Prepare v0.11.0 release documentation

Signed-off-by: k-wall <[email protected]>

Author: k-wall

_data/kroxylicious.yml

@@ -1,6 +1,8 @@
 versions:
   - title: 'Development'
     url: '/kroxylicious'
+  - title: 'v0.11.0'
+    url: '/docs/v0.11.0/'
   - title: 'v0.10.0'
     url: '/docs/v0.10.0/'
   - title: 'v0.9.0'

docs/v0.11.0/_files/_assets/attributes.adoc

@@ -0,0 +1,57 @@
+// AsciiDoc settings
+:data-uri!:
+:doctype: book
+:experimental:
+:idprefix:
+:imagesdir: images
+:numbered:
+:sectanchors!:
+:sectnums:
+:source-highlighter: highlight.js
+:toc: left
+:linkattrs:
+:toclevels: 2
+:icons: font
+
+//Latest version
+:KroxyliciousVersion: 0.9
+:gitRef: releases/tag/v0.11.0
+:ApicurioVersion: 2.6.x
+
+//Proxy links
+:github: https://github.com/kroxylicious/kroxylicious
+:github-releases: https://github.com/kroxylicious/kroxylicious/{gitRef}
+:github-issues: https://github.com/kroxylicious/kroxylicious/issues
+:api-javadoc: https://javadoc.io/doc/io.kroxylicious/kroxylicious-api/{KroxyliciousVersion}
+:kms-api-javadoc: https://javadoc.io/doc/io.kroxylicious/kroxylicious-kms/{KroxyliciousVersion}
+:encryption-api-javadoc: https://javadoc.io/doc/io.kroxylicious/kroxylicious-encryption/{KroxyliciousVersion}
+:start-script: https://github.com/kroxylicious/kroxylicious/blob/{gitRef}/kroxylicious-app/src/assembly/kroxylicious-start.sh
+
+//Kafka links
+:ApacheKafkaSite: https://kafka.apache.org[Apache Kafka website^]
+:kafka-protocol: https://kafka.apache.org/protocol.html
+
+//java links
+:java-17-javadoc: https://docs.oracle.com/en/java/javase/17/docs/api
+:java-17-specs: https://docs.oracle.com/en/java/javase/17/docs/specs
+
+//Vault links
+:hashicorp-vault: https://developer.hashicorp.com/vault
+
+//Fortanix DSM links
+:fortanix-dsm: https://www.fortanix.com/platform/data-security-manager
+:fortanix-support: https://support.fortanix.com/
+
+//AWS links
+:aws:  https://docs.aws.amazon.com/
+
+// Apicurio links
+:apicurio-docs: https://www.apicur.io/registry/docs/apicurio-registry/{ApicurioVersion}/
+
+// Conditional inclusion flags
+:include-fortanix-dsm-kms: 1
+:include-aws-kms-service-config-identity-ec2-metadata: 1
+
+//API stability markers.
+:unstable-api-version: denoted by a major version 0
+:stable-api-version: version 1.0.0

docs/v0.11.0/_files/_assets/trademarks.adoc

@@ -0,0 +1,8 @@
+= Trademark notice
+
+* Hashicorp Vault is a registered trademark of HashiCorp, Inc.
+* AWS Key Management Service is a trademark of Amazon.com, Inc. or its affiliates.
+ifdef::include-fortanix-dsm-kms[]
+* Fortanix and Data Security Manager are trademarks of Fortanix, Inc.
+endif::[]
+* Apache Kafka is a registered trademark of The Apache Software Foundation.

docs/v0.11.0/_files/assemblies/assembly-aws-kms.adoc

@@ -0,0 +1,19 @@
+// file included in the following:
+//
+// assembly-record-encryption-filter.adoc
+
+[id='assembly-aws-kms-{context}']
+= Setting up AWS KMS
+
+[role="_abstract"]
+To use {aws}/kms/latest/developerguide/overview.html[AWS Key Management Service] with the Record Encryption filter, use the following setup:
+
+* Establish an AWS KMS aliasing convention for keys
+* Configure the AWS KMS 
+* Create AWS KMS keys
+
+You'll need a privileged AWS user that is capable of creating users and policies to perform the set-up.
+
+include::../modules/record-encryption/aws-kms/con-aws-kms-setup.adoc[leveloffset=+1]
+include::../modules/record-encryption/aws-kms/con-aws-kms-service-config.adoc[leveloffset=+1]
+include::../modules/record-encryption/aws-kms/con-aws-kms-key-creation.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-built-in-filters.adoc

