This repository offers an automated solution for deploying the Confluent Platform. It leverages Vagrant to provision a virtual machine and Ansible playbooks to automatically install and configure all Confluent Platform components, including Apache Kafka®.
Optionally, this setup includes configurations for integrating Confluent Platform security with Keycloak and LDAP for robust authentication and authorization.
This automated deployment is designed for local development, testing environments, and proof-of-concept (POC) deployments, providing a quick and reliable way to get a Confluent Platform instance running with essential security features.
This repository is intended for LOCAL DEVELOPMENT and TESTING ONLY.
All configuration files use placeholder values for passwords and secrets. You MUST configure your own credentials before use. Never use default or example credentials in production environments.
- Automated VM provisioning with Vagrant
- Automated Confluent Platform installation and configuration with Ansible
- Optional integration with Keycloak for OIDC/OAuth2 authentication
- Optional integration with LDAP for user/group synchronization
- Ideal for local development, testing, and POCs
- Vagrant 2.4.3 or higher
- Virtualization Provider: VMware Fusion/Workstation OR VirtualBox
- Ansible [core 2.18.3] or higher
- Python 3.13+
- Java OpenJDK 21+ (for running Confluent Platform)
- System Resources: 8GB RAM, 4 CPU cores, 100GB disk space (for the VM)
macOS 15
Vagrant 2.4.3
VMware Fusion 13.6.2 (or VirtualBox 7.0+)
Java openjdk version "21.0.5" 2024-10-15 LTS
ansible [core 2.18.3]
Python 3.13.2
Before starting, you need to configure your credentials. This repository includes example files with placeholder values that you must customize.
Create your vault password file:
cp password.txt.example password.txt
# Edit password.txt and replace 'your-vault-password-here' with a strong password
Create your variables file:
cp vars.yaml.example vars.yaml
# Edit vars.yaml and set your LDAP password
Navigate to the keycloakLdap directory and create your environment file:
cd keycloakLdap
cp .env.example .env
# Edit .env and replace all placeholder values with your own credentials
Important: Make sure to set strong, unique credentials for:
- MARIADB_USER and MARIADB_PASSWORD
- MARIADB_ROOT_PASSWORD
- KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD
Edit keycloakLdap/ldif/02.ldif and replace the placeholder passwords ({SSHA}changeme) with properly hashed LDAP passwords for the users (alice, charlie, superUser).
If you plan to use the Keycloak realm configuration, edit keycloakLdap/keycloak/realm/realm-export.json and replace the following placeholders with your own secrets:
- **REPLACE_WITH_YOUR_CLIENT_SECRET**
- **REPLACE_WITH_YOUR_CONTROL_CENTER_CLIENT_SECRET**
- **REPLACE_WITH_YOUR_HS512_SECRET**
- **REPLACE_WITH_YOUR_HMAC_SECRET**
brew tap hashicorp/tap
brew install hashicorp/tap/hashicorp-vagrant
https://developer.hashicorp.com/vagrant/install/vmware
This will install the Vagrant VMware Utility on your system. After installing the Vagrant VMware Utility, the service will not be started until VMware Fusion has been installed. Once the service is started, Vagrant will be able to interact with the service via the Vagrant VMware Desktop plugin. To install the Vagrant VMware Desktop plugin into Vagrant run:
vagrant plugin install vagrant-vmware-desktop
This repository supports both VMware and VirtualBox as virtualization providers.
VMware Fusion (macOS) or VMware Workstation (Linux) provides better performance but requires a license.
Start Vagrant with VMware:
VAGRANT_VAGRANTFILE=./vagrant/Vagrantfile vagrant up --provider=vmware_desktop --no-tty
VirtualBox is free and works on macOS, Linux, and Windows.
Install VirtualBox:
# macOS
brew install --cask virtualbox
# Linux (Ubuntu/Debian)
sudo apt-get install virtualbox
# Or download from: https://www.virtualbox.org/wiki/Downloads
Start Vagrant with VirtualBox:
VAGRANT_VAGRANTFILE=./vagrant/Vagrantfile vagrant up --provider=virtualbox --no-tty
Note: If you don't specify --provider, Vagrant will automatically use the first available provider on your system.
VAGRANT_VAGRANTFILE=./vagrant/Vagrantfile vagrant ssh default
brew install ansible
Prerequisites for Installing Confluent Platform with Ansible Playbooks
ansible-galaxy collection install confluent.platform --upgrade
## or if you want to install a specific version
ansible-galaxy collection install confluent.platform==7.8.0 --upgrade
After configuring your vars.yaml file with your credentials, encrypt it using Ansible Vault:
ansible-vault encrypt vars.yaml --output=vars.encrypted.yaml --vault-password-file=password.txt
This command:
- Encrypts the vars.yaml file using Ansible Vault
- Outputs the encrypted content to vars.encrypted.yaml
- Uses the password from password.txt to avoid interactive prompts
- Leaves the original vars.yaml file unchanged (which is ignored by git)
Note: Only vars.encrypted.yaml should be committed to the repository. The vars.yaml file containing plain-text secrets is automatically ignored by .gitignore.
./certs/up.sh
You may need to add the following to your ansible.cfg file (note the spelling: the key is hash_behaviour):
[defaults]
hash_behaviour = merge
and run the playbook:
ansible-playbook -i inventories/hosts.simple.yaml confluent.platform.all -e @vars.encrypted.yaml --vault-password-file=password.txt -e "ansible_ssh_private_key_file=.vagrant/machines/default/vmware_desktop/private_key"
or set ANSIBLE_HASH_BEHAVIOUR=merge in the environment for that run:
ANSIBLE_HASH_BEHAVIOUR=merge ansible-playbook -i inventories/hosts.simple.yaml confluent.platform.all -e @vars.encrypted.yaml --vault-password-file=password.txt -e "ansible_ssh_private_key_file=.vagrant/machines/default/vmware_desktop/private_key"
Note: the private key path above is the one Vagrant generates for the vmware_desktop provider. If you brought the VM up with VirtualBox, point ansible_ssh_private_key_file at .vagrant/machines/default/virtualbox/private_key instead.
There are different types of inventory:
- hosts.simple.yaml
- hosts.ccloud.yaml
- hosts.yaml with zookeeper and multiple listeners
- hosts.kraft.yaml with kraft and multiple listeners
- hosts.kraft.sso.yaml with kraft and OIDC/mTLS
- hosts.mTLS.C3sso.yaml with mTLS and Control Center using SSO
VAGRANT_VAGRANTFILE=./vagrant/Vagrantfile vagrant destroy
or, to destroy the virtual machine managed by Vagrant without being prompted for confirmation:
VAGRANT_VAGRANTFILE=./vagrant/Vagrantfile vagrant destroy --force
The following files contain sensitive information and are automatically ignored by .gitignore:
- password.txt - Your Ansible Vault password
- vars.yaml - Unencrypted variables with credentials
- keycloakLdap/.env - Database and Keycloak credentials
- Any *.key, *.pem, *.crt files - Private keys and certificates
The following files are safe to commit:
- *.example files - These contain only placeholder values
- vars.encrypted.yaml - Encrypted variables (safe as long as password.txt is not exposed)
- Configuration files with placeholders
- LDIF files with {SSHA}changeme placeholders
- Never use default passwords - Always generate strong, unique passwords for each service
- Keep password.txt secure - This file decrypts your vault. Never share it or commit it to version control
- Local development only - This setup is NOT hardened for production use
- Rotate credentials regularly - Especially if you suspect any credential has been compromised
- Review before committing - Always check what you're about to commit with git status and git diff
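A small guard that enforces the rules above, and the Ansible Vault step earlier, before anything reaches the repository: it refuses the plaintext secret files, confirms that vars.encrypted.yaml really begins with the `$ANSIBLE_VAULT;` header that ansible-vault writes (a file that was never encrypted will not), and flags any placeholder from the setup steps (your-vault-password-here, {SSHA}changeme, REPLACE_WITH_YOUR_...) still present in a non-.example file. This is an added example, not a script shipped with this repository; the file list and contents it checks, the function names and the commit_guard.py filename are the example's own. Feeding it `git diff --cached --name-only` from a pre-commit hook makes it a mechanical version of the "review before committing" rule.

```python
import re
import sys
from pathlib import Path

# Plaintext secret files the setup steps produce; these must never be committed.
NEVER_COMMIT = {"password.txt", "vars.yaml", "keycloakLdap/.env"}
SECRET_SUFFIXES = (".key", ".pem", ".crt")

# ansible-vault writes this at the top of every file it encrypts.
VAULT_HEADER = "$ANSIBLE_VAULT;"
VAULTED_FILES = {"vars.encrypted.yaml"}

# Placeholders copied from the *.example files; one left behind is a default credential.
PLACEHOLDERS = re.compile(
    r"your-vault-password-here|\{SSHA\}changeme|REPLACE_WITH_YOUR_[A-Z0-9_]+"
)


def audit_files(files: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, reason) for every file that must not be committed as-is.

    `files` maps repository-relative path -> content. At most one finding per file,
    checked in order of severity: secret file, unencrypted vault file, placeholder.
    """
    findings = []
    for path, content in files.items():
        if path in NEVER_COMMIT or path.endswith(SECRET_SUFFIXES):
            findings.append((path, "plaintext secret file; keep it in .gitignore"))
            continue
        if path in VAULTED_FILES and not content.startswith(VAULT_HEADER):
            findings.append((path, "missing Ansible Vault header; file is not encrypted"))
            continue
        if path.endswith(".example"):
            continue  # templates are supposed to contain placeholders
        m = PLACEHOLDERS.search(content)
        if m:
            findings.append((path, f"placeholder {m.group(0)!r} still present"))
    return findings


def audit_paths(root: Path, rel_paths: list[str]) -> list[tuple[str, str]]:
    """Read the given (staged) paths from disk and audit them."""
    files = {}
    for rel in rel_paths:
        p = root / rel
        if not p.is_file():
            continue  # deleted or not a regular file: nothing to inspect
        try:
            files[rel] = p.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            files[rel] = ""  # binary content: only the path-based rules apply
    return audit_files(files)


if __name__ == "__main__":
    # Pre-commit usage:  git diff --cached --name-only | python3 commit_guard.py
    staged = [line.strip() for line in sys.stdin if line.strip()]
    problems = audit_paths(Path("."), staged)
    for path, reason in problems:
        print(f"REFUSED {path}: {reason}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

The header check matters more than it looks: `ansible-vault encrypt` with `--output` leaves vars.yaml untouched, so a copy made with `cp` instead of the vault command has the right name and the wrong contents, and only the first line tells them apart.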
If you accidentally committed sensitive data:
- Do NOT just delete the file - It remains in git history
- Use git-filter-repo or similar tools to remove it from history
- Rotate all exposed credentials immediately
- Consider the exposed data as compromised
See LICENSE file for details.