Examples with KafkaClientAuthentication io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication used on opensource projects

Example 11 with KafkaClientAuthentication

use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.

the class AuthenticationUtils method configureClientAuthenticationVolumeMounts.

/**
 * Creates the VolumeMounts used for authentication of Kafka client based components
 * @param authentication    Authentication object from CRD
 * @param volumeMountList    List where the volume mounts will be added
 * @param tlsVolumeMount    Path where the TLS certs should be mounted
 * @param passwordVolumeMount   Path where passwords should be mounted
 * @param oauthCertsVolumeMount Path where the OAuth certificates would be mounted
 * @param oauthVolumeNamePrefix Prefix used for OAuth volume names
 * @param volumeNamePrefix Prefix used for volume mount names
 * @param mountOAuthSecretVolumes Indicates whether OAuth secret volume mounts will be added to the list
 * @param oauthSecretsVolumeMount Path where the OAuth secrets would be mounted
 */
public static void configureClientAuthenticationVolumeMounts(KafkaClientAuthentication authentication, List<VolumeMount> volumeMountList, String tlsVolumeMount, String passwordVolumeMount, String oauthCertsVolumeMount, String oauthVolumeNamePrefix, String volumeNamePrefix, boolean mountOAuthSecretVolumes, String oauthSecretsVolumeMount) {
    if (authentication != null) {
        if (authentication instanceof KafkaClientAuthenticationTls) {
            KafkaClientAuthenticationTls tlsAuth = (KafkaClientAuthenticationTls) authentication;
            // skipping if a volume mount with same Secret name was already added
            if (!volumeMountList.stream().anyMatch(vm -> vm.getName().equals(volumeNamePrefix + tlsAuth.getCertificateAndKey().getSecretName()))) {
                volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + tlsAuth.getCertificateAndKey().getSecretName(), tlsVolumeMount + tlsAuth.getCertificateAndKey().getSecretName()));
            }
        } else if (authentication instanceof KafkaClientAuthenticationPlain) {
            KafkaClientAuthenticationPlain passwordAuth = (KafkaClientAuthenticationPlain) authentication;
            volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + passwordAuth.getPasswordSecret().getSecretName(), passwordVolumeMount + passwordAuth.getPasswordSecret().getSecretName()));
        } else if (authentication instanceof KafkaClientAuthenticationScram) {
            KafkaClientAuthenticationScram scramAuth = (KafkaClientAuthenticationScram) authentication;
            volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + scramAuth.getPasswordSecret().getSecretName(), passwordVolumeMount + scramAuth.getPasswordSecret().getSecretName()));
        } else if (authentication instanceof KafkaClientAuthenticationOAuth) {
            KafkaClientAuthenticationOAuth oauth = (KafkaClientAuthenticationOAuth) authentication;
            volumeMountList.addAll(configureOauthCertificateVolumeMounts(oauthVolumeNamePrefix, oauth.getTlsTrustedCertificates(), oauthCertsVolumeMount));
            if (mountOAuthSecretVolumes) {
                if (oauth.getClientSecret() != null) {
                    volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getClientSecret().getSecretName(), oauthSecretsVolumeMount + oauth.getClientSecret().getSecretName()));
                }
                if (oauth.getAccessToken() != null) {
                    volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getAccessToken().getSecretName(), oauthSecretsVolumeMount + oauth.getAccessToken().getSecretName()));
                }
                if (oauth.getRefreshToken() != null) {
                    volumeMountList.add(VolumeUtils.createVolumeMount(volumeNamePrefix + oauth.getRefreshToken().getSecretName(), oauthSecretsVolumeMount + oauth.getRefreshToken().getSecretName()));
                }
            }
        }
    }
}

Example 12 with KafkaClientAuthentication

use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.

the class KafkaConnectAssemblyOperator method generateAuthHash.

/**
 * Generates a hash from the trusted TLS certificates that can be used to spot if it has changed.
 *
 * @param namespace          Namespace of the Connect cluster
 * @param kafkaConnectSpec   KafkaConnectSpec object
 * @return                   Future for tracking the asynchronous result of generating the TLS auth hash
 */
Future<Integer> generateAuthHash(String namespace, KafkaConnectSpec kafkaConnectSpec) {
    KafkaClientAuthentication auth = kafkaConnectSpec.getAuthentication();
    List<CertSecretSource> trustedCertificates = kafkaConnectSpec.getTls() == null ? Collections.emptyList() : kafkaConnectSpec.getTls().getTrustedCertificates();
    return Util.authTlsHash(secretOperations, namespace, auth, trustedCertificates);
}

Example 13 with KafkaClientAuthentication

use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.

the class KafkaMirrorMakerAssemblyOperator method createOrUpdate.

