curl --user connectAdmin:connectAdmin --fail --silent --insecure https://connect:8083/ --output /dev/null || exit 1
    depends_on:
      schemaregistry:
        condition: service_healthy
    volumes:
      - ./scripts/security:/etc/kafka/secrets
      - ./scripts/security/keypair:/tmp/conf
    ports:
      - 8083:8083
    environment:
      CUB_CLASSPATH: '/usr/share/java/confluent-security/connect/*:/usr/share/java/kafka/*:/usr/share/java/cp-base-new/*'

      CONNECT_BOOTSTRAP_SERVERS: kafka1:10091,kafka2:10092
      CONNECT_LISTENERS: https://0.0.0.0:8083
      CONNECT_GROUP_ID: "connect-cluster"
      CONNECT_PRODUCER_CLIENT_ID: "connect-worker-producer"
      CONNECT_PRODUCER_ENABLE_IDEMPOTENCE: 'true'

      CONNECT_CONFIG_STORAGE_TOPIC: connect-configs
      CONNECT_OFFSET_STORAGE_TOPIC: connect-offsets
      CONNECT_STATUS_STORAGE_TOPIC: connect-statuses

      CONNECT_REPLICATION_FACTOR: 2
      CONNECT_CONFIG_STORAGE_REPLICATION_FACTOR: 2
      CONNECT_OFFSET_STORAGE_REPLICATION_FACTOR: 2
      CONNECT_STATUS_STORAGE_REPLICATION_FACTOR: 2

      CONNECT_KEY_CONVERTER: "org.apache.kafka.connect.storage.StringConverter"
      CONNECT_VALUE_CONVERTER: "org.apache.kafka.connect.json.JsonConverter"

      CONNECT_REST_ADVERTISED_HOST_NAME: connect
      CONNECT_PLUGIN_PATH: "/usr/share/java,/usr/share/confluent-hub-components"
      CONNECT_LOG4J_ROOT_LOGLEVEL: INFO
      CONNECT_LOG4J_LOGGERS: org.reflections=ERROR
      CLASSPATH: "/usr/share/java/monitoring-interceptors/*"

      # Connect Worker
      CONNECT_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_SSL_KEY_PASSWORD: confluent

      # Connect Producer
      CONNECT_PRODUCER_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_PRODUCER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_PRODUCER_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_PRODUCER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_PRODUCER_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_PRODUCER_SSL_KEY_PASSWORD: confluent
      CONNECT_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent

      # Connect Consumer
      CONNECT_CONSUMER_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_CONSUMER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_CONSUMER_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_CONSUMER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_CONSUMER_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_CONSUMER_SSL_KEY_PASSWORD: confluent
      CONNECT_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent

      # RBAC
      CONNECT_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="connectAdmin" \
              password="connectAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";

      # Allow overriding configs on the connector level
      CONNECT_CONNECTOR_CLIENT_CONFIG_OVERRIDE_POLICY: 'All'

      # Producer
      CONNECT_PRODUCER_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_PRODUCER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_PRODUCER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="connectAdmin" \
              password="connectAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";

      # Consumer
      CONNECT_CONSUMER_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_CONSUMER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_CONSUMER_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="connectAdmin" \
              password="connectAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";

      # Default admin config
      CONNECT_ADMIN_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_ADMIN_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_ADMIN_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_ADMIN_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_ADMIN_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_ADMIN_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_ADMIN_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_ADMIN_SSL_KEY_PASSWORD: confluent

      # io.confluent.connect.security.ConnectSecurityExtension - RBAC
      # io.confluent.connect.secretregistry.ConnectSecretRegistryExtension - Secret Registry
      CONNECT_REST_EXTENSION_CLASSES: io.confluent.connect.security.ConnectSecurityExtension,io.confluent.connect.secretregistry.ConnectSecretRegistryExtension
      CONNECT_REST_SERVLET_INITIALIZOR_CLASSES: 'io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler'
      CONNECT_PUBLIC_KEY_PATH: /tmp/conf/public.pem

      # Used by Connect's REST layer to connect to MDS to verify tokens and authenticate clients
      CONNECT_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      CONNECT_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: 'connectAdmin:connectAdmin'
      CONNECT_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: 'BASIC'

