New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix CC not restarted when API secret changes #9616
Conversation
The user may need to create new CC API credentials because they may have been compromised. This can be done by simply deleting the secret containing CC API credentials, which is then recreated by the CO. The problem is that CC is not restarted, which leads to the following Rebalance error: ```sh 2024-01-29 17:44:08 ERROR KafkaRebalanceAssemblyOperator:483 - Reconciliation strimzi#64(kafkarebalance-watch) KafkaRebalance(test/my-rebalance): Status updated to [NotReady] due to error: Unexpected status code 401 for request to my-cluster-cruise-control.test.svc:9090/kafkacruisecontrol/rebalance?json=true&dryrun=true&verbose=true&skip_hard_goal_check=false&rebalance_disk=false ``` To fix this issue, I'm adding the API secret hash as CC annotation, so that any change will trigger a CC pod restart. Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
...tor/src/main/java/io/strimzi/operator/cluster/operator/assembly/CruiseControlReconciler.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
@scholzj I'm now hashing all passwords in the API secret. Test updated. |
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Fixed
Show fixed
Hide fixed
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...tor/src/main/java/io/strimzi/operator/cluster/operator/assembly/CruiseControlReconciler.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...tor/src/main/java/io/strimzi/operator/cluster/operator/assembly/CruiseControlReconciler.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...rator/src/main/java/io/strimzi/operator/cluster/operator/assembly/KafkaAssemblyOperator.java
Outdated
Show resolved
Hide resolved
...src/test/java/io/strimzi/operator/cluster/operator/assembly/CruiseControlReconcilerTest.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Just a couple of nits.
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One nit. LGTM otherwise.
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
/azp run regression |
Azure Pipelines successfully started running 1 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work, thanks Fede!
...er-operator/src/main/java/io/strimzi/operator/cluster/operator/assembly/ReconcilerUtils.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Federico Valeri <fedevaleri@gmail.com>
@scholzj I tried |
/azp run regression |
Azure Pipelines successfully started running 1 pipeline(s). |
The user may need to create new CC API credentials because they may have been compromised. This can be done by simply deleting the secret containing CC API credentials, which is then recreated by the CO. The problem is that CC is not restarted, which leads to the following Rebalance error:
2024-01-29 17:44:08 ERROR KafkaRebalanceAssemblyOperator:483 - Reconciliation #64(kafkarebalance-watch) KafkaRebalance(test/my-rebalance): Status updated to [NotReady] due to error: Unexpected status code 401 for request to my-cluster-cruise-control.test.svc:9090/kafkacruisecontrol/rebalance?json=true&dryrun=true&verbose=true&skip_hard_goal_check=false&rebalance_disk=false
To fix this issue, I'm adding the API secret hash as CC annotation, so that any change will trigger a CC pod restart.