@Override
protected Future<KafkaMirrorMakerStatus> createOrUpdate(Reconciliation reconciliation, KafkaMirrorMaker assemblyResource) {
    String namespace = reconciliation.namespace();
    KafkaMirrorMakerCluster mirror;
    KafkaMirrorMakerStatus kafkaMirrorMakerStatus = new KafkaMirrorMakerStatus();
    try {
        mirror = KafkaMirrorMakerCluster.fromCrd(reconciliation, assemblyResource, versions);
    } catch (Exception e) {
        LOGGER.warnCr(reconciliation, e);
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaMirrorMakerStatus, Future.failedFuture(e));
        return Future.failedFuture(new ReconciliationException(kafkaMirrorMakerStatus, e));
    }
    Map<String, String> annotations = new HashMap<>(1);
    KafkaClientAuthentication authConsumer = assemblyResource.getSpec().getConsumer().getAuthentication();
    List<CertSecretSource> trustedCertificatesConsumer = assemblyResource.getSpec().getConsumer().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getConsumer().getTls().getTrustedCertificates();
    KafkaClientAuthentication authProducer = assemblyResource.getSpec().getProducer().getAuthentication();
    List<CertSecretSource> trustedCertificatesProducer = assemblyResource.getSpec().getProducer().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getProducer().getTls().getTrustedCertificates();
    Promise<KafkaMirrorMakerStatus> createOrUpdatePromise = Promise.promise();
    boolean mirrorHasZeroReplicas = mirror.getReplicas() == 0;
    LOGGER.debugCr(reconciliation, "Updating Kafka Mirror Maker cluster");
    mirrorMakerServiceAccount(reconciliation, namespace, mirror).compose(i -> deploymentOperations.scaleDown(reconciliation, namespace, mirror.getName(), mirror.getReplicas())).compose(i -> Util.metricsAndLogging(reconciliation, configMapOperations, namespace, mirror.getLogging(), mirror.getMetricsConfigInCm())).compose(metricsAndLoggingCm -> {
        ConfigMap logAndMetricsConfigMap = mirror.generateMetricsAndLogConfigMap(metricsAndLoggingCm);
        annotations.put(Annotations.STRIMZI_LOGGING_ANNOTATION, logAndMetricsConfigMap.getData().get(mirror.ANCILLARY_CM_KEY_LOG_CONFIG));
        return configMapOperations.reconcile(reconciliation, namespace, mirror.getAncillaryConfigMapName(), logAndMetricsConfigMap);
    }).compose(i -> pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetOperator.reconcile(reconciliation, namespace, mirror.getName(), mirror.generatePodDisruptionBudget()) : Future.succeededFuture()).compose(i -> !pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetV1Beta1Operator.reconcile(reconciliation, namespace, mirror.getName(), mirror.generatePodDisruptionBudgetV1Beta1()) : Future.succeededFuture()).compose(i -> CompositeFuture.join(Util.authTlsHash(secretOperations, namespace, authConsumer, trustedCertificatesConsumer), Util.authTlsHash(secretOperations, namespace, authProducer, trustedCertificatesProducer))).compose(hashFut -> {
        if (hashFut != null) {
            annotations.put(Annotations.ANNO_STRIMZI_AUTH_HASH, Integer.toString((int) hashFut.resultAt(0) + (int) hashFut.resultAt(1)));
        }
        return Future.succeededFuture();
    }).compose(i -> deploymentOperations.reconcile(reconciliation, namespace, mirror.getName(), mirror.generateDeployment(annotations, pfa.isOpenshift(), imagePullPolicy, imagePullSecrets))).compose(i -> deploymentOperations.scaleUp(reconciliation, namespace, mirror.getName(), mirror.getReplicas())).compose(i -> deploymentOperations.waitForObserved(reconciliation, namespace, mirror.getName(), 1_000, operationTimeoutMs)).compose(i -> mirrorHasZeroReplicas ? Future.succeededFuture() : deploymentOperations.readiness(reconciliation, namespace, mirror.getName(), 1_000, operationTimeoutMs)).onComplete(reconciliationResult -> {
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaMirrorMakerStatus, reconciliationResult);
        kafkaMirrorMakerStatus.setReplicas(mirror.getReplicas());
        kafkaMirrorMakerStatus.setLabelSelector(mirror.getSelectorLabels().toSelectorString());
        if (reconciliationResult.succeeded()) {
            createOrUpdatePromise.complete(kafkaMirrorMakerStatus);
        } else {
            createOrUpdatePromise.fail(new ReconciliationException(kafkaMirrorMakerStatus, reconciliationResult.cause()));
        }
    });
    return createOrUpdatePromise.future();
}

Example 14 with KafkaClientAuthentication

use of io.strimzi.api.kafka.model.authentication.KafkaClientAuthentication in project strimzi-kafka-operator by strimzi.

the class KafkaBridgeAssemblyOperator method createOrUpdate.