      # Secret Registry
      CONNECT_CONFIG_PROVIDERS: 'secret'
      CONNECT_CONFIG_PROVIDERS_SECRET_CLASS: 'io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider'
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_MASTER_ENCRYPTION_KEY: 'password1234'
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_BOOTSTRAP_SERVERS: kafka1:10091,kafka2:10092
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_TOPIC_REPLICATION_FACTOR: 2
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SECURITY_PROTOCOL: SASL_SSL
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.truststore.jks
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: confluent
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.connect.keystore.jks
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEYSTORE_PASSWORD: confluent
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SSL_KEY_PASSWORD: confluent
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_MECHANISM: 'OAUTHBEARER'
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS: 'io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler'
      CONNECT_CONFIG_PROVIDERS_SECRET_PARAM_KAFKASTORE_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="connectAdmin" \
              password="connectAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";

      CONNECT_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}

      # Reduce Connect memory utilization
      KAFKA_JVM_PERFORMANCE_OPTS: -server -XX:+UseG1GC -XX:GCTimeRatio=1
                  -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20
                  -XX:MaxGCPauseMillis=10000 -XX:InitiatingHeapOccupancyPercent=35 -XX:+ExplicitGCInvokesConcurrent
                  -XX:MaxInlineLevel=15 -Djava.awt.headless=true


  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.0
    container_name: elasticsearch
    #restart: always
    healthcheck:
      start_period: 10s
      interval: 10s
      retries: 20
      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
    ports:
      - 9200:9200
      - 9300:9300
    environment:
      discovery.type: "single-node"
      ES_JAVA_OPTS: "-Xms1g -Xmx1g"
      cluster.name: "elasticsearch-cp-demo"

  kibana:
    image: docker.elastic.co/kibana/kibana-oss:7.10.0
    container_name: kibana
    restart: always
    healthcheck:
      interval: 10s
      retries: 20
      test: curl --write-out 'HTTP %{http_code}' --fail --silent --output /dev/null http://kibana:5601/api/status || exit 1
    depends_on:
      elasticsearch:
        condition: service_healthy
    ports:
      - 5601:5601
    environment:
      NEWSFEED_ENABLED: 'false'
      TELEMETRY_OPTIN: 'false'
      TELEMETRY_ENABLED: 'false'
      SERVER_MAXPAYLOADBYTES: 4194304
      KIBANA_AUTOCOMPLETETIMEOUT: 3000
      KIBANA_AUTOCOMPLETETERMINATEAFTER: 2500000

  control-center:
    image: ${REPOSITORY}/cp-enterprise-control-center:${CONFLUENT_DOCKER_TAG}
    hostname: control-center
    container_name: control-center
    healthcheck:
      start_period: 10s
      interval: 10s
      retries: 20
      test: curl --fail --silent http://control-center:9021 --output /dev/null || exit 1
    depends_on:
      schemaregistry:
        condition: service_healthy
    volumes:
      - ./scripts/security/keypair:/tmp/conf
      - ./scripts/security:/etc/kafka/secrets
    ports:
      - 9021:9021
      - 9022:9022
    environment:
      CUB_CLASSPATH: '/usr/share/java/confluent-control-center/*:/usr/share/java/rest-utils/*:/usr/share/java/confluent-common/*:/usr/share/java/confluent-security/kafka-rest/*:/usr/share/java/kafka-rest/:/usr/share/java/cp-base-new/*'

      # If using Confluent Health+ for monitoring and alerting, uncomment the line below to run in management mode.
      # CONTROL_CENTER_MODE_ENABLE: "management"
      # You can now remove all Control Center "STREAMS", "MONITORING", and "METRICS" configurations
      
      # general settings
      CONTROL_CENTER_BOOTSTRAP_SERVERS: SASL_SSL://kafka1:10091,SASL_SSL://kafka2:10092
      CONTROL_CENTER_REPLICATION_FACTOR: 2
      CONTROL_CENTER_INTERNAL_TOPICS_PARTITIONS: 1

      # Control Center uses Kafka Streams to process metrics
      CONTROL_CENTER_STREAMS_SECURITY_PROTOCOL: SASL_SSL
      CONTROL_CENTER_STREAMS_SASL_MECHANISM: OAUTHBEARER
      CONTROL_CENTER_STREAMS_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
      CONTROL_CENTER_STREAMS_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="controlcenterAdmin" \
              password="controlcenterAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";
      CONTROL_CENTER_STREAMS_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}

      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_REPLICATION: 2
      CONTROL_CENTER_MONITORING_INTERCEPTOR_TOPIC_PARTITIONS: 1
      CONTROL_CENTER_METRICS_TOPIC_REPLICATION: 2
      CONTROL_CENTER_METRICS_TOPIC_PARTITIONS: 1