@@ -0,0 +1,14 @@
+// file included in the following:
+//
+// kroxylicious-proxy/index.adoc
+
+[id='assembly-built-in-filters-{context}']
+= Built-in filters
+
+[role="_abstract"]
+Kroxylicious comes with a suite of built-in filters designed to enhance the functionality and security of your Kafka clusters.
+
+include::assembly-record-encryption-filter.adoc[leveloffset=+1]
+include::assembly-multi-tenancy-filter.adoc[leveloffset=+1]
+include::assembly-record-validation-filter.adoc[leveloffset=+1]
+include::../modules/oauthbearer/con-oauthbearer.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-configuring-proxy.adoc

@@ -0,0 +1,17 @@
+[id='assembly-configuring-proxy-{context}']
+= Configuring proxies
+
+[role="_abstract"]
+Fine-tune your deployment by configuring proxies to include additional features according to your specific requirements.
+
+include::../modules/configuring/con-configuration-outline.adoc[leveloffset=+1]
+include::../modules/configuring/con-configuring-filters.adoc[leveloffset=+1]
+include::../modules/configuring/con-configuring-virtual-clusters.adoc[leveloffset=+1]
+include::../modules/configuring/con-configuring-vc-gateways.adoc[leveloffset=+1]
+include::../modules/configuring/con-configuring-vc-client-tls.adoc[leveloffset=+1]
+include::../modules/configuring/con-configuring-vc-target-tls.adoc[leveloffset=+1]
+
+include::../modules/configuring/con-configuring-vc-other-settings.adoc[leveloffset=+1]
+include::../modules/configuring/con-configuring-toplevel-other-settings.adoc[leveloffset=+1]
+
+include::../modules/configuring/ref-configuring-proxy-example.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-fortanix-dsm.adoc

@@ -0,0 +1,17 @@
+// file included in the following:
+//
+// assembly-record-encryption-filter.adoc
+
+[id='assembly-fortanix-dsm-{context}']
+= Setting up Fortanix Data Security Manager (DSM)
+
+[role="_abstract"]
+To use Fortanix Data Security Manager (DSM) with the Record Encryption filter, use the following setup:
+
+* Establish a naming convention for keys and decide in which group the keys will live
+* Create an application identity, with an API key, for use by the Record Encryption filter.
+* Create keys within Fortanix DSM.
+
+include::../modules/record-encryption/fortanix-dsm/con-fortanix-dsm-setup.adoc[leveloffset=+1]
+include::../modules/record-encryption/fortanix-dsm/con-fortanix-dsm-service-config.adoc[leveloffset=+1]
+include::../modules/record-encryption/fortanix-dsm/con-fortanix-dsm-key-creation.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-hashicorp-vault.adoc

@@ -0,0 +1,17 @@
+// file included in the following:
+//
+// assembly-record-encryption-filter.adoc
+
+[id='assembly-hashicorp-vault-{context}']
+= Setting up HashiCorp Vault
+
+[role="_abstract"]
+To use HashiCorp Vault with the Record Encryption filter, use the following setup:
+
+* Enable the Transit Engine as the Record Encryption filter relies on its APIs.
+* Create a Vault policy specifically for the filter with permissions for generating and decrypting Data Encryption Keys (DEKs) for envelope encryption.
+* Obtain a Vault token that includes the filter policy.
+
+include::../modules/record-encryption/hashicorp-vault/con-vault-setup.adoc[leveloffset=+1]
+include::../modules/record-encryption/hashicorp-vault/con-vault-service-config.adoc[leveloffset=+1]
+include::../modules/record-encryption/hashicorp-vault/con-vault-key-creation.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-monitoring-proxy.adoc

@@ -0,0 +1,19 @@
+// file included in the following:
+//
+// kroxylicious-proxy/index.adoc
+
+[id='con-operating-{context}']
+= Monitoring proxies
+
+[role="_abstract"]
+Monitoring data allows you to monitor the performance and health of proxy operations. 
+You can configure your deployment to capture metrics data for analysis and notifications.
+
+* Introduce custom logging configurations using `log4j2` and set appropriate root log levels.
+* Set up an admin HTTP endpoint for Prometheus metrics scraping.
+* Integrate Micrometer for enhanced observability.
+* Configure common tags and standard binders for JVM and system metrics to ensure comprehensive monitoring and efficient proxy operation.
+
+include::../modules/monitoring/proc-introducing-metrics.adoc[leveloffset=+1]
+include::../modules/monitoring/con-setting-logs.adoc[leveloffset=+1]
+include::../modules/monitoring/con-integrating-micrometer.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-multi-tenancy-filter.adoc