@Override
protected Future<KafkaBridgeStatus> createOrUpdate(Reconciliation reconciliation, KafkaBridge assemblyResource) {
    KafkaBridgeStatus kafkaBridgeStatus = new KafkaBridgeStatus();
    String namespace = reconciliation.namespace();
    KafkaBridgeCluster bridge;
    try {
        bridge = KafkaBridgeCluster.fromCrd(reconciliation, assemblyResource, versions);
    } catch (Exception e) {
        LOGGER.warnCr(reconciliation, e);
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaBridgeStatus, Future.failedFuture(e));
        return Future.failedFuture(new ReconciliationException(kafkaBridgeStatus, e));
    }
    KafkaClientAuthentication auth = assemblyResource.getSpec().getAuthentication();
    List<CertSecretSource> trustedCertificates = assemblyResource.getSpec().getTls() == null ? Collections.emptyList() : assemblyResource.getSpec().getTls().getTrustedCertificates();
    Promise<KafkaBridgeStatus> createOrUpdatePromise = Promise.promise();
    boolean bridgeHasZeroReplicas = bridge.getReplicas() == 0;
    LOGGER.debugCr(reconciliation, "Updating Kafka Bridge cluster");
    kafkaBridgeServiceAccount(reconciliation, namespace, bridge).compose(i -> deploymentOperations.scaleDown(reconciliation, namespace, bridge.getName(), bridge.getReplicas())).compose(scale -> serviceOperations.reconcile(reconciliation, namespace, bridge.getServiceName(), bridge.generateService())).compose(i -> Util.metricsAndLogging(reconciliation, configMapOperations, namespace, bridge.getLogging(), null)).compose(metricsAndLogging -> configMapOperations.reconcile(reconciliation, namespace, bridge.getAncillaryConfigMapName(), bridge.generateMetricsAndLogConfigMap(metricsAndLogging))).compose(i -> pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetOperator.reconcile(reconciliation, namespace, bridge.getName(), bridge.generatePodDisruptionBudget()) : Future.succeededFuture()).compose(i -> !pfa.hasPodDisruptionBudgetV1() ? podDisruptionBudgetV1Beta1Operator.reconcile(reconciliation, namespace, bridge.getName(), bridge.generatePodDisruptionBudgetV1Beta1()) : Future.succeededFuture()).compose(i -> Util.authTlsHash(secretOperations, namespace, auth, trustedCertificates)).compose(hash -> deploymentOperations.reconcile(reconciliation, namespace, bridge.getName(), bridge.generateDeployment(Collections.singletonMap(Annotations.ANNO_STRIMZI_AUTH_HASH, Integer.toString(hash)), pfa.isOpenshift(), imagePullPolicy, imagePullSecrets))).compose(i -> deploymentOperations.scaleUp(reconciliation, namespace, bridge.getName(), bridge.getReplicas())).compose(i -> deploymentOperations.waitForObserved(reconciliation, namespace, bridge.getName(), 1_000, operationTimeoutMs)).compose(i -> bridgeHasZeroReplicas ? Future.succeededFuture() : deploymentOperations.readiness(reconciliation, namespace, bridge.getName(), 1_000, operationTimeoutMs)).onComplete(reconciliationResult -> {
        StatusUtils.setStatusConditionAndObservedGeneration(assemblyResource, kafkaBridgeStatus, reconciliationResult.mapEmpty());
        if (!bridgeHasZeroReplicas) {
            int port = KafkaBridgeCluster.DEFAULT_REST_API_PORT;
            if (bridge.getHttp() != null) {
                port = bridge.getHttp().getPort();
            }
            kafkaBridgeStatus.setUrl(KafkaBridgeResources.url(bridge.getCluster(), namespace, port));
        }
        kafkaBridgeStatus.setReplicas(bridge.getReplicas());
        kafkaBridgeStatus.setLabelSelector(bridge.getSelectorLabels().toSelectorString());
        if (reconciliationResult.succeeded()) {
            createOrUpdatePromise.complete(kafkaBridgeStatus);
        } else {
            createOrUpdatePromise.fail(new ReconciliationException(kafkaBridgeStatus, reconciliationResult.cause()));
        }
    });
    return createOrUpdatePromise.future();
}