      # Amount of heap to use for internal caches. Increase for better throughput
      CONTROL_CENTER_STREAMS_CACHE_MAX_BYTES_BUFFERING: 100000000
      CONTROL_CENTER_STREAMS_CONSUMER_REQUEST_TIMEOUT_MS: "960032"
      CONTROL_CENTER_STREAMS_NUM_STREAM_THREADS: 1

      CONTROL_CENTER_STREAMS_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.truststore.jks
      CONTROL_CENTER_STREAMS_SSL_TRUSTSTORE_PASSWORD: confluent
      CONTROL_CENTER_STREAMS_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.keystore.jks
      CONTROL_CENTER_STREAMS_SSL_KEYSTORE_PASSWORD: confluent
      CONTROL_CENTER_STREAMS_SSL_KEY_PASSWORD: confluent

      # HTTP and HTTPS to Control Center UI 
      CONTROL_CENTER_REST_LISTENERS: http://0.0.0.0:9021,https://0.0.0.0:9022
      CONTROL_CENTER_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.truststore.jks
      CONTROL_CENTER_REST_SSL_TRUSTSTORE_PASSWORD: confluent
      CONTROL_CENTER_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.keystore.jks
      CONTROL_CENTER_REST_SSL_KEYSTORE_PASSWORD: confluent
      CONTROL_CENTER_REST_SSL_KEY_PASSWORD: confluent
      CONTROL_CENTER_REST_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}
      PORT: 9021

      # Connect
      CONTROL_CENTER_CONNECT_CONNECT1_CLUSTER: https://connect:8083

      # ksqlDB
      # Communication between Control Center and ksqlDB Docker containers
      CONTROL_CENTER_KSQL_WIKIPEDIA_URL: ${CONTROL_CENTER_KSQL_WIKIPEDIA_URL}
      # Communication from web browser running on localhost to ksqlDB
      CONTROL_CENTER_KSQL_WIKIPEDIA_ADVERTISED_URL: ${CONTROL_CENTER_KSQL_WIKIPEDIA_ADVERTISED_URL}

      # Schema Registry
      CONTROL_CENTER_SCHEMA_REGISTRY_SR1_URL: https://schemaregistry:8085
      CONTROL_CENTER_SCHEMA_REGISTRY_SR1_SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.client.truststore.jks
      CONTROL_CENTER_SCHEMA_REGISTRY_SR1_SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: confluent
      CONTROL_CENTER_SCHEMA_REGISTRY_SR1_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.truststore.jks
      CONTROL_CENTER_SCHEMA_REGISTRY_SR1_SSL_TRUSTSTORE_PASSWORD: confluent

      # RBAC
      CONTROL_CENTER_REST_AUTHENTICATION_METHOD: BEARER
      PUBLIC_KEY_PATH: /tmp/conf/public.pem
      
      # Used by Control Center to connect to MDS to verify tokens and authenticate clients
      CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: controlcenterAdmin:controlcenterAdmin

      # Used by Control Center to connect to the Admin API for Self Balancing Clusters
      CONTROL_CENTER_STREAMS_CPREST_URL: "https://kafka1:8091,https://kafka2:8092"

  schemaregistry:
    image: ${REPOSITORY}/cp-schema-registry:${CONFLUENT_DOCKER_TAG}
    container_name: schemaregistry
    restart: always
    healthcheck:
      start_period: 10s
      interval: 10s
      retries: 20
      test: curl --user superUser:superUser --fail --silent --insecure https://schemaregistry:8085/subjects --output /dev/null || exit 1
    depends_on:
      kafka1:
        condition: service_healthy
      kafka2:
        condition: service_healthy
    volumes:
      - ./scripts/security:/etc/kafka/secrets
      - ./scripts/security/keypair:/tmp/conf
    ports:
      - 8085:8085
    environment:
      CUB_CLASSPATH: '/usr/share/java/confluent-security/schema-registry/*:/usr/share/java/schema-registry/*:/usr/share/java/schema-registry-plugins/*:/usr/share/java/cp-base-new/*'

      SCHEMA_REGISTRY_HOST_NAME: schemaregistry

      SCHEMA_REGISTRY_KAFKASTORE_BOOTSTRAP_SERVERS: kafka1:10091,kafka2:10092
      SCHEMA_REGISTRY_LISTENERS: https://0.0.0.0:8085
      SCHEMA_REGISTRY_KAFKASTORE_SECURITY_PROTOCOL: SASL_SSL

