Adding test cases for kafka user issuerRef group #967
7bdcffe to 2c26219
LGTM in general, it'd be great to add the missing test cases to the unit tests.
pkg/util/pki/pki_common_test.go
Outdated
Kind: "testKind", | ||
Group: "testGroup", | ||
}, | ||
PKIBackend: v1beta1.PKIBackendCertManager, |
I think we should also test the case when PKIBackend is empty.
pkg/util/pki/pki_common_test.go
Outdated
Kind: "testKind", | ||
Group: "testGroup", | ||
}, | ||
PKIBackend: v1beta1.PKIBackendCertManager, |
Same as above, we should add a test case when PKIBackend is empty.
@@ -121,9 +121,9 @@ func userProvidedIssuerPKI(cluster *v1beta1.KafkaCluster, extListenerStatuses ma | |||
// No need to generate self-signed certs and issuers because the issuer is provided by user | |||
return []runtime.Object{ | |||
// Broker "user" | |||
pkicommon.BrokerUserForCluster(cluster, extListenerStatuses), | |||
pkicommon.BrokerUserForClusterWithPKIBackendSpec(cluster, extListenerStatuses), |
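Review bot: the rename to BrokerUserForClusterWithPKIBackendSpec changes the call site but not its inputs (cluster, extListenerStatuses), so this hunk alone cannot show whether the user-supplied issuerRef from cluster.Spec.ListenersConfig.SSLSecrets.IssuerRef actually reaches the generated broker KafkaUser; pair it with a unit test in pkg/util/pki/pki_common_test.go that asserts the returned object's PKIBackendSpec.IssuerRef (Group included) equals the one set in the cluster spec, both when PKIBackend is set to cert-manager and when it is left empty.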
I realized these changes are not required, as the clusterCertificateForUser() func will take care of it if the issuer is provided in cluster.Spec.ListenersConfig.SSLSecrets.IssuerRef. Can @panyuenlau, @pregnor confirm it?
The two functions that you are modifying here are to create KafkaUser CRs for the broker and the operator (these are fake "users" used within the Koperator to ensure its functionality when the Kafka cluster is configured to enable ssl).

When you create a KafkaUser CR that is used by an actual Kafka client, the Koperator would first check if the Certificates for all the KafkaUsers (including those two "fake" KafkaUsers) exist, and it only calls clusterCertificateForUser() when the corresponding Certificates are not present; therefore those Certificates for the "fake" KafkaUsers are not going to be reconciled.

Therefore, clusterCertificateForUser() is not going to help us take care of the issuerRef information.
pkg/util/pki/common.go
Outdated
PKIBackendSpec: &v1alpha1.PKIBackendSpec{ | ||
// Not checking IssuerRef for nil as it is checked in caller function kafkapki | ||
IssuerRef: sslConfig.IssuerRef, | ||
PKIBackend: pkiBackend, |
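Review bot: the comment above IssuerRef: sslConfig.IssuerRef documents that the nil check lives in the caller (kafkapki), which is a precondition nothing in this function enforces; either guard here (return early when sslConfig.IssuerRef is nil) or state the precondition in the enclosing function's doc comment so a future caller does not dereference a nil reference. Since pkiBackend is passed through unchanged, the empty-PKIBackend case requested in the test comments should be covered here as well.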
Currently this can be cert-manager only, so this modification is useless.
We need to extend the k8s api validation here: https://github.com/shubhamcoc/koperator/blob/2c2621944be96aa162024aab581807d4b3f56967/api/v1beta1/kafkacluster_types.go#L491
It needs to be "k8s-csr,cert-manager".
Do we really want to do this?
If yes, then we have to test the case when pkiBackend is k8s-csr in the kafkacluster.spec.
We should rename userProvidedPKI function (
return userProvidedPKI(ctx, c.client, c.cluster, extListenerStatuses) |
We should rename the userProvidedIssuerPKI -> userProvidedPKIBackend
We should rename the fullPKI -> generatedCAForPKICertManager
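The two review points above (the nil check on IssuerRef that is delegated to the caller, and the empty PKIBackend case the unit tests should cover) can be shown in one small self-contained Go program. This is an added example, not code from the Koperator project or from this PR: the types PKIBackend, IssuerRef, SSLSecrets and PKIBackendSpec are hypothetical cut-down stand-ins for the v1beta1/v1alpha1 types named in the thread, and userPKIBackendSpec is an assumed helper that builds the spec defensively rather than trusting a caller-side check.

```go
package main

import (
	"errors"
	"fmt"
)

// PKIBackend and the constants below are hypothetical stand-ins for the
// v1beta1.PKIBackend values discussed in this thread; constructed for the
// example, not taken from the Koperator API package.
type PKIBackend string

const (
	PKIBackendCertManager PKIBackend = "cert-manager"
	PKIBackendK8sCSR      PKIBackend = "k8s-csr"
)

// IssuerRef carries the three fields a cert-manager issuer reference has.
// Group is the field the original request wants to be customizable.
type IssuerRef struct {
	Name  string
	Kind  string
	Group string
}

// SSLSecrets is a hypothetical cut-down of the cluster's
// spec.listenersConfig.sslSecrets: only the fields this example needs.
type SSLSecrets struct {
	PKIBackend PKIBackend
	IssuerRef  *IssuerRef
}

// PKIBackendSpec mirrors the shape of the spec assigned in pkg/util/pki/common.go.
type PKIBackendSpec struct {
	IssuerRef  *IssuerRef
	PKIBackend PKIBackend
}

var ErrMissingIssuerRef = errors.New("sslSecrets.issuerRef must be set when the issuer is user-provided")

// userPKIBackendSpec builds the PKIBackendSpec for the "fake" broker and
// controller KafkaUsers from the cluster's SSL config. Unlike the snippet under
// review, it does not rely on the caller having checked IssuerRef for nil, and
// it treats an empty PKIBackend as cert-manager, the only backend the thread
// says the KafkaCluster validation currently accepts.
func userPKIBackendSpec(ssl SSLSecrets) (*PKIBackendSpec, error) {
	if ssl.IssuerRef == nil || ssl.IssuerRef.Name == "" {
		return nil, ErrMissingIssuerRef
	}
	backend := ssl.PKIBackend
	if backend == "" {
		backend = PKIBackendCertManager
	}
	if backend != PKIBackendCertManager {
		return nil, fmt.Errorf("pkiBackend %q cannot be combined with a user-provided issuerRef", backend)
	}
	// Copy the reference so the generated spec never aliases the cluster
	// object; Name, Kind and Group are passed through verbatim.
	ref := *ssl.IssuerRef
	return &PKIBackendSpec{IssuerRef: &ref, PKIBackend: backend}, nil
}

func main() {
	// Constructed sample inputs covering the cases raised in the review.
	cases := []SSLSecrets{
		{IssuerRef: &IssuerRef{Name: "my-issuer", Kind: "ClusterIssuer", Group: "custom.example.com"}},
		{PKIBackend: PKIBackendCertManager, IssuerRef: &IssuerRef{Name: "my-issuer", Kind: "Issuer"}},
		{}, // issuerRef missing: must be rejected here, not in the caller
		{PKIBackend: PKIBackendK8sCSR, IssuerRef: &IssuerRef{Name: "csr-signer"}},
	}
	for _, c := range cases {
		spec, err := userPKIBackendSpec(c)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("backend=%s issuer=%s kind=%s group=%s\n",
			spec.PKIBackend, spec.IssuerRef.Name, spec.IssuerRef.Kind, spec.IssuerRef.Group)
	}
}
```

The table in main is the shape of the unit test the reviewers ask for: one row with PKIBackend set, one with it empty (which must resolve to cert-manager), one with the issuerRef missing, and one with k8s-csr, which the validation currently does not allow.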
I can do the test after the fixes.
I made the changes, but since we are changing the api pkg, we might need to update go.mod to use the local api.
We need to create a separate PR for the API change and we need a new tag for the API when it is merged to the master branch. This new tag for the api should be used in this PR in go.mod.
You can use Go workspaces for local development before putting up the final PRs for the different modules.
Updated the go.mod file.
If my understanding is correct (see here), I believe the original request is to ask for support to customize the group field with cert-manager, instead of asking for support for k8s-csr - which is good to have, though, but I don't think supporting k8s-csr is what this PR is aiming for.
Yes @panyuenlau, you are right, but if the issuerRef is present with the create option set to true, do we create kafka-server or kafka-client certificates?
Pushed the api/v0.27.0 tag that contains #970.
9666c07 to 3a6979a
I looked into it deeper today and this will not be good. Supporting K8S-CSR will be a bigger change and we should not do this in this PR.
We should support the usage of the Kubernetes CertificateSigningRequests when creating server certificates, but we should do this with more caution and planning. Dear @shubhamcoc! The community would be happy for a PR to support k8s-csr. When you create this PR we will help you. Regarding the current PR please:
Back to your question:
koperator/pkg/util/pki/common.go Line 192 in 84c4643
@bartam1 I have modified the code as per your comments. Kindly review it.
LGTM! Thank you!
LGTM
Mergeable is stuck a bit, I'm trying to get it unstuck so I could merge the PR. Edit: now it did the trick...
…herrypick-from-banzai-master
* banzai/master:
  Add new CruiseControlTaskOperation to represent Status Cruise Control Operation (banzaicloud#975)
  Use permanent Slack link in README (banzaicloud#985)
  update cert-manager dependency libraries to 1.11.2 (banzaicloud#981)
  Adding test cases for kafka user issuerRef group (banzaicloud#967)
  fix(cc): re-creation of CC metrics topic (banzaicloud#976)
  Revert "Enabling k8s-csr for PKIbackend in kafka cluster spec (banzaicloud#970)" (banzaicloud#972)
  Using gomock to mock sigs.k8s.io/controller-runtime/pkg/client If (banzaicloud#973)
# Conflicts:
#	go.mod
#	go.sum
#	pkg/resources/kafka/kafka_test.go
* Adding Affinity for Cruise Control
* removing pkg/sdk
* Adding api changes for tag
* Adding Affinity in Cruise Control implementation
* Adding IT for CC affinity
* fixing IT for CC affinity
* Adding value comparison in CC IT
* Adding option to specify group name in kafka cluster
* Fixing PKIBackend validation in kafka cluster
* using api 0.27.0 tag
* fixing review comments
---------
Co-authored-by: Darren Lau <panyuenlau@Gmail.com>
Co-authored-by: Patrik Egyed <8093632+pregnor@users.noreply.github.com>
Description
Adding test cases for kafka user issuerRef group and rename of related functions