@@ -0,0 +1,31 @@
+// file included in the following:
+//
+// assembly-built-in-filters.adoc
+
+[id='assembly-multi-tenancy-filter-{context}']
+= (Preview) Multi-tenancy filter
+
+[role="_abstract"]
+Kroxylicious’s Multi-tenancy filter presents a single Kafka cluster to tenants as if it were multiple clusters.
+Operations are isolated to a single tenant by prefixing resources with an identifier.
+
+NOTE: This filter is currently in incubation and available as a preview. 
+We would not recommend using it in a production environment.
+
+The Multi-tenancy filter works by intercepting all Kafka RPCs (remote procedure calls) that reference resources, such as topic names and consumer group names:
+
+Request path:: On the request path, resource names are prefixed with a tenant identifier.
+Response path:: On the response path, the prefix is removed.
+
+Kafka RPCs that list resources are filtered so that only resources belonging to the tenant are returned, effectively creating a private cluster experience for each tenant.
+
+To set up the filter, configure it in Kroxylicious.
+
+IMPORTANT: While the Multi-tenancy filter isolates operations on resources, it does not isolate user identities across tenants. 
+User authentication and ACLs (Access Control Lists) are shared across all tenants, meaning that identity is not scoped to individual tenants. 
+For more information on open issues related to this filter, see {github-issues}[Kroxylicious issues^].
+
+NOTE: For more information on Kafka's support for multi-tenancy, see the {ApacheKafkaSite}.
+
+//configuring the multi-tenancy filter
+include::../modules/multi-tenancy/proc-multi-tenancy.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-overview.adoc

@@ -0,0 +1,21 @@
+// file included in the following:
+//
+// kroxylicious-proxy/index.adoc
+
+[id='assembly-overview-{context}']
+= Kroxylicious overview
+
+[role="_abstract"]
+Kroxylicious is an Apache Kafka protocol-aware ("Layer 7") proxy designed to enhance Kafka-based systems.
+Through its filter mechanism it allows additional behavior to be introduced into a Kafka-based system without requiring changes to either your applications or the Kafka cluster itself. 
+Built-in filters are provided as part of the solution.
+
+Functioning as an intermediary, the Kroxylicious mediates communication between a Kafka cluster and its clients. 
+It takes on the responsibility of receiving, filtering, and forwarding messages.
+
+An API provides a convenient means for implementing custom logic within the proxy.
+
+[role="_additional-resources"]
+.Additional resources
+
+* {ApacheKafkaSite}

docs/v0.11.0/_files/assemblies/assembly-record-encryption-filter.adoc

@@ -0,0 +1,35 @@
+// file included in the following:
+//
+// assembly-built-in-filters.adoc
+
+[id='assembly-record-encryption-filter-{context}']
+= Record Encryption filter
+
+[role="_abstract"]
+Kroxylicious's Record Encryption filter enhances the security of Kafka messages.
+The filter uses industry-standard cryptographic techniques to apply encryption to Kafka messages, ensuring the confidentiality of data stored in the Kafka Cluster.
+Kroxylicious centralizes topic-level encryption, ensuring streamlined encryption across Kafka clusters.
+
+There are three steps to using the filter:
+
+1. Setting up a Key Management System (KMS).
+2. Establishing the encryption keys within the KMS that will be used to encrypt the topics.
+3. Configuring the filter within Kroxylicious.
+
+The filter integrates with a Key Management Service (KMS), which has ultimate responsibility for the safe storage of sensitive key material.
+The filter relies on a KMS implementation. 
+Currently, Kroxylicious integrates with either HashiCorp Vault or AWS Key Management Service. 
+You can provide implementations for your specific KMS systems. 
+Additional KMS support will be added based on demand.
+
+//overview of the record encryption process
+include::../modules/record-encryption/con-record-encryption-overview.adoc[leveloffset=+1]
+//setting up hashicorp vault
+include::assembly-hashicorp-vault.adoc[leveloffset=+1]
+//setting up AWS KMS
+include::assembly-aws-kms.adoc[leveloffset=+1]
+ifdef::include-fortanix-dsm-kms[]
+include::assembly-fortanix-dsm.adoc[leveloffset=+1]
+endif::[]
+//configuring the record encryption filter
+include::../modules/record-encryption/proc-configuring-record-encryption-filter.adoc[leveloffset=+1]