      SCHEMA_REGISTRY_KAFKASTORE_SASL_MECHANISM: OAUTHBEARER
      SCHEMA_REGISTRY_KAFKASTORE_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
      SCHEMA_REGISTRY_KAFKASTORE_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="schemaregistryUser" \
              password="schemaregistryUser" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";
      SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.schemaregistry.truststore.jks
      SCHEMA_REGISTRY_KAFKASTORE_SSL_TRUSTSTORE_PASSWORD: confluent
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.schemaregistry.keystore.jks
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEYSTORE_PASSWORD: confluent
      SCHEMA_REGISTRY_KAFKASTORE_SSL_KEY_PASSWORD: confluent

      SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.schemaregistry.truststore.jks
      SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: confluent
      SCHEMA_REGISTRY_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.schemaregistry.keystore.jks
      SCHEMA_REGISTRY_SSL_KEYSTORE_PASSWORD: confluent
      SCHEMA_REGISTRY_SSL_KEY_PASSWORD: confluent
      SCHEMA_REGISTRY_SSL_CLIENT_AUTHENTICATION: 'NONE'

      SCHEMA_REGISTRY_SCHEMA_REGISTRY_INTER_INSTANCE_PROTOCOL: "https"
      SCHEMA_REGISTRY_LOG4J_ROOT_LOGLEVEL: INFO
      SCHEMA_REGISTRY_KAFKASTORE_TOPIC: _schemas
      SCHEMA_REGISTRY_KAFKASTORE_TOPIC_REPLICATION_FACTOR: 2
      SCHEMA_REGISTRY_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}

      SCHEMA_REGISTRY_DEBUG: 'true'

      # Enable security extension for RBAC and exporter extension for schema linking
      SCHEMA_REGISTRY_SCHEMA_REGISTRY_RESOURCE_EXTENSION_CLASS: io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension,io.confluent.schema.exporter.SchemaExporterResourceExtension
      # Enable bearer token authentication which allows the identity of the Schema Registry end user to be propagated to Kafka for authorization
      SCHEMA_REGISTRY_CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CLASS: io.confluent.kafka.schemaregistry.security.authorizer.rbac.RbacAuthorizer
      SCHEMA_REGISTRY_REST_SERVLET_INITIALIZOR_CLASSES: io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
      SCHEMA_REGISTRY_PUBLIC_KEY_PATH: /tmp/conf/public.pem

      # Used by Schema Registry to connect to MDS to authenticate and authorize clients
      SCHEMA_REGISTRY_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      SCHEMA_REGISTRY_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC
      SCHEMA_REGISTRY_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: schemaregistryUser:schemaregistryUser

      # Enable Schema Linking
      SCHEMA_REGISTRY_PASSWORD_ENCODER_SECRET: encoder-secret
      # Already included above, but including comment here for emphasis
      # SCHEMA_REGISTRY_RESOURCE_EXTENSION_CLASS: io.confluent.schema.exporter.SchemaExporterResourceExtension
      SCHEMA_REGISTRY_KAFKASTORE_UPDATE_HANDLERS: io.confluent.schema.exporter.storage.SchemaExporterUpdateHandler

  ksqldb-server:
    image: ${REPOSITORY}/cp-ksqldb-server:${CONFLUENT_DOCKER_TAG}
    hostname: ksqldb-server
    container_name: ksqldb-server
    restart: always
    healthcheck:
      start_period: 10s
      interval: 10s
      retries: 20
      test: curl --user ksqlDBUser:ksqlDBUser -fail --silent http://ksqldb-server:8088/info | grep RUNNING 1>/dev/null || exit 1
    depends_on:
      schemaregistry:
        condition: service_healthy
    volumes:
      - ./scripts/security/keypair:/tmp/conf
      - ./scripts/helper:/tmp/helper
      - ./scripts/security:/etc/kafka/secrets
    ports:
      - 8088:8088
      - 8089:8089
    environment:
      CUB_CLASSPATH: '/usr/share/java/confluent-security/ksql/*:/usr/share/java/ksqldb-server/*:/usr/share/java/cp-base-new/*'

      KSQL_LOG4J_ROOT_LOGLEVEL: INFO

      KSQL_KSQL_SERVICE_ID: "ksql-cluster"
      KSQL_KSQL_STREAMS_REPLICATION_FACTOR: 2
      KSQL_KSQL_INTERNAL_TOPIC_REPLICAS: 2

