iits-consulting / otc-terraform-template

Template for OTC Terraform Education Purposes
GNU General Public License v3.0

Kafka not initializing & Basic Auth Credentials #5

Closed lenni108 closed 1 year ago

lenni108 commented 1 year ago

I deployed your template and ran into two problems.

  1. The two Kafka Charts are not deploying. I get the following error with the Kafka exporter:

Error Init Kafka Client: kafka: client has run out of available brokers to talk to: dial tcp: lookup kafka-0.kafka-headless.kafka.svc.cluster.local: no such host

EDIT: I found another Error in ArgoCD, originating from the Kafka Exporter Pod itself:

policy restrict-seccomp-strict/check-seccomp-strict fail: validation error: Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, spec.containers[].securityContext.seccompProfile.type, spec.initContainers[].securityContext.seccompProfile.type, and spec.ephemeralContainers[*].securityContext.seccompProfile.type must be set to RuntimeDefault or Localhost. rule check-seccomp-strict[0] failed at path /spec/securityContext/seccompProfile/ rule check-seccomp-strict[1] failed at path /spec/containers/0/securityContext/seccompProfile/

  2. I cannot find the correct Basic Auth credentials. When I try to access the admin domain (e.g. admin.may-domain.com) I get a prompt asking me for a username and password. I tried out multiple values such as the ArgoCD credentials and the credentials provided in the Helm Chart for the Basic Auth. Any idea what went wrong here?

Best regards!

victorgetz commented 1 year ago

Hi, thank you very much for the report.

Both issues are intentionally built like that. Normally this repo is guided by one of our tutors inside a workshop.

1. It is weird that the Kafka from iits-charts does not work out of the box. Bitnami Kafka is intended not to work. It is a part of the workshop where you need to debug the issue and look at why it does not work. You already found the "issue". Since we construct a proper setup, we enforce security best practices by default. That means all containers are by default forced to run as non-root, a seccomp profile is set, no host volumes .... That's why your exporter does not work.

But since Bitnami Kafka needs to run as root, you need to learn the basics about security enforcement and Kyverno and how to make exclusions. The solution to this task would be applying this Kubernetes manifest:

apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
  name: kafka
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-weight": "-5"
spec:
  exceptions:
    - policyName: require-run-as-non-root-user
      ruleNames:
        - run-as-non-root-user
    - policyName: enforce-security-context
      ruleNames:
        - add-pod-security-context
  match:
    any:
      - resources:
          kinds:
            - Pod
            - Deployment
            - ReplicaSet
          names:
            - kafka*
          namespaces:
            - bitnami-kafka

2. This is my bad. I should have auto-created the credentials individually for everyone. Normally we tell the clients the credentials during the workshop. I will implement the auto-generated method today. Please write an e-mail to victor.getz@iits-consulting.de and I will send you the credentials.
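
The PolicyException above only exempts two named rules, and only for `kafka*` resources in the `bitnami-kafka` namespace. The following Python is an added example (not code from the otc-terraform-template repo or from Kyverno) that transcribes that exception into a dict and re-implements its scoping in simplified form, so you can check which admission findings it actually covers before applying it; the sample findings, resource names and the matcher itself are constructed assumptions, not Kyverno's own matcher.

```python
from fnmatch import fnmatchcase

# The PolicyException from the comment above, transcribed to a dict (constructed; not parsed from YAML).
KAFKA_EXCEPTION = {
    "exceptions": [
        {"policyName": "require-run-as-non-root-user", "ruleNames": ["run-as-non-root-user"]},
        {"policyName": "enforce-security-context", "ruleNames": ["add-pod-security-context"]},
    ],
    "match": {"any": [{"resources": {
        "kinds": ["Pod", "Deployment", "ReplicaSet"],
        "names": ["kafka*"],
        "namespaces": ["bitnami-kafka"],
    }}]},
}


def resource_matches(filt, kind, name, namespace):
    """One 'resources' filter selects the resource: kind, name (shell-style wildcard) and namespace."""
    res = filt["resources"]
    return (kind in res.get("kinds", [kind])
            and any(fnmatchcase(name, pat) for pat in res.get("names", ["*"]))
            and namespace in res.get("namespaces", [namespace]))


def is_excepted(exc, policy, rule, kind, name, namespace):
    """True only if BOTH the policy/rule is listed AND the resource falls inside the match scope."""
    rule_listed = any(e["policyName"] == policy and rule in e["ruleNames"] for e in exc["exceptions"])
    in_scope = any(resource_matches(f, kind, name, namespace) for f in exc["match"]["any"])
    return rule_listed and in_scope


def still_blocked(exc, findings):
    """Return the findings (policy, rule, kind, name, namespace) the exception does NOT cover."""
    return [f for f in findings if not is_excepted(exc, *f)]


# Constructed sample findings in the shape of the admission errors quoted in the issue.
SAMPLE_FINDINGS = [
    ("restrict-seccomp-strict", "check-seccomp-strict", "Pod", "kafka-exporter-0", "bitnami-kafka"),
    ("require-run-as-non-root-user", "run-as-non-root-user", "Pod", "kafka-0", "bitnami-kafka"),
    ("require-run-as-non-root-user", "run-as-non-root-user", "Pod", "kafka-0", "kafka"),
]

if __name__ == "__main__":
    for finding in still_blocked(KAFKA_EXCEPTION, SAMPLE_FINDINGS):
        print("still blocked:", finding)
```

Running it shows that a seccomp finding and a pod outside `bitnami-kafka` remain blocked, so a failing `restrict-seccomp-strict` rule needs its own, equally narrow exception entry rather than a broader match.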

victorgetz commented 1 year ago

I have now added the auto-generated method. Please update the repos on your side for terraform and infrastructure-charts.