Confluent Cloud

Learn how to use the Jikkou Extensions Provider for Confluent Cloud.

Here, you will find information on how to use the Confluent Cloud extensions.

1 - Configuration

Learn how to configure the extensions for Confluent Cloud.

Here, you will find the configuration for the Confluent Cloud extension.

Configuration

You can configure the properties to connect to Confluent Cloud through the Jikkou client configuration property jikkou.provider.confluent-cloud.

Example:

jikkou {
  provider.confluent-cloud {
    enabled = true
    type = io.streamthoughts.jikkou.extension.confluent.ConfluentCloudExtensionProvider
    config = {
      # URL to the Confluent Cloud REST API (default: https://api.confluent.cloud)
      apiUrl = "https://api.confluent.cloud"
      # Confluent Cloud API Key (must be a Cloud API Key, not a Cluster API Key)
      apiKey = ${CONFLUENT_CLOUD_API_KEY}
      # Confluent Cloud API Secret
      apiSecret = ${CONFLUENT_CLOUD_API_SECRET}
      # CRN pattern used to scope role binding list operations
      crnPattern = ${CONFLUENT_CLOUD_CRN_PATTERN}
      # Enable debug logging (default: false)
      debugLoggingEnabled = false
    }
  }
}

Configuration Properties

| Property | Type | Required | Default | Description |
|---|---|---|---|---|
| apiUrl | String | No | https://api.confluent.cloud | URL to the Confluent Cloud REST API. |
| apiKey | String | Yes | | Cloud API Key. Must be a Cloud API Key, not a Cluster API Key. |
| apiSecret | String | Yes | | Cloud API Secret. |
| crnPattern | String | Yes | | CRN pattern to scope role binding list operations. |
| debugLoggingEnabled | Boolean | No | false | Enable debug logging for REST API calls. |

Creating a Cloud API Key

Cloud API Keys can be created using the Confluent Cloud CLI:

confluent api-key create --resource cloud --description "Jikkou role binding management"

Important: You must use a Cloud API Key (organization-level), not a Cluster API Key. Cluster API Keys will result in a 401 Unauthorized error.

CRN Pattern

The crnPattern property is required and scopes all list operations to a specific part of your organization hierarchy. Examples:

| Scope | CRN Pattern |
|---|---|
| Organization | crn://confluent.cloud/organization=org-abc123 |
| Environment | crn://confluent.cloud/organization=org-abc123/environment=env-def456 |
| Kafka Cluster | crn://confluent.cloud/organization=org-abc123/environment=env-def456/cloud-cluster=lkc-789 |

2 - Resources

Learn about the resources supported by the Confluent Cloud extension.

Here, you will find the list of resources supported by the extension for Confluent Cloud.

2.1 - Role Bindings for Confluent Cloud

Learn how to manage RBAC Role Bindings in Confluent Cloud.

The RoleBinding resources are used to manage RBAC role bindings in Confluent Cloud. A RoleBinding resource defines which role is granted to a principal for a specific scope (identified by a CRN pattern).

RoleBinding

Specification

Here is the resource definition file for defining a RoleBinding.

---
apiVersion: "iam.confluent.cloud/v1"    # The api version (required)
kind: "RoleBinding"                     # The resource kind (required)
metadata:
  labels: { }
  annotations: { }
spec:
  principal: <>              # The principal (e.g., User:sa-abc123 or User:u-xyz789)
  roleName: <>               # The role name (e.g., CloudClusterAdmin, DeveloperRead)
  crnPattern: <>             # The Confluent Resource Name pattern (e.g., crn://confluent.cloud/...)

Fields

| Field | Type | Required | Description |
|---|---|---|---|
| principal | String | Yes | The principal. Pattern: User:<user-id> or Group:<group-name>. |
| roleName | String | Yes | The role to bind. See Confluent Cloud RBAC roles. |
| crnPattern | String | Yes | The Confluent Resource Name (CRN) pattern defining the scope of the binding. |

Common Role Names

| Role | Description |
|---|---|
| OrganizationAdmin | Full access to the organization. |
| EnvironmentAdmin | Full access to an environment. |
| CloudClusterAdmin | Full access to a Kafka cluster. |
| DeveloperManage | Manage topics and schemas. |
| DeveloperRead | Read from topics and view schemas. |
| DeveloperWrite | Write to topics and manage schemas. |
| ResourceOwner | Full access to a specific resource. |

Example

Here is a simple example that shows how to define a single role binding using the RoleBinding resource type.

file: role-binding.yaml

---
apiVersion: "iam.confluent.cloud/v1"
kind: "RoleBinding"
metadata:
  labels: { }
  annotations: { }
spec:
  principal: "User:sa-abc123"
  roleName: "CloudClusterAdmin"
  crnPattern: "crn://confluent.cloud/organization=org-123/environment=env-456/cloud-cluster=lkc-789"

Usage

# List all role bindings
jikkou get ccloud-rbs

# Apply role bindings from a file
jikkou apply --files ./role-binding.yaml

# Delete orphan role bindings not defined in the file
jikkou apply --files ./role-binding.yaml -o delete-orphans=true

# Dry-run to preview changes without applying
jikkou diff --files ./role-binding.yaml

Metadata Labels

When listing role bindings, Jikkou automatically enriches each resource with metadata labels to help identify principals:

| Label | Description |
|---|---|
| confluent.cloud/principal-name | The display name of the user or service account. |
| confluent.cloud/principal-email | The email of the user (not set for service accounts). |

Example output:

apiVersion: "iam.confluent.cloud/v1"
kind: "RoleBinding"
metadata:
  labels:
    confluent.cloud/principal-name: "Florian Hussonnois"
    confluent.cloud/principal-email: "florian@example.com"
  annotations:
    confluent.cloud/role-binding-id: "rb-NBl9kE"
spec:
  principal: "User:u-rrnm2g9"
  roleName: "OrganizationAdmin"
  crnPattern: "crn://confluent.cloud/organization=d497af93-23f5-434a-a008-0547797be410"

RoleBindingList

If you need to define multiple role bindings (e.g., using a template), it may be easier to use a RoleBindingList resource.

Specification

Here is the resource definition file for defining a RoleBindingList.

---
apiVersion: "iam.confluent.cloud/v1"    # The api version (required)
kind: "RoleBindingList"                 # The resource kind (required)
metadata: # (optional)
  labels: { }
  annotations: { }
items: [ ]                             # An array of RoleBinding

Example

---
apiVersion: "iam.confluent.cloud/v1"
kind: "RoleBindingList"
items:
  - spec:
      principal: "User:sa-abc123"
      roleName: "CloudClusterAdmin"
      crnPattern: "crn://confluent.cloud/organization=org-123/environment=env-456/cloud-cluster=lkc-789"
  - spec:
      principal: "User:sa-abc123"
      roleName: "DeveloperRead"
      crnPattern: "crn://confluent.cloud/organization=org-123/environment=env-456/cloud-cluster=lkc-789/kafka=lkc-789/topic=my-topic"
  - spec:
      principal: "User:u-xyz789"
      roleName: "OrganizationAdmin"
      crnPattern: "crn://confluent.cloud/organization=org-123"

Note: Role bindings are immutable in the Confluent Cloud API. If you need to change a role binding, delete the old one and create a new one. Jikkou only supports CREATE and DELETE operations (no UPDATE).
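A pre-apply review of the RoleBindingList above, as an added example that is not part of Jikkou or of this documentation: it parses each crnPattern into segments, checks that the binding sits at or beneath the provider's configured crnPattern, and flags admin roles granted to service accounts. The review policy, the function names and the SCOPE value are assumptions, as is the premise that a binding outside the configured crnPattern would not show up in list results and would therefore be invisible to diff and delete-orphans.

```python
# Added example: static review of RoleBinding specs; the policy is a hypothetical house rule.
ADMIN_ROLES = {"OrganizationAdmin", "EnvironmentAdmin", "CloudClusterAdmin"}
CRN_PREFIX = "crn://confluent.cloud/"


def parse_crn(crn):
    """Split a CRN pattern into an ordered list of (key, value) segments."""
    if not crn.startswith(CRN_PREFIX):
        raise ValueError(f"not a Confluent Cloud CRN: {crn!r}")
    segments = []
    for part in crn[len(CRN_PREFIX):].strip("/").split("/"):
        key, sep, value = part.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed CRN segment {part!r} in {crn!r}")
        segments.append((key, value))
    return segments


def within_scope(binding_crn, scope_crn):
    """True when binding_crn is the scope itself or a resource beneath it.
    Whole segments are compared, so org-1234 never matches a scope of org-123."""
    scope = parse_crn(scope_crn)
    return parse_crn(binding_crn)[:len(scope)] == scope


def review(items, scope_crn):
    """Return (principal, roleName, reason) findings for a list of RoleBinding items."""
    findings = []
    for item in items:
        spec = item["spec"]
        principal, role, crn = spec["principal"], spec["roleName"], spec["crnPattern"]
        if not within_scope(crn, scope_crn):
            findings.append((principal, role, "outside configured crnPattern"))
        if role in ADMIN_ROLES and principal.startswith("User:sa-"):
            findings.append((principal, role, "admin role on service account"))
    return findings


# Constructed sample mirroring the RoleBindingList example on this page.
ORG = "crn://confluent.cloud/organization=org-123"
SCOPE = ORG + "/environment=env-456"  # assumed value of the provider's crnPattern
CLUSTER = SCOPE + "/cloud-cluster=lkc-789"
ITEMS = [{"spec": dict(zip(("principal", "roleName", "crnPattern"), row))} for row in [
    ("User:sa-abc123", "CloudClusterAdmin", CLUSTER),
    ("User:sa-abc123", "DeveloperRead", CLUSTER + "/kafka=lkc-789/topic=my-topic"),
    ("User:u-xyz789", "OrganizationAdmin", ORG),
]]

if __name__ == "__main__":
    print(review(ITEMS, SCOPE))
```

With the environment-level SCOPE, the OrganizationAdmin binding is reported as outside the configured scope and the CloudClusterAdmin binding is reported because its principal is a service account.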

3 - Annotations

Learn how to use the metadata annotations provided by the extensions for Confluent Cloud.

Here, you will find information about the annotations provided by the Confluent Cloud extension for Jikkou.

List of built-in annotations

confluent.cloud/role-binding-id

Used by Jikkou.

The annotation is automatically added by Jikkou to store the Confluent Cloud role binding ID (e.g., rb-NBl9kE). This ID is used internally when deleting role bindings.