Example 11 with KafkaClientAuthentication

Use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi: the class AuthenticationUtils, method configureClientAuthenticationVolumeMounts.

/**
 * Creates the VolumeMounts used for authentication of Kafka client based components
 * @param authentication    Authentication object from CRD
 * @param volumeMountList    List where the volume mounts will be added
 * @param tlsVolumeMount    Path where the TLS certs should be mounted
 * @param passwordVolumeMount   Path where passwords should be mounted
 * @param oauthCertsVolumeMount Path where the OAuth certificates would be mounted
 * @param oauthVolumeNamePrefix Prefix used for OAuth volume names
 * @param volumeNamePrefix Prefix used for volume mount names
 * @param mountOAuthSecretVolumes Indicates whether OAuth secret volume mounts will be added to the list
 * @param oauthSecretsVolumeMount Path where the OAuth secrets would be mounted
 */
public static void configureClientAuthenticationVolumeMounts(KafkaClientAuthentication authentication,
                                                             List<VolumeMount> volumeMountList,
                                                             String tlsVolumeMount,
                                                             String passwordVolumeMount,
                                                             String oauthCertsVolumeMount,
                                                             String oauthVolumeNamePrefix,
                                                             String volumeNamePrefix,
                                                             boolean mountOAuthSecretVolumes,
                                                             String oauthSecretsVolumeMount) {
    if (authentication != null) {
        if (authentication instanceof KafkaClientAuthenticationTls) {
            // mTLS: the client certificate and key come from a user-supplied Secret mounted under the TLS path
            KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
            // skipping if a volume mount with same Secret name was already added
            if (volumeMountList.stream().noneMatch(vm -> vm.getName().equals(volumeNamePrefix + tlsAuth.getCertificateAndKey().getSecretName()))) {
                volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + tlsAuth.getCertificateAndKey().getSecretName(), tlsVolumeMount + tlsAuth.getCertificateAndKey().getSecretName()));
            }
        } else if (authentication instanceof KafkaClientAuthenticationPlain) {
            // SASL PLAIN: the password Secret is mounted as a volume under the password path
            KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
            volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + passwordAuth.getPasswordSecret().getSecretName(), passwordVolumeMount + passwordAuth.getPasswordSecret().getSecretName()));
        } else if (authentication instanceof KafkaClientAuthenticationScram) {
            // SASL SCRAM: same handling as PLAIN, the password Secret is mounted under the password path
            KafkaClientAuthenticationScram scramAuth = (KafkaClientAuthenticationScram) authentication;
            volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + scramAuth.getPasswordSecret().getSecretName(), passwordVolumeMount + scramAuth.getPasswordSecret().getSecretName()));
        } else if (authentication instanceof KafkaClientAuthenticationOAuth) {
            // OAuth: mount the trusted certificates for the authorization server and, when requested,
            // the Secrets holding the client secret, access token and refresh token
            KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
            volumeMountList.addAll(configureOauthCertificateVolumeMounts(oauthVolumeNamePrefix, oauth.getTlsTrustedCertificates(), oauthCertsVolumeMount));
            if (mountOAuthSecretVolumes) {
                if (oauth.getClientSecret() != null) {
                    volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getClientSecret().getSecretName(), oauthSecretsVolumeMount + oauth.getClientSecret().getSecretName()));
                }
                if (oauth.getAccessToken() != null) {
                    volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getAccessToken().getSecretName(), oauthSecretsVolumeMount + oauth.getAccessToken().getSecretName()));
                }
                if (oauth.getRefreshToken() != null) {
                    volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getRefreshToken().getSecretName(), oauthSecretsVolumeMount + oauth.getRefreshToken().getSecretName()));
                }
            }
        }
    }
}

Example 12 with KafkaClientAuthentication

Use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi: the class KafkaConnectAssemblyOperator, method generateAuthHash.

/**
 * Generates a hash from the client authentication Secrets and the trusted TLS certificates that can be used to detect when they have changed.
 *
 * @param namespace          Namespace of the Connect cluster
 * @param kafkaConnectSpec   KafkaConnectSpec object
 * @return                   Future for tracking the asynchronous result of generating the TLS auth hash
 */
Future<Integer> generateAuthHash(String namespace, KafkaConnectSpec kafkaConnectSpec) {
    KafkaClientAuthentication auth = kafkaConnectSpec.getAuthentication();
    // No TLS section in the spec means no trusted certificates contribute to the hash
    List<CertSecretSource> trustedCertificates = kafkaConnectSpec.getTls() == null ? Collections.emptyList() : kafkaConnectSpec.getTls().getTrustedCertificates();
    return Util.authTlsHash(secretOperations, namespace, auth, trustedCertificates);
}

Example 13 with KafkaClientAuthentication

Use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi: the class KafkaMirrorMakerAssemblyOperator, method createOrUpdate.