      # For Demo purposes: improve resource utilization and avoid timeouts
      KSQL_KSQL_STREAMS_NUM_STREAM_THREADS: 1

      KSQL_LOG4J_OPTS: "-Dlog4j.configuration=file:/tmp/helper/log4j-secure.properties"
      KSQL_KSQL_LOGGING_PROCESSING_TOPIC_REPLICATION_FACTOR: 2
      KSQL_KSQL_LOGGING_PROCESSING_TOPIC_AUTO_CREATE: 'true'
      KSQL_KSQL_LOGGING_PROCESSING_STREAM_AUTO_CREATE: 'true'

      KSQL_PRODUCER_ENABLE_IDEMPOTENCE: 'true'

      KSQL_BOOTSTRAP_SERVERS: kafka1:10091,kafka2:10092
      KSQL_HOST_NAME: ksqldb-server
      KSQL_LISTENERS: "http://0.0.0.0:8088,https://0.0.0.0:8089"
      KSQL_CACHE_MAX_BYTES_BUFFERING: 0
      
      KSQL_KSQL_SECURITY_EXTENSION_CLASS: io.confluent.ksql.security.KsqlConfluentSecurityExtension

      # Enable bearer token authentication which allows the identity of the ksqlDB end user to be propagated to Kafka for authorization
      KSQL_KSQL_AUTHENTICATION_PLUGIN_CLASS: io.confluent.ksql.security.VertxBearerOrBasicAuthenticationPlugin
      KSQL_PUBLIC_KEY_PATH: /tmp/conf/public.pem

      # Used by ksqlDB's REST layer to connect to MDS to verify tokens and authenticate clients
      KSQL_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      KSQL_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC
      KSQL_CONFLUENT_METADATA_BASIC_AUTH_CREDENTIALS_PROVIDER: USER_INFO
      KSQL_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: ksqlDBAdmin:ksqlDBAdmin

      # Authenticate to brokers
      KSQL_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.truststore.jks
      KSQL_SSL_TRUSTSTORE_PASSWORD: confluent
      KSQL_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.keystore.jks
      KSQL_SSL_KEYSTORE_PASSWORD: confluent
      KSQL_SSL_KEY_PASSWORD: confluent
      # Before v6.1.0: disabling TLSv1.x is required 
      KSQL_SSL_ENABLED_PROTOCOLS: "TLSv1.3,TLSv1.2"
      KSQL_SSL_CIPHER_SUITES: "TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

      # Schema Registry using HTTPS
      KSQL_KSQL_SCHEMA_REGISTRY_URL: https://schemaregistry:8085
      KSQL_KSQL_SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: "/etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.truststore.jks"
      KSQL_KSQL_SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: "confluent"

      # Enable OAuth for ksqlDB's embedded Kafka clients that access and manage consumer groups and topics
      KSQL_SECURITY_PROTOCOL: SASL_SSL
      KSQL_SASL_MECHANISM: OAUTHBEARER
      KSQL_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
      KSQL_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="ksqlDBAdmin" \
              password="ksqlDBAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";

      KSQL_KSQL_SCHEMA_REGISTRY_BASIC_AUTH_CREDENTIALS_SOURCE: USER_INFO
      KSQL_KSQL_SCHEMA_REGISTRY_BASIC_AUTH_USER_INFO: ksqlDBAdmin:ksqlDBAdmin

      # Confluent Monitoring Interceptors for Control Center streams monitoring
      KSQL_PRODUCER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringProducerInterceptor"
      KSQL_CONSUMER_INTERCEPTOR_CLASSES: "io.confluent.monitoring.clients.interceptor.MonitoringConsumerInterceptor"    
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.truststore.jks
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SSL_TRUSTSTORE_PASSWORD: confluent
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.controlCenterAndKsqlDBServer.keystore.jks
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEYSTORE_PASSWORD: confluent
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SSL_KEY_PASSWORD: confluent
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SECURITY_PROTOCOL: SASL_SSL
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SASL_MECHANISM: OAUTHBEARER
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
      KSQL_CONFLUENT_MONITORING_INTERCEPTOR_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="ksqlDBAdmin" \
              password="ksqlDBAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";

  ksqldb-cli:
    image: ${REPOSITORY}/cp-ksqldb-cli:${CONFLUENT_DOCKER_TAG}
    container_name: ksqldb-cli
    depends_on:
      ksqldb-server:
        condition: service_healthy
    volumes:
      - ./scripts/ksqlDB/statements.sql:/tmp/statements.sql
    entrypoint: /bin/sh
    tty: true