docs/v0.11.0/_files/assemblies/assembly-record-validation-filter.adoc

@@ -0,0 +1,27 @@
+// file included in the following:
+//
+// assembly-built-in-filters.adoc
+
+[id='assembly-record-validation-filter-{context}']
+= (Preview) Record Validation filter
+
+[role="_abstract"]
+The Record Validation filter validates records sent by a producer.
+Only records that pass the validation are sent to the broker.
+This filter can be used to prevent _poison messages_—such as those containing corrupted data or invalid formats—from entering the Kafka system, which may otherwise lead to consumer failure.
+
+The filter currently supports two modes of operation:
+
+1. Schema Validation ensures the content of the record conforms to a schema stored in an https://www.apicur.io/registry/[Apicurio Registry].
+2. JSON Syntax Validation ensures the content of the record contains syntactically valid JSON.
+
+Validation rules can be applied to check the content of the Kafka record key or value.
+
+If the validation fails, the product request is rejected and the producing application receives an error response.  The broker
+will not receive the rejected records.
+
+NOTE: This filter is currently in incubation and available as a preview.
+We would not recommend using it in a production environment.
+
+//configuring the record-validation filter
+include::../modules/record-validation/proc-record-validation.adoc[leveloffset=+1]

docs/v0.11.0/_files/index.adoc

@@ -0,0 +1,9 @@
+= Kroxylicious guides
+
+This release of Kroxylicious is documented in the following guides:
+
+link:kroxylicious-proxy/[Proxy guide]:: Covers using the proxy, including configuration, security and operation.
+
+// Developer's guide:: Covers writing plugins for the proxy in the Java programming language
+
+// Operator for Kubernetes:: Covers the operator for running the proxy on Kubernetes

docs/v0.11.0/_files/kroxylicious-proxy/_assets

@@ -0,0 +1 @@
+../_assets

docs/v0.11.0/_files/kroxylicious-proxy/assemblies

@@ -0,0 +1 @@
+../assemblies

docs/v0.11.0/_files/kroxylicious-proxy/index.adoc

@@ -0,0 +1,30 @@
+:experimental:
+include::_assets/attributes.adoc[]
+
+:context: proxy
+
+[id="using-book-{context}"]
+= Kroxylicious
+
+include::assemblies/assembly-overview.adoc[leveloffset=+1]
+//broker config
+include::modules/con-proxy-overview.adoc[leveloffset=+2]
+include::modules/con-api-compatability.adoc[leveloffset=+2]
+
+//built-in filters
+include::assemblies/assembly-built-in-filters.adoc[leveloffset=+1]
+
+//community filters
+include::modules/con-community-filters.adoc[leveloffset=+1]
+
+//custom filters
+include::modules/con-custom-filters.adoc[leveloffset=+1]
+
+//configuring
+include::assemblies/assembly-configuring-proxy.adoc[leveloffset=+1]
+
+//monitoring
+include::assemblies/assembly-monitoring-proxy.adoc[leveloffset=+1]
+
+//trademark notices
+include::_assets/trademarks.adoc[leveloffset=+1]

docs/v0.11.0/_files/kroxylicious-proxy/modules

@@ -0,0 +1 @@
+../modules

docs/v0.11.0/_files/modules/con-api-compatability.adoc

@@ -0,0 +1,27 @@
+// Module included in the following:
+//
+// assembly-overview.adoc
+
+[id='con-api-compatibility{context}']
+= Compatibility
+
+[id='con-api-compatibility-api{context}']
+== APIs
+
+Kroxylicious follows https://semver.org/#semantic-versioning-200[Semantic Versioning] rules. While we are still in the initial development phase ({unstable-api-version}), we still take API compatibility very seriously. We aim to provide at least two minor releases between deprecation and the removal of that deprecated item.
+
+We also consider our configuration file syntax a public API (though not the Java model backing it). As such, the syntax follows the same Semantic Versioning and deprecation rules.
+
+Kubernetes custom resources are a public API, and we are making every effort to evolve Kroxylicious custom resources in line with https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/[Kubernetes best practices]. Kubernetes resources have their own versioning scheme, which is independent of the Kroxylicious proxy service version. As a result, we may reach {stable-api-version} of Kroxylicious while still using alpha or beta versions of the custom resources.
+
+[id='con-api-compatibility-third-party{context}']
+=== Third-party plugins
+
+Kroxylicious supports loading third-party plugins to extend the core functionality of the project. While these plugins are configured and loaded as first-class entities within Kroxylicious, we cannot guarantee the compatibility of their APIs or configuration properties.
+
+We do however hold filters and plugins provided by the project to the same standards as the rest of the public API.
+
+[id='con-api-compatibility-wire-protocol{context}']
+== Wire protocol
+
+Kroxylicious offers the same backwards and forwards compatibility guarantees as https://kafka.apache.org/protocol#protocol_compatibility[Apache Kafka]. We support the same range of client and broker versions as the official Apache Kafka Java client.