@Override
protected Future<KafkaMirrorMakerStatus> createOrUpdate(Reconciliation reconciliation, KafkaMirrorMaker assemblyResource) {
    String namespace = reconciliation.namespace();
    KafkaMirrorMakerCluster mirror;
    KafkaMirrorMakerStatus kafkaMirrorMakerStatus = new KafkaMirrorMakerStatus();
    try {
        mirror = KafkaMirrorMakerCluster.fromCrd(reconciliation, assemblyResource, versions);
    } catch (Exception e) {
        LOGGER.warnCr(reconciliation, e);
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaMirrorMakerStatus, Future.failedFuture(e));
        return Future.failedFuture(new ReconciliationException(kafkaMirrorMakerStatus, e));
    }
    Map<String, String> annotations = new HashMap<>(1);
    KafkaClientAuthentication authConsumer = assemblyResource.getSpec().getConsumer().getAuthentication();
    List<CertSecretSource> trustedCertificatesConsumer = assemblyResource.getSpec().getConsumer().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getConsumer().getTls().getTrustedCertificates();
    KafkaClientAuthentication authProducer = assemblyResource.getSpec().getProducer().getAuthentication();
    List<CertSecretSource> trustedCertificatesProducer = assemblyResource.getSpec().getProducer().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getProducer().getTls().getTrustedCertificates();
    Promise<KafkaMirrorMakerStatus> createOrUpdatePromise = Promise.promise();
    boolean mirrorHasZeroReplicas = mirror.getReplicas() == 0;
    LOGGER.debugCr(reconciliation, "Updating Kafka Mirror Maker cluster");
    mirrorMakerServiceAccount(reconciliation, namespace, mirror)
        .compose(i -> deploymentOperations.scaleDown(reconciliation, namespace, mirror.getName(), mirror.getReplicas()))
        .compose(i -> Util.metricsAndLogging(reconciliation, configMapOperations, namespace, mirror.getLogging(), mirror.getMetricsConfigInCm()))
        .compose(metricsAndLoggingCm -> {
            ConfigMap logAndMetricsConfigMap = mirror.generateMetricsAndLogConfigMap(metricsAndLoggingCm);
            annotations.put(Annotations.STRIMZI_LOGGING_ANNOTATION, logAndMetricsConfigMap.getData().get(mirror.ANCILLARY_CM_KEY_LOG_CONFIG));
            return configMapOperations.reconcile(reconciliation, namespace, mirror.getAncillaryConfigMapName(), logAndMetricsConfigMap);
        })
        .compose(i -> pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetOperator.reconcile(reconciliation, namespace, mirror.getName(), mirror.generatePodDisruptionBudget()) : Future.succeededFuture())
        .compose(i -> !pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetV1Beta1Operator.reconcile(reconciliation, namespace, mirror.getName(), mirror.generatePodDisruptionBudgetV1Beta1()) : Future.succeededFuture())
        // Hash the consumer and producer authentication Secrets and trusted certificates in parallel
        .compose(i -> CompositeFuture.join(
            Util.authTlsHash(secretOperations, namespace, authConsumer, trustedCertificatesConsumer),
            Util.authTlsHash(secretOperations, namespace, authProducer, trustedCertificatesProducer)))
        .compose(hashFut -> {
            if (hashFut != null) {
                // The combined hash goes onto the Deployment as an annotation, so a changed credential or certificate rolls the pods
                annotations.put(Annotations.ANNO_STRIMZI_AUTH_HASH, Integer.toString((int) hashFut.resultAt(0) + (int) hashFut.resultAt(1)));
            }
            return Future.succeededFuture();
        })
        .compose(i -> deploymentOperations.reconcile(reconciliation, namespace, mirror.getName(), mirror.generateDeployment(annotations, pfa.isOpenshift(), imagePullPolicy, imagePullSecrets)))
        .compose(i -> deploymentOperations.scaleUp(reconciliation, namespace, mirror.getName(), mirror.getReplicas()))
        .compose(i -> deploymentOperations.waitForObserved(reconciliation, namespace, mirror.getName(), 1_000, operationTimeoutMs))
        .compose(i -> mirrorHasZeroReplicas ? Future.succeededFuture() : deploymentOperations.readiness(reconciliation, namespace, mirror.getName(), 1_000, operationTimeoutMs))
        .onComplete(reconciliationResult -> {
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaMirrorMakerStatus, reconciliationResult);
        kafkaMirrorMakerStatus.setReplicas(mirror.getReplicas());
        kafkaMirrorMakerStatus.setLabelSelector(mirror.getSelectorLabels().toSelectorString());
        if (reconciliationResult.succeeded()) {
            createOrUpdatePromise.complete(kafkaMirrorMakerStatus);
        } else {
            createOrUpdatePromise.fail(new ReconciliationException(kafkaMirrorMakerStatus, reconciliationResult.cause()));
        }
    });
    return createOrUpdatePromise.future();
}

Example 14 with KafkaClientAuthentication

Use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi: the class KafkaBridgeAssemblyOperator, method createOrUpdate.

