Adding test cases for kafka user issuerRef group #967
Conversation
shubhamcoc
force-pushed
the
kafka-cluster-custom-issuer
branch
from
7bdcffe
to
2c26219
Compare
pkg/util/pki/pki_common_test.go
Outdated
| Kind: "testKind", | ||
| Group: "testGroup", | ||
| }, | ||
| PKIBackend: v1beta1.PKIBackendCertManager, |
There was a problem hiding this comment.
I think we should also test the case when PKIBackend is empty
pkg/util/pki/pki_common_test.go
Outdated
| Kind: "testKind", | ||
| Group: "testGroup", | ||
| }, | ||
| PKIBackend: v1beta1.PKIBackendCertManager, |
There was a problem hiding this comment.
Same as above, we should add a test case when PKIBackend is empty
| @@ -121,9 +121,9 @@ func userProvidedIssuerPKI(cluster *v1beta1.KafkaCluster, extListenerStatuses ma | |||
| // No need to generate self-signed certs and issuers because the issuer is provided by user | |||
| return []runtime.Object{ | |||
| // Broker "user" | |||
| pkicommon.BrokerUserForCluster(cluster, extListenerStatuses), | |||
| pkicommon.BrokerUserForClusterWithPKIBackendSpec(cluster, extListenerStatuses), | |||
There was a problem hiding this comment.
I realized, these changes are not required, as clusterCertificateForUser() func will take care if the issuer is provided in cluster.Spec.ListenersConfig.SSLSecrets.IssuerRef. Can @panyuenlau, @pregnor confirm it?
There was a problem hiding this comment.
The two functions that you are modifying here are to create KafkaUser CRs for the broker and the operator (these are fake "users" used within the Koperator to ensure its functionality when the Kafka cluster is configured to enable ssl).
When you create a KafkaUser CR that is used by an actual Kafka client, the Koperator would first check if the Certificate for all the KafkaUser (including the those two "fake" KafkaUser) exist, and it only calls clusterCertificateForUser() when the corresponding Certificate are not present, therefore those Certificate for the "fake" KafkaUser are not going to be reconciled
Therefore, the clusterCertificateForUser() is not going to help us take care of the issuerRef information
pkg/util/pki/common.go
Outdated
| PKIBackendSpec: &v1alpha1.PKIBackendSpec{ | ||
| // Not checking IssuerRef for nil as it is checked in caller function kafkapki | ||
| IssuerRef: sslConfig.IssuerRef, | ||
| PKIBackend: pkiBackend, |
There was a problem hiding this comment.
Currently this can be cert-manager only so this modification useless.
We need to extend the k8s api validation here: https://github.com/shubhamcoc/koperator/blob/2c2621944be96aa162024aab581807d4b3f56967/api/v1beta1/kafkacluster_types.go#L491
It need to be "k8s-csr,cert-manager"
Do we really want to this?
If yes then we have to test that case when pkiBackend is k8s-csr in the kafkacluster.spec
We should rename userProvidedPKI function (
) to userProvidedCAforPKICertManagerWe should rename the userProvidedIssuerPKI -> userProvidedPKIBackend
We should rename the fullPKI -> generatedCAForPKICertManager
There was a problem hiding this comment.
I can do the test after the fixes.
There was a problem hiding this comment.
I did the changes, but since we are changing in the api pkg, we might need to update it in go.mod to use local api.
There was a problem hiding this comment.
We need to create a separate PR for the API change and we need a new tag for the API when it is merged to the master branch. This new tag for the api should be used in this PR in go.mod.
There was a problem hiding this comment.
You can use Go workspaces for local development before putting up the final PRs for the different modules.
There was a problem hiding this comment.
updated the go.mod file
There was a problem hiding this comment.
If my understanding is correct (see here), believe the original request is to ask for support to customize the group field with cert-manager, instead of asking support for k8s-csr - which is good to have tho but I don't think supporting k8s-csr is what this PR is aiming for
There was a problem hiding this comment.
Yes @panyuenlau you are right, but if the issuerRef is present with create option as true, do we create kafka-server or kafka-client certificates??
|
Pushed the api/v0.27.0 tag that contains #970. |
shubhamcoc
force-pushed
the
kafka-cluster-custom-issuer
branch
from
9666c07
to
3a6979a
Compare
|
I looked into deeper today and this will be not good. To support the K8S-CSR will be a bigger change and we should not do this in this PR.
We should support the usage of the Kubernetes CertificateSigningRequests when creating server certificates but we should do this with more caution and planning. Dear @shubhamcoc! The community would be happy for a PR to support k8s-csr. In case when you creating this PR we will help you. Regarding the current PR please:
back to your question: koperator/pkg/util/pki/common.go Line 192 in 84c4643 |
shubhamcoc
changed the title
|
@bartam1 I have modified the code as per your comments. Kindly review it. |
|
Mergable is stuck a bit, I'm trying to get it unstuck so I could merge the PR. Edit: now it did the trick... |
…herrypick-from-banzai-master * banzai/master: Add new CruiseControlTaskOperation to represent Status Cruise Control Operation (banzaicloud#975) Use permanent Slack link in README (banzaicloud#985) update cert-manager dependency libraries to 1.11.2 (banzaicloud#981) Adding test cases for kafka user issuerRef group (banzaicloud#967) fix(cc): re-creation of CC metrics topic (banzaicloud#976) Revert "Enabling k8s-csr for PKIbackend in kafka cluster spec (banzaicloud#970)" (banzaicloud#972) Using gomock to mock sigs.k8s.io/controller-runtime/pkg/client If (banzaicloud#973) # Conflicts: # go.mod # go.sum # pkg/resources/kafka/kafka_test.go
* Adding Affinity for Cruise Control * removing pkg/sdk * Adding api changes for tag * Adding Affinity in Cruise Control implementation * Adding IT for CC affinity * fixing IT for CC affinity * Adding value comparision in CC IT * Adding option to specify group name in kafka cluster * Fixing PKIBackend validation in kafka cluster * using api 0.27.0 tag * fixing review comments --------- Co-authored-by: Darren Lau <panyuenlau@Gmail.com> Co-authored-by: Patrik Egyed <8093632+pregnor@users.noreply.github.com>
Description
Adding test cases for kafka user issuerRef group and rename of related functions
Type of Change
Checklist