Redpanda Operator - Schema Registry Client and Pandaproxy Client mTLS configuration are not created in Redpanda configmap #5994

Closed
ThinkBriK opened this issue Aug 12, 2022 · 1 comment · Fixed by #7820
Assignees
Labels
area/k8s kind/bug Something isn't working

Comments

ThinkBriK commented Aug 12, 2022

Version & Environment

Redpanda version: (use rpk version): v22.1.7

Kubernetes version: v1.22.6

What went wrong?

When trying to set up a full mTLS configuration through Redpanda-Operator, i.e.:

apiVersion: redpanda.vectorized.io/v1alpha1
kind: Cluster
metadata:
  name: redpanda-nonprod
  namespace: redpanda-nonprod
spec:
  image: "vectorized/redpanda"
  version: "latest"
  replicas: 3
  configuration:
    developerMode: false
    autoCreateTopics: true
    rpcServer:
      port: 33145
    kafkaApi:
      - port: 9092
        tls:
          enabled: true
          requireClientAuth: true
    pandaproxyApi:
      - port: 8082
        tls:
          enabled: true
          requireClientAuth: true
    adminApi:
      - port: 9633
        tls:
          enabled: true
          requireClientAuth: true
    schemaRegistry:
      port: 8081
      tls:
        enabled: true
        requireClientAuth: true

The generated configmap for redpanda lacks TLS configuration for schema_registry_client:

config_file: /etc/redpanda/redpanda.yaml
redpanda:
    data_directory: /var/lib/redpanda/data
    node_id: 0
    seed_servers:
        - host:
            address: redpanda-nonprod-0.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
            port: 33145
        - host:
            address: redpanda-nonprod-1.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
            port: 33145
        - host:
            address: redpanda-nonprod-2.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
            port: 33145
    rpc_server:
        address: 0.0.0.0
        port: 33145
    kafka_api:
        - address: 0.0.0.0
          port: 9092
          name: kafka
    kafka_api_tls:
        - name: kafka
          key_file: /etc/tls/certs/tls.key
          cert_file: /etc/tls/certs/tls.crt
          truststore_file: /etc/tls/certs/ca/ca.crt
          enabled: true
          require_client_auth: true
    admin:
        - address: 0.0.0.0
          port: 9633
          name: admin
    admin_api_tls:
        - name: admin
          key_file: /etc/tls/certs/admin/tls.key
          cert_file: /etc/tls/certs/admin/tls.crt
          truststore_file: /etc/tls/certs/admin/ca/ca.crt
          enabled: true
          require_client_auth: true
    advertised_rpc_api:
        address: 0.0.0.0
        port: 33145
    developer_mode: false
    auto_create_topics_enabled: true
    default_topic_replications: 3
    id_allocator_replication: 3
    log_segment_size: 536870912
    transaction_coordinator_replication: 3
rpk:
    enable_usage_stats: false
    tune_network: false
    tune_disk_scheduler: false
    tune_disk_nomerges: false
    tune_disk_write_cache: false
    tune_disk_irq: false
    tune_fstrim: false
    tune_cpu: false
    tune_aio_events: false
    tune_clocksource: false
    tune_swappiness: false
    tune_transparent_hugepages: false
    enable_memory_locking: false
    tune_coredump: false
    coredump_dir: /var/lib/redpanda/coredump
    tune_ballast_file: false
    overprovisioned: false
pandaproxy:
    pandaproxy_api:
        - address: 0.0.0.0
          port: 8082
          name: proxy
    pandaproxy_api_tls:
        - name: proxy
          key_file: /etc/tls/certs/pandaproxy/tls.key
          cert_file: /etc/tls/certs/pandaproxy/tls.crt
          truststore_file: /etc/tls/certs/pandaproxy/ca/ca.crt
          enabled: true
          require_client_auth: true
pandaproxy_client:
    brokers:
        - address: redpanda-nonprod-0.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
          port: 9092
        - address: redpanda-nonprod-1.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
          port: 9092
        - address: redpanda-nonprod-2.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
          port: 9092
schema_registry:
    schema_registry_api:
        - address: 0.0.0.0
          port: 8081
          name: schema-registry
    schema_registry_api_tls:
        - name: schema-registry
          key_file: /etc/tls/certs/schema-registry/tls.key
          cert_file: /etc/tls/certs/schema-registry/tls.crt
          truststore_file: /etc/tls/certs/schema-registry/ca/ca.crt
          enabled: true
          require_client_auth: true
schema_registry_client:
    brokers:
        - address: redpanda-nonprod-0.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
          port: 9092
        - address: redpanda-nonprod-1.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
          port: 9092
        - address: redpanda-nonprod-2.redpanda-nonprod.redpanda-nonprod.svc.cluster.local.
          port: 9092

What should have happened instead?

The configmap should have .schema_registry_client.broker_tls.* set.

The error lies in

func (r *ConfigMapResource) prepareSchemaRegistryClient(

which doesn't create the BrokerTLS property for the KafkaClient object.

Same issue with pandaproxy_client and

func (r *ConfigMapResource) preparePandaproxyClient(

@ThinkBriK ThinkBriK added the kind/bug Something isn't working label Aug 12, 2022
ThinkBriK (Author) commented

There is a workaround (thanks to @BenPope) by using .spec.additionalConfiguration in the Cluster CRD:

  additionalConfiguration:
    schema_registry_client.broker_tls.enabled: "true"
    schema_registry_client.broker_tls.key_file: /etc/tls/certs/tls.key
    schema_registry_client.broker_tls.cert_file: /etc/tls/certs/tls.crt
    schema_registry_client.broker_tls.truststore_file: /etc/tls/certs/ca/ca.crt
    pandaproxy_client.broker_tls.enabled: "true"
    # same mounted files as above: key_file is the private key, cert_file the certificate
    pandaproxy_client.broker_tls.key_file: /etc/tls/certs/tls.key
    pandaproxy_client.broker_tls.cert_file: /etc/tls/certs/tls.crt
    pandaproxy_client.broker_tls.truststore_file: /etc/tls/certs/ca/ca.crt

will add the missing configuration to the configmap. Still, the operator should do it by itself (and probably also add rpk configuration that matches the cluster in the configmap).
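As an added example (not code from the issue or from the operator), a check that a rendered redpanda.yaml, already parsed into Python dicts, carries broker_tls on both internal clients whenever kafka_api_tls is enabled, together with the dotted-key expansion and overlay that the additionalConfiguration workaround relies on. The RENDERED sample is a constructed subset of the configmap above; the overlay semantics in merge and the file-suffix swap heuristic are assumptions, not the operator's own logic.

```python
CLIENTS = ("schema_registry_client", "pandaproxy_client")  # Redpanda's internal Kafka clients
# Constructed subset of the configmap from the report: mTLS on kafka_api, clients without broker_tls.
RENDERED = {
    "redpanda": {"kafka_api_tls": [{"name": "kafka", "enabled": True, "require_client_auth": True,
                                    "truststore_file": "/etc/tls/certs/ca/ca.crt"}]},
    "schema_registry_client": {"brokers": [{"address": "redpanda-nonprod-0", "port": 9092}]},
    "pandaproxy_client": {"brokers": [{"address": "redpanda-nonprod-0", "port": 9092}]},
}

def _truthy(v):  # additionalConfiguration values are strings ("true"); rendered YAML has bools
    return v is True or str(v).lower() == "true"

def client_tls_findings(config):
    """Report each internal client whose broker_tls cannot connect to the kafka_api listener."""
    listeners = config.get("redpanda", {}).get("kafka_api_tls") or []
    enabled = any(_truthy(e.get("enabled")) for e in listeners)
    mtls = any(_truthy(e.get("enabled")) and _truthy(e.get("require_client_auth")) for e in listeners)
    findings = []
    for client in (CLIENTS if enabled else ()):
        tls = config.get(client, {}).get("broker_tls") or {}
        if not _truthy(tls.get("enabled")):
            findings.append(f"{client}.broker_tls missing while kafka_api_tls is enabled")
            continue
        if not tls.get("truststore_file"):
            findings.append(f"{client}.broker_tls.truststore_file missing")
        if mtls and not (tls.get("key_file") and tls.get("cert_file")):
            findings.append(f"{client}.broker_tls lacks key_file/cert_file but listener requires client auth")
        # Heuristic (assumed): the operator mounts tls.key / tls.crt, so a .key in cert_file or .crt in key_file is a swap.
        if str(tls.get("cert_file", "")).endswith(".key") or str(tls.get("key_file", "")).endswith(".crt"):
            findings.append(f"{client}.broker_tls key_file and cert_file look swapped")
    return findings

def expand_additional_configuration(flat):
    """Expand the dotted keys of .spec.additionalConfiguration into nested mappings."""
    nested = {}
    for dotted, value in flat.items():
        node = nested
        *parents, leaf = dotted.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return nested

def merge(base, extra):
    """Overlay `extra` on a copy of `base` (assumed to mirror how the operator applies additionalConfiguration)."""
    out = dict(base)
    for key, val in extra.items():
        out[key] = merge(out[key], val) if isinstance(val, dict) and isinstance(out.get(key), dict) else val
    return out
```

Running client_tls_findings on the parsed configmap before and after merging the expanded workaround shows the two missing broker_tls blocks disappear, and a swapped key_file/cert_file pair is reported rather than silently failing the TLS handshake at runtime.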
