From ee656809f857fd139c910d645dff67662e664555 Mon Sep 17 00:00:00 2001 
From: Pere Urbon-Bayes Date: Sun, 23 Feb 2020 08:08:46 +0100 Subject: [PATCH] cleanup rbac test docker cluster ammend pom file for proper IT test execution --- docker/rbac-sasl/README.md | 72 ------ docker/rbac-sasl/streams/docker-compose.yaml | 22 -- docker/rbac-sasl/streams/kafka/Dockerfile | 22 -- docker/rbac-sasl/streams/kafka/confluent.repo | 13 -- .../rbac-sasl/streams/kafka/log4j.properties | 102 -------- .../streams/kafka/server-with-ssl.properties | 218 ------------------ .../rbac-sasl/streams/kafka/server.properties | 182 --------------- docker/rbac-sasl/streams/scripts/.gitignore | 9 - .../rbac-sasl/streams/scripts/certs-create.sh | 74 ------ .../streams/scripts/kafka-ca1-signed.crt | 21 ++ .../streams/scripts/kafka.certificate.pem | 21 ++ docker/rbac-sasl/streams/scripts/kafka.csr | 18 ++ docker/rbac-sasl/streams/scripts/kafka.der | Bin 0 -> 873 bytes .../streams/scripts/kafka.kafka.keystore.jks | Bin 0 -> 3945 bytes .../scripts/kafka.kafka.truststore.jks | Bin 0 -> 901 bytes docker/rbac-sasl/streams/scripts/kafka.key | 32 +++ .../streams/scripts/kafka.keystore.p12 | Bin 0 -> 4525 bytes .../streams/scripts/kafka.ldap.keystore.jks | Bin 0 -> 3941 bytes .../streams/scripts/kafka.ldap.truststore.jks | Bin 0 -> 901 bytes .../streams/scripts/kafka_keystore_creds | 1 + .../streams/scripts/kafka_sslkey_creds | 1 + .../streams/scripts/kafka_truststore_creds | 1 + .../streams/scripts/ldap-ca1-signed.crt | 21 ++ .../streams/scripts/ldap.certificate.pem | 21 ++ docker/rbac-sasl/streams/scripts/ldap.csr | 18 ++ docker/rbac-sasl/streams/scripts/ldap.der | Bin 0 -> 871 bytes docker/rbac-sasl/streams/scripts/ldap.key | 32 +++ .../streams/scripts/ldap.keystore.p12 | Bin 0 -> 4523 bytes .../streams/scripts/ldap_keystore_creds | 1 + .../streams/scripts/ldap_sslkey_creds | 1 + .../streams/scripts/ldap_truststore_creds | 1 + .../streams/scripts/snakeoil-ca-1.crt | 20 ++ .../streams/scripts/snakeoil-ca-1.key | 30 +++ .../streams/scripts/snakeoil-ca-1.srl | 1 + 
docker/rbac-sasl/streams/up | 67 ------ pom.xml | 2 +- 36 files changed, 242 insertions(+), 782 deletions(-) delete mode 100644 docker/rbac-sasl/README.md delete mode 100644 docker/rbac-sasl/streams/docker-compose.yaml delete mode 100644 docker/rbac-sasl/streams/kafka/Dockerfile delete mode 100644 docker/rbac-sasl/streams/kafka/confluent.repo delete mode 100644 docker/rbac-sasl/streams/kafka/log4j.properties delete mode 100644 docker/rbac-sasl/streams/kafka/server-with-ssl.properties delete mode 100644 docker/rbac-sasl/streams/kafka/server.properties delete mode 100644 docker/rbac-sasl/streams/scripts/.gitignore delete mode 100755 docker/rbac-sasl/streams/scripts/certs-create.sh create mode 100644 docker/rbac-sasl/streams/scripts/kafka-ca1-signed.crt create mode 100644 docker/rbac-sasl/streams/scripts/kafka.certificate.pem create mode 100644 docker/rbac-sasl/streams/scripts/kafka.csr create mode 100644 docker/rbac-sasl/streams/scripts/kafka.der create mode 100644 docker/rbac-sasl/streams/scripts/kafka.kafka.keystore.jks create mode 100644 docker/rbac-sasl/streams/scripts/kafka.kafka.truststore.jks create mode 100644 docker/rbac-sasl/streams/scripts/kafka.key create mode 100644 docker/rbac-sasl/streams/scripts/kafka.keystore.p12 create mode 100644 docker/rbac-sasl/streams/scripts/kafka.ldap.keystore.jks create mode 100644 docker/rbac-sasl/streams/scripts/kafka.ldap.truststore.jks create mode 100644 docker/rbac-sasl/streams/scripts/kafka_keystore_creds create mode 100644 docker/rbac-sasl/streams/scripts/kafka_sslkey_creds create mode 100644 docker/rbac-sasl/streams/scripts/kafka_truststore_creds create mode 100644 docker/rbac-sasl/streams/scripts/ldap-ca1-signed.crt create mode 100644 docker/rbac-sasl/streams/scripts/ldap.certificate.pem create mode 100644 docker/rbac-sasl/streams/scripts/ldap.csr create mode 100644 docker/rbac-sasl/streams/scripts/ldap.der create mode 100644 docker/rbac-sasl/streams/scripts/ldap.key create mode 100644 
docker/rbac-sasl/streams/scripts/ldap.keystore.p12
create mode 100644 docker/rbac-sasl/streams/scripts/ldap_keystore_creds
create mode 100644 docker/rbac-sasl/streams/scripts/ldap_sslkey_creds
create mode 100644 docker/rbac-sasl/streams/scripts/ldap_truststore_creds
create mode 100644 docker/rbac-sasl/streams/scripts/snakeoil-ca-1.crt
create mode 100644 docker/rbac-sasl/streams/scripts/snakeoil-ca-1.key
create mode 100644 docker/rbac-sasl/streams/scripts/snakeoil-ca-1.srl
delete mode 100755 docker/rbac-sasl/streams/up
diff --git a/docker/rbac-sasl/README.md b/docker/rbac-sasl/README.md
deleted file mode 100644
index 9e8b5ed53..000000000
--- a/docker/rbac-sasl/README.md
+++ /dev/null
@@ -1,72 +0,0 @@ -# Confluent RBAC - -## Predefined Roles - -https://docs.confluent.io/current/security/rbac/rbac-predefined-roles.html#rbac-predefined-roles - -*Description*: - -* _super.user_: The purpose of super.user is to have a bootstrap user who can initially grant another user the SystemAdmin role. -* _SystemAdmin_: Provides full access to all scoped resources in the cluster (KSQL cluster, Kafka cluster, or Schema Registry cluster). -* _ClusterAdmin_: Sets up clusters (KSQL cluster, Kafka cluster, or Schema Registry cluster). -* _UserAdmin_: Manages role bindings for users and groups in all clusters managed by MDS. -* _SecurityAdmin_: Enables management of platform-wide security initiatives. -* _Operator_: Provides operational management of clusters and scale applications as needed. -* _ResourceOwner_: Transfers the ownership of critical resources and to scale the ability to manage authorizations for those resources. -* _DeveloperRead, DeveloperWrite, DeveloperManage_: Allows developers to drive the implementation of applications they are working on and manage the content within, especially in development, test, and staging environments. - - -*Examples*: - -| Predefined Role | Plan | -|---|---| -| super.user | Sam is granted full access to all project resources and operations. He will create the initial set of roles for the project. | -| ResourceOwner | Ryan will own all topics with the prefix finance_. He can grant others permission to access and use this resource. In this use case, he is the ResourceOwner for the finance topics. | -| UserAdmin | Uri will manage the users and groups for the project. | -| Operator | Olivia will be responsible for the operational and health management of the platform and applications. | -| ClusterAdmin | Cindy is a member of the Kafka cluster central team. | -| DeveloperRead, DeveloperWrite, DeveloperManage | David will be responsible for developing and managing the application. 
| - -## Interesting commands - -confluent iam role describe ResourceOwner - -confluent iam role list - -confluent iam rolebinding [command] - -Available Commands: - create Create a role binding. - delete Delete an existing role binding. - list List role bindings. - - -*Get Kafka cluster ID* - docker-compose exec broker zookeeper-shell zookeeper:2181 get /cluster/id - - -### using CLI tools - -docker-compose exec broker kafka-topics --bootstrap-server broker:9092 --list --command-config /etc/client-configs/professor.properties - -```bash -docker-compose exec broker kafka-topics --bootstrap-server broker:9092 --create --topic foo --partitions 1 --replication-factor 1 --command-config /etc/client-configs/fry.properties - -Error while executing topic command : org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.] -[2019-08-20 14:29:21,562] ERROR java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.] 
- at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45) - at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32) - at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89) - at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260) - at kafka.admin.TopicCommand$AdminClientTopicService.createTopic(TopicCommand.scala:190) - at kafka.admin.TopicCommand$TopicService.createTopic(TopicCommand.scala:149) - at kafka.admin.TopicCommand$TopicService.createTopic$(TopicCommand.scala:144) - at kafka.admin.TopicCommand$AdminClientTopicService.createTopic(TopicCommand.scala:172) - at kafka.admin.TopicCommand$.main(TopicCommand.scala:60) - at kafka.admin.TopicCommand.main(TopicCommand.scala) -Caused by: org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized to access topics: [Authorization failed.] - (kafka.admin.TopicCommand$) - ``` - -docker-compose exec broker kafka-console-producer --broker-list broker:9092 --topic source-topic --producer.config /etc/client-configs/professor.properties -docker-compose exec broker kafka-console-consumer --bootstrap-server broker:9092 --topic target-topic --from-beginning --property print.key=true --consumer.config /etc/client-configs/professor.properties diff --git a/docker/rbac-sasl/streams/docker-compose.yaml b/docker/rbac-sasl/streams/docker-compose.yaml deleted file mode 100644 index 957104914..000000000 --- a/docker/rbac-sasl/streams/docker-compose.yaml +++ /dev/null 
@@ -1,22 +0,0 @@
-version: '3'
-services:
-
- zookeeper:
- image: confluentinc/cp-zookeeper:5.3.0
- hostname: zookeeper
- container_name: zookeeper
- ports:
- - "2181:2181"
- environment:
- ZOOKEEPER_CLIENT_PORT: 2181
- ZOOKEEPER_TICK_TIME: 2000
-
- kafka:
- build: kafka/
- container_name: kafka
- depends_on:
- - zookeeper
- ports:
- - "9093:9093"
- - "29093:29093"
- command: ["kafka-server-start", "/etc/kafka/server.properties"]
diff --git a/docker/rbac-sasl/streams/kafka/Dockerfile b/docker/rbac-sasl/streams/kafka/Dockerfile
deleted file mode 100644
index b3115c9b3..000000000
--- a/docker/rbac-sasl/streams/kafka/Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM centos
-MAINTAINER seknop@gmail.com
-ENV container docker
-
-# 1. Adding Confluent repository
-RUN rpm --import https://packages.confluent.io/rpm/5.3/archive.key
-COPY confluent.repo /etc/yum.repos.d/confluent.repo
-RUN yum clean all
-
-# 2. Install zookeeper and kafka
-RUN yum install -y java-1.8.0-openjdk
-RUN yum install -y confluent-kafka-2.12
-RUN yum install -y confluent-security
-
-
-# 3. Configure Kafka and zookeeper for Kerberos
-COPY server.properties /etc/kafka/server.properties
-
-
-EXPOSE 9093
-
-CMD kafka-server-start /etc/kafka/server.properties
diff --git a/docker/rbac-sasl/streams/kafka/confluent.repo b/docker/rbac-sasl/streams/kafka/confluent.repo
deleted file mode 100644
index 6fccc712b..000000000
--- a/docker/rbac-sasl/streams/kafka/confluent.repo
+++ /dev/null
@@ -1,13 +0,0 @@
-[Confluent.dist]
-name=Confluent repository (dist)
-baseurl=https://packages.confluent.io/rpm/5.3/7
-gpgcheck=1
-gpgkey=https://packages.confluent.io/rpm/5.3/archive.key
-enabled=1
-
-[Confluent]
-name=Confluent repository
-baseurl=https://packages.confluent.io/rpm/5.3
-gpgcheck=1
-gpgkey=https://packages.confluent.io/rpm/5.3/archive.key
-enabled=1
diff --git a/docker/rbac-sasl/streams/kafka/log4j.properties b/docker/rbac-sasl/streams/kafka/log4j.properties
deleted file mode 100644
index d6cf8ff0f..000000000
--- a/docker/rbac-sasl/streams/kafka/log4j.properties
+++ /dev/null
@@ -1,102 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Unspecified loggers and loggers with additivity=true output to server.log and stdout
-# Note that INFO only applies to unspecified loggers, the log level of the child logger is used otherwise
-# Sven is here!
-log4j.rootLogger=INFO, stdout, kafkaAppender
-
-log4j.appender.stdout=org.apache.log4j.ConsoleAppender
-log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.kafkaAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.kafkaAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.kafkaAppender.File=${kafka.logs.dir}/server.log
-log4j.appender.kafkaAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.kafkaAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.stateChangeAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.stateChangeAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.stateChangeAppender.File=${kafka.logs.dir}/state-change.log
-log4j.appender.stateChangeAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.stateChangeAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.requestAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.requestAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.requestAppender.File=${kafka.logs.dir}/kafka-request.log
-log4j.appender.requestAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.requestAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.cleanerAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.cleanerAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.cleanerAppender.File=${kafka.logs.dir}/log-cleaner.log
-log4j.appender.cleanerAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.cleanerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.controllerAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.controllerAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.controllerAppender.File=${kafka.logs.dir}/controller.log
-log4j.appender.controllerAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.controllerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
-log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-log4j.appender.ldapAppender=org.apache.log4j.DailyRollingFileAppender
-log4j.appender.ldapAppender.DatePattern='.'yyyy-MM-dd-HH
-log4j.appender.ldapAppender.File=${kafka.logs.dir}/kafka-ldap.log
-log4j.appender.ldapAppender.layout=org.apache.log4j.PatternLayout
-log4j.appender.ldapAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
-
-# Change the two lines below to adjust ZK client logging
-log4j.logger.org.I0Itec.zkclient.ZkClient=INFO
-log4j.logger.org.apache.zookeeper=INFO
-
-# Change the two lines below to adjust the general broker logging level (output to server.log and stdout)
-log4j.logger.kafka=INFO
-log4j.logger.org.apache.kafka=INFO
-
-# Change to DEBUG or TRACE to enable request logging
-log4j.logger.kafka.request.logger=WARN, requestAppender
-log4j.additivity.kafka.request.logger=false
-
-# Uncomment the lines below and change log4j.logger.kafka.network.RequestChannel$ to TRACE for additional output
-# related to the handling of requests
-#log4j.logger.kafka.network.Processor=TRACE, requestAppender
-#log4j.logger.kafka.server.KafkaApis=TRACE, requestAppender
-#log4j.additivity.kafka.server.KafkaApis=false
-log4j.logger.kafka.network.RequestChannel$=WARN, requestAppender
-log4j.additivity.kafka.network.RequestChannel$=false
-
-log4j.logger.kafka.controller=TRACE, controllerAppender
-log4j.additivity.kafka.controller=false
-
-log4j.logger.kafka.log.LogCleaner=INFO, cleanerAppender
-log4j.additivity.kafka.log.LogCleaner=false
-
-log4j.logger.state.change.logger=TRACE, stateChangeAppender
-log4j.additivity.state.change.logger=false
-
-# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
-log4j.logger.kafka.authorizer.logger=DEBUG, authorizerAppender
-log4j.additivity.kafka.authorizer.logger=false
-
-# Experimental, add logging for LDAP
-log4j.logger.io.confluent.kafka.security.ldap.authorizer.LdapGroupManager=TRACE, ldapAppender
-
diff --git a/docker/rbac-sasl/streams/kafka/server-with-ssl.properties b/docker/rbac-sasl/streams/kafka/server-with-ssl.properties
deleted file mode 100644
index 369837415..000000000
--- a/docker/rbac-sasl/streams/kafka/server-with-ssl.properties
+++ /dev/null
@@ -1,218 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# see kafka.server.KafkaConfig for additional details and defaults - -############################# Server Basics ############################# - -# The id of the broker. This must be set to a unique integer for each broker. -broker.id=0 - -############################# Socket Server Settings ############################# - -# The address the socket server listens on. It will get the value returned from -# java.net.InetAddress.getCanonicalHostName() if not configured. -# FORMAT: -# listeners = listener_name://host_name:port -# EXAMPLE: -# listeners = PLAINTEXT://your.host.name:9092 -listeners=SASL_PLAINTEXT://kafka:9093 - -# Hostname and port the broker will advertise to producers and consumers. If not set, -# it uses the value for "listeners" if configured. Otherwise, it will use the value -# returned from java.net.InetAddress.getCanonicalHostName(). -advertised.listeners=SASL_PLAINTEXT://kafka:9093 - -# Maps listener names to security protocols, the default is for them to be the same. 
See the config documentation for more details -#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL - -security.inter.broker.protocol=SASL_PLAINTEXT - -# The number of threads that the server uses for receiving requests from the network and sending responses to the network -num.network.threads=3 - -# The number of threads that the server uses for processing requests, which may include disk I/O -num.io.threads=8 - -# The send buffer (SO_SNDBUF) used by the socket server -socket.send.buffer.bytes=102400 - -# The receive buffer (SO_RCVBUF) used by the socket server -socket.receive.buffer.bytes=102400 - -# The maximum size of a request that the socket server will accept (protection against OOM) -socket.request.max.bytes=104857600 - - -############################# Log Basics ############################# - -# A comma separated list of directories under which to store log files -log.dirs=/var/lib/kafka - -# The default number of log partitions per topic. More partitions allow greater -# parallelism for consumption, but this will also result in more files across -# the brokers. -num.partitions=1 - -# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown. -# This value is recommended to be increased for installations with data dirs located in RAID array. -num.recovery.threads.per.data.dir=1 - -############################# Internal Topic Settings ############################# -# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state" -# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3. 
-offsets.topic.replication.factor=1 -transaction.state.log.replication.factor=1 -transaction.state.log.min.isr=1 - -############################# Log Flush Policy ############################# - -# Messages are immediately written to the filesystem but by default we only fsync() to sync -# the OS cache lazily. The following configurations control the flush of data to disk. -# There are a few important trade-offs here: -# 1. Durability: Unflushed data may be lost if you are not using replication. -# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush. -# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks. -# The settings below allow one to configure the flush policy to flush data after a period of time or -# every N messages (or both). This can be done globally and overridden on a per-topic basis. - -# The number of messages to accept before forcing a flush of data to disk -#log.flush.interval.messages=10000 - -# The maximum amount of time a message can sit in a log before we force a flush -#log.flush.interval.ms=1000 - -############################# Log Retention Policy ############################# - -# The following configurations control the disposal of log segments. The policy can -# be set to delete segments after a period of time, or after a given size has accumulated. -# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens -# from the end of the log. - -# The minimum age of a log file to be eligible for deletion due to age -log.retention.hours=168 - -# A size-based retention policy for logs. Segments are pruned from the log unless the remaining -# segments drop below log.retention.bytes. Functions independently of log.retention.hours. -#log.retention.bytes=1073741824 - -# The maximum size of a log segment file. 
When this size is reached a new log segment will be created. -log.segment.bytes=1073741824 - -# The interval at which log segments are checked to see if they can be deleted according -# to the retention policies -log.retention.check.interval.ms=300000 - -############################# Zookeeper ############################# - -# Zookeeper connection string (see zookeeper docs for details). -# This is a comma separated host:port pairs, each corresponding to a zk -# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002". -# You can also append an optional chroot string to the urls to specify the -# root directory for all kafka znodes. -zookeeper.connect=zookeeper:2181 - -# Timeout in ms for connecting to zookeeper -zookeeper.connection.timeout.ms=6000 - -##################### Confluent Metrics Reporter ####################### -# Confluent Control Center and Confluent Auto Data Balancer integration -# -# Uncomment the following lines to publish monitoring data for -# Confluent Control Center and Confluent Auto Data Balancer -# If you are using a dedicated metrics cluster, also adjust the settings -# to point to your metrics kakfa cluster. -#metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter -#confluent.metrics.reporter.bootstrap.servers=localhost:9092 -# -# Uncomment the following line if the metrics cluster has a single broker -#confluent.metrics.reporter.topic.replicas=1 - -##################### Confluent Proactive Support ###################### -# If set to true, and confluent-support-metrics package is installed -# then the feature to collect and report support metrics -# ("Metrics") is enabled. If set to false, the feature is disabled. -# -confluent.support.metrics.enable=false - - -# The customer ID under which support metrics will be collected and -# reported. -# -# When the customer ID is set to "anonymous" (the default), then only a -# reduced set of metrics is being collected and reported. 
-# -# Confluent customers -# ------------------- -# If you are a Confluent customer, then you should replace the default -# value with your actual Confluent customer ID. Doing so will ensure -# that additional support metrics will be collected and reported. -# -confluent.support.customer.id=anonymous - -############################# Group Coordinator Settings ############################# - -# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance. -# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms. -# The default value for this is 3 seconds. -# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing. -# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup. -group.initial.rebalance.delay.ms=0 - - -# SASL Configuration -sasl.enabled.mechanisms=SCRAM-SHA-256 -sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256 -security.inter.broker.protocol=SASL_PLAINTEXT -allow.everyone.if.no.acl.found=false -super.users=User:kafka -authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer - -# Configure authorizer -authorizer.class.name=io.confluent.kafka.security.ldap.authorizer.LdapAuthorizer -# LDAP provider URL -ldap.authorizer.java.naming.provider.url=ldaps://ldap:636/DC=CONFLUENT,DC=IO -# Refresh interval for LDAP cache. If set to zero, persistent search is used. 
-ldap.authorizer.refresh.interval.ms=60000 - -# Lets see if we can connect with TLS to our LDAP server -ldap.authorizer.java.naming.security.principal=cn=admin,dc=confluent,dc=io -ldap.authorizer.java.naming.security.credentials=admin - -ldap.authorizer.java.naming.security.protocol=SSL -ldap.authorizer.ssl.keystore.location=/etc/kafka/jks/ldap.keystore.jks -ldap.authorizer.ssl.keystore.password=confluent - -ldap.authorizer.ssl.truststore.location=/etc/kafka/jks/ldap.truststore.jks -ldap.authorizer.ssl.truststore.password=confluent - -# Search base for group-based search -#ldap.authorizer.group.search.base=ou=groups,dc=confluent,dc=io - -# Remember that LDAP works in a context. The search base is ou=groups,dc=confluent,dc=io -# But since my URL is ldap://ldap:389/DC=CONFLUENT,DC=IO, we are already working in the dc=confluent,dc=io context -ldap.authorizer.group.search.base=ou=groups - -# Object class for groups -ldap.authorizer.group.object.class=posixGroup -ldap.authorizer.group.search.scope=2 -# Name of the attribute from which group name used in ACLs is obtained -ldap.authorizer.group.name.attribute=cn -# Regex pattern to obtain group name used in ACLs from the attribute `ldap.authorizer.group.name.attribute` -ldap.authorizer.group.name.attribute.pattern= -# Name of the attribute from which group members (user principals) are obtained -ldap.authorizer.group.member.attribute=memberUid -# Regex pattern to obtain user principal from group member attribute -ldap.authorizer.group.member.attribute.pattern=cn=(.*),ou=users,dc=confluent,dc=io diff --git a/docker/rbac-sasl/streams/kafka/server.properties b/docker/rbac-sasl/streams/kafka/server.properties deleted file mode 100644 index 2ee5193ae..000000000 --- a/docker/rbac-sasl/streams/kafka/server.properties +++ /dev/null 
@@ -1,182 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# see kafka.server.KafkaConfig for additional details and defaults - -############################# Server Basics ############################# - -# The id of the broker. This must be set to a unique integer for each broker. -broker.id=0 - -############################# Socket Server Settings ############################# - -# The address the socket server listens on. It will get the value returned from -# java.net.InetAddress.getCanonicalHostName() if not configured. -# FORMAT: -# listeners = listener_name://host_name:port -# EXAMPLE: -# listeners = PLAINTEXT://your.host.name:9092 -listeners=PLAINTEXT://kafka:9093,LOCAL_PLAINTEXT://:29093 - -# Hostname and port the broker will advertise to producers and consumers. If not set, -# it uses the value for "listeners" if configured. Otherwise, it will use the value -# returned from java.net.InetAddress.getCanonicalHostName(). -advertised.listeners=PLAINTEXT://kafka:9093,LOCAL_PLAINTEXT://localhost:29093 - -# Maps listener names to security protocols, the default is for them to be the same. 
See the config documentation for more details -#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL -listener.security.protocol.map=LOCAL_PLAINTEXT:PLAINTEXT,PLAINTEXT:PLAINTEXT - -security.inter.broker.protocol=PLAINTEXT - -# The number of threads that the server uses for receiving requests from the network and sending responses to the network -num.network.threads=3 - -# The number of threads that the server uses for processing requests, which may include disk I/O -num.io.threads=8 - -# The send buffer (SO_SNDBUF) used by the socket server -socket.send.buffer.bytes=102400 - -# The receive buffer (SO_RCVBUF) used by the socket server -socket.receive.buffer.bytes=102400 - -# The maximum size of a request that the socket server will accept (protection against OOM) -socket.request.max.bytes=104857600 - - -############################# Log Basics ############################# - -# A comma separated list of directories under which to store log files -log.dirs=/var/lib/kafka - -# The default number of log partitions per topic. More partitions allow greater -# parallelism for consumption, but this will also result in more files across -# the brokers. -num.partitions=1 - -# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown. -# This value is recommended to be increased for installations with data dirs located in RAID array. -num.recovery.threads.per.data.dir=1 - -############################# Internal Topic Settings ############################# -# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state" -# For anything other than development testing, a value greater than 1 is recommended for to ensure availability such as 3. 
-offsets.topic.replication.factor=1 -transaction.state.log.replication.factor=1 -transaction.state.log.min.isr=1 - -############################# Log Flush Policy ############################# - -# Messages are immediately written to the filesystem but by default we only fsync() to sync -# the OS cache lazily. The following configurations control the flush of data to disk. -# There are a few important trade-offs here: -# 1. Durability: Unflushed data may be lost if you are not using replication. -# 2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush. -# 3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks. -# The settings below allow one to configure the flush policy to flush data after a period of time or -# every N messages (or both). This can be done globally and overridden on a per-topic basis. - -# The number of messages to accept before forcing a flush of data to disk -#log.flush.interval.messages=10000 - -# The maximum amount of time a message can sit in a log before we force a flush -#log.flush.interval.ms=1000 - -############################# Log Retention Policy ############################# - -# The following configurations control the disposal of log segments. The policy can -# be set to delete segments after a period of time, or after a given size has accumulated. -# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens -# from the end of the log. - -# The minimum age of a log file to be eligible for deletion due to age -log.retention.hours=168 - -# A size-based retention policy for logs. Segments are pruned from the log unless the remaining -# segments drop below log.retention.bytes. Functions independently of log.retention.hours. -#log.retention.bytes=1073741824 - -# The maximum size of a log segment file. 
When this size is reached a new log segment will be created. -log.segment.bytes=1073741824 - -# The interval at which log segments are checked to see if they can be deleted according -# to the retention policies -log.retention.check.interval.ms=300000 - -############################# Zookeeper ############################# - -# Zookeeper connection string (see zookeeper docs for details). -# This is a comma separated host:port pairs, each corresponding to a zk -# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002". -# You can also append an optional chroot string to the urls to specify the -# root directory for all kafka znodes. -zookeeper.connect=zookeeper:2181 - -# Timeout in ms for connecting to zookeeper -zookeeper.connection.timeout.ms=6000 - -##################### Confluent Metrics Reporter ####################### -# Confluent Control Center and Confluent Auto Data Balancer integration -# -# Uncomment the following lines to publish monitoring data for -# Confluent Control Center and Confluent Auto Data Balancer -# If you are using a dedicated metrics cluster, also adjust the settings -# to point to your metrics kakfa cluster. -#metric.reporters=io.confluent.metrics.reporter.ConfluentMetricsReporter -#confluent.metrics.reporter.bootstrap.servers=localhost:9092 -# -# Uncomment the following line if the metrics cluster has a single broker -#confluent.metrics.reporter.topic.replicas=1 - -##################### Confluent Proactive Support ###################### -# If set to true, and confluent-support-metrics package is installed -# then the feature to collect and report support metrics -# ("Metrics") is enabled. If set to false, the feature is disabled. -# -confluent.support.metrics.enable=false - - -# The customer ID under which support metrics will be collected and -# reported. -# -# When the customer ID is set to "anonymous" (the default), then only a -# reduced set of metrics is being collected and reported. 
-#
-# Confluent customers
-# -------------------
-# If you are a Confluent customer, then you should replace the default
-# value with your actual Confluent customer ID. Doing so will ensure
-# that additional support metrics will be collected and reported.
-#
-confluent.support.customer.id=anonymous
-
-############################# Group Coordinator Settings #############################
-
-# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
-# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
-# The default value for this is 3 seconds.
-# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
-# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
-group.initial.rebalance.delay.ms=0
-
-
-# SASL Configuration
-#sasl.enabled.mechanisms=SCRAM-SHA-256
-#sasl.mechanism.inter.broker.protocol=SCRAM-SHA-256
-#security.inter.broker.protocol=SASL_PLAINTEXT
-#allow.everyone.if.no.acl.found=false
-#super.users=User:kafka
-authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer
diff --git a/docker/rbac-sasl/streams/scripts/.gitignore b/docker/rbac-sasl/streams/scripts/.gitignore
deleted file mode 100644
index 34d510852..000000000
--- a/docker/rbac-sasl/streams/scripts/.gitignore
+++ /dev/null
@@ -1,9 +0,0 @@
-*.crt
-*.csr
-*_creds
-*.jks
-*.srl
-*.key
-*.pem
-*.der
-*.p12
diff --git a/docker/rbac-sasl/streams/scripts/certs-create.sh b/docker/rbac-sasl/streams/scripts/certs-create.sh
deleted file mode 100755
index 1035968d3..000000000
--- a/docker/rbac-sasl/streams/scripts/certs-create.sh
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/bin/bash - -#set -o nounset \ -# -o errexit \ -# -o verbose \ -# -o xtrace - -# Cleanup files -rm -f *.crt *.csr *_creds *.jks *.srl *.key *.pem *.der *.p12 - -# Generate CA key -openssl req -new -x509 -keyout snakeoil-ca-1.key -out snakeoil-ca-1.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent - -for i in kafka ldap -do - echo "------------------------------- $i -------------------------------" - - # Create host keystore - keytool -genkey -noprompt \ - -alias $i \ - -dname "CN=$i,OU=TEST,O=CONFLUENT,L=PaloAlto,S=Ca,C=US" \ - -ext "SAN=dns:$i,dns:localhost" \ - -keystore kafka.$i.keystore.jks \ - -keyalg RSA \ - -storepass confluent \ - -keypass confluent - - # Create the certificate signing request (CSR) - keytool -keystore kafka.$i.keystore.jks -alias $i -certreq -file $i.csr -storepass confluent -keypass confluent -ext "SAN=dns:$i,dns:localhost" - #openssl req -in $i.csr -text -noout - - # Sign the host certificate with the certificate authority (CA) - openssl x509 -req -CA snakeoil-ca-1.crt -CAkey snakeoil-ca-1.key -in $i.csr -out $i-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent -extensions v3_req -extfile <(cat < ${i}_sslkey_creds - echo "confluent" > ${i}_keystore_creds - echo "confluent" > ${i}_truststore_creds - - # Create pem files and keys used for Schema Registry HTTPS testing - # openssl x509 -noout -modulus -in client.certificate.pem | openssl md5 - # openssl rsa -noout -modulus -in client.key | openssl md5 - # echo "GET /" | openssl s_client -connect localhost:8085/subjects -cert client.certificate.pem -key client.key -tls1 - keytool -export -alias $i -file $i.der -keystore kafka.$i.keystore.jks -storepass confluent - openssl x509 -inform der -in $i.der -out $i.certificate.pem - keytool -importkeystore -srckeystore kafka.$i.keystore.jks -destkeystore $i.keystore.p12 -deststoretype PKCS12 -deststorepass confluent -srcstorepass 
confluent -noprompt - openssl pkcs12 -in $i.keystore.p12 -nodes -nocerts -out $i.key -passin pass:confluent - -done diff --git a/docker/rbac-sasl/streams/scripts/kafka-ca1-signed.crt b/docker/rbac-sasl/streams/scripts/kafka-ca1-signed.crt new file mode 100644 index 000000000..c664396d9 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/kafka-ca1-signed.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZTCCAk2gAwIBAgIJALr3r+X7WPmoMA0GCSqGSIb3DQEBBQUAMGMxHjAcBgNV +BAMMFWNhMS50ZXN0LmNvbmZsdWVudC5pbzENMAsGA1UECwwEVEVTVDESMBAGA1UE +CgwJQ09ORkxVRU5UMREwDwYDVQQHDAhQYWxvQWx0bzELMAkGA1UEBhMCVVMwHhcN +MTkwMzI5MTQ0OTQxWhcNNDYwODEzMTQ0OTQxWjBgMQswCQYDVQQGEwJVUzELMAkG +A1UECBMCQ2ExETAPBgNVBAcTCFBhbG9BbHRvMRIwEAYDVQQKEwlDT05GTFVFTlQx +DTALBgNVBAsTBFRFU1QxDjAMBgNVBAMTBWthZmthMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA4CKhW8saH/Nyk8CZ86LunvdKxdhIMvxkvo32EcqRl4tI +6ATiuJeghQq0h1z4PWT2SaX09X0IYZA1gNI9nut8WBRaPueY9RP0r2y5zsUv7YdG +9PmpNVUi0gBGLyfBRSUVpqqovZin8Pa3ID3c7T6Sb0Fvg9pK3yCqCr9bMiWIPuLf ++7jhmQt6upHW6GlhV7zq8+gLU114SdIUaOyB/ren1qQatMjsqidpy1v1IPxDmLTZ +kA6HqNfGFQchvFobakt/LbobFWLhzi2Bnjni4J0IjIEOxN/PmnddunewE45GYYkS +nAFSmttI2C7ph1wRMWHjEKlfUo8K79tEjI3kyQoE0QIDAQABox8wHTAbBgNVHREE +FDASggVrYWZrYYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBBQUAA4IBAQAW7dAz1DZI +cHPkiwpeGFIf5vBsDysWW1fKRS6dXHaO4kvNJKsVcYdluLprnVcCRy5RZikf0Eth +Yvr6Ji2KOSU0TKiz4cTZPWGfw3czGhrP4e334rAkXsYSMeg0M9mduwr4Yftg+Lwr +ee7C1c9GV1+ww6pH2VcWTvpMfUHQ0rMdmUc+sSI+cGH5aDHTbik7stSWaMVS+p0h +LN3qa3Ntxwcw33FD4BhjNeoCL36ZZZoVDB1VVWJls7Lnu7kFSI4o+meMsAq0mh8I +oY7S3WgcLi8u/KgiFyCMBrnYkqI58zxOVUai4Mfl2F4sShphV941Zuz2H8WkXRMe +nxxI8dbiaNJC +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/streams/scripts/kafka.certificate.pem b/docker/rbac-sasl/streams/scripts/kafka.certificate.pem new file mode 100644 index 000000000..c664396d9 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/kafka.certificate.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZTCCAk2gAwIBAgIJALr3r+X7WPmoMA0GCSqGSIb3DQEBBQUAMGMxHjAcBgNV +BAMMFWNhMS50ZXN0LmNvbmZsdWVudC5pbzENMAsGA1UECwwEVEVTVDESMBAGA1UE +CgwJQ09ORkxVRU5UMREwDwYDVQQHDAhQYWxvQWx0bzELMAkGA1UEBhMCVVMwHhcN +MTkwMzI5MTQ0OTQxWhcNNDYwODEzMTQ0OTQxWjBgMQswCQYDVQQGEwJVUzELMAkG +A1UECBMCQ2ExETAPBgNVBAcTCFBhbG9BbHRvMRIwEAYDVQQKEwlDT05GTFVFTlQx +DTALBgNVBAsTBFRFU1QxDjAMBgNVBAMTBWthZmthMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA4CKhW8saH/Nyk8CZ86LunvdKxdhIMvxkvo32EcqRl4tI +6ATiuJeghQq0h1z4PWT2SaX09X0IYZA1gNI9nut8WBRaPueY9RP0r2y5zsUv7YdG +9PmpNVUi0gBGLyfBRSUVpqqovZin8Pa3ID3c7T6Sb0Fvg9pK3yCqCr9bMiWIPuLf ++7jhmQt6upHW6GlhV7zq8+gLU114SdIUaOyB/ren1qQatMjsqidpy1v1IPxDmLTZ +kA6HqNfGFQchvFobakt/LbobFWLhzi2Bnjni4J0IjIEOxN/PmnddunewE45GYYkS +nAFSmttI2C7ph1wRMWHjEKlfUo8K79tEjI3kyQoE0QIDAQABox8wHTAbBgNVHREE +FDASggVrYWZrYYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBBQUAA4IBAQAW7dAz1DZI +cHPkiwpeGFIf5vBsDysWW1fKRS6dXHaO4kvNJKsVcYdluLprnVcCRy5RZikf0Eth +Yvr6Ji2KOSU0TKiz4cTZPWGfw3czGhrP4e334rAkXsYSMeg0M9mduwr4Yftg+Lwr +ee7C1c9GV1+ww6pH2VcWTvpMfUHQ0rMdmUc+sSI+cGH5aDHTbik7stSWaMVS+p0h +LN3qa3Ntxwcw33FD4BhjNeoCL36ZZZoVDB1VVWJls7Lnu7kFSI4o+meMsAq0mh8I +oY7S3WgcLi8u/KgiFyCMBrnYkqI58zxOVUai4Mfl2F4sShphV941Zuz2H8WkXRMe +nxxI8dbiaNJC +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/streams/scripts/kafka.csr b/docker/rbac-sasl/streams/scripts/kafka.csr new file mode 100644 index 000000000..749695039 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/kafka.csr 
@@ -0,0 +1,18 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +MIIC8jCCAdoCAQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNhMREwDwYDVQQH +EwhQYWxvQWx0bzESMBAGA1UEChMJQ09ORkxVRU5UMQ0wCwYDVQQLEwRURVNUMQ4w +DAYDVQQDEwVrYWZrYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOAi +oVvLGh/zcpPAmfOi7p73SsXYSDL8ZL6N9hHKkZeLSOgE4riXoIUKtIdc+D1k9kml +9PV9CGGQNYDSPZ7rfFgUWj7nmPUT9K9suc7FL+2HRvT5qTVVItIARi8nwUUlFaaq +qL2Yp/D2tyA93O0+km9Bb4PaSt8gqgq/WzIliD7i3/u44ZkLerqR1uhpYVe86vPo +C1NdeEnSFGjsgf63p9akGrTI7Konactb9SD8Q5i02ZAOh6jXxhUHIbxaG2pLfy26 +GxVi4c4tgZ454uCdCIyBDsTfz5p3Xbp3sBOORmGJEpwBUprbSNgu6YdcETFh4xCp +X1KPCu/bRIyN5MkKBNECAwEAAaBNMEsGCSqGSIb3DQEJDjE+MDwwGwYDVR0RBBQw +EoIFa2Fma2GCCWxvY2FsaG9zdDAdBgNVHQ4EFgQUM2bIHirKL7O6ygfyG0MfEbbp +1SYwDQYJKoZIhvcNAQELBQADggEBAKS3x4VZ1M7lCu5NJiLX/TJoWAjh9TINPgzB +9HLcviWvwse7xdcdeDI59MSRMXgDKhQ3RPAC6y7WoW8fFB1M5gpQAgzMBXJ+fnLd +PblNyhI0M6v0jFLMQxSPSJT7mNulR6fZPJ8L+Oxw8DRvca9xgaw83UuX0Mcu25ax +2emEYqNEMkLtOKcdxhl76aXAFMoXmZ4oCJsp2d9lAWNX1TVEum8PjUa77DIDAoBX +2flbeF0IYjIgMHWwnMdXOsXYfGdhKxf4uAIS/PDmWJDwEI7UL5JdF0KIZjllJn3R +V1ZFaUxtw8mz/MgDj+JUTZ5CWTaV8myd/hnykcTFWJNjTMMGZPM= +-----END NEW CERTIFICATE REQUEST----- diff --git a/docker/rbac-sasl/streams/scripts/kafka.der b/docker/rbac-sasl/streams/scripts/kafka.der new file mode 100644 index 0000000000000000000000000000000000000000..108ac8b1cf3f52a1929eced1981533350b735651 GIT binary patch literal 873 zcmXqLVoo(^V)9+U%*4pV#L2Mh`}(K9BYv(h;AP{~YV&CO&dbQi%F1AnY$#_S!^RxS z!ptL@oM@<5l3HA%mz8l@fRTW*fYQ^3e%RhYEu3&rTt=*)2$Nc77UiTGNaqW*bQthyNbpQ8` zhcmgWc1^tYA~P|3&#TWbxPxOWJTHl4ylMQmefhN|Qd>^ES*4zNI{K@^ALkicZcgB9 zUvd4ID7)gGDCsQkdfi>pqDc?W={C-@eDq*0M^7W)k^ARomB;QX-yq!Qme?sYhcRf@ zZI2szFWX}T4HF*=tc(xp=X!tJrKk7FNiLR)Ow5c7jEm(BWDTT&;U+7{B4Qxa1PQw) z&Yb+@#GH)$;u7Q_1STF}5Hd1|y}e+3#mu9i_(?ZcoJ5fPvky7^+G5e+r(E^s#+3Cv z@;kNxyDp>MT(n+0f9W z)Xkfo@7~Gk(Wmh%y=Md0mRa%~3;QnJ&5+U4*ZZ?VNnD|aZRd?ii!49e_=UPHdT{*d gjW``Isl@PmrfF}!$sb)3D=ar(#^d9)M;Vu#0F}Q>VgLXD literal 0 HcmV?d00001 
diff --git a/docker/rbac-sasl/streams/scripts/kafka.kafka.keystore.jks b/docker/rbac-sasl/streams/scripts/kafka.kafka.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..6781e52356fc64ead8e70a669bdf7218790d0002 GIT binary patch literal 3945 zcmeI#S6I_o769-h1Pp}UTTEzDLgGI(4Js%|2ue``A_0NW1QMhq2zCex(u*QxAV9D{ zR6sW>I%$-Tn64ecOGRhx>5ueYy91=X~dP*QVE|K_C$1 z&n4tT2@eTjfI#5Dj_HIXkl;bAF@Ohw1PB0Azye@G^dQ2Z&%MJoz4cEt05Kt9y*Ogr zq8Jzq7X$%5xQ&3SkbpB(Kvd3$g2OWW=nSk+$Ps^9gx?VcHZTMy2Ef0a!$qM^RwO5! zG$8pc6cH7+bg(DbI$PO0;iLeGZ+ja=Vf!ewkXvfpUXTcD^CJC^0bH#94x!c%r!-Z<~?rpiDMb9S9}2 zAJnpaasOlRZGd_`T5=L~6T=cdOnGIl+wnRDr@%eY=5qr>>gpNGqXp5&M>9`e-@;={ zTQ?C*br~JI%+=y*&LZUt(AEk?y*DCuZ~w56!10ncsEULLfI;A&GqheF>lp%r!keNZ z2o3qzVvACyiAJ$%9mHeQv$_f0S~9tvq-YbAa91rs=X2PmfvlofFQG4jJN>ixjEZF` zJXdwAL)V8dq%5OAI$tGEt;D^8I&_5#@sfpPdSBl}+;)0akoeX7z6!Au;ixye1x~c! z?=Lg3f@lt{{$iaHW2bFtSL-_KyxcC!UKRGW+;7U#H}b1oiH~beH=DX1>o|Ondt@Le zmm71BnsKlq=8^XMMc35>n}RR9FycH>tf~;)*_Vsgvm35ngB>x~8m2~sKk zRLYMYOY{YS1fc+Py?w-mM9@NDC|D071zxWxC=)t0X|mjFFwOFxkb9%#7CqZofZsR~ zXN4q@KWQYwlxWpp!PdJ^zpiyvF*rAeQf+@%O=4n#UD~3~oyCcJ#yR#ps9tMOYd6e>d}6;b8h%8E8g$v2A8E9z}m_$E)1s?7nR$kd*zMe9;DYd zq8KQBZQkdkPp3SUH~e}mY(uzEtUS-EykEzYQg^3%e%ldZb5kD1?)U5f;pX=jK{K&w z(ZQJI&vIY)rNzs`w^g3dXOm+mIq6z$On1jdDB;>tCmyePEK;uvnlW$xAo}voWedAZy?#RfV;5P#y><>0{2Oy z#yb9_X>IpPV6f1N0(@8<&Q65}ZL+YE^Wbl7Hd+EH*m_()>AgmaQv9TKAand;w&6=- zYHMu>HLdf-?vKsIoDZ}x?4fs(85#qt+d~ylF!+y%w%}aNCLwNTs z7hD81R0KIAofPdslMmz^>gp~YS(yj2h5B%F3D zYj+vzNB9XPz+yU3F&h3PIhf)UiEhIe*zV!*TgzNuPa=78a}vRI{;A@MJSM2)nyao^ zxoBvdCxg;P9yENAePCg&ah{_;l;Wl5HCa+xKR0^QuyE~S6=QNVtR0(CkQ^;$(n&H$ z-gc7}P2fCKVqw~eEDxp;h$B?@KDt~bepa~A+gs-Do}}j`7tqQB4%e$6{yw<3_o3Dy zPHp7dKFfU&T)9{j&K!9%*>bO;JA#!&)YT4t?C-7ex;Ja^+2}RRPSw|l#Kr;`=o+2rJJy+hJAVUZ+#pM|awdwb#^-Tu+^eYI(}pe-^iWQ+?E9L~*%YOMN0OYW zs*{rPqHM`PM^>0gc8OQ~2T0ZtYGZ3#*Fl4;=`W@V-yw1O4q@tAtOUg-MZD5*?2acq z^qqa1*}h28fLB-B(RZrSrfaPz`~t=5VI6lr>6JzL-O>oc-E3w{%^66~NKCuyUg~~_ zCrUv126wbOO6q5dGjN{|2oP+89#LJBGiNHc%rjwwtF 
z@uAQHLgp4)F7oy(wx@RW^xa0}TASTcHw&dK2jHF^(cM<{ z{8B)x<4S>={s@ms4}QD>coSwhs_0|PgKR#X>z5}dig0%J_Pbp*QC}-aOx0OAoLnhV zori=Kr}m8msA4x`S4-6uP{~5IgPCmn+;)3s0(DDE$Ngpezl{HHjsNoI(>Hm|^8*)C57d>^WX@fkNzD2i@fcqo literal 0 HcmV?d00001 
diff --git a/docker/rbac-sasl/streams/scripts/kafka.kafka.truststore.jks b/docker/rbac-sasl/streams/scripts/kafka.kafka.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..7181032bafac8225536660ab012c5ed6fceec786 GIT binary patch literal 901 zcmezO_TO6u1_mY|W(3o0$%#ez`6WPZ=E=9+A`Gk%dZq@J3=GU}22IRP22D&_Oq>j# zF5dCHxciK<0WTY;R+~rLcV0$DZdL|^WJ5Uv88+rn7G@sNgpF_C}_YB5@YA#2uRGycg!it zH{>?p1PQSTGld2l$cghBS{fJ|SsI#{Seh6_iSrs60J#=WE`1!)#HfVqc}7+S<|amd z27@L>E~X|%Muz>qWsSj%m)AwDOe|5lK4C$(`ij$czf@PulGUDjW|6#J!9Tkxp4>cq z!D^-o+SNS2A8KcvcxF%WUepj|GlkM`DVX>V@?rZ7d#-E=B+6q3FXUCnr^i*eG z7l-!e>kH<^6q|%vxpg0LUfMSMMvH+DM^(l@@A>7ePfLQL)lN(oTR%tTShV58`ESG% z*SM|h*i*EiE3?Qflz&lI_2CniJ`<<=OGVksTrY?^5uxgHb>F+(%?8=48w6e`tks>z znVxvtUi0L=UPJMR)yI<8=mwv?@Mu;}R`JsZlWJC*zgi^Ze#p&Av*e_sy<*#r7J0F` z+V0{DF0Ltcv3dQib5(+n(WY`HW<~}^5p9b`j9C>glSUJYBdk*x{s_Lf9>~4dz_XH()wu5?cwx0aHWwelgiCM zv)y|eebt?PcSe2;{dq!U(I3tf=Rm7@Iwq+bezmt9o?!Q8b#u_2h=+OCvt~YQ+@3u# zVtwO5^_Slx|AeXKE(tGbi&vPpDc`W=*7xPAZqt~*^c8Ra{X;3Y=#Hds|HJSLCQoKA ztniU2- +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDgIqFbyxof83KT +wJnzou6e90rF2Egy/GS+jfYRypGXi0joBOK4l6CFCrSHXPg9ZPZJpfT1fQhhkDWA +0j2e63xYFFo+55j1E/SvbLnOxS/th0b0+ak1VSLSAEYvJ8FFJRWmqqi9mKfw9rcg +PdztPpJvQW+D2krfIKoKv1syJYg+4t/7uOGZC3q6kdboaWFXvOrz6AtTXXhJ0hRo +7IH+t6fWpBq0yOyqJ2nLW/Ug/EOYtNmQDoeo18YVByG8WhtqS38tuhsVYuHOLYGe +OeLgnQiMgQ7E38+ad126d7ATjkZhiRKcAVKa20jYLumHXBExYeMQqV9Sjwrv20SM +jeTJCgTRAgMBAAECggEBALMVeG/rm/gjgEzl+xxb9uU1GZ1y7l0upSBMNWyJukKn +m50nKi/rluo2X4A4nHARl2fJHix3tpadruI7Gdk8tqF5wZG5YtGPHFZ+PQglLeJP +0DY0tSpT1/qLFYjf7uDcfKwqd6DltGon9rHgPAGjmUUjt4JWjLQzWSo1MxyiOHZl +OSUojeXJdShLZ0otu0Llq33R7kX1uf5Oy45S+umkywQCHpRFPVvzp6lge1/uaAlm +r2aMAM2BN4KZrNHafsRsS/lE3ItaqOPoXKeKEcYTaZd/CitprVLe4l3sfIzC3JX9 +WJ2V++i5XmseMCq0egTgb/fiahAGq8Wy49Z5QSCXorECgYEA9//v6I0ZBi1gsUNv +sxpMAZ/0DoTysmASr+RRklxgfNnIZTXKSt41kVnZVroBsPDLyTYEbSxbeQc+zhIJ +7pFVGnbbeVbM6CubvVXdTGEyFouUgQXRm+E+4wza9l9YIOt2o8hycFhCyg+w75u2 
+0AdjD80e0fFP74jHD1t65aTv/PcCgYEA512czUApyGCGUBxvM5/b4zCmCga8l9wi +GWtxzhLxKeOCRPZmo6sMK0FsOWB/S7CycREZxUGiJ8M2QCu7+y6ZqOB6wOAqmFqU +bGuvXAu93KeIewAO9gsFGd/5F9Zvtf288YU+2xHvgGJj6ZFa4bobWjvYI36xgdoI +QHzxoxWqgncCgYEAlo//qwPeqW1rQrNaYTYZ5vKhTR9R6RGCxt6q11zWB3aAv1GE +2ydFBlWyKYEL/cxzLFlrHozLjBLmAl3ZQcliDYsTe/tCs8Gl77Dtha2MpztekWZi +92wsrdPkK6d+7Z2GjbDoKWSsR9h250F2H54cej9h8ru6eAZmM+CqIDmeqckCgYEA +2nOqFKYLjXWN++ANIwpCPM33SCo6MYyY6bVoO/HooOt+WYzpNonPMJxSCg7Rwm6w +3U8PLQ+egrqv44Enua+zSB/D548AyN9lmsVGSruPZeMNW02f0rJu+5JdCCPhUE2m +88gipAfYQjkkKymiTNVC9DzjBAigo4FxHyqZoKlZWFsCgYEA6sYzfqiDZuVOlzMx +fqtdKmgU4xmvF44tXCOyXWwwb9rBYVNnX+0epABPMJzmHhQhJrjhNNrVm6CqU9Jp +tmrr1K1lxw7K7lbkTIaCaq6M1HxglhZzuiFs17+A+rQJ/DRsSMsFGlIq7yNmOjQb +VHG77Y+XKF6GI64TVOKgwcqM+vI= +-----END PRIVATE KEY----- 
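Review bot: The unencrypted RSA private key for the `kafka` broker identity is committed here as `kafka.key`, and the same applies to `ldap.key`, the `*.jks`/`*.p12` archives and the six `*_creds` files, each of which holds the one-word password `confluent` that the deleted `certs-create.sh` passed as `-storepass`/`-keypass`. In the same commit the `scripts/.gitignore` whose `*.key`, `*_creds`, `*.jks`, `*.pem` and `*.p12` patterns kept exactly these artefacts out of the tree is removed, and so is the only script that can regenerate them, so the checked-in chain cannot be rotated or re-issued from the repository. The `diff --git` header for this file appears to have been lost in the binary residue above, so the hunk boundary is inferred from the PEM markers. I would restore `.gitignore` and `certs-create.sh` and invoke the script from the compose entrypoint (or a one-off setup target) so every checkout mints fresh throwaway material; if the files must be vendored for a reproducible IT run, note in the README that they are test-only fixtures and keep the `*_creds` contents in sync with the script's `-storepass` value.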
diff --git a/docker/rbac-sasl/streams/scripts/kafka.keystore.p12 b/docker/rbac-sasl/streams/scripts/kafka.keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..e43909f1ce22c48337efd3342129909d4cbcb01b GIT binary patch literal 4525 zcmY+HWmFXIwuhNv=pF`;hJm4lfxoo$3=E-kcPfIkbax}6Ae~BgsWbvZ2?7o&B@I#z z9bV5}_nx!Phj+hgJ-@y8$7ih#52vaC0&wBsR5tiTe9@@r3o-x!pfH?D7ZgsV`4_9h z!||T|SA=H-3dhs?i?#kf4SbUSn<6C!01LxGH}G)K1)LY3`2X?W<%}T6tzgN?tC(E* z)T_rbfsDZvqwfPefVepQTA*+cTEaLt2_~$ES?S(K3?{SwgF>lHhNQHct#i|rcRUii z|e zVO%Vjf>^#*OrYXLFoTb#@)&eaWE262LOdFPGrf^kYRFO5(Hi*+Hj+u|7iruRZr!&9 zbIwBtG{3Y2$nVZYa2^X@V~h9Z%luY=M|J^Pz5A7ptrKciopBzhwyAclr>dhCsK8(> z)A8&kb=b#u2QXK_jozCnPfOt4aRJ3SL-R!-H)qq8Y;{9z?|=uk#NEqtkeex6xm}-c zH@EkqC_!9KL1h-6Y}Ce}Ab}kU%&0NytL=9Zn7|@7q`y~jo!u6(E%7JN(Z&DHRxTRs zSIN%FUtVsN%?&9c>miB1Pj5GnHa&t(y-@Df*tc2qZ|tuzJy`O4vcpXs)GN~>H{aLB ze^RAo!&@cG6IBT#My-y)lUIrB9$orNU~8y92d(Tl59w&AmP~mCenv|@=o&1x5Vz`; zB-HBO_B{${&B%2X8u%%aOPyIr5N4gSMM*X=-kOf~B>5xfEpSYmz~cLbhvD@>n!y7n zXu;3@$XAO>UW+nBsWV6?bxFc+d9GiMTF&Ub18Zqhe+BL2coq^M!EL6mSGdsp?sa&) z#3dGjDd&NXKKY!631D#wcNh^$&x*q+#oxF=)2#}XcjZSQJgoGi?}1I_GF6&6v{Vq! zoH79Bqq^O}JK#HVGM%12&~f8g5XCUzz#`lOtQfLe-(@=53LF~OaTWR$71gMUOT;>v z6%i%dNqe%9xZd+K_~lhIR1P+MeeOmjS1sXsA;i|gw&gX@G}3bF)=~YMHs1n#5 z#L*3xq^?A7*pAUgZY}BB0p}7)$jNd6+hvz(*fgW7FT`_v7|?!`ct^k2{d#{K4E=jC z)cGcEoz<%$v*rHIAu#u=Sx2&{*zyh2`0 z5t&H0eBhh-NWbqShyT_tbNej^aZniR@OnP{Yp*B3NBQtRTKKhCij%#@=bZ{C;x(?` zn6?R%THt+Z&of)EI{&$rp5W@k@*m461H!ccO?3g0S&=70gc_1yvv|`?wEI0oTDzb2 z_u@U@y8+rqII3enFSU~K(*cKy8g=nZbAzCU@&=3Ag#$W_iv4v()q#UOX>6#lES&z| zsw9F4ld=%wIN@01IQ*-^+5Z#K2tz<%J;#^!Y{H_V|44|#B_%}u`9~NYPO|jxCIbAz zaFX%AXc!2<`TO<#CjtDIU-AFt*CM!{!?)!>BMWo!zB%n{)z+Bllqh#nU0rB;8kjD8Gm zypqv>_reWKM2Z%C&1wNIdXi*YcGz3d9Ea?-Wz{0p+=tw=}A z5oO~RQDJxtPy+Fg&B@@|uyZMd68wGCc@c<**F*i5*;Sf?()yQ#ynk>@;_GI5eCd9! 
z_=q~MEVz43-4}8Fhe2F=Jt8NuXJT;q)W>7D9-E_OHJD|StLl}-KSh3SU6ce|%i^dX zKlI-eCktQLi1lVU74ycff+farf@F{cmVPm$P5HJ0$F9YACK}^>3MxN4$LjOb zCZ(_Dsv4lQ)|jM5!D*mLcg`EA3xcWHC$xMr1fT3ejX8a+7*n+Gq&>`N3X#P1H zx6>+@a#^6c|JxMAQK+CZ9f7hTY#7~w@?N*wY~J~cM=6pZ_c3FU{Mfj` z&Fq83?{W#L&$ldcYEN!?L=foway5R?-Wq%hPo%MSO_Ihs8378bDfY%!gwS)7nkml* z8;WMhAoHY1SuesHsCvgSQIg`@AdP9oSqW4UL8~J*KA<}in-dl9;xk^?pv*71D|uOCP(U)z&H@O{$7t8T3Fc%nL3 ztcramrUflZc8%=G`kJ+I*)}H5Tp(?(9Sq|alsBIqgdEI2^-j-%6~789G35vry_@9U zY9_Z%T;FfqZd3SnT{yif`?EMd5OkCwC|SN!BKZxdU+`3LNp7H2rRlq%o!+}<`314OnN(O?f$SY6vtiloeohY^Jy9Md#mreN#rJfJ)HSW& z)vRb8^5@7#h7<;TGIf4WII4$gNHMa&kc@bqRrPA~K%$@r%$3p(*?sR5=f!Z4PQ-g;W-C*Kb-v)Hz zodC+?eILLId=a6ZHuf#@>vxP!e3hUUjsHfl|URcZXG%gzEh`-<6_$mOnMS?qtQ(?780ssnI6 zl#W9*h0TTE8aVc@Sd-l{(8IjkYOVP=7^dUT?sOSBYMJrRzH5$6Q4k9NzHl-ty(u=C zapP3cY}|5ey_6MSlcaxwJ%hRybPWCQ=nG*vVZI>u;y~ukZC6reu7}>KBO%xIS%*du zOblH=Z=1h~OhP(VG<_(y!Be$|-e)vGiL(%~^32sp8mF{XucCGPIpK z#EnsfEm&U0mthGx3X#>KvPWtamU~&%_G)4px{$3ET*7^=%w~ge*h=ZzV${i301vsn z8v-KdX}^P1Py~FO-^w(J(M3qDwM=!lz@N__&XDtqEn zdqstBbkOU}c#rAMHoe?Ay3l^VOx~sZ&p$X1$qRLCPwpK!HU*uGZ(RQ_hy^CZSRThD z7^1?c&Mcw~u8FVxn#9N7ZW!LveDDba9GZ#a`rASj%McO*&n*?wQZOn4tF(_omcx(L>xiJEP(8?Fw6T{P%Z^;)uDAsa~P(z(9bH?u#Iq7gR!5wqjeVa%m5i5JIm;;ET3 zdJ)%*-+v&EQ$7O28;vl7J(g5a9oA~pMJ37G6c5r_Dm&TU8~vlxzHmQqN04DArK0l( zin|nVE1F2uGt)q(WYg-qDWVu8;bZVxR(5Q=RPC24K|@KoN>6d1ULT|7$r$92)){6EH1eJ;(fWPcirU~8*G9w7s;zSF z{pSS>c|kq7zP=bR1X)q|j+gBv`G&p+*O0WiH+QsQkju)}3%dC1*t8H$#GTgS@E|=>PTF-A$Z|T>15$}Ac4{8z2v7Jur zRFbNn1)yT&wM<90gP15t(g3omc!wz_{QV3=@PNtdeX7%NRRJg^iTNHfd46nG_Z z^jUyLmXs@+`$r>iw&Ov8LO{6PNg%h>c#)N8cIS*%ZROE=w!mbXyLzot3EE z6%|SB@9QiIT?kf1t>u?*ahh7zDe2;7y&P#i`6Rm!Shjc84I*uxlj-ugJIa{+a*G3y zS}rtd0m2fr*{UsQIMMD#o)hrQ4_=*j>&7XGkN!$X%6(%(N#AqQ;rw0&4UUwuUZijE zv59MBw0G!tbx$-5SgWr8^BdH}0jGp=$0l8!9(_JoCf+cX0r%{hn*y+l7JjiKj9|&4Glc-WCbd@ZqdtIpy(o zPCDfU-9Yw2JFYgE=bSLg6&m7Pb%XOTcoW%=Vr8MoB^n#YPhT`|UKZ8kpU>*)Y-0&K zOqUUntIeQzZcAq^T<4~bDU4}e_kEuv<1z}Pe;2s%^Cj+29Mtjb>nY<39idGgE~$kb za^oj2uiK}p`m}De*O{C|)g(Lt^SWFwFJckDoR 
zg`-F|tIu!S;;iCqZQ9rk@wiQLAC)hSJ@AJsPsSqI=1JgJ|FrD#40BbB;8d+P?Uzb2-NGolojF>XoR2| zyx)v|0Adq=GrIH$e67ivX?~Amz{99Bp+C$Bd1HV3u4|*=lmzlLQaO|O)Wn0|;vFB( zfXKPoM3K9HUmb&NgzK8U?5=#>LH}OLyD~CGy}rAV$BX8{qP&d838eOT+5)&~dJ)3J z;!9BN&JI!j8}b`>nZ|@knE@XB&>V_!73MPS4u;T)o=qu_l*-!Nh*puwe?r4E71*AgEA7)s0C54)h5rM$8GC&I literal 0 HcmV?d00001 
diff --git a/docker/rbac-sasl/streams/scripts/kafka.ldap.keystore.jks b/docker/rbac-sasl/streams/scripts/kafka.ldap.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..1e3adefad22ec9ea1321b5b93fbc8b7ff3b80914 GIT binary patch literal 3941 zcmeI#X*`tu8VB%M%$TtxOGK8)62rKM$*$~_v5qB6%VcLJGGi$r6G|alWZz{?qM}72 zvXszb$u?@jBeD;V!BNk0I_L9z&Utsvo9D&-;`jf*x$o<9U7zcFZ_RGaf0a_n&-V9*pdG6n78d)A#8;C7aR_VUGW0_@-K**REj4DmJ?9$@$P z$i{)xw=g%t*&3SLV7LLU?`NzW2ulLdSC>ff#jpd&??-T6h%Fuv72w3E1IkM37%WyD z3pfgJDgirD?f3YL1n)x5JUTI9ZosQ&an$GeP}-_gkyt-@^1fhSiEl}soMPA{SuLDCb!fc za)_=36h^Es?T+?a2=Y1kx{og3cnyJC>d(t@CSz?ijIO`XFOJR}hy-wm3!Yo1xj|8M zinWt;dm4XrmSmd~hL-zPfKX{vcJ+yW-Zd|O6bS%-3n9lN!u@`Z?Z>5X z?;GbxwSZ5>rQK8es}ypO9)yoaWIIOVFaorYHkV2T{Og{H45BxgKAv>3LiLvd9^+;s z4OvQu?h*0m`baVUY?QG;UTR9(xk5Ybu~Q*1$iF!_!01U9 zI$y7ps&XJ-_z~pf_^G;PRBPds7Jlzh@0bVTF$WjVN%!B(yL=kH4AXJHxk0I3=T@f) zt699BS;pVQdXYEwWr!C#SNjYW(;%n$AW3H`q)jx#7GNfuM;iB;bctBYEvT}a=xtb) zDH%c}2br11aS>)R`eqFd3%2X+d<9ITtG<;+jy%@w?ypy(TM`a`t+;GGe4KW+-#eWa z@z5vncy+{cnQ4Xt(@vUHWKW4cwLj;cFD7z`aa+nL6}lWxez>tFLGm9KG`m5w@4PjFm1P^)1!qIS!7N}o2se1Ap;)LaGhN1_$)Nt$n^u{``1#3lOV>xC2o@-* z^JN(F!@QcGYWWF6 z$#D9e_+yo?eJeALN^9#Wra(EBF5 z&!mHQ7<4K&N;cRSsWFW5$f#|o(js87p`#}+zp)$9Ygv{jtQsc8j_t20zqMCw`kvpT zvG}Qa;{9p9+n2&T!1}41O+^}qQ}oeWOXn_hp$9L;Bnf%33_54p&=0n+cOEvdBJBem zqn8YgcX!od)6^4k^ww)W6Q`bU$`=Q`6D0F8_&d(W`-m-~5G0r~;2h`Z3oCtdphtmi zB5tm!$i7YNo?WWoR-~Lng;vc6ZMd^X4?l-%mX0NkBGgao2fE(w@ejy!_pyDIE~U#* zk8J3(LTK^!j_M7(oM8n)+w#mbc|TRET4T^eRF2)5e8D>sw|b^$cn-BZ%S2<>A|Du} z7e277XV;Mdgsb@Y8@AoF>XA6amf0A@-ptoWk==xPbVgmEcHGco zvq+hO`&ccKeLD%jtM- zhMdx+F4=WawvmhH_Suujv+M_}orA5Zfpy+PJB2*DV)A zx@050|1{j88BguY`1N=lieJa}*%2-*q#oJ!ymtX9a(5U=%J;`PP zNJL$=ytxybaF}AILxl1~$$Ny%5PcvGGfWm>fiNi@&zC0DdcncAuqU(nQX^ZM{+~$B ztR7B8*7Js>-~}?1+o8<#jl>u-J@|8Nz&S2=RD!U;rlwY9XqkIK6{2+|LMdC(p}|Uv zV%QKV?|GqVwoG9$s%v)o$_ z>PTrtj<|*Km`C+FI&+%&YOQ&+`(NBVg^!XHv_3`6(X(pEg53A%4w*5R2XF%Ej?>`m 
zw5Fv)l&$AfY8Hx`r+#XGJW*-^(^9IsQB&C=j{T-zh&&9EpM*w7y4%UF`3eLZqy+g=-Aa)y?8exbr^e8q__@iHD=qtldS z9d7JN6PZJb=aR~`MegL8Yag!UOoT{(SQ|7Rw74kHcCdN--RRXH0{K%L9y{7_+0lk+ z9uxwG?2zLTqnf^Pe7)@FodWy+kVAQg99R`V4Ws;n9LkQssecj59|6G&(I@=L8Qy<# z<`4Do{-mBiV8r_yjDC+$-XE)ChZX;s8+COxIXYvfRwVQZt8HdaGh5cwBPsBvc0)Q3 zce2>BWlSZz*TGRnyN0xvU+vz~Tk^!LPG@w5$(d~H9$a8?xYJ(U7Sq)mCv?&?fFgqT zo_lAmBRZP>&1J-1rbCvlbhIa`?q7(sc;PB!pU{MLv&|iQ@#tA<_BO32*4LqC4yLdv zeLZ@)I`?AaaA+oLPKG{b_;%=amXa9ERHgp?>dpQ}6@#bn54JayDy$YHirnPrcTcZq zda4B=8+tUwb&sD!5Eid)G|Q{FE`P3#x$;gi`vrym>qbe*P=jWC@!n=-F`jCpzDJOt zTH=coEqs@(^Ge;BfMm`{lKC- zRiK8Ab+F6N=qW5&mj>YOPKj3-F7{XMPVG3BKctOOygJ9X52hjW&gq8KnVqE=2sK#p zDlbUxy=j?JsC{qsR_pnbQEloJr)!Vv=0mzVZ{g&#yUv}Q3_j6*fvMWCCd!jH$XIBz z%xA==28~z-HgQb`zo`;zd4lItUR$n5R6H~eKQN%EwmQTQiKSZyUv|??S}H%fUDZ=H u;4EzSx9|V@C*!{j+~2xtu~Lg@4SqR+^h@+$%b+UGHlGDEX+Kj$%%$~C8@w9+nW-;1EM00|5}1i-*(M-_Ok_)YUJ3boiBSpJ^Ng$v%uS5^ z38Z}X zE)MO_*B8u-DK-hUa_c_gytHlhjTQqRj;f4*-t)^_pOyqgtDTrGwtkMvv1r4G^WTUk zu5nx0v8QN3S7wn}DF33a>cb~2eI`!#mx{8Nxn2-;B0|;Y>b`fmn+>v8Hwe5?SgSja zGd=OPz2?b#y@uistB)nG(G5O(;nA#|tm3B+Ce^Gqf3--+{g9iLX30rMd&RaLE%IV> zwcW)RTwGJ?V)Oc2=c)uDqfO;Z%!~|-$RPww9>5S{WGFgRQR=p5j^0A26-{Q!3uSgO z#XX4Ma!C8=;uki-5}sL|+Y~!BJ{786pSqwqf$a;cL)z5eCF_3*T0WGq@IU+dOYl^a z%;MkDvlJJ{tk1r=^dVD%2-Bpb)oLErbst$h{@U-8_BbsYr1jC9+r#O1;7TJ`CY76i zX1n(``l>to?u`5x`tyXyqCcD|&Vg3*bWBn={AzDIJi+eG>gJ$35fAgOXU%-rxIKGf z#QMgA>My@X{s~jdT@qf>7OyaGQ@&x#t?$cK-KH^r=_}s;`-f6)(H%+O{)gcgOrFeK zSm7g4zBBdJ!s|z7^!|CM^3Uz!XYKC0A0Dk=^kGi5{ki95r|;B1=XX&lKPz~~@zcB* R8MUVpr$ahxwru>p1pqkxS3Cd! literal 0 HcmV?d00001 diff --git a/docker/rbac-sasl/streams/scripts/kafka_keystore_creds b/docker/rbac-sasl/streams/scripts/kafka_keystore_creds new file mode 100644 index 000000000..232122736 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/kafka_keystore_creds @@ -0,0 +1 @@ +confluent diff --git a/docker/rbac-sasl/streams/scripts/kafka_sslkey_creds b/docker/rbac-sasl/streams/scripts/kafka_sslkey_creds new file mode 100644 index 000000000..232122736 
--- /dev/null +++ b/docker/rbac-sasl/streams/scripts/kafka_sslkey_creds @@ -0,0 +1 @@ +confluent diff --git a/docker/rbac-sasl/streams/scripts/kafka_truststore_creds b/docker/rbac-sasl/streams/scripts/kafka_truststore_creds new file mode 100644 index 000000000..232122736 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/kafka_truststore_creds @@ -0,0 +1 @@ +confluent diff --git a/docker/rbac-sasl/streams/scripts/ldap-ca1-signed.crt b/docker/rbac-sasl/streams/scripts/ldap-ca1-signed.crt new file mode 100644 index 000000000..e9ffaaa87 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/ldap-ca1-signed.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIJALr3r+X7WPmpMA0GCSqGSIb3DQEBBQUAMGMxHjAcBgNV +BAMMFWNhMS50ZXN0LmNvbmZsdWVudC5pbzENMAsGA1UECwwEVEVTVDESMBAGA1UE +CgwJQ09ORkxVRU5UMREwDwYDVQQHDAhQYWxvQWx0bzELMAkGA1UEBhMCVVMwHhcN +MTkwMzI5MTQ0OTQzWhcNNDYwODEzMTQ0OTQzWjBfMQswCQYDVQQGEwJVUzELMAkG +A1UECBMCQ2ExETAPBgNVBAcTCFBhbG9BbHRvMRIwEAYDVQQKEwlDT05GTFVFTlQx +DTALBgNVBAsTBFRFU1QxDTALBgNVBAMTBGxkYXAwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC0tLGeQN9f9SJDYfbGTb2bw/g5hHQGwMhF5RIRkx/0UIms +C2ko3vfIOiZpcLMYqJgsbJzKXC6rSGKdUtBMdqV/WxhBw0v2j11AmZowpGFqFbJi +iwjJwnJOJx/HmQLzh8nIkTcg8YRPxGQaV5DANGVVn9/Eur+Wnf/h0IxvWbHuBS39 +JouG9K+ffITcfZsHnppDDX//ff+cMh8FSza41faV1742RL0G1lWPMqtR8SKkZSrl +sGD1O2g4dQm50DshQVheCGHyiPvCLDZk9OSziYfUL53EdOX6+6am2rk7jqUYwjMf +Eq9G0roCd58mxp+cW6Fu43kvKwExxsqN+FEU1yzvAgMBAAGjHjAcMBoGA1UdEQQT +MBGCBGxkYXCCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEALP328Qji0wYO +KVz1tGJ1k1DFo5HsRUHgBe1c/D0u+LtZpB1m8hAZ3lsF6IFEN+KUKq4xZ8PpGbSv +67WzofiU7+LZuKUEeQZIvE8wkA3mW3ssfDXvkYDipVWr5M471djyZoIXsQoH2ctw +Rr0Fk0HhMEyw6CGrRfLXrBCWyUqh2j0xL4juFBsFOifUW48lYpKM33YDRPNpqqKT +0ZVQlKM9svaYxXlehcY5dFuKu7Twe8vKmEwsnctxXud4Xch6/De5+B4SoNn38cZQ +ofeMlnfdUHbAD+d4z60Zw7xTFDP49LgIq7dHfyPYLzj22hYCjOVSeINlQZLzqkn/ +rdCt2FwcVg== +-----END CERTIFICATE----- 
diff --git a/docker/rbac-sasl/streams/scripts/ldap.certificate.pem b/docker/rbac-sasl/streams/scripts/ldap.certificate.pem new file mode 100644 index 000000000..e9ffaaa87 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/ldap.certificate.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYzCCAkugAwIBAgIJALr3r+X7WPmpMA0GCSqGSIb3DQEBBQUAMGMxHjAcBgNV +BAMMFWNhMS50ZXN0LmNvbmZsdWVudC5pbzENMAsGA1UECwwEVEVTVDESMBAGA1UE +CgwJQ09ORkxVRU5UMREwDwYDVQQHDAhQYWxvQWx0bzELMAkGA1UEBhMCVVMwHhcN +MTkwMzI5MTQ0OTQzWhcNNDYwODEzMTQ0OTQzWjBfMQswCQYDVQQGEwJVUzELMAkG +A1UECBMCQ2ExETAPBgNVBAcTCFBhbG9BbHRvMRIwEAYDVQQKEwlDT05GTFVFTlQx +DTALBgNVBAsTBFRFU1QxDTALBgNVBAMTBGxkYXAwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQC0tLGeQN9f9SJDYfbGTb2bw/g5hHQGwMhF5RIRkx/0UIms +C2ko3vfIOiZpcLMYqJgsbJzKXC6rSGKdUtBMdqV/WxhBw0v2j11AmZowpGFqFbJi +iwjJwnJOJx/HmQLzh8nIkTcg8YRPxGQaV5DANGVVn9/Eur+Wnf/h0IxvWbHuBS39 +JouG9K+ffITcfZsHnppDDX//ff+cMh8FSza41faV1742RL0G1lWPMqtR8SKkZSrl +sGD1O2g4dQm50DshQVheCGHyiPvCLDZk9OSziYfUL53EdOX6+6am2rk7jqUYwjMf +Eq9G0roCd58mxp+cW6Fu43kvKwExxsqN+FEU1yzvAgMBAAGjHjAcMBoGA1UdEQQT +MBGCBGxkYXCCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQUFAAOCAQEALP328Qji0wYO +KVz1tGJ1k1DFo5HsRUHgBe1c/D0u+LtZpB1m8hAZ3lsF6IFEN+KUKq4xZ8PpGbSv +67WzofiU7+LZuKUEeQZIvE8wkA3mW3ssfDXvkYDipVWr5M471djyZoIXsQoH2ctw +Rr0Fk0HhMEyw6CGrRfLXrBCWyUqh2j0xL4juFBsFOifUW48lYpKM33YDRPNpqqKT +0ZVQlKM9svaYxXlehcY5dFuKu7Twe8vKmEwsnctxXud4Xch6/De5+B4SoNn38cZQ +ofeMlnfdUHbAD+d4z60Zw7xTFDP49LgIq7dHfyPYLzj22hYCjOVSeINlQZLzqkn/ +rdCt2FwcVg== +-----END CERTIFICATE----- diff --git a/docker/rbac-sasl/streams/scripts/ldap.csr b/docker/rbac-sasl/streams/scripts/ldap.csr new file mode 100644 index 000000000..c19f3c00e --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/ldap.csr 
@@ -0,0 +1,18 @@ +-----BEGIN NEW CERTIFICATE REQUEST----- +MIIC8DCCAdgCAQAwXzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNhMREwDwYDVQQH +EwhQYWxvQWx0bzESMBAGA1UEChMJQ09ORkxVRU5UMQ0wCwYDVQQLEwRURVNUMQ0w +CwYDVQQDEwRsZGFwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLSx +nkDfX/UiQ2H2xk29m8P4OYR0BsDIReUSEZMf9FCJrAtpKN73yDomaXCzGKiYLGyc +ylwuq0hinVLQTHalf1sYQcNL9o9dQJmaMKRhahWyYosIycJyTicfx5kC84fJyJE3 +IPGET8RkGleQwDRlVZ/fxLq/lp3/4dCMb1mx7gUt/SaLhvSvn3yE3H2bB56aQw1/ +/33/nDIfBUs2uNX2lde+NkS9BtZVjzKrUfEipGUq5bBg9TtoOHUJudA7IUFYXghh +8oj7wiw2ZPTks4mH1C+dxHTl+vumptq5O46lGMIzHxKvRtK6AnefJsafnFuhbuN5 +LysBMcbKjfhRFNcs7wIDAQABoEwwSgYJKoZIhvcNAQkOMT0wOzAaBgNVHREEEzAR +ggRsZGFwgglsb2NhbGhvc3QwHQYDVR0OBBYEFGOonf9HEP+VeHYhgEiM11KD7Jss +MA0GCSqGSIb3DQEBCwUAA4IBAQA9S7RVtWRrrN+aj27+HWXazfTzt6u6aKjQAFbb +/E2I0LEdYlIWRHw+FSap8Y5ZsSR180eFs50K0+C7UmbEEeEsz110sosAFK5hWBL9 +steSmhq07+Q/ni03fjWzfAQxp9HqHqwpgHTnRumOOsHKlyD8jnaM43J2rvUcjX9a +YCxIZNztN8ZBJRNKltmVEgqPhwI4UYiM3Bj+IPFAQIRyPrnpduzA5TwdPV8s1lFW +cUNgnTQbIZ1QWH79UPNGlljHOzjgFYy/xbrhXTZnXCsw5UoqcmAJLjmACu8N2Ne7 +4QRrwMihPFJkVgRt851lvU4leh4augcVwFa1di+f98wxn7am +-----END NEW CERTIFICATE REQUEST----- 
diff --git a/docker/rbac-sasl/streams/scripts/ldap.der b/docker/rbac-sasl/streams/scripts/ldap.der new file mode 100644 index 0000000000000000000000000000000000000000..aad591f448a198c8916849a536900bdba3e7e095 GIT binary patch literal 871 zcmXqLVoo+_V)9RmnN=+cDq0vk(8UY$;(oaKiPeklcEdmOH#F-ZbC8nL&ow#>)kHxVk)1n zc5MEf=!JQYEA_P*4Ue7b{Shc~UFSU$Gb01zVqi)zkOIb-lDxDl~bn(PDu8t2_-^Tp0)%&qKa*1r( zCjrTO(X1~TUCbX%(OPGie)y&2mi4cE^yn+I@$4|fzO5)imP2eU0)+G?WEVjTegP!9q&Y> zS*_HsME9#EP3pN{#_aMrbJe2B7pDeHS!}!M+l-@?ajnNJOQO4WZ~0Jt`qT^`ow=tA z +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC0tLGeQN9f9SJD +YfbGTb2bw/g5hHQGwMhF5RIRkx/0UImsC2ko3vfIOiZpcLMYqJgsbJzKXC6rSGKd +UtBMdqV/WxhBw0v2j11AmZowpGFqFbJiiwjJwnJOJx/HmQLzh8nIkTcg8YRPxGQa +V5DANGVVn9/Eur+Wnf/h0IxvWbHuBS39JouG9K+ffITcfZsHnppDDX//ff+cMh8F +Sza41faV1742RL0G1lWPMqtR8SKkZSrlsGD1O2g4dQm50DshQVheCGHyiPvCLDZk +9OSziYfUL53EdOX6+6am2rk7jqUYwjMfEq9G0roCd58mxp+cW6Fu43kvKwExxsqN ++FEU1yzvAgMBAAECggEBAIn+CjztESb3zMhkAMyCBS7zwZQ6n1eg0878FIYzMY2i +Ct/EfvNlARZ3wWl3VGyaIkqaTkkBh+nohtXYrZQWbl8Is0dU2adY5z8zjNlkTbdz +BhvWTEm2IQ+pNM14/RX3NZHhwpV3mTBIqqCrCbCc0l1GjtxuN2vPD93jIbrOZd95 +8BR1oizNx3xi8z0HfU3BJdrjy77Cit6nOV2FoRDfJIdpfKDS4IPJtiYY9YB4K2TU +KPOcx9SxP0OMO+7ap1/EkCGArQVQauHrZcWbfIIjc0u/iHmEFYxxxtmKWrB7OYg/ +CpfAz0K+CW05KCVRXzNYOXkW5pE6xtmEOnW9IfdPLOECgYEA46rBVxYDGrzdCNKc +SHIVXm3hIUDrURDEhOsRS42DSij8QjKF2IIneL1hcWGBWXd84HoarVrTfIsarlDi +Pti/TdaWzlfBkRjd1v6Afp644hiI1nhBvCrNGRv21uK/Uh/g9iGcjqKfp2kBLku5 +vx+xFRvDEc6CPuF8rB4T2qCMsJkCgYEAyzHNWVc2x6DMEkPAOZWdmDb4I8MiZI0I +qrksfjs6/ieQxS6lIqpsK3FRFHzqH7iZHgfo1pLxPFybAb5SQ7ilURQxJEPiG3RU +qoIPg6uK4K+N/7bHfb4ECcar6/L8OeEXPcDZJ4dkzXxC9rhxVBGI0E97iiaSw0tV +GLAKUUDq1scCgYEAnAIN3MxDslXLLVmNKIOsqvmmtO/UkMdpsx+VyW0ek3oEaqRO +Xa/Kto0nsdc8GP+tPfHOSA6eL5Du5pacgq5qYT90Nc+i3/fnRIU/rgS78osXccgU +W4oE43jrLBNTQUaBFIixzHgZ6VEmMwBHN3XTFgDhKlmVnNtNYHB38G/mGLkCgYAS +gbGzTmc13WZYz4TlecQFxhPppe8u+01rxzvPL3PbDB16aBowQxdhCYwZ8pqcUwLX 
+Il9Jk86W8dRIX148vseHz+/93pTsbTb85KWnF2uptTOYs7wNrs3NWiP0dIgWeXLV +dAgTOpiqwoOS1w+zWXl9h4+38HVzhhv1CKuX5PK+pwKBgQCIF0rj0KVIMa9Aho+n +NsOYPN7cIlatP/lG/9wKyv4Ii9NGCzlkzMBRoXTHJ6EIQTqP1cbnRwrkoTHY0drP +IA+LM8lMsghEa5jIWMs1R/Mm0muS8FWULsswWLHWr8SmttcWo2C1V9w3W0dN7BsC +4BU84/sa22ldacQQ1LS9XYxY3Q== +-----END PRIVATE KEY----- 
diff --git a/docker/rbac-sasl/streams/scripts/ldap.keystore.p12 b/docker/rbac-sasl/streams/scripts/ldap.keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2a804a659f4ad83c86c27e82e0cad44490ca0438 GIT binary patch literal 4523 zcmY+IWmFXIwufP6V2Gg^>6RJFyFxT9D3B$@v3AgLF!F4M>R~DB&PTx4;O} zAdR#f?_Kwvv(ATi?X{lY-uuJ;@O*gTD5?qoJ`j$gdPYbLi&Bp|C&LHh7ow;PKqxAm zzgPo~B5?e#h`FJ&@U zN!3So=Ih#Ih+ZtL3yd%{FY8O&v?aT}KL!w;3OEHpMyKg-q4PlvZko8=6E8;6tLHhC z>GX!QwiUJQavx4Ve?Iu}RELO>Lgp3la_-VdXT~~&M}VorNTqTTO#)1-oKjo={?W;ww+8U0pLm)-j{62b2}WLdm~ z{kc?!M*D8LG+BSGoFnIZX%{!$v$f=Up5l|&6DVqxqO9hfuz(rm{ZW{hh8p+H@}^t1 zzQdU7OMFS4c5-NA%qQ0@f55(EYh}BuiA;Ym4#_~i+`*aa zo0+om5fxY;PB2$doTC{m`hI|lzhinBa!t?+^)iD;yhk$}Z{>H6O+vT2cB==# zGieZTgTK@Ew&j!X@&IkDM-WZ)NNIM4DdLLUo%Ge?3s1; zOP&3H2HOu4paPPQu=)ypuNOjHfj1)RvD5<4i|uaJn>V%^Zb{kP!2@%HqSP7yw?hp& z&DJ5!{1(B1oYbHs4cZnG`j`}^t4CbTc6B!=NlpW77rbdFQ+H#}o^70-*Fn9Psf3@Yz zyUA;Ct{VZ~6ZK^VU8#XOU+m?PojoQW=m+Ese}tx(-u-mkUVK<1mzr=9uRKuf!EE~U zUJz_8nS3u}m!Z>_Rn9oNfO_L4Sfcoq_pn)Ij)Hlu{HzQz2V-w{v6v3eyi{FfOgPE&RmIq|G z-zESXsN7r7tU9aw#JCD-qIh*Ay%X-H!7)b)``yM49kH|I)ZI}fpDmaLC(1k!T~V;^ z>A@cBI{iLG)fkL3Qa~yC)Fo|uZX+SXG6&HF|3LUjf%j83fzWV!mWf61N4l9N&x}}F z`6eviTHbPn#AGGYN_SGIc;D|jp$n}SLY6{l_4Vp35JCOffXTZPGmzPzC2i_9!GY3J z@)Np(XbG>656Uz-riGfH@Lp}%okri8iU;>QToTK_JNYVTXd{`M3(0V9BpZqvVo0u; zvG`3EleSGxd^JB`MZsqOV&vGY!lv9yH=lzD-qfRL?0Fk+iBsa@Ye`DxIQA@svZQ6^ zZWVb+4J+fTha^WmJ<6w>6}qc^LS6Wb`21?@ZS>Ytqo0rOWbu4rFP zo4|yHDAI3#(I5aH?{E41p9KHE>`M4QcEwnEMx9&qzsMvhN8W3Uid7MVivO=&!%(Er zc8FvSgQdszfif=w^S?{VO}5O;*`@oZj0YD=R*r?Wz`a#ikJ3jK<<2q$^v}!vhg*qc zy0tg>!#k@Fk8Qm0q;eTQg$3uWWlb=y-LqE2c#q_0y3j+he1$1v&OR}PkuN}Z7i5BL zywVA(Tie%MQS>^=_mvHHcVA7M)#~0~7Jk}elkQX;#z^n2h-m{v&K)%+z)0O9P%A?79w&^I5OTC}0KmNgrnSa8~aiXGhJ) zAqYJ6^$(dsqNYrOg?Zu0h`o2$Wl&!WW9W9?c)?BrtLNc^^E9TtgfxS^5XSx5V%5mC z0jvV0!-MhSbH+fOVAfVVyL;WOv}W$|6}dc#5=?!LJ-1V?zvVK^BgN+iZzXl_tsnF= zJO;`l!&UihZU^twrN*QIzVpNK9>T0H<~a>*o4>X)HS`&fF2Sb8bJyW?OA2%N3~c0d 
zgbNUYJnX_ZSDtNoS)+w;6qwANm@`ZHlw~4iAaLTHo+_D9AAU6D=6#Qok-Ivoz(ch> zuB5EAEb$!l(c*kZkN_fvJxj;1RgNX zm7c9Ji90L(4|+Q^+PrT#@TGWOiJ;2j=M`TIp(TSE(oLuOcs0T9qYhr3P3+FNglk{t zfDqC~9>S~RV6)#N*BP|`C+P}(71xIE{|TaK?oB;o;iZ0ulas#VaZg-+yFJL<(h)}XP0?G1a(e;?;kv~A?6+=jnJ7I^@9;n3HR0q&>t2h^?34*=C9^PQKpci+XOqa`t%{C=QZ>JY@v)N+K+g`-3riJ2 zl89ACllUmC7L^P+S!4hrTb3EUR$8kZ?Te9Klm_G`2 zB#X7fanMvI0#V;OXLOuzUT9LRgg42;k*+)IWIKI3a*Fz;ZG-#7-wSnxPqKVXNWp}( z$7p?QF+({5{iA#;@|<_9Qa}G1GX@3uot2xlk=93Utm|I~i}|~1>B;8*QupVIm^vX_ zq!NEPl_T&xOoE0{bU6Wk&Q;XXiI=SOvb&y#-Jx3WJR>>UM3%kE!;R&iurF0?Qh|bTM`pRX!2cx-dI3OBc)zF+-$!<%iEmtFUMy~9Jq5D^qlKl*O%myqoz zgkkZ-<5;zD;K|_%C!UXJFTS%)BUJ!b~?qx27!=x((c6}kC) zyQa!#Ktt+CfLu96jtJ{8z@ZQ!pVEN4P%d`V6Qjm7awPWH@s03RmUxC2BDdL>Zfi9~<+=Dz+zLZYls*PFJ<+a!g?QKI6)>|FQ0Uv+1d>$$4I|KtC}( zRl9b_LDlil%0Hqr6t`TTS;WpF#%1^dQXzdSgmWaOwZ~Tw*tZwJuW=QTNdxi~%7R@h z95(NZ(4Ss`Q(;$M(2rxzB3!v!AO86R&iI*}nT;E5@?bGw0THwVnxop3vk)qM&Z%o} z4uKE9zo%2~=x8m}t(^B1Q{bs}s751-2OOu?^0oBaw*UtXL(o zCUukXvyjw4WW{uBCzD@nRxg9adF>>ndqo8f*s3Z_3VQC(FO)!2=wy@7L8qX7XW^h$ z_1-!=7uRUt|J9EjJ=HSLTKb5{SDKa< zVBGLsg;dMBDF0VQXsHzT4HYMLnA}Gs&UHk82c6;e{+%|3d$&7@kMG#Xq{uNEeg8=bZ+ z6JjR6ocZb?rQGEio!)og?S?^qRf@{n3(lX0?_bN!VA7Wune^uB`{&9WQ$Nl`cu1g= zgJJ-79?Ihlp$C6(gTQ4Dx)olKk0kv!zQd%TGkb||1oWHHJQSK2ME6Mr)2ey7Z#LT$ zkL7Lnyq1jolRC1z{lZRk2>BqY8s|0RDnV#d{CJZ?EEi~Kg2Sq`%ySQhO4-=;PGI&E zxISB5Mlvk}SKPnbKeJ zWd`6PBUoGpdr|eL_~t7L=pOw_oNaqmuX|f5sLB3omClxIM?xK+R>!ysHtEw&=F)0s z4C%+D5@3{NGscBXg~My?Xcz7AVXO14QRb)L?J5V`2bA(1a0NIAoS2Y6fE);5B*6Ro zCnE4XFq}Edr!Xc|GG%0|^73&l8bm9P-I6Px8xRTkMq}K(9d`vF0)7Di@uLd=1+=<{ Apa1{> literal 0 HcmV?d00001 diff --git a/docker/rbac-sasl/streams/scripts/ldap_keystore_creds b/docker/rbac-sasl/streams/scripts/ldap_keystore_creds new file mode 100644 index 000000000..232122736 --- /dev/null +++ b/docker/rbac-sasl/streams/scripts/ldap_keystore_creds @@ -0,0 +1 @@ +confluent 
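Review bot: `ldap_keystore_creds` commits the literal keystore password `confluent` for the `ldap.keystore.p12` checked in just above it, and `ldap_sslkey_creds` and `ldap_truststore_creds` on the next line repeat the same value, so the repository now carries the stores and the secret that opens them together, and the history keeps them even if the files are removed later. That is tolerable only for a throwaway compose fixture, and nothing in the tree currently says that this is one. Suggest a short `scripts/README` next to these files with the sentence `Test-only CA, keys, stores and passwords generated for the rbac-sasl compose cluster; never reuse them elsewhere and regenerate rather than rotate`. The alternative is to keep only the generating script under version control and ignore the generated `*_creds`, `*.jks`, `*.p12` and `*.key` files.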
diff --git a/docker/rbac-sasl/streams/scripts/ldap_sslkey_creds b/docker/rbac-sasl/streams/scripts/ldap_sslkey_creds
new file mode 100644
index 000000000..232122736
--- /dev/null
+++ b/docker/rbac-sasl/streams/scripts/ldap_sslkey_creds
@@ -0,0 +1 @@
+confluent
diff --git a/docker/rbac-sasl/streams/scripts/ldap_truststore_creds b/docker/rbac-sasl/streams/scripts/ldap_truststore_creds
new file mode 100644
index 000000000..232122736
--- /dev/null
+++ b/docker/rbac-sasl/streams/scripts/ldap_truststore_creds
@@ -0,0 +1 @@
+confluent
diff --git a/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.crt b/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.crt
new file mode 100644
index 000000000..31686dc5d
--- /dev/null
+++ b/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQjCCAioCCQDy0dxJ0bvMIzANBgkqhkiG9w0BAQsFADBjMR4wHAYDVQQDDBVj
+YTEudGVzdC5jb25mbHVlbnQuaW8xDTALBgNVBAsMBFRFU1QxEjAQBgNVBAoMCUNP
+TkZMVUVOVDERMA8GA1UEBwwIUGFsb0FsdG8xCzAJBgNVBAYTAlVTMB4XDTE5MDMy
+OTE0NDk0MFoXDTIwMDMyODE0NDk0MFowYzEeMBwGA1UEAwwVY2ExLnRlc3QuY29u
+Zmx1ZW50LmlvMQ0wCwYDVQQLDARURVNUMRIwEAYDVQQKDAlDT05GTFVFTlQxETAP
+BgNVBAcMCFBhbG9BbHRvMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAL9NdoFTAdOuWqlhdCLXkKCLJ6jL3fR7eJodK53Moh8ucP4+
+lEkLDA5TJjUgK3sM++ErasjjPiHS3ZKvTtS1ph2KSJg4twwe9XWjgfnzEIZw8Xdr
+Xs3S5Sy+iggr89egnlxzNFU6RovEQ6WGm9iEMEwIemj+S593heV0UlsmyJcWr5wk
+xlsx4Z/sF2GsRqmIvHKgimlyNlUPoop7w8g5TJGXTxpaPxzXcFrIWCVM1b7ubbMw
+a6uAEOggrS2eCWdh2z8pyd6NMRfhe8ZjrC1TzdDimmxqc+XgknyrN+qiEkfCRjop
+dMlBPyGGuIQfFp0rRxeg0ax1RDzr9omqYBIysncCAwEAATANBgkqhkiG9w0BAQsF
+AAOCAQEAcsJ4dUa8nC6hQqiCNiOhHLoCXuBftMIrxaPoPFMYSWqJtiGJKPJxJteV
+oINgBvQFQGaV+3Sv+RE54Rw4T83r9FOVNGlz+xuaIaNcr2vZpeECYBQCkmKrJkg7
+fvEFSP0/vhtIyx1SKvE3C0hC+1GpMkUCJNn8m0eNgU0nQ025WfFV+cgUovwJZENR
+Op4sNGWw+oeGw5A+7KuDUtxY4W7XapnhgbdrkVivgcEn6fdZ/FYmbaRXdIZfIJ6y
+bzGE2venJUaWA/SOc7f7+CJtctwZTY/hV9A05JmheEwYd7ll6qHXxJiN/OEk/kbR
+8yuL3fDir6LwnHs/zud2y9x/5w9EJA==
+-----END CERTIFICATE-----
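Review bot: The checked-in `snakeoil-ca-1.crt` is short-lived: decoding the validity field of the certificate body gives notBefore 2019-03-29 14:49:40Z and notAfter 2020-03-28 14:49:40Z, about five weeks after this commit's date, so every keystore and truststore built from this CA will start failing TLS handshakes with a certificate-expired error at that point and the integration tests that depend on the cluster will go red. A committed fixture cannot refresh itself at test time, so either keep the certificate-generation script in the tree and run it from the test entry point, or regenerate the CA with a multi-year validity (`openssl req -x509 -days 3650 ...`) before committing it. `openssl x509 -noout -dates -in snakeoil-ca-1.crt` confirms the dates above.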
diff --git a/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.key b/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.key
new file mode 100644
index 000000000..e65b664b8
--- /dev/null
+++ b/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.key
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI3trrFQeDxqwCAggA
+MB0GCWCGSAFlAwQBKgQQtwp2JdF+xxRsaEjHw2f9ZwSCBNCMq1P2HOK3C8JzQJS8
+sOXGk5eeW7/+cwUuWA1iqyGCDduV3hZuZb7GJqCBDJwUw4Yi2tms0boB4GY1Ov7J
+UFUpyzliQxjSc1Edl3a2+iayqUuWHqso36wV63n3ZbhsMf4MGtrvfkS3M6wYj2Cn
+V49NZYSLHoCLQV4CUvW1OF+gtogLQs7YDyTvZmzkxI33kNcAnNSSHRPe4/h3YrTJ
+7e4napas+Q0jFYKSQXI4MONASBsQ3V8/kUwkhdme4QOHEVuevC16SpaBE0ESWmcT
+94wb3IHfa+2o+gwUS3o0iUvk7rBSYJR3YEkJ6KncBjtUplBcb5D4Hu3T5PtQmw2d
+CTlJuhwVAGg462ZZfJMW5zTnghU6UHsrUYRKxOkU8cc4GnSUXbbDPxLpVyfIws80
+kL8lb9W6CuZg/B1S88zEoMdN8aBr3TYO/M6jO/n/d9eRKNUpzWsgDIgeTR34MAvm
+UGHzQ5v0RLH+KII4PGJ3Zu5nzuz96J5x3lp7JNiEWj8HtJkFVFovcY2R/ci9zUp9
+3LxbMrgTiZH8makDeY49GoYkSUY19ANboCUlDmEkpseefibPMLWs54TFW/dbEgcz
+vNcQPm31W7jrw+ve6df3CUdhGYBLpEesj77YHHT5013XG4sLA2/w9yCyxubFXiU3
+e2tYWLnS2Cm5u/Zjy6RDuhxCA0ewitKU00cMNgSh5olbkLFS8j27o6zcgKs9/esw
+uxhC/VcEstveBOuVMqXn7uxR031wy6AQNQg7dqwvZv93KcS+CHNICQhK7h0G2CBm
+i0XmYVLuh3vKiKkaglpRXbs01OkTB2ytAFluv8oXCdgNl/Jjc6gN8KJ7LyKYNJIT
+R7qvu3DSxm0Q1O9lKJBKlwFiYX1ATyH9HxC6DWamVNb+lULS7h2Kpl0ppnD1CrBz
+bJLX0K7nNfukv21GXTvg39z1AFEgN3gjKZZavoljaiW9GRXlLxuogiUrt+LrpIqt
+JMt9BZTf7zWF3UP1Yrsydf3I1Bl7ye1qrImtOpCktr9h+ZTIcdXYgSwVM7vWS9qN
+rDg5lXRj3Q8uvX1zl8F/EMSRY3O/iDQB1O7a2a2+FO1zirULrG5HQvFIwdX0E+CY
+unuuterFU4fso8SAm+KiDwJ/ofpxL8etrJEOZnFaC31gxfpfNWjK4ucA3qpxkoe/
+aCFasij6S2DDhCAmvTX3HLbihmLzfM5YD4SCJLgMZSkFJ3A/P7HYgnTKr2oWDxDI
+GTkw2vu4ttbQ5mLWthXm9m24YWlvsnRZtjxAfUgP5iBxi2d9GhumJc61UTHAMRES
+cy+f3SMtL1AOI6aLpb9YN9jWBBsXfsI/mIVKygtmPSGb98mxKlYLhfe/EOexuWdJ
+L5z/cp/FXZ64By+0hX9K6GOo/kjnQzyVrCw/uXDzuZ02kKK2Ud7id9tv0WWBqeXk
+US6yUalc1DZb6d6MNZXlAtJJH1AOwqJX+1JQVYlefP4UEBKo8wMCNqnLhN/V7h64
+N5gEWahtCjhRp29MZShmSeFG1AVN6kMIXtif5k8c5+XnItUq6sSLZlyQ4CX0gzM5
+g/AmnJA//e8v6PUBqeEOBMVQtBsN2RuaOEuYVvsJDnLS5HaQrTf63p/BtR4LWGft
+ueCNHgkGBRVah9Ad6DOh+RlWdw==
+-----END ENCRYPTED PRIVATE KEY-----
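Review bot: Committing the CA's private key (`snakeoil-ca-1.key`) next to its serial file means anyone with read access to the repository can issue certificates that every truststore built from this CA accepts, so the CA is only safe as long as it never leaves this compose setup. The key is PKCS#8-encrypted, as the `BEGIN ENCRYPTED PRIVATE KEY` header shows, but its passphrase is presumably the same `confluent` string kept in the adjacent `*_creds` files, which removes the protection in practice; please confirm. If the fixtures have to be committed, the leaf certificates and the stores are all the containers need, and the CA key can stay out of the tree and be recreated on demand by the generation script, with the stores rebuilt at the same time.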
diff --git a/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.srl b/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.srl
new file mode 100644
index 000000000..8be7b981b
--- /dev/null
+++ b/docker/rbac-sasl/streams/scripts/snakeoil-ca-1.srl
@@ -0,0 +1 @@
+BAF7AFE5FB58F9A9
diff --git a/docker/rbac-sasl/streams/up b/docker/rbac-sasl/streams/up
deleted file mode 100755
index e591bc804..000000000
--- a/docker/rbac-sasl/streams/up
+++ /dev/null
@@ -1,67 +0,0 @@ -#!/bin/sh - -usage() { echo "Usage: $0 [--ssl] " 1>&2; exit 1; } - -ssl=0 -while getopts ":s-:" opt; do - case $opt in - -) - case "${OPTARG}" in - ssl) - ssl=1 - ;; - *) - usage - exit 1 - ;; - esac;; - *) - usage - exit 1 - ;; - esac -done - -## Select to run with security or not - -DOCKER_COMPOSE_FILE="$PWD/docker-compose.yaml" - -if [ $ssl -eq 1 ]; then - echo "Running with SSL enabled between the brokers and the LDAP server" - # Generate the certificates - cd scripts - ./certs-create.sh - - ## Copy the necessary broker JKS stores - cp kafka.kafka.keystore.jks ../kafka/jks/ldap.keystore.jks - cp kafka.kafka.truststore.jks ../kafka/jks/ldap.truststore.jks - - ## copy the LDAP server certificates - cp ldap-ca1-signed.crt ../ldap/certs/my-ldap.crt - cp ldap.key ../ldap/certs/my-ldap.key - cp snakeoil-ca-1.crt ../ldap/certs/my-ca.crt - cd .. - DOCKER_COMPOSE_FILE="$PWD/docker-compose-with-ssl.yaml" -fi - -## start docker-compose up to and including kafka -docker-compose -f $DOCKER_COMPOSE_FILE up -d --build kafka - -# Creating the users -# kafka is configured as a super user -docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=kafka],SCRAM-SHA-512=[password=kafka]' --entity-type users --entity-name kafka -docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=alice-secret],SCRAM-SHA-512=[password=alice-secret]' --entity-type users --entity-name alice -docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=barnie-secret],SCRAM-SHA-512=[password=barnie-secret]' --entity-type users --entity-name barnie -docker-compose exec kafka kafka-configs --zookeeper zookeeper:2181 --alter --add-config 'SCRAM-SHA-256=[password=charlie-secret],SCRAM-SHA-512=[password=charlie-secret]' --entity-type users --entity-name charlie - -docker-compose up -d - -echo "Example configuration:" -echo 
"Should succeed (barnie is in group)" -echo "-> docker-compose exec kafka kafka-console-producer --broker-list kafka:9093 --topic test-topic --producer.config=/etc/kafka/barnie.properties" -echo "Should fail (charlie is NOT in group)" -echo "-> docker-compose exec kafka kafka-console-producer --broker-list kafka:9093 --topic test-topic --producer.config=/etc/kafka/charlie.properties" -echo "Should succeed (alice is in group)" -echo "-> docker-compose exec kafka kafka-console-consumer --bootstrap-server kafka:9093 --consumer.config /etc/kafka/alice.properties --topic test-topic --from-beginning" -echo "List ACLs" -echo "-> docker-compose exec kafka kafka-acls --bootstrap-server kafka:9093 --list --command-config /etc/kafka/kafka.properties" diff --git a/pom.xml b/pom.xml index 208addf5a..5ff270223 100644 --- a/pom.xml +++ b/pom.xml @@ -61,7 +61,7 @@ false - none + **/*RbacIT **/*IT