Consolidate TLS encryption and authentication (#532)
# Description

New structure looks like this:
```
apiVersion: kafka.stackable.tech/v1alpha1
kind: KafkaCluster
metadata:
  name: simple-kafka
spec:
  image:
    productVersion: 3.3.1
    stackableVersion: 0.3.0
  clusterConfig:
    authentication:
      - authenticationClass: kafka-client-auth-tls
    tls:
      internalSecretClass: kafka-internal-tls
      serverSecretClass: tls
    zookeeperConfigMapName: simple-kafka-znode
  brokers:
....
```

fixes: #529  

test: https://ci.stackable.tech/view/02%20Operator%20Tests%20(custom)/job/kafka-operator-it-custom/29/



Co-authored-by: Malte Sander <[email protected]>
maltesander and maltesander committed Jan 2, 2023
1 parent 0e58ef2 commit d092e0e
Showing 33 changed files with 1,292 additions and 986 deletions.
7 changes: 4 additions & 3 deletions .readme/partials/main.md.j2
Expand Up @@ -30,9 +30,10 @@ spec:
image:
productVersion: 3.3.1
stackableVersion: 0.3.0
zookeeperConfigMapName: simple-kafka-znode
config:
tls: null
clusterConfig:
zookeeperConfigMapName: simple-kafka-znode
tls:
serverSecretClass: null
brokers:
roleGroups:
default:
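Review bot: the quickstart example now sets `serverSecretClass: null` under `clusterConfig.tls`, which switches TLS off on the client listener for anyone who copies it; since this partial appears to be the template README.md is rendered from, consider showing the secure default instead (omit `tls` entirely, or `serverSecretClass: tls`) and adding a comment that `null` is the explicit opt-out for local testing. Only the client-facing side is affected by this snippet, because `internalSecretClass` keeps its `tls` default in the new CRD.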
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -12,13 +12,15 @@ All notable changes to this project will be documented in this file.
- Don't run init container as root and avoid chmod and chowning ([#524]).
- [BREAKING] Use Product image selection instead of version. `spec.version` has been replaced by `spec.image` ([#482]).
- [BREAKING]: Removed tools image for init and get-svc container and replaced with Kafka product image. This means the latest stackable version has to be used in the product image selection ([#527])
- [BREAKING] Consolidated top-level configuration. Split up TLS encryption and authentication. Moved all top-level fields except `spec.image` below `spec.clusterConfig` ([#532]).

[#530]: https://github.com/stackabletech/kafka-operator/pull/530
[#482]: https://github.com/stackabletech/kafka-operator/pull/482
[#513]: https://github.com/stackabletech/kafka-operator/pull/513
[#519]: https://github.com/stackabletech/kafka-operator/pull/519
[#524]: https://github.com/stackabletech/kafka-operator/pull/524
[#527]: https://github.com/stackabletech/kafka-operator/pull/527
[#532]: https://github.com/stackabletech/kafka-operator/pull/532

## [0.8.0] - 2022-11-07

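Review bot: the [BREAKING] entry for #532 names the consolidation but not the field renames a user needs to migrate; suggest listing the old-to-new mapping in the entry, e.g. `spec.config.tls.secretClass` to `spec.clusterConfig.tls.serverSecretClass`, `spec.config.internalTls.secretClass` to `spec.clusterConfig.tls.internalSecretClass`, and `spec.config.clientAuthentication` to an item in the `spec.clusterConfig.authentication` list. Minor style point in the surrounding context: the #527 entry still lacks the closing period the other entries have.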
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -50,9 +50,10 @@ spec:
image:
productVersion: 3.3.1
stackableVersion: 0.3.0
zookeeperConfigMapName: simple-kafka-znode
config:
tls: null
clusterConfig:
zookeeperConfigMapName: simple-kafka-znode
tls:
serverSecretClass: null
brokers:
roleGroups:
default:
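Review bot: same point as for the `.readme/partials/main.md.j2` template: `serverSecretClass: null` in the README quickstart disables client-side TLS for everyone who copies the example. As README.md appears to be rendered from that partial, fixing it there is enough, but the rendered copy should be regenerated in the same commit so the two files do not drift.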
98 changes: 53 additions & 45 deletions deploy/crd/kafkacluster.crd.yaml
Expand Up @@ -523,44 +523,68 @@ spec:
required:
- roleGroups
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
clusterConfig:
properties:
clientAuthentication:
description: 'Only affects client connections. This setting controls: - If clients need to authenticate themselves against the server via TLS - Which ca.crt to use when validating the provided client certs Defaults to `None`'
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
internalTls:
authentication:
default: []
description: Authentication class settings for Kafka like mTLS authentication.
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.
## TLS provider
Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
type: string
required:
- authenticationClass
type: object
type: array
authorization:
default:
secretClass: tls
description: 'Only affects internal communication. Use mutual verification between Kafka nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
nullable: true
opa: null
description: Authorization settings for Kafka like OPA.
properties:
secretClass:
type: string
required:
- secretClass
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
type: object
log4j:
description: Log4j configuration
nullable: true
type: string
tls:
default:
secretClass: tls
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `TlsSecretClass` { secret_class: "tls".to_string() }.'
internalSecretClass: tls
serverSecretClass: tls
description: TLS encryption settings for Kafka (server, internal).
nullable: true
properties:
secretClass:
internalSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers Defaults to `tls`'
type: string
serverSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `tls`.'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery config map name.
type: string
required:
- zookeeperConfigMapName
type: object
image:
anyOf:
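Review bot: `tls` is declared `nullable: true` while its `internalSecretClass` description says mutual verification between brokers is mandatory; it is unclear what `tls: null` means for internal traffic, since the `default:` block already covers the omitted case. Either drop `nullable: true` from `tls` or state in the description that `null` does not disable internal mTLS. Two smaller points in the same hunk: the `authentication[].authenticationClass` description carries a stray `## TLS provider` markdown heading and links to the `nightly` docs, which will drift from released CRDs; and the flattened `- If ... - Which ...` lists in the two `tls` descriptions lose their line breaks in the generated YAML, so a `|-` block like the one used for `authenticationClass` would keep them readable in `kubectl explain`.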
Expand Down Expand Up @@ -604,28 +628,12 @@ spec:
description: Stackable version of the product, e.g. 2.1.0
type: string
type: object
log4j:
nullable: true
type: string
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
stopped:
nullable: true
type: boolean
zookeeperConfigMapName:
type: string
required:
- clusterConfig
- image
- zookeeperConfigMapName
type: object
required:
- spec
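Review bot: `stopped` stays at the top level of `spec` in this hunk while the changelog entry and the PR description say all top-level fields except `spec.image` moved below `spec.clusterConfig`; either move `stopped` as well or adjust both texts so users do not look for it under `clusterConfig`. Making `clusterConfig` required is consistent with the first hunk, where `zookeeperConfigMapName` is now required only inside it.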
98 changes: 53 additions & 45 deletions deploy/helm/kafka-operator/crds/crds.yaml
Expand Up @@ -525,44 +525,68 @@ spec:
required:
- roleGroups
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
clusterConfig:
properties:
clientAuthentication:
description: 'Only affects client connections. This setting controls: - If clients need to authenticate themselves against the server via TLS - Which ca.crt to use when validating the provided client certs Defaults to `None`'
nullable: true
properties:
authenticationClass:
type: string
required:
- authenticationClass
type: object
internalTls:
authentication:
default: []
description: Authentication class settings for Kafka like mTLS authentication.
items:
properties:
authenticationClass:
description: |-
The AuthenticationClass <https://docs.stackable.tech/home/nightly/concepts/authenticationclass.html> to use.
## TLS provider
Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
type: string
required:
- authenticationClass
type: object
type: array
authorization:
default:
secretClass: tls
description: 'Only affects internal communication. Use mutual verification between Kafka nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
nullable: true
opa: null
description: Authorization settings for Kafka like OPA.
properties:
secretClass:
type: string
required:
- secretClass
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
type: object
log4j:
description: Log4j configuration
nullable: true
type: string
tls:
default:
secretClass: tls
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `TlsSecretClass` { secret_class: "tls".to_string() }.'
internalSecretClass: tls
serverSecretClass: tls
description: TLS encryption settings for Kafka (server, internal).
nullable: true
properties:
secretClass:
internalSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers Defaults to `tls`'
type: string
serverSecretClass:
default: tls
description: 'The <https://docs.stackable.tech/secret-operator/stable/secretclass.html> to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `tls`.'
nullable: true
type: string
required:
- secretClass
type: object
zookeeperConfigMapName:
description: ZooKeeper discovery config map name.
type: string
required:
- zookeeperConfigMapName
type: object
image:
anyOf:
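Review bot: this file mirrors `deploy/crd/kafkacluster.crd.yaml` line for line, so the same points apply here: `tls` being `nullable: true` conflicts with the "mandatory" wording of `internalSecretClass`, the `## TLS provider` heading and `nightly` link leak into the `authenticationClass` description, and the flattened bullet lists in the `tls` descriptions are hard to read. Both copies appear to be generated from the same Rust types (the removed description still shows `TlsSecretClass { secret_class: "tls".to_string() }`), so the fix belongs in the doc comments and the nullability of the `tls` field, followed by regenerating both CRD files.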
Expand Down Expand Up @@ -606,28 +630,12 @@ spec:
description: Stackable version of the product, e.g. 2.1.0
type: string
type: object
log4j:
nullable: true
type: string
opa:
nullable: true
properties:
configMapName:
type: string
package:
nullable: true
type: string
required:
- configMapName
type: object
stopped:
nullable: true
type: boolean
zookeeperConfigMapName:
type: string
required:
- clusterConfig
- image
- zookeeperConfigMapName
type: object
required:
- spec
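Review bot: as in the kustomize copy of the CRD, `stopped` remains a top-level field of `spec` here although the changelog states everything except `spec.image` moved under `spec.clusterConfig`; whichever way this is resolved, both CRD copies must stay identical, so regenerate rather than hand-edit.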