Allow property security-inter-broker-protocol #85
Conversation
Looks good to me, just rebase to have the latest changes.
…inistration and cc connection (51191e5 to 869549e)
api/v1beta1/kafkacluster_types.go
Outdated
@@ -748,6 +748,7 @@ type CommonListenerSpec struct { | |||
// At least one of the listeners should have this flag enabled | |||
// +optional | |||
UsedForInnerBrokerCommunication bool `json:"usedForInnerBrokerCommunication"` | |||
UsedForKafkaAdminCommunication bool `json:"usedForKafkaAdminCommunication,omitempty"` |
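Review bot: the new UsedForKafkaAdminCommunication field lands on CommonListenerSpec without any doc comment, while the neighbouring UsedForInnerBrokerCommunication carries both an explanatory comment ("At least one of the listeners should have this flag enabled") and a `// +optional` marker. Since the JSON tag already says `omitempty`, add the matching `// +optional` marker for consistency with the CRD generator, and a comment stating what the flag selects (the listener the operator and Cruise Control connect through, per the discussion below), whether it is required on at least one listener, and what happens when none or several listeners set it, so CRD users do not have to read pkg/util/client to find out.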
Add description for when this flag is useful.
pkg/util/client/common.go
Outdated
@@ -37,11 +37,18 @@ func UseSSL(cluster *v1beta1.KafkaCluster) bool { | |||
|
|||
func getContainerPortForInnerCom(internalListeners []v1beta1.InternalListenerConfig, extListeners []v1beta1.ExternalListenerConfig) int32 { | |||
for _, val := range internalListeners { | |||
if val.UsedForKafkaAdminCommunication { // Cannot Currently update the CRD as I do not have permissions |
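Review bot: the trailing comment on the `if val.UsedForKafkaAdminCommunication {` line (`// Cannot Currently update the CRD as I do not have permissions`) is a leftover working note and should go before merge, replaced by a comment that explains why this flag is consulted here instead of UsedForInnerBrokerCommunication. Also, if the loop body returns on the first internal listener that sets the flag (the hunk cuts off before the return), any later listener with the flag is silently ignored; either document that first-match behaviour or reject specs with more than one admin listener in validation, because the port chosen here decides which listener, and therefore which security protocol, the operator's admin client talks over.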
CRDs are not updated in all envs, is this still needed?
I forgot to clean up this comment; the conditional statement is still needed though, I will add a comment explaining the use. The summary is, having a separate flag to indicate which port to use for the koperator and CruiseControl logic is valuable, as it normally just uses the UsedForInnerBrokerCommunication port, which may not be a port CC or Koperator has access to.
pkg/resources/kafka/configmap.go
Outdated
@@ -88,8 +88,10 @@ func (r *Reconciler) getConfigProperties(bConfig *v1beta1.BrokerConfig, id int32 | |||
} | |||
|
|||
// Add Cruise Control Metrics Reporter configuration | |||
if err := config.Set(kafkautils.CruiseControlConfigMetricsReporters, "com.linkedin.kafka.cruisecontrol.metricsreporter.CruiseControlMetricsReporter"); err != nil { | |||
log.Error(err, fmt.Sprintf("setting '%s' in broker configuration resulted an error", kafkautils.CruiseControlConfigMetricsReporters)) | |||
if !strings.Contains(r.KafkaCluster.Spec.ReadOnlyConfig, kafkautils.KafkaConfigSecurityInterBrokerProtocol+"=") { |
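Review bot: `!strings.Contains(r.KafkaCluster.Spec.ReadOnlyConfig, kafkautils.KafkaConfigSecurityInterBrokerProtocol+"=")` is a raw substring test on the read-only config text, so a commented-out line such as `#security.inter.broker.protocol=SSL`, or a different key that merely ends with this name, counts as "set", while `security.inter.broker.protocol = SSL` (spaces around the separator) counts as "unset"; parse the read-only config into properties (getBrokerReadOnlyConfig, as suggested in the thread) and look the key up instead. The `// Add Cruise Control Metrics Reporter configuration` comment should also state that the reporter is not configured when this property is present, since the new condition changes what the broker ends up running with.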
I think you can convert the readonly config to properties using func getBrokerReadOnlyConfig, or some similar logic
Also, update the comment to reflect that the reporter is disabled when inter broker communication is secured
Updated to use the getBrokerReadOnlyConfig function and added comment.
@@ -292,9 +296,12 @@ func generateListenerSpecificConfig(l *v1beta1.ListenersConfig, serverPasses map | |||
if err := config.Set(kafkautils.KafkaConfigListenerSecurityProtocolMap, securityProtocolMapConfig); err != nil { | |||
log.Error(err, fmt.Sprintf("setting '%s' parameter in broker configuration resulted an error", kafkautils.KafkaConfigListenerSecurityProtocolMap)) | |||
} | |||
if err := config.Set(kafkautils.KafkaConfigInterBrokerListenerName, interBrokerListenerName); err != nil { | |||
log.Error(err, fmt.Sprintf("setting '%s' parameter in broker configuration resulted an error", kafkautils.KafkaConfigInterBrokerListenerName)) | |||
if !strings.Contains(r, kafkautils.KafkaConfigSecurityInterBrokerProtocol+"=") { |
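Review bot: `if !strings.Contains(r, kafkautils.KafkaConfigSecurityInterBrokerProtocol+"=")` duplicates the substring check from getConfigProperties with the same weaknesses (commented lines match, whitespace around `=` does not), and `r` here is a plain string argument whereas `r` in the other hunk is the *Reconciler receiver, which is confusing to read; give the parameter a descriptive name such as readOnlyConfig and move the test into one helper used by both call sites, so the two decisions (skip the metrics reporter, skip inter.broker.listener.name) cannot drift apart. Because skipping `config.Set(kafkautils.KafkaConfigInterBrokerListenerName, interBrokerListenerName)` means the operator-chosen listener no longer decides inter-broker traffic, both outcomes of this branch deserve a unit test; the commit list mentions security_inter_broker_protocol_Set for the "set" case, and the "unset" case should be covered too.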
This means the inter broker listener needs to be explicitly specified through the readonly config right?
Yes, that is correct. It is a Kafka property similar to, but conflicting with, inter.broker.listener.name and inter.broker.listener.protocol
…t test - security_inter_broker_protocol_Set
* Fix flaky test by deleting nodeports explicitly (#67)
* Upgrade Kafka to 3.6.0 (#69)
* Upgrade dependencies
* Fix wrong port on expectEnvoyWithConfigAz2Tls test (#70)
* Upgrade Kafka to 3.6.1 (#71)
  Co-authored-by: Petruț™ <cpetrache@adobe.com>
* Upgrade Kafka image to use Java v21 (#72)
* Added arm64 to docker build platforms (#73)
* Added arm64 to docker build platforms
* Regenerated headers for 2024
* Upgrading Kafka to 3.7.0 (#77)
* Update codeql-analysis.yml (#78)
* [INTERNAL] Create uniq leader ID per operator deployment (#76)
* [INTERNAL] Get watched namespaces from env variable (#75)
  (cherry picked from commit de6500b)
* [CORE-106517] Fix outdated config in the sample (#83)
* Cross-compile koperator for arm and intel. (#84)
* Adding Contour Ingress support (#82)
* Allow property security-inter-broker-protocol (#85)
* adding the ability to use security-inter-broker-protocol in koperator
* updating util.go to remove _ for generated names
* adding replace all for external listener port name
* fixing other places where externallistener name is used to not have _
* adding an alternative way to identify which port to use for kafka administration and cc connection
* taking out comments for pr push
* fixing kafka crd
* setting omitempty so it will not be required
* adding generated crds
* adding comments with context for new flag UsedForKafkaAdminCommunication
* Use getBrokerReadOnlyConfig function to get properties and update unit test - security_inter_broker_protocol_Set
* Update crds to match generated manifest
---------
Co-authored-by: Cameron Wright <red82277@adobe.com>
Co-authored-by: Ha Van <red83362@adobe.com>
---------
Co-authored-by: ctrlaltluc <96051211+ctrlaltluc@users.noreply.github.com>
Co-authored-by: Adi Muraru <amuraru@adobe.com>
Co-authored-by: Razvan Dobre <dobre@adobe.com>
Co-authored-by: Cristian-Petrut Petrache <cristianpetrache@gmail.com>
Co-authored-by: Petruț™ <cpetrache@adobe.com>
Co-authored-by: Adrian Muraru <adi.muraru@gmail.com>
Co-authored-by: Adrian <1664229+azun@users.noreply.github.com>
Co-authored-by: aguzovatii <guzovatii.anatolii@gmail.com>
Co-authored-by: cawright-rh <cawright@redhat.com>
Co-authored-by: Cameron Wright <red82277@adobe.com>
Co-authored-by: Ha Van <red83362@adobe.com>
Co-authored-by: Daniel Vaseekaran <red10447@adobe.com>
* Fix flaky test by deleting nodeports explicitly (#67)
* Upgrade Kafka to 3.6.0 (#69)
* Upgrade dependencies
* Fix wrong port on expectEnvoyWithConfigAz2Tls test (#70)
* Upgrade Kafka to 3.6.1 (#71)
  Co-authored-by: Petruț™ <cpetrache@adobe.com>
* Upgrade Kafka image to use Java v21 (#72)
* Added arm64 to docker build platforms (#73)
* Added arm64 to docker build platforms
* Regenerated headers for 2024
* Upgrading Kafka to 3.7.0 (#77)
* Update codeql-analysis.yml (#78)
* [INTERNAL] Create uniq leader ID per operator deployment (#76)
* [INTERNAL] Get watched namespaces from env variable (#75)
  (cherry picked from commit de6500b)
* [CORE-106517] Fix outdated config in the sample (#83)
* Cross-compile koperator for arm and intel. (#84)
* Adding Contour Ingress support (#82)
* Allow property security-inter-broker-protocol (#85)
* adding the ability to use security-inter-broker-protocol in koperator
* updating util.go to remove _ for generated names
* adding replace all for external listener port name
* fixing other places where externallistener name is used to not have _
* adding an alternative way to identify which port to use for kafka administration and cc connection
* taking out comments for pr push
* fixing kafka crd
* setting omitempty so it will not be required
* adding generated crds
* adding comments with context for new flag UsedForKafkaAdminCommunication
* Use getBrokerReadOnlyConfig function to get properties and update unit test - security_inter_broker_protocol_Set
* Update crds to match generated manifest
---------
Co-authored-by: Cameron Wright <red82277@adobe.com>
Co-authored-by: Ha Van <red83362@adobe.com>
* Revert "Allow concurrent broker restarts from same AZ (broker rack) (#62)"
  This reverts commit 514fa07.
* Fixed build issues
* Fix TestGenerateBrokerConfig
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added watch namespaces
* Added tmate for debugging
* Added tmate for debugging
* Added tmate for debugging
* Added enabled projectcontour helm install
* Enabled cloud-provider-kind
* Added ProjectContour cluster role
* updated certificate name
* updated certificate name
* Run without SSL
* Removing Project Contour
* Adding cloud-provider-kind
* Removing cloud-provider - manually adding during test
* trigger test
* Remove SnpshotClusterAndCompare
* Increased log length for Snapshot and Compare
* Re-Add Snapshot and compare
* Increased log length for Snapshot and Compare
* Increased log length even more
* Add Uninstall Contour CRDs
* Re-Add KafkaCluster_SSL Tests
* Removing BanzaiCloud Helm Chart from list of repos
* pushing up latest go.sum
* Clean up Merge
* Enabling Tmate to debug e2e Test
* Revert Cert Changes
* Revert "Revert Cert Changes"
  This reverts commit 5c5b19c.
* Enable sslClientAuth
* trigger test
* WIP: Fix Listener Config
* Clean up test case results - tc-1
* Clean up test case results - tc-2
* Updated Kraft Test Cases
* Cleanup Linting Issues
* Remove Tmate Debugger
* Run Kraft Cluster E2E
* Add kraft e2e test
* Revert Test
---------
Co-authored-by: ctrlaltluc <96051211+ctrlaltluc@users.noreply.github.com>
Co-authored-by: Adi Muraru <amuraru@adobe.com>
Co-authored-by: Razvan Dobre <dobre@adobe.com>
Co-authored-by: Cristian-Petrut Petrache <cristianpetrache@gmail.com>
Co-authored-by: Petruț™ <cpetrache@adobe.com>
Co-authored-by: Adrian Muraru <adi.muraru@gmail.com>
Co-authored-by: Adrian <1664229+azun@users.noreply.github.com>
Co-authored-by: aguzovatii <guzovatii.anatolii@gmail.com>
Co-authored-by: cawright-rh <cawright@redhat.com>
Co-authored-by: Cameron Wright <red82277@adobe.com>
Co-authored-by: Ha Van <red83362@adobe.com>
Co-authored-by: Daniel Vaseekaran <red10447@adobe.com>
* Fix flaky test by deleting nodeports explicitly (#67)
* Upgrade Kafka to 3.6.0 (#69)
* Upgrade dependencies
* Fix wrong port on expectEnvoyWithConfigAz2Tls test (#70)
* Upgrade Kafka to 3.6.1 (#71)
  Co-authored-by: Petruț™ <cpetrache@adobe.com>
* Upgrade Kafka image to use Java v21 (#72)
* Added arm64 to docker build platforms (#73)
* Added arm64 to docker build platforms
* Regenerated headers for 2024
* Upgrading Kafka to 3.7.0 (#77)
* Update codeql-analysis.yml (#78)
* [INTERNAL] Create uniq leader ID per operator deployment (#76)
* [INTERNAL] Get watched namespaces from env variable (#75)
  (cherry picked from commit de6500b)
* [CORE-106517] Fix outdated config in the sample (#83)
* Cross-compile koperator for arm and intel. (#84)
* Adding Contour Ingress support (#82)
* Allow property security-inter-broker-protocol (#85)
* adding the ability to use security-inter-broker-protocol in koperator
* updating util.go to remove _ for generated names
* adding replace all for external listener port name
* fixing other places where externallistener name is used to not have _
* adding an alternative way to identify which port to use for kafka administration and cc connection
* taking out comments for pr push
* fixing kafka crd
* setting omitempty so it will not be required
* adding generated crds
* adding comments with context for new flag UsedForKafkaAdminCommunication
* Use getBrokerReadOnlyConfig function to get properties and update unit test - security_inter_broker_protocol_Set
* Update crds to match generated manifest
---------
Co-authored-by: Cameron Wright <red82277@adobe.com>
Co-authored-by: Ha Van <red83362@adobe.com>
* Revert "Allow concurrent broker restarts from same AZ (broker rack) (#62)"
  This reverts commit 514fa07.
* Fixed build issues
* Fix TestGenerateBrokerConfig
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added LoadBalancer for Kind E2E test cluster
* Added watch namespaces
* Added tmate for debugging
* Added tmate for debugging
* Added tmate for debugging
* Added enabled projectcontour helm install
* Enabled cloud-provider-kind
* Added ProjectContour cluster role
* updated certificate name
* updated certificate name
* Run without SSL
* Removing Project Contour
* Adding cloud-provider-kind
* Removing cloud-provider - manually adding during test
* trigger test
* Remove SnpshotClusterAndCompare
* Increased log length for Snapshot and Compare
* Re-Add Snapshot and compare
* Increased log length for Snapshot and Compare
* Increased log length even more
* Add Uninstall Contour CRDs
* Re-Add KafkaCluster_SSL Tests
* Removing BanzaiCloud Helm Chart from list of repos
* pushing up latest go.sum
* Clean up Merge
* Enabling Tmate to debug e2e Test
* Revert Cert Changes
* Revert "Revert Cert Changes"
  This reverts commit 5c5b19c.
* Enable sslClientAuth
* trigger test
* WIP: Fix Listener Config
* Clean up test case results - tc-1
* Clean up test case results - tc-2
* Updated Kraft Test Cases
* Cleanup Linting Issues
* Remove Tmate Debugger
* Run Kraft Cluster E2E
* Increase Timeout to allow pod termination
* Trigger Test
* Added Debugger
* Fix App Labels for Controllers
* Revert image update
* Revert "Fix App Labels for Controllers"
  This reverts commit a3cf8a5.
* Include Broker/Controller Labels for Headless SVC Selector
* Logic for controller listener
* add controller service
* Added Headless-Controller-SVC Labels
* Fix controller addresses and labels for brokers
* Empty commit to trigger e2e
* Set up kafka-3 as controller only for troubleshooting
* Empty commit to trigger e2e
* Use controller address for JMXTemplate
* Update uninstall timeout to 600s
* fix lint
* fix lint
* fix lint
* Enable TMate Debugger
* Trigger E2E
* Updated BrokerIdLabelkey
* Updated BrokerIdLabelkey
* Check for Kraft mode when setting the controller listener
* Check for Kraft mode when setting the controller listener
* Disable tmate from e2e test
* adding //nolint:unparam to testProduceConsumeInternal func now that it is used twice
* moving the //nolint:unparam to the none-ssl version
* Fixed BrokerLabel Test
* Add additional test cases for TestGetBrokerLabels
* Add additional test cases for TestGetBrokerLabels
* commenting out broker-1 in test to fix kraft test
* adding conditional to check if kraft mode is enabled before selecting which expected results in test
---------
Co-authored-by: ctrlaltluc <96051211+ctrlaltluc@users.noreply.github.com>
Co-authored-by: Adi Muraru <amuraru@adobe.com>
Co-authored-by: Razvan Dobre <dobre@adobe.com>
Co-authored-by: Cristian-Petrut Petrache <cristianpetrache@gmail.com>
Co-authored-by: Petruț™ <cpetrache@adobe.com>
Co-authored-by: Adrian Muraru <adi.muraru@gmail.com>
Co-authored-by: Adrian <1664229+azun@users.noreply.github.com>
Co-authored-by: aguzovatii <guzovatii.anatolii@gmail.com>
Co-authored-by: cawright-rh <cawright@redhat.com>
Co-authored-by: Cameron Wright <red82277@adobe.com>
Co-authored-by: Ha Van <red83362@adobe.com>
Co-authored-by: Daniel Vaseekaran <red10447@adobe.com>
Co-authored-by: Ha Van <168012087+musubi7726@users.noreply.github.com>
Description
This change is to allow for the Kafka property security.inter.broker.protocol to be used by the broker pods. Currently, koperator will create the property inter.broker.listener.name, which is mutually exclusive with security.inter.broker.protocol. See the Kafka documentation on the property: https://kafka.apache.org/documentation/#brokerconfigs_security.inter.broker.protocol
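An added example in Go (not koperator's code, and not the project's getBrokerReadOnlyConfig) that demonstrates the two points this PR turns on: the review thread's objection to testing the raw read-only config with strings.Contains, and the either/or choice this description makes between inter.broker.listener.name and security.inter.broker.protocol. The properties parser, the helper names (parseReadOnlyConfig, naiveHasProperty, hasProperty, interBrokerSetting) and the sample configs are all constructed for this example; only the two Kafka property names come from the page.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// The two mutually exclusive Kafka broker properties discussed in the PR.
const (
	InterBrokerListenerName     = "inter.broker.listener.name"
	SecurityInterBrokerProtocol = "security.inter.broker.protocol"
)

// Constructed sample read-only config blocks (not taken from the PR).
const (
	// Commented-out key: a substring test reports it as set, a parser does not.
	cfgCommented = "# security.inter.broker.protocol=SSL\nnum.partitions=3\n"
	// Whitespace around '=': a substring test misses it, a parser finds it.
	cfgSpaced = "security.inter.broker.protocol = SSL\nnum.partitions=3\n"
	// Unrelated key that merely ends with the property name.
	cfgSuffix = "my.security.inter.broker.protocol=PLAINTEXT\n"
	cfgPlain  = "security.inter.broker.protocol=SASL_SSL\nnum.partitions=3\n"
	cfgNone   = "num.partitions=3\n"
)

// parseReadOnlyConfig reads a Java-properties style block (one key=value or
// key:value per line, '#'/'!' comment lines, optional whitespace around the
// separator) into a map. Hypothetical helper, not koperator's implementation.
func parseReadOnlyConfig(raw string) map[string]string {
	props := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "!") {
			continue
		}
		sep := strings.IndexAny(line, "=:")
		if sep < 0 {
			props[line] = "" // bare key, as java.util.Properties treats it
			continue
		}
		props[strings.TrimSpace(line[:sep])] = strings.TrimSpace(line[sep+1:])
	}
	return props
}

// naiveHasProperty is the substring test from the PR's first revision.
func naiveHasProperty(raw, key string) bool {
	return strings.Contains(raw, key+"=")
}

// hasProperty is the parsed alternative: the key must be a real, uncommented entry.
func hasProperty(raw, key string) bool {
	_, ok := parseReadOnlyConfig(raw)[key]
	return ok
}

// interBrokerSetting returns the single inter-broker property an operator should
// emit: the user's security.inter.broker.protocol when it is present in the
// read-only config, otherwise the operator-chosen listener name, never both.
func interBrokerSetting(raw, operatorListenerName string) (key, value string) {
	if v, ok := parseReadOnlyConfig(raw)[SecurityInterBrokerProtocol]; ok {
		return SecurityInterBrokerProtocol, v
	}
	return InterBrokerListenerName, operatorListenerName
}

func main() {
	samples := []struct{ name, cfg string }{
		{"commented", cfgCommented}, {"spaced", cfgSpaced}, {"suffix", cfgSuffix},
		{"plain", cfgPlain}, {"none", cfgNone},
	}
	for _, s := range samples {
		k, v := interBrokerSetting(s.cfg, "INTERNAL")
		fmt.Printf("%-9s naive=%-5t parsed=%-5t -> %s=%s\n", s.name,
			naiveHasProperty(s.cfg, SecurityInterBrokerProtocol),
			hasProperty(s.cfg, SecurityInterBrokerProtocol), k, v)
	}
}
```

The "commented", "spaced" and "suffix" samples are the cases where the two checks disagree; with the substring test, a stale commented-out line would silently drop the Cruise Control metrics reporter and the operator's inter-broker listener from the generated broker config, which is why the parsed lookup is the safer gate for both decisions.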