feat: add extra_listeners #269

Merged: 15 commits merged into main from feat/custom_hostname, Nov 12, 2024

Conversation

@marcoppenheimer (Contributor) commented Nov 4, 2024

Changes Made

refactor: add extra_listeners config, deprecate certificate_extra_sans

  • extra_listeners replaces certificate_extra_sans
  • If user provides value with structure foobar-{unit}.baz:30000, they will get listeners like foobar-0.baz:39092 on unit 0
  • When the charm requests a certificate, still using certificate_extra_sans, they will get a deprecation warning in the logs
  • extra_listeners will be preferred, but default to certificate_extra_sans if unset

refactor: move password actions to actions.py

  • Mostly housekeeping, easier to have most 'non-specific' actions in a single place

feat: add get-listeners Action

  • Outputs data about the current advertised.listeners for the unit the Action runs against
  • Output:
client-sasl-plaintext-scram-sha-512:
  advertised-listener: CLIENT_SASL_PLAINTEXT_SCRAM_SHA_512://10.58.254.50:9092
  auth-mechanism: SCRAM-SHA-512
  name: CLIENT_SASL_PLAINTEXT_SCRAM_SHA_512
  port: "9092"
  protocol: SASL_PLAINTEXT
  scope: CLIENT
extra-sasl-plaintext-scram-sha-512-0:
  advertised-listener: EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_0://kafka-0.foo-domain.com:39092
  auth-mechanism: SCRAM-SHA-512
  name: EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_0
  port: "39092"
  protocol: SASL_PLAINTEXT
  scope: EXTRA
extra-sasl-plaintext-scram-sha-512-1:
  advertised-listener: EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_1://kafka-0.bar-domain.com:49192
  auth-mechanism: SCRAM-SHA-512
  name: EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_1
  port: "49192"
  protocol: SASL_PLAINTEXT
  scope: EXTRA
internal-sasl-plaintext-scram-sha-512:
  advertised-listener: INTERNAL_SASL_PLAINTEXT_SCRAM_SHA_512://10.58.254.50:19092
  auth-mechanism: SCRAM-SHA-512
  name: INTERNAL_SASL_PLAINTEXT_SCRAM_SHA_512
  port: "19092"
  protocol: SASL_PLAINTEXT
  scope: INTERNAL

Manual Validation

Attempted to verify behavior using the following set-up:

  • Host machine
  • (on host) LXD VM - 10.155.67.110 (enp5s0)
  • (on nested LXD on the VM) Kafka container unit - kafka/0 has IP 10.58.254.246 with hostname juju-ecb145-0

Configured Kafka to expose multiple extra advertised.listeners:

# relevant one is EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_2://juju-ecb145-0:39292

advertised.listeners=INTERNAL_SASL_PLAINTEXT_SCRAM_SHA_512://10.58.254.247:19092,CLIENT_SASL_PLAINTEXT_SCRAM_SHA_512://10.58.254.247:9092,EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512://kafka-0.foo-domain.com:39092,EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_1://kafka-0.bar-domain.com:39192,EXTRA_SASL_PLAINTEXT_SCRAM_SHA_512_2://juju-ecb145-0:39292

Edited DNS on the host machine to point the Kafka unit hostnames at the Kafka unit IPs:

# /etc/hosts
10.58.254.247 juju-ecb145-0 kafka-0
10.58.254.147 juju-ecb145-4 kafka-1

Right now, this isn't resolvable.

Then, manually added an IP route on the host machine, to reach the Kafka unit IP via the enp5s0 LXD VM network:

sudo ip route add 10.58.254.247 via 10.155.67.110
sudo ip route add 10.58.254.147 via 10.155.67.110

Finally, on the host machine, attempted to create a topic on a single Kafka unit, using kafka-0:39292 as the bootstrap-server, which succeeded:

# bootstrapping on kafka/0
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=kafka-0:39292 <connecting> [IPv4 ('10.58.254.247', 39292)]>: connecting to kafka-0:39292 [('10.58.254.247', 39292) IPv4]
INFO:kafka.conn:Probing node bootstrap-0 broker version
WARNING:root:<BrokerConnection node_id=bootstrap-0 host=kafka-0:39292 <authenticating> [IPv4 ('10.58.254.247', 39292)]>: Exchanging credentials in the clear
INFO:root:<BrokerConnection node_id=bootstrap-0 host=kafka-0:39292 <authenticating> [IPv4 ('10.58.254.247', 39292)]>: Authenticated as admin via SCRAM-SHA-512
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=kafka-0:39292 <authenticating> [IPv4 ('10.58.254.247', 39292)]>: Connection complete.
INFO:kafka.conn:Broker version identified as 2.6.0
INFO:kafka.conn:Set configuration api_version=(2, 6, 0) to skip auto check_version requests on startup
INFO:kafka.conn:Probing node bootstrap-0 broker version
INFO:kafka.conn:Broker version identified as 2.6.0
INFO:kafka.conn:Set configuration api_version=(2, 6, 0) to skip auto check_version requests on startup

# successful connection to advertised kafka/1
INFO:kafka.conn:<BrokerConnection node_id=1 host=juju-ecb145-4:39292 <connecting> [IPv4 ('10.58.254.147', 39292)]>: connecting to juju-ecb145-4:39292 [('10.58.254.147', 39292) IPv4]
INFO:kafka.conn:Probing node 1 broker version
WARNING:root:<BrokerConnection node_id=1 host=juju-ecb145-4:39292 <authenticating> [IPv4 ('10.58.254.147', 39292)]>: Exchanging credentials in the clear
INFO:root:<BrokerConnection node_id=1 host=juju-ecb145-4:39292 <authenticating> [IPv4 ('10.58.254.147', 39292)]>: Authenticated as admin via SCRAM-SHA-512
INFO:kafka.conn:<BrokerConnection node_id=1 host=juju-ecb145-4:39292 <authenticating> [IPv4 ('10.58.254.147', 39292)]>: Connection complete.
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=kafka-0:39292 <connected> [IPv4 ('10.58.254.247', 39292)]>: Closing connection.
INFO:kafka.conn:Broker version identified as 2.6.0
INFO:kafka.conn:Set configuration api_version=(2, 6, 0) to skip auto check_version requests on startup
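A worked rendering of the config behaviour described in this PR, added here as an example; it is not the charm's own code from the PR. It assumes, from the numbers on the page rather than from any stated rule, that a listener's port is the template's base port plus 9092 plus 100 per listener index (30000 gives 39092 for the first entry and 40000 gives 49192 for the second), that extra listeners are numbered from 0 as in the get-listeners output, and that they all use SASL_PLAINTEXT with SCRAM-SHA-512; every function and constant name below is my own. It also lists which advertised listeners are unencrypted, because the client log in the validation section warns "Exchanging credentials in the clear" on exactly these listeners, and collects the hostnames a certificate would need as SANs, which is the job the deprecated certificate_extra_sans option used to do.

```python
"""Added example (not the charm's code): render advertised.listeners from an
extra_listeners template, apply the documented fallback to the deprecated
option, and produce get-listeners-style output.

Assumed port rule (inferred from the page, not stated there):
    port = base_port + 9092 + 100 * index
"""
import re
import warnings
from dataclasses import dataclass
from typing import Optional

PROTOCOL = "SASL_PLAINTEXT"  # assumed: matches the listener names on the page
MECHANISM = "SCRAM-SHA-512"  # assumed: matches the listener names on the page
PORT_OFFSET = 9092           # assumed: 30000 -> 39092
PORT_STEP = 100              # assumed: 39092, 39192, 39292 on one base port
TLS_PROTOCOLS = {"SSL", "SASL_SSL"}

# one entry looks like  kafka-{unit}.example.com:30000
_ENTRY = re.compile(r"^(?P<host>[A-Za-z0-9.\-{}]+):(?P<port>\d{1,5})$")


@dataclass(frozen=True)
class Listener:
    scope: str
    host: str
    port: int
    index: Optional[int] = None
    protocol: str = PROTOCOL
    mechanism: str = MECHANISM

    @property
    def name(self) -> str:
        base = f"{self.scope}_{self.protocol}_{self.mechanism.replace('-', '_')}"
        return base if self.index is None else f"{base}_{self.index}"

    @property
    def advertised(self) -> str:
        return f"{self.name}://{self.host}:{self.port}"


def resolve_listener_config(extra_listeners: str, certificate_extra_sans: str) -> str:
    """Prefer extra_listeners; fall back to the deprecated option with a warning."""
    if extra_listeners.strip():
        return extra_listeners
    if certificate_extra_sans.strip():
        warnings.warn("certificate_extra_sans is deprecated, use extra_listeners",
                      DeprecationWarning, stacklevel=2)
    return certificate_extra_sans


def parse_extra_listeners(value: str) -> list:
    """Split 'host-{unit}.tpl:port,...' into (host_template, base_port) pairs."""
    pairs = []
    for raw in (s.strip() for s in value.split(",")):
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError(f"malformed extra_listeners entry: {raw!r}")
        pairs.append((m.group("host"), int(m.group("port"))))
    return pairs


def render_extra_listeners(value: str, unit: int) -> list:
    """Expand {unit} and derive one EXTRA listener per entry for this unit."""
    listeners = []
    for index, (host_tpl, base_port) in enumerate(parse_extra_listeners(value)):
        port = base_port + PORT_OFFSET + PORT_STEP * index
        if port > 65535:  # a high base port silently overflows the TCP range
            raise ValueError(f"derived port {port} for {host_tpl!r} is out of range")
        host = host_tpl.replace("{unit}", str(unit))
        listeners.append(Listener("EXTRA", host, port, index))
    return listeners


def advertised_listeners_line(listeners) -> str:
    """The comma-separated value written to advertised.listeners."""
    return ",".join(l.advertised for l in listeners)


def get_listeners_output(listeners) -> dict:
    """Mirror the get-listeners Action output: one mapping per listener."""
    return {
        l.name.lower().replace("_", "-"): {
            "advertised-listener": l.advertised,
            "auth-mechanism": l.mechanism,
            "name": l.name,
            "port": str(l.port),
            "protocol": l.protocol,
            "scope": l.scope,
        }
        for l in listeners
    }


def unencrypted_listeners(listeners) -> list:
    """Listeners whose SASL exchange runs over plaintext (no TLS protocol)."""
    return [l.advertised for l in listeners if l.protocol not in TLS_PROTOCOLS]


def certificate_sans(listeners) -> list:
    """Hostnames a broker certificate must carry so clients can verify them."""
    return sorted({l.host for l in listeners})


if __name__ == "__main__":
    cfg = resolve_listener_config(
        "kafka-{unit}.foo-domain.com:30000,kafka-{unit}.bar-domain.com:40000", "")
    ls = render_extra_listeners(cfg, unit=0)
    print(advertised_listeners_line(ls))
    print("plaintext:", unencrypted_listeners(ls))
    print("SANs:", certificate_sans(ls))
```

Run it as a script to see the advertised.listeners line for unit 0; swap the template for a SASL_SSL protocol in `Listener` and `unencrypted_listeners` comes back empty, which is the state a practitioner would want before publishing these hostnames outside the model.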

@grobbie left a comment

Some comments. The description is ok. I don't have a problem with a single knob that encapsulates a bunch of complex stuff, personally.

Review threads: src/events/actions.py (outdated), src/managers/config.py, src/managers/config.py, tests/unit/test_config.py

@deusebio (Contributor) left a comment

I got a bit confused with the extra_count and a couple of "conflicting" comments, which have probably created some misunderstanding. But I would like to be sure we are on the same page on the UX, and probably simplify the code (skipping the extra_count) which also created a bit of misunderstanding (and I don't think it is clarified in the config option description)

Review threads: src/managers/config.py, src/managers/config.py (outdated)

@deusebio (Contributor) left a comment

LGTM! Just some non-blocking suggestions/nitpicks attached

Review threads: src/managers/config.py, src/managers/config.py

@marcoppenheimer force-pushed the feat/custom_hostname branch 2 times, most recently from 63659de to 80fd059, November 8, 2024 19:46
@deusebio removed the request for review from Batalex, November 11, 2024 13:42

@Batalex (Contributor) left a comment

LGTM, a fascinating addition to the charm

Review threads: src/events/actions.py, src/events/tls.py

@marcoppenheimer merged commit 808c702 into main Nov 12, 2024
21 checks passed
@marcoppenheimer deleted the feat/custom_hostname branch November 12, 2024 14:26