Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Merged by Bors] - Consolidate encryption and auth #366

Closed
wants to merge 21 commits into from
Closed

[Merged by Bors] - Consolidate encryption and auth #366

wants to merge 21 commits into from

Conversation

vsupalov
Copy link
Contributor

@vsupalov vsupalov commented Jan 4, 2023
edited by sbernauer

Description

Fixes #365

Changes, heavily inspired by the consolidation which recently happened for the kafka-operator. Relates to stackabletech/issues#293

The new structure was guided by this snippet:

apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: derby-druid
spec:
  image:
    productVersion: 24.0.0
    stackableVersion: 0.3.0
  clusterConfig:
    authentication:
      - authenticationClass: druid-tls-authentication-class (tls) # String
      - authenticationClass: druid-ldap-authentication-class (ldap) # String
    authorization:
      opa:
        configMapName: test-opa
        package: druid
    zookeeperConfigMapName: druid-znode
    metadataStorageDatabase:
      dbType: derby
      connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true
      host: localhost
      port: 1527
    deepStorage:
      hdfs:
        configMapName: druid-hdfs
        directory: /druid
    tls:
      serverSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
      internalSecretClass: secret_class # Option<String>. *In general* defaults to "tls"

Overview of introduced changes

While working on the main issue, adjacent and somewhat-related refactorings/changes were introduced as well:

  • Prefer not to disable TLS for integration tests, where possible (justification: while the complexity is slightly higher, we are tested the recommended codepath more, as TLS is on by default)
  • Introduce dedicated authorization and security rust files
  • Adjustments to test helper scripts (mostly regarding uniformity and ergonomics)

Highlight

Security-validation logic is well tested!

Review Checklist

  • Code contains useful comments
  • CRD change approved (or not applicable)
  • (Integration-)Test cases added (or not applicable)
  • Documentation added (or not applicable)
  • Changelog updated (or not applicable)
  • Cargo.toml only contains references to git tags (not specific commits or branches)
  • Helm chart can be installed and deployed operator works (or not applicable)

Once the review is done, comment bors r+ (or bors merge) to merge. Further information

@vsupalov
Copy link
Contributor Author

vsupalov commented Jan 5, 2023
edited

test run: https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/druid-operator-it-custom/65/

@sbernauer sbernauer force-pushed the 365-consolidate-encryption-and-auth branch from 1525ae0 to d4477a5 Compare January 5, 2023 10:17
@vsupalov vsupalov marked this pull request as ready for review January 5, 2023 10:26
@sbernauer sbernauer requested a review from a team January 5, 2023 10:28
@maltesander maltesander self-requested a review January 6, 2023 14:36
@maltesander maltesander mentioned this pull request Jan 9, 2023
Closed
maltesander
maltesander requested changes Jan 9, 2023
View reviewed changes
Copy link
Member

@maltesander maltesander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just minor things. LGTM otherwise!

docs/modules/getting_started/examples/code/druid.yaml Outdated Show resolved Hide resolved
rust/crd/src/authentication.rs Outdated Show resolved Hide resolved
rust/crd/src/security.rs Outdated Show resolved Hide resolved
rust/crd/src/security.rs Outdated Show resolved Hide resolved
rust/crd/src/security.rs Outdated Show resolved Hide resolved
rust/crd/src/security.rs Outdated Show resolved Hide resolved
rust/operator-binary/src/druid_controller.rs Outdated Show resolved Hide resolved
rust/crd/src/tls.rs Outdated Show resolved Hide resolved
tests/templates/kuttl/authorizer/authcheck.py Show resolved Hide resolved
tests/templates/kuttl/ingestion-no-s3-ext/healthcheck.py Outdated Show resolved Hide resolved
@sbernauer
Copy link
Member

Started new test: https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/druid-operator-it-custom/66/console

maltesander
maltesander reviewed Jan 10, 2023
View reviewed changes
tests/templates/kuttl/commons/ingestioncheck-tls.py Outdated Show resolved Hide resolved
tests/templates/kuttl/hdfs-deep-storage/04-healthcheck.yaml Show resolved Hide resolved
rust/crd/src/security.rs Outdated Show resolved Hide resolved
rust/crd/src/security.rs Outdated Show resolved Hide resolved
rust/crd/src/authentication.rs Show resolved Hide resolved
@sbernauer
Copy link
Member

Started test on Azure https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/druid-operator-it-custom/67/console

maltesander
maltesander approved these changes Jan 10, 2023
View reviewed changes
Copy link
Member

@maltesander maltesander left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if test passes!

@sbernauer
Copy link
Member

Thx! https://ci.stackable.tech/job/druid-operator-it-custom/68 passed

@sbernauer
Copy link
Member

bors r+

bors bot pushed a commit that referenced this pull request Jan 10, 2023
@sbernauer
Consolidate encryption and auth (#366)
eacc322 
# Description

Fixes #365

Changes, heavily inspired by the [consolidation which recently happened for the kafka-operator](stackabletech/kafka-operator#532). Relates to stackabletech/issues#293

The new structure was guided by this snippet:
```
apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: derby-druid
spec:
  image:
    productVersion: 24.0.0
    stackableVersion: 0.3.0
  clusterConfig:
    authentication:
      - authenticationClass: druid-tls-authentication-class (tls) # String
      - authenticationClass: druid-ldap-authentication-class (ldap) # String
    authorization:
      opa:
        configMapName: test-opa
        package: druid
    zookeeperConfigMapName: druid-znode
    metadataStorageDatabase:
      dbType: derby
      connString: jdbc:derby://localhost:1527/var/druid/metadata.db;create=true
      host: localhost
      port: 1527
    deepStorage:
      hdfs:
        configMapName: druid-hdfs
        directory: /druid
    tls:
      serverSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
      internalSecretClass: secret_class # Option<String>. *In general* defaults to "tls"
```

## Overview of introduced changes

While working on the main issue, adjacent and somewhat-related refactorings/changes were introduced as well:

* Prefer not to disable TLS for integration tests, where possible (justification: while the complexity is slightly higher, we are tested the recommended codepath more, as TLS is on by default)
* Introduce dedicated authorization and security rust files
* Adjustments to test helper scripts (mostly regarding uniformity and ergonomics)

## Highlight

Security-validation logic is well tested!



Co-authored-by: Vladislav Supalov <vladislav.supalov@stackable.de>
@bors
Copy link
Contributor

bors bot commented Jan 10, 2023

Pull request successfully merged into main.

Build succeeded:

@bors bors bot changed the title Consolidate encryption and auth [Merged by Bors] - Consolidate encryption and auth Jan 10, 2023
@bors bors bot closed this Jan 10, 2023
@bors bors bot deleted the 365-consolidate-encryption-and-auth branch January 10, 2023 11:36
@sbernauer sbernauer mentioned this pull request Jan 10, 2023
Closed
7 tasks
bors bot pushed a commit that referenced this pull request Jan 10, 2023
@sbernauer
Add Changelog entry for #366 (#375)
03ab2b8 
Add Changelog entry for #366
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbernauer sbernauer sbernauer left review comments

@maltesander maltesander maltesander approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Consolidate encryption, authentication and authorization
3 participants
@vsupalov @sbernauer @maltesander