bf2fc6cc711aee1a0c2a / kas-fleetshard

The kas-fleetshard-operator is responsible for provisioning and managing instances of kafka on a cluster. The kas-fleetshard-synchronizer synchronizes the state of a fleet shard with the kas-fleet-manager.
Apache License 2.0

MGDSTRM-10438: allow operator overrides to express listener authentication overrides #909

Closed k-wall closed 1 year ago

k-wall commented 1 year ago

Use case is to allow the tuning of JWKS cert refresh defaults

k-wall commented 1 year ago

@grdryn I took a different approach, please take another look

k-wall commented 1 year ago

I verified the changes end to end and confirm that overridden jwks parameters are appearing in the kafka resource.

```
oc get kafka -n kafka-cguqa11h2qfcuvj135i0 -o json kwall-penguin | jq '.spec.kafka.listeners[0].authentication'
{
  "accessTokenIsJwt": true,
  "checkAccessTokenType": true,
  "checkIssuer": true,
  "customClaimCheck": "@.rh-org-id == '13639843'|| @.org_id == '13639843'",
  "enableOauthBearer": true,
  "enablePlain": true,
  "fallbackUserNameClaim": "preferred_username",
  "jwksEndpointUri": "https://sso-keycloak.apps.kwall-kafka.nvee.s1.devshift.org/auth/realms/rhoas/protocol/openid-connect/certs",
  "jwksExpirySeconds": 3600,
  "jwksMinRefreshPauseSeconds": 5,
  "jwksRefreshSeconds": 900,
  "tlsTrustedCertificates": [
    {
      "certificate": "keycloak.crt",
      "secretName": "kwall-penguin-sso-cert"
    }
  ],
  "tokenEndpointUri": "https://sso-keycloak.apps.kwall-kafka.nvee.s1.devshift.org/auth/realms/rhoas/protocol/openid-connect/token",
  "type": "oauth",
  "userNameClaim": "clientId",
  "validIssuerUri": "https://sso-keycloak.apps.kwall-kafka.nvee.s1.devshift.org/auth/realms/rhoas"
}
```
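The block above is the Strimzi `oauth` listener authentication that the override produces. As an added example (not code from kas-fleetshard or from the PR), the following sanity check reads such a block and flags override combinations that would weaken or break JWKS validation: a refresh interval that is not shorter than the expiry, a refresh pause longer than the refresh interval, `checkIssuer` without `validIssuerUri`, non-TLS endpoints, and an HTTPS JWKS endpoint with no pinned trust anchor. The sample input is constructed with placeholder hostnames, and the Strimzi defaults assumed for absent keys (360/300/1 seconds) are an assumption.

```python
import json
from typing import List

# Constructed sample shaped like the listener authentication block shown above;
# hostnames and the org id are placeholders, not values from a real cluster.
SAMPLE_AUTH = json.loads("""
{
  "accessTokenIsJwt": true,
  "checkAccessTokenType": true,
  "checkIssuer": true,
  "customClaimCheck": "@.rh-org-id == 'ORG_ID' || @.org_id == 'ORG_ID'",
  "enableOauthBearer": true,
  "enablePlain": true,
  "jwksEndpointUri": "https://sso.example.invalid/auth/realms/rhoas/protocol/openid-connect/certs",
  "jwksExpirySeconds": 3600,
  "jwksMinRefreshPauseSeconds": 5,
  "jwksRefreshSeconds": 900,
  "tlsTrustedCertificates": [{"certificate": "keycloak.crt", "secretName": "sso-cert"}],
  "tokenEndpointUri": "https://sso.example.invalid/auth/realms/rhoas/protocol/openid-connect/token",
  "type": "oauth",
  "userNameClaim": "clientId",
  "validIssuerUri": "https://sso.example.invalid/auth/realms/rhoas"
}
""")


def check_oauth_listener_auth(auth: dict) -> List[str]:
    """Return findings for a Strimzi oauth listener authentication block (empty list = OK)."""
    findings = []
    if auth.get("type") != "oauth":
        return ["listener authentication type is %r, expected 'oauth'" % auth.get("type")]
    # Defaults assumed from Strimzi docs when a key is absent (not values from this page).
    expiry = auth.get("jwksExpirySeconds", 360)
    refresh = auth.get("jwksRefreshSeconds", 300)
    pause = auth.get("jwksMinRefreshPauseSeconds", 1)
    if refresh >= expiry:  # keys would expire before the broker refreshes them
        findings.append("jwksRefreshSeconds (%d) must be shorter than jwksExpirySeconds (%d)" % (refresh, expiry))
    if pause > refresh:  # pause would postpone every scheduled refresh
        findings.append("jwksMinRefreshPauseSeconds (%d) exceeds jwksRefreshSeconds (%d)" % (pause, refresh))
    if auth.get("checkIssuer") and not auth.get("validIssuerUri"):
        findings.append("checkIssuer is enabled but validIssuerUri is not set")
    for key in ("jwksEndpointUri", "tokenEndpointUri", "validIssuerUri"):
        uri = auth.get(key)
        if uri and not uri.startswith("https://"):
            findings.append("%s is not https: %s" % (key, uri))
    if auth.get("jwksEndpointUri", "").startswith("https://") and not auth.get("tlsTrustedCertificates"):
        findings.append("jwksEndpointUri is https but no tlsTrustedCertificates are pinned")
    return findings
```

Feed it the output of the `oc get kafka ... | jq` command above (`check_oauth_listener_auth(json.load(sys.stdin))`) to review an override before it is rolled out.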
sonarcloud[bot] commented 1 year ago

SonarCloud Quality Gate failed.

- Bug: A, 0 Bugs
- Vulnerability: A, 0 Vulnerabilities
- Security Hotspot: A, 0 Security Hotspots
- Code Smell: A, 1 Code Smell
- Coverage: 78.3%
- Duplication: 0.0%