
feat: add Kerberos authentication for Kafka #762

Merged: 58 commits merged into main from feat/kafka-kerberos on Nov 13, 2024

Conversation

adwk67 (Member) commented Sep 20, 2024

Fixes #655
Pending decision: https://github.com/stackabletech/decisions/issues/28 ( ✔️ closed/done)

Openshift/OKD tests 🟢 :

--- PASS: kuttl (520.16s)
    --- PASS: kuttl/harness (0.00s)
        --- PASS: kuttl/harness/configuration_kafka-latest-3.7.1_zookeeper-latest-3.9.2_openshift-true (41.05s)
        --- PASS: kuttl/harness/kerberos_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-true_krb5-1.21.1_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (100.10s)
        --- PASS: kuttl/harness/delete-rolegroup_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-true (71.71s)
        --- PASS: kuttl/harness/smoke_kafka-3.8.0_zookeeper-3.9.2_use-client-tls-true_openshift-true (107.86s)
        --- PASS: kuttl/harness/logging_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-true (117.43s)
        --- PASS: kuttl/harness/cluster-operation_kafka-latest-3.7.1_zookeeper-latest-3.9.2_openshift-true (130.04s)
        --- PASS: kuttl/harness/tls_kafka-3.8.0_zookeeper-latest-3.9.2_use-client-tls-true_use-client-auth-tls-true_openshift-true (164.68s)
        --- PASS: kuttl/harness/upgrade_zookeeper-3.9.2_upgrade_old-3.7.1_upgrade_new-3.8.0_use-client-tls-true_use-client-auth-tls-true_openshift-true (151.38s)
PASS

Definition of Done Checklist

  • Not all of these items are applicable to all PRs; the author should update this template to leave in only the boxes that are relevant
  • Please make sure all these things are done and tick the boxes

Author

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Roadmap has been updated

adwk67 (Member, Author) commented Sep 27, 2024

@sbernauer I tried to use one principal for all brokers, as we discussed, but could not quite get it to work.
This variation works with the brokers (they all come up):
principal=\"kafka/test-kafka-broker-default.kuttl-test-glorious-airedale.svc.cluster.local@$KERBEROS_REALM\"
but I was not able to do the same for the client job. I set
BROKER=test-kafka-broker-default.$NAMESPACE.svc.cluster.local:9093
which allows me to query the topics but it fails with authentication errors when in producer/consumer mode.

@adwk67 adwk67 marked this pull request as ready for review September 30, 2024 13:06
@adwk67 adwk67 self-assigned this Sep 30, 2024
sbernauer (Member) left a comment

Only did a quick review of the code. I can go into more detail when we have merged the changes from #443 and I find the proper time.

Review comments left on (resolved; "outdated" marks threads superseded by later commits):
  • rust/crd/src/authentication.rs (outdated, two threads; one current thread)
  • rust/crd/src/lib.rs (outdated)
  • rust/crd/src/listener.rs
  • rust/crd/src/security.rs (one outdated thread; one current thread)
  • rust/operator-binary/src/kafka_controller.rs (outdated, two threads)
  • rust/operator-binary/src/kerberos.rs (outdated)
adwk67 (Member, Author) commented Oct 23, 2024

Ran nightly suite again locally following latest changes 🟢

--- PASS: kuttl (884.94s)
    --- PASS: kuttl/harness (0.00s)
        --- PASS: kuttl/harness/delete-rolegroup_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-false (73.35s)
        --- PASS: kuttl/harness/tls_kafka-3.8.0_zookeeper-latest-3.9.2_use-client-tls-true_use-client-auth-tls-false_openshift-false (177.87s)
        --- PASS: kuttl/harness/upgrade_zookeeper-3.9.2_upgrade_old-3.7.1_upgrade_new-3.8.0_use-client-tls-true_use-client-auth-tls-false_openshift-false (178.71s)
        --- PASS: kuttl/harness/kerberos_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-false_krb5-1.21.1_kerberos-realm-PROD.MYCORP_kerberos-backend-mit (95.47s)
        --- PASS: kuttl/harness/kerberos_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-false_krb5-1.21.1_kerberos-realm-CLUSTER.LOCAL_kerberos-backend-mit (105.52s)
        --- PASS: kuttl/harness/upgrade_zookeeper-3.9.2_upgrade_old-3.7.1_upgrade_new-3.8.0_use-client-tls-true_use-client-auth-tls-true_openshift-false (125.30s)
        --- PASS: kuttl/harness/smoke_kafka-3.8.0_zookeeper-3.9.2_use-client-tls-true_openshift-false (141.44s)
        --- PASS: kuttl/harness/tls_kafka-3.8.0_zookeeper-latest-3.9.2_use-client-tls-false_use-client-auth-tls-true_openshift-false (148.59s)
        --- PASS: kuttl/harness/tls_kafka-3.8.0_zookeeper-latest-3.9.2_use-client-tls-false_use-client-auth-tls-false_openshift-false (65.18s)
        --- PASS: kuttl/harness/logging_kafka-3.8.0_zookeeper-latest-3.9.2_openshift-false (91.36s)
        --- PASS: kuttl/harness/cluster-operation_kafka-latest-3.7.1_zookeeper-latest-3.9.2_openshift-false (88.81s)
        --- PASS: kuttl/harness/configuration_kafka-latest-3.7.1_zookeeper-latest-3.9.2_openshift-false (28.44s)
        --- PASS: kuttl/harness/smoke_kafka-3.8.0_zookeeper-3.9.2_use-client-tls-false_openshift-false (58.76s)
        --- PASS: kuttl/harness/upgrade_zookeeper-3.9.2_upgrade_old-3.7.1_upgrade_new-3.8.0_use-client-tls-false_use-client-auth-tls-false_openshift-false (120.38s)
        --- PASS: kuttl/harness/tls_kafka-3.8.0_zookeeper-latest-3.9.2_use-client-tls-true_use-client-auth-tls-true_openshift-false (160.60s)
        --- PASS: kuttl/harness/upgrade_zookeeper-3.9.2_upgrade_old-3.7.1_upgrade_new-3.8.0_use-client-tls-false_use-client-auth-tls-true_openshift-false (82.92s)

adwk67 (Member, Author) commented Nov 6, 2024

Re-tested 🟢

Review comments left on (resolved):
  • tests/templates/kuttl/kerberos/30-access-kafka.txt.j2 (outdated)
  • rust/crd/src/security.rs

siegfriedweber (Member) previously approved these changes Nov 8, 2024 and left a comment

LGTM

siegfriedweber (Member) left a comment

Good explanation!

Review comments left on (resolved, outdated): docs/modules/kafka/pages/usage-guide/security.adoc (two threads)
@adwk67 adwk67 dismissed sbernauer’s stale review November 13, 2024 10:48

All changes implemented and/or discussed in planning (will merge as experimental).

@adwk67 adwk67 added this pull request to the merge queue Nov 13, 2024
Merged via the queue into main with commit e259a61 Nov 13, 2024
16 of 17 checks passed
@adwk67 adwk67 deleted the feat/kafka-kerberos branch November 13, 2024 11:50
Status: Development: Done

Merging this pull request may close: Support Kerberos authentication in Kafka