use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.
the class AuthenticationUtils method configureClientAuthenticationVolumeMounts.
/**
* Creates the VolumeMounts used for authentication of Kafka client based components
* @param authentication Authentication object from CRD
* @param volumeMountList List where the volume mounts will be added
* @param tlsVolumeMount Path where the TLS certs should be mounted
* @param passwordVolumeMount Path where passwords should be mounted
* @param oauthCertsVolumeMount Path where the OAuth certificates would be mounted
* @param oauthVolumeNamePrefix Prefix used for OAuth volume names
* @param volumeNamePrefix Prefix used for volume mount names
* @param mountOAuthSecretVolumes Indicates whether OAuth secret volume mounts will be added to the list
* @param oauthSecretsVolumeMount Path where the OAuth secrets would be mounted
*/
public static void configureClientAuthenticationVolumeMounts(KafkaClientAuthentication authentication, List<VolumeMount> volumeMountList, String tlsVolumeMount, String passwordVolumeMount, String oauthCertsVolumeMount, String oauthVolumeNamePrefix, String volumeNamePrefix, boolean mountOAuthSecretVolumes, String oauthSecretsVolumeMount) {
if (authentication != null) {
if (authentication instanceof KafkaClientAuthenticationTls) {
KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
// skipping if a volume mount with same Secret name was already added
if (!volumeMountList.stream().anyMatch(vm -> vm.getName().equals(volumeNamePrefix + tlsAuth.getCertificateAndKey().getSecretName()))) {
volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + tlsAuth.getCertificateAndKey().getSecretName(), tlsVolumeMount + tlsAuth.getCertificateAndKey().getSecretName()));
}
} else if (authentication instanceof KafkaClientAuthenticationPlain) {
KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + passwordAuth.getPasswordSecret().getSecretName(), passwordVolumeMount + passwordAuth.getPasswordSecret().getSecretName()));
} else if (authentication instanceof KafkaClientAuthenticationScram) {
KafkaClientAuthenticationScram scramAuth = (KafkaClientAuthenticationScram) authentication;
volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + scramAuth.getPasswordSecret().getSecretName(), passwordVolumeMount + scramAuth.getPasswordSecret().getSecretName()));
} else if (authentication instanceof KafkaClientAuthenticationOAuth) {
KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
volumeMountList.addAll(configureOauthCertificateVolumeMounts(oauthVolumeNamePrefix, oauth.getTlsTrustedCertificates(), oauthCertsVolumeMount));
if (mountOAuthSecretVolumes) {
if (oauth.getClientSecret() != null) {
volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getClientSecret().getSecretName(), oauthSecretsVolumeMount + oauth.getClientSecret().getSecretName()));
}
if (oauth.getAccessToken() != null) {
volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getAccessToken().getSecretName(), oauthSecretsVolumeMount + oauth.getAccessToken().getSecretName()));
}
if (oauth.getRefreshToken() != null) {
volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getRefreshToken().getSecretName(), oauthSecretsVolumeMount + oauth.getRefreshToken().getSecretName()));
}
}
}
}
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.
the class KafkaConnectAssemblyOperator method generateAuthHash.
/**
* Generates a hash from the trusted TLS certificates that can be used to spot if it has changed.
*
* @param namespace Namespace of the Connect cluster
* @param kafkaConnectSpec KafkaConnectSpec object
* @return Future for tracking the asynchronous result of generating the TLS auth hash
*/
Future<Integer> generateAuthHash(String namespace, KafkaConnectSpec kafkaConnectSpec) {
KafkaClientAuthentication auth = kafkaConnectSpec.getAuthentication();
List<CertSecretSource> trustedCertificates = kafkaConnectSpec.getTls() == null ? Collections.emptyList() : kafkaConnectSpec.getTls().getTrustedCertificates();
return Util.authTlsHash(secretOperations, namespace, auth, trustedCertificates);
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.
the class KafkaMirrorMakerAssemblyOperator method createOrUpdate.