  restproxy:
    image: ${REPOSITORY}/cp-kafka-rest:${CONFLUENT_DOCKER_TAG}
    restart: always
    depends_on:
      schemaregistry:
        condition: service_healthy
    hostname: restproxy
    container_name: restproxy
    volumes:
      - ./scripts/security:/etc/kafka/secrets
      - ./scripts/app:/etc/kafka/app
      - ./scripts/security/keypair:/tmp/conf
    ports:
      - 8086:8086
    environment:
      KAFKA_REST_HOST_NAME: restproxy
      KAFKA_REST_BOOTSTRAP_SERVERS: SASL_SSL://kafka1:10091,SASL_SSL://kafka2:10092
      KAFKA_REST_LISTENERS: https://0.0.0.0:8086

      KAFKA_REST_SCHEMA_REGISTRY_URL: https://schemaregistry:8085
      KAFKA_REST_SCHEMA_REGISTRY_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.client.truststore.jks
      KAFKA_REST_SCHEMA_REGISTRY_SSL_TRUSTSTORE_PASSWORD: confluent

      KAFKA_REST_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.restproxy.truststore.jks
      KAFKA_REST_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_REST_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.restproxy.keystore.jks
      KAFKA_REST_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_REST_SSL_KEY_PASSWORD: confluent
      KAFKA_REST_SSL_CLIENT_AUTHENTICATION: 'NONE'

      KAFKA_REST_CLIENT_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/kafka.restproxy.truststore.jks
      KAFKA_REST_CLIENT_SSL_TRUSTSTORE_PASSWORD: confluent
      KAFKA_REST_CLIENT_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/kafka.restproxy.keystore.jks
      KAFKA_REST_CLIENT_SSL_KEYSTORE_PASSWORD: confluent
      KAFKA_REST_CLIENT_SSL_KEY_PASSWORD: confluent

      # Credentials and classpath for cub kafka-ready
      CUB_CLASSPATH: '/usr/share/java/confluent-security/kafka-rest/*:/usr/share/java/kafka-rest/*:/usr/share/java/cp-base-new/*'
      
      # Enable OAuth for REST Proxy's embedded Kafka client that accesses and manages consumer groups and topics
      KAFKA_REST_CLIENT_SECURITY_PROTOCOL: SASL_SSL
      KAFKA_REST_CLIENT_SASL_MECHANISM: OAUTHBEARER
      KAFKA_REST_CLIENT_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.confluent.kafka.clients.plugins.auth.token.TokenUserLoginCallbackHandler
      KAFKA_REST_CLIENT_SASL_JAAS_CONFIG: |
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
              username="restAdmin" \
              password="restAdmin" \
              metadataServerUrls="https://kafka1:8091,https://kafka2:8092";
      KAFKA_REST_SSL_CIPHER_SUITES: ${SSL_CIPHER_SUITES}

      # Enable bearer token authentication which allows the identity of the REST Proxy end user to be propagated to Kafka for authorization
      KAFKA_REST_KAFKA_REST_RESOURCE_EXTENSION_CLASS: io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension
      KAFKA_REST_REST_SERVLET_INITIALIZOR_CLASSES: io.confluent.common.security.jetty.initializer.InstallBearerOrBasicSecurityHandler
      KAFKA_REST_PUBLIC_KEY_PATH: /tmp/conf/public.pem

      # Used by REST Proxy to connect to MDS to verify tokens and authenticate clients
      KAFKA_REST_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS: 60000
      KAFKA_REST_CLIENT_CONFLUENT_METADATA_SERVER_URLS_MAX_AGE_MS: 60000
      KAFKA_REST_CONFLUENT_METADATA_BOOTSTRAP_SERVER_URLS: https://kafka1:8091,https://kafka2:8092
      KAFKA_REST_CONFLUENT_METADATA_HTTP_AUTH_CREDENTIALS_PROVIDER: BASIC
      KAFKA_REST_CONFLUENT_METADATA_BASIC_AUTH_USER_INFO: 'restAdmin:restAdmin'


  streams-demo:
    image: cnfldemos/cp-demo-kstreams:0.0.11
    restart: always
    depends_on:
      schemaregistry:
        condition: service_healthy
    hostname: streams-demo
    container_name: streams-demo
    volumes:
      - ./scripts/security:/etc/kafka/secrets
    env_file:
      - ./env_files/streams-demo.env
    environment:
      KAFKA_REPLICATION_FACTOR: 2