[Merged by Bors] - Consolidate TLS encryption and authentication #532

Closed
wants to merge 15 commits into from
7 changes: 4 additions & 3 deletions .readme/partials/main.md.j2
Expand Up @@ -30,9 +30,10 @@ spec:
image:
productVersion: 3.3.1
stackableVersion: 0.3.0
zookeeperConfigMapName: simple-kafka-znode
config:
tls: null
clusterConfig:
zookeeperConfigMapName: simple-kafka-znode
tls:
serverSecretClass: null
brokers:
roleGroups:
default:
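Review bot: the example now sets `tls:` / `serverSecretClass: null`, which by the new CRD description ("If TLS encryption is used at all") turns client-facing TLS off in the getting-started snippet. Either drop the `tls` block so the `serverSecretClass: tls` default applies, or add a comment line next to it saying the example deliberately runs plaintext client listeners for local testing, so nobody copies it into a real deployment unchanged.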
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -12,13 +12,15 @@ All notable changes to this project will be documented in this file.
- Don't run init container as root and avoid chmod and chowning ([#524]).
- [BREAKING] Use Product image selection instead of version. `spec.version` has been replaced by `spec.image` ([#482]).
- [BREAKING]: Removed tools image for init and get-svc container and replaced with Kafka product image. This means the latest stackable version has to be used in the product image selection ([#527])
- [BREAKING] Consolidated top-level configuration. Split up TLS encryption and authentication. Moved all top-level fields except `spec.image` below `spec.clusterConfig` ([#532]).

[#530]: https://github.com/stackabletech/kafka-operator/pull/530
[#482]: https://github.com/stackabletech/kafka-operator/pull/482
[#513]: https://github.com/stackabletech/kafka-operator/pull/513
[#519]: https://github.com/stackabletech/kafka-operator/pull/519
[#524]: https://github.com/stackabletech/kafka-operator/pull/524
[#527]: https://github.com/stackabletech/kafka-operator/pull/527
[#532]: https://github.com/stackabletech/kafka-operator/pull/532

## [0.8.0] - 2022-11-07

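Review bot: the new `[#532]` entry describes the move below `spec.clusterConfig` but not the field renames that ship with it, which is what an upgrading user has to know: `tls.secretClass` becomes `tls.serverSecretClass`, `internalTls.secretClass` becomes `tls.internalSecretClass`, and `clientAuthentication` becomes the `authentication` list. Suggest listing those old and new names in the entry, and also noting that `stopped` is the one field that stays at top level besides `spec.image`.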
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -50,9 +50,10 @@ spec:
image:
productVersion: 3.3.1
stackableVersion: 0.3.0
zookeeperConfigMapName: simple-kafka-znode
config:
tls: null
clusterConfig:
zookeeperConfigMapName: simple-kafka-znode
tls:
serverSecretClass: null
brokers:
roleGroups:
default:
86 changes: 44 additions & 42 deletions deploy/crd/kafkacluster.crd.yaml
Expand Up @@ -523,44 +523,62 @@ spec:
required:
- roleGroups
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
clusterConfig:
properties:
clientAuthentication:
description: 'Only affects client connections. This setting controls: - If clients need to authenticate themselves against the server via TLS - Which ca.crt to use when validating the provided client certs Defaults to `None`'
authentication:
default: []
description: Authentication class settings for Kafka like mTLS authentication.
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.

## mTLS

Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
type: string
required:
- authenticationClass
type: object
type: array
log4j:
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
internalTls:
default:
secretClass: tls
description: 'Only affects internal communication. Use mutual verification between Kafka nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
type: string
opa:
description: OPA discovery config map name and package (optional) selection.
nullable: true
properties:
secretClass:
configMapName:
type: string
package:
nullable: true
type: string
required:
- secretClass
- configMapName
type: object
tls:
default:
secretClass: tls
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `TlsSecretClass` { secret_class: "tls".to_string() }.'
internalSecretClass: tls
serverSecretClass: tls
description: TLS encryption settings for Kafka (server, internal).
nullable: true
properties:
secretClass:
internalSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers Defaults to `tls`'
type: string
serverSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `tls`.'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery config map name.
type: string
required:
- zookeeperConfigMapName
type: object
image:
anyOf:
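Review bot: `tls` is declared `nullable: true` while also carrying the default `internalSecretClass: tls` / `serverSecretClass: tls`, and the `internalSecretClass` description calls internal mTLS mandatory; as written, `tls: null` validates and leaves it to the operator whether the inter-broker listener falls back to plaintext. Suggest removing `nullable: true` from `tls` itself (keeping it on `serverSecretClass`, which is the intended opt-out) or stating in the `tls` description what a null block means. Two smaller points in the same hunk: `authentication` is an array, yet the `authenticationClass` description speaks of a single override of `spec.clusterConfig.tls.serverSecretClass`, so say how several entries are handled or add `maxItems: 1` if only one is supported; and the `- If ... - Which ...` bullets in the `authenticationClass`, `internalSecretClass` and `serverSecretClass` descriptions are flattened onto one line and would read better as a `|-` block with real line breaks.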
Expand Down Expand Up @@ -604,28 +622,12 @@ spec:
description: Stackable version of the product, e.g. 2.1.0
type: string
type: object
log4j:
nullable: true
type: string
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
stopped:
nullable: true
type: boolean
zookeeperConfigMapName:
type: string
required:
- clusterConfig
- image
- zookeeperConfigMapName
type: object
required:
- spec
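Review bot: `stopped` remains a top-level property in this hunk while the CHANGELOG entry in this PR says all top-level fields except `spec.image` moved below `spec.clusterConfig`; either move `stopped` as well or adjust the changelog wording. The new `required` list of `clusterConfig` and `image` is consistent with `zookeeperConfigMapName` now being required inside `clusterConfig` in the previous hunk, so no validation gap there.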
86 changes: 44 additions & 42 deletions deploy/helm/kafka-operator/crds/crds.yaml
Expand Up @@ -525,44 +525,62 @@ spec:
required:
- roleGroups
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
clusterConfig:
properties:
clientAuthentication:
description: 'Only affects client connections. This setting controls: - If clients need to authenticate themselves against the server via TLS - Which ca.crt to use when validating the provided client certs Defaults to `None`'
authentication:
default: []
description: Authentication class settings for Kafka like mTLS authentication.
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.

## mTLS

Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
type: string
required:
- authenticationClass
type: object
type: array
log4j:
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
internalTls:
default:
secretClass: tls
description: 'Only affects internal communication. Use mutual verification between Kafka nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
type: string
opa:
description: OPA discovery config map name and package (optional) selection.
nullable: true
properties:
secretClass:
configMapName:
type: string
package:
nullable: true
type: string
required:
- secretClass
- configMapName
type: object
tls:
default:
secretClass: tls
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `TlsSecretClass` { secret_class: "tls".to_string() }.'
internalSecretClass: tls
serverSecretClass: tls
description: TLS encryption settings for Kafka (server, internal).
nullable: true
properties:
secretClass:
internalSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers Defaults to `tls`'
type: string
serverSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `tls`.'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery config map name.
type: string
required:
- zookeeperConfigMapName
type: object
image:
anyOf:
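Review bot: this is the generated Helm copy of `deploy/crd/kafkacluster.crd.yaml`; apart from the two-line offset in the hunk header (`@@ -525,44 +525,62 @@` against `@@ -523,44 +523,62 @@`) the changed lines are identical, so the copies are in sync. Any change to the descriptions or to `nullable` on `tls` in the source CRD has to be regenerated here rather than edited by hand.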
Expand Down Expand Up @@ -606,28 +624,12 @@ spec:
description: Stackable version of the product, e.g. 2.1.0
type: string
type: object
log4j:
nullable: true
type: string
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
stopped:
nullable: true
type: boolean
zookeeperConfigMapName:
type: string
required:
- clusterConfig
- image
- zookeeperConfigMapName
type: object
required:
- spec
86 changes: 44 additions & 42 deletions deploy/manifests/crds.yaml
Expand Up @@ -526,44 +526,62 @@ spec:
required:
- roleGroups
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
clusterConfig:
properties:
clientAuthentication:
description: 'Only affects client connections. This setting controls: - If clients need to authenticate themselves against the server via TLS - Which ca.crt to use when validating the provided client certs Defaults to `None`'
authentication:
default: []
description: Authentication class settings for Kafka like mTLS authentication.
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.

## mTLS

Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
type: string
required:
- authenticationClass
type: object
type: array
log4j:
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
internalTls:
default:
secretClass: tls
description: 'Only affects internal communication. Use mutual verification between Kafka nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
type: string
opa:
description: OPA discovery config map name and package (optional) selection.
nullable: true
properties:
secretClass:
configMapName:
type: string
package:
nullable: true
type: string
required:
- secretClass
- configMapName
type: object
tls:
default:
secretClass: tls
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `TlsSecretClass` { secret_class: "tls".to_string() }.'
internalSecretClass: tls
serverSecretClass: tls
description: TLS encryption settings for Kafka (server, internal).
nullable: true
properties:
secretClass:
internalSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers Defaults to `tls`'
type: string
serverSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `tls`.'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery config map name.
type: string
required:
- zookeeperConfigMapName
type: object
image:
anyOf:
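Review bot: this is the generated manifest copy of `deploy/crd/kafkacluster.crd.yaml`; the hunk header differs only by the three-line offset (`@@ -526,44 +526,62 @@` against `@@ -523,44 +523,62 @@`) and the changed lines match the source, so it is in sync and needs no separate fix beyond regeneration after the source CRD changes.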
Expand Down Expand Up @@ -607,28 +625,12 @@ spec:
description: Stackable version of the product, e.g. 2.1.0
type: string
type: object
log4j:
nullable: true
type: string
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
stopped:
nullable: true
type: boolean
zookeeperConfigMapName:
type: string
required:
- clusterConfig
- image
- zookeeperConfigMapName
type: object
required:
- spec