@Override
protected Future<KafkaBridgeStatus> createOrUpdate(Reconciliation reconciliation, KafkaBridge assemblyResource) {
    KafkaBridgeStatus kafkaBridgeStatus = new KafkaBridgeStatus();
    String namespace = reconciliation.namespace();
    KafkaBridgeCluster bridge;
    try {
        bridge = KafkaBridgeCluster.fromCrd(reconciliation, assemblyResource, versions);
    } catch (Exception e) {
        LOGGER.warnCr(reconciliation, e);
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaBridgeStatus, Future.failedFuture(e));
        return Future.failedFuture(new ReconciliationException(kafkaBridgeStatus, e));
    }
    KafkaClientAuthentication auth = assemblyResource.getSpec().getAuthentication();
    List<CertSecretSource> trustedCertificates = assemblyResource.getSpec().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getTls().getTrustedCertificates();
    Promise<KafkaBridgeStatus> createOrUpdatePromise = Promise.promise();
    boolean bridgeHasZeroReplicas = bridge.getReplicas() == 0;
    LOGGER.debugCr(reconciliation, "Updating Kafka Bridge cluster");
    kafkaBridgeServiceAccount(reconciliation, namespace, bridge)
        .compose(i -> deploymentOperations.scaleDown(reconciliation, namespace, bridge.getName(), bridge.getReplicas()))
        .compose(scale -> serviceOperations.reconcile(reconciliation, namespace, bridge.getServiceName(), bridge.generateService()))
        .compose(i -> Util.metricsAndLogging(reconciliation, configMapOperations, namespace, bridge.getLogging(), null))
        .compose(metricsAndLogging -> configMapOperations.reconcile(reconciliation, namespace, bridge.getAncillaryConfigMapName(), bridge.generateMetricsAndLogConfigMap(metricsAndLogging)))
        .compose(i -> pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetOperator.reconcile(reconciliation, namespace, bridge.getName(), bridge.generatePodDisruptionBudget()) : Future.succeededFuture())
        .compose(i -> !pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetV1Beta1Operator.reconcile(reconciliation, namespace, bridge.getName(), bridge.generatePodDisruptionBudgetV1Beta1()) : Future.succeededFuture())
        // Hash the authentication Secrets and trusted certificates; the hash is stored as a Deployment annotation so a change rolls the pods
        .compose(i -> Util.authTlsHash(secretOperations, namespace, auth, trustedCertificates))
        .compose(hash -> deploymentOperations.reconcile(reconciliation, namespace, bridge.getName(), bridge.generateDeployment(Collections.singletonMap(Annotations.ANNO_STRIMZI_AUTH_HASH, Integer.toString(hash)), pfa.isOpenshift(), imagePullPolicy, imagePullSecrets)))
        .compose(i -> deploymentOperations.scaleUp(reconciliation, namespace, bridge.getName(), bridge.getReplicas()))
        .compose(i -> deploymentOperations.waitForObserved(reconciliation, namespace, bridge.getName(), 1_000, operationTimeoutMs))
        .compose(i -> bridgeHasZeroReplicas ? Future.succeededFuture() : deploymentOperations.readiness(reconciliation, namespace, bridge.getName(), 1_000, operationTimeoutMs))
        .onComplete(reconciliationResult -> {
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaBridgeStatus, reconciliationResult.mapEmpty());
        if (!bridgeHasZeroReplicas) {
            int port = KafkaBridgeCluster.DEFAULT_REST_API_PORT;
            if (bridge.getHttp() != null) {
                port = bridge.getHttp().getPort();
            }
            kafkaBridgeStatus.setUrl(KafkaBridgeResources.url(bridge.getCluster(), namespace, port));
        }
        kafkaBridgeStatus.setReplicas(bridge.getReplicas());
        kafkaBridgeStatus.setLabelSelector(bridge.getSelectorLabels().toSelectorString());
        if (reconciliationResult.succeeded()) {
            createOrUpdatePromise.complete(kafkaBridgeStatus);
        } else {
            createOrUpdatePromise.fail(new ReconciliationException(kafkaBridgeStatus, reconciliationResult.cause()));
        }
    });
    return createOrUpdatePromise.future();
}