@Override
protected Future<KafkaMirrorMakerStatus> createOrUpdate(Reconciliation reconciliation, KafkaMirrorMaker assemblyResource) {
String namespace = reconciliation.namespace();
KafkaMirrorMakerCluster mirror;
KafkaMirrorMakerStatus kafkaMirrorMakerStatus = new KafkaMirrorMakerStatus();
try {
mirror = KafkaMirrorMakerCluster.fromCrd(reconciliation, assemblyResource, versions);
} catch (Exception e) {
LOGGER.warnCr(reconciliation, e);
StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaMirrorMakerStatus, Future.failedFuture(e));
return Future.failedFuture(new ReconciliationException(kafkaMirrorMakerStatus, e));
}
Map<String, String> annotations = new HashMap<>(1);
KafkaClientAuthentication authConsumer = assemblyResource.getSpec().getConsumer().getAuthentication();
List<CertSecretSource> trustedCertificatesConsumer = assemblyResource.getSpec().getConsumer().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getConsumer().getTls().getTrustedCertificates();
KafkaClientAuthentication authProducer = assemblyResource.getSpec().getProducer().getAuthentication();
List<CertSecretSource> trustedCertificatesProducer = assemblyResource.getSpec().getProducer().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getProducer().getTls().getTrustedCertificates();
Promise<KafkaMirrorMakerStatus> createOrUpdatePromise = Promise.promise();
boolean mirrorHasZeroReplicas = mirror.getReplicas() == 0;
LOGGER.debugCr(reconciliation, "Updating Kafka Mirror Maker cluster");
mirrorMakerServiceAccount(reconciliation, namespace, mirror).compose(i -> deploymentOperations.scaleDown(reconciliation, namespace, mirror.getName(), mirror.getReplicas())).compose(i -> Util.metricsAndLogging(reconciliation, configMapOperations, namespace, mirror.getLogging(), mirror.getMetricsConfigInCm())).compose(metricsAndLoggingCm -> {
ConfigMap logAndMetricsConfigMap = mirror.generateMetricsAndLogConfigMap(metricsAndLoggingCm);
annotations.put(Annotations.STRIMZI_LOGGING_ANNOTATION, logAndMetricsConfigMap.getData().get(mirror.ANCILLARY_CM_KEY_LOG_CONFIG));
return configMapOperations.reconcile(reconciliation, namespace, mirror.getAncillaryConfigMapName(), logAndMetricsConfigMap);
}).compose(i -> pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetOperator.reconcile(reconciliation, namespace, mirror.getName(), mirror.generatePodDisruptionBudget()) : Future.succeededFuture()).compose(i -> !pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetV1Beta1Operator.reconcile(reconciliation, namespace, mirror.getName(), mirror.generatePodDisruptionBudgetV1Beta1()) : Future.succeededFuture()).compose(i -> CompositeFuture.join(Util.authTlsHash(secretOperations, namespace, authConsumer, trustedCertificatesConsumer), Util.authTlsHash(secretOperations, namespace, authProducer, trustedCertificatesProducer))).compose(hashFut -> {
if (hashFut != null) {
annotations.put(Annotations.ANNO_STRIMZI_AUTH_HASH, Integer.toString((int) hashFut.resultAt(0) + (int) hashFut.resultAt(1)));
}
return Future.succeededFuture();
}).compose(i -> deploymentOperations.reconcile(reconciliation, namespace, mirror.getName(), mirror.generateDeployment(annotations, pfa.isOpenshift(), imagePullPolicy, imagePullSecrets))).compose(i -> deploymentOperations.scaleUp(reconciliation, namespace, mirror.getName(), mirror.getReplicas())).compose(i -> deploymentOperations.waitForObserved(reconciliation, namespace, mirror.getName(), 1_000, operationTimeoutMs)).compose(i -> mirrorHasZeroReplicas ? Future.succeededFuture() : deploymentOperations.readiness(reconciliation, namespace, mirror.getName(), 1_000, operationTimeoutMs)).onComplete(reconciliationResult -> {
StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaMirrorMakerStatus, reconciliationResult);
kafkaMirrorMakerStatus.setReplicas(mirror.getReplicas());
kafkaMirrorMakerStatus.setLabelSelector(mirror.getSelectorLabels().toSelectorString());
if (reconciliationResult.succeeded()) {
createOrUpdatePromise.complete(kafkaMirrorMakerStatus);
} else {
createOrUpdatePromise.fail(new ReconciliationException(kafkaMirrorMakerStatus, reconciliationResult.cause()));
}
});
return createOrUpdatePromise.future();
}
use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.
the class KafkaBridgeAssemblyOperator method createOrUpdate.
@Override
protected Future<KafkaBridgeStatus> createOrUpdate(Reconciliation reconciliation, KafkaBridge assemblyResource) {
KafkaBridgeStatus kafkaBridgeStatus = new KafkaBridgeStatus();
String namespace = reconciliation.namespace();
KafkaBridgeCluster bridge;
try {
bridge = KafkaBridgeCluster.fromCrd(reconciliation, assemblyResource, versions);
} catch (Exception e) {
LOGGER.warnCr(reconciliation, e);
StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaBridgeStatus, Future.failedFuture(e));
return Future.failedFuture(new ReconciliationException(kafkaBridgeStatus, e));
}
KafkaClientAuthentication auth = assemblyResource.getSpec().getAuthentication();
List<CertSecretSource> trustedCertificates = assemblyResource.getSpec().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getTls().getTrustedCertificates();
Promise<KafkaBridgeStatus> createOrUpdatePromise = Promise.promise();
boolean bridgeHasZeroReplicas = bridge.getReplicas() == 0;
LOGGER.debugCr(reconciliation, "Updating Kafka Bridge cluster");
kafkaBridgeServiceAccount(reconciliation, namespace, bridge).compose(i -> deploymentOperations.scaleDown(reconciliation, namespace, bridge.getName(), bridge.getReplicas())).compose(scale -> serviceOperations.reconcile(reconciliation, namespace, bridge.getServiceName(), bridge.generateService())).compose(i -> Util.metricsAndLogging(reconciliation, configMapOperations, namespace, bridge.getLogging(), null)).compose(metricsAndLogging -> configMapOperations.reconcile(reconciliation, namespace, bridge.getAncillaryConfigMapName(), bridge.generateMetricsAndLogConfigMap(metricsAndLogging))).compose(i -> pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetOperator.reconcile(reconciliation, namespace, bridge.getName(), bridge.generatePodDisruptionBudget()) : Future.succeededFuture()).compose(i -> !pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetV1Beta1Operator.reconcile(reconciliation, namespace, bridge.getName(), bridge.generatePodDisruptionBudgetV1Beta1()) : Future.succeededFuture()).compose(i -> Util.authTlsHash(secretOperations, namespace, auth, trustedCertificates)).compose(hash -> deploymentOperations.reconcile(reconciliation, namespace, bridge.getName(), bridge.generateDeployment(Collections.singletonMap(Annotations.ANNO_STRIMZI_AUTH_HASH, Integer.toString(hash)), pfa.isOpenshift(), imagePullPolicy, imagePullSecrets))).compose(i -> deploymentOperations.scaleUp(reconciliation, namespace, bridge.getName(), bridge.getReplicas())).compose(i -> deploymentOperations.waitForObserved(reconciliation, namespace, bridge.getName(), 1_000, operationTimeoutMs)).compose(i -> bridgeHasZeroReplicas ? Future.succeededFuture() : deploymentOperations.readiness(reconciliation, namespace, bridge.getName(), 1_000, operationTimeoutMs)).onComplete(reconciliationResult -> {
StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaBridgeStatus, reconciliationResult.mapEmpty());
if (!bridgeHasZeroReplicas) {
int port = KafkaBridgeCluster.DEFAULT_REST_API_PORT;
if (bridge.getHttp() != null) {
port = bridge.getHttp().getPort();
}
kafkaBridgeStatus.setUrl(KafkaBridgeResources.url(bridge.getCluster(), namespace, port));
}
kafkaBridgeStatus.setReplicas(bridge.getReplicas());
kafkaBridgeStatus.setLabelSelector(bridge.getSelectorLabels().toSelectorString());
if (reconciliationResult.succeeded()) {
createOrUpdatePromise.complete(kafkaBridgeStatus);
} else {
createOrUpdatePromise.fail(new ReconciliationException(kafkaBridgeStatus, reconciliationResult.cause()));
}
});
return createOrUpdatePromise.future();
}
Aggregations