redpanda-data / helm-charts

Redpanda Helm Chart
http://redpanda.com
Apache License 2.0

🫐 🐛 Operator doesn't seem to be configuring HTTP Proxy listeners, TLS and advertised addresses properties #1158

Closed c4milo closed 7 months ago

c4milo commented 7 months ago

What happened?

```console
❯ curl localhost:9644/v1/node_config | jq .
{
    "advertised_kafka_api": [
        {
            "name": "internal",
            "address": "redpanda-broker-0.redpanda-broker.redpanda.svc.cluster.local.",
            "port": 9092
        },
        {
            "name": "default",
            "address": "rp0-8d4c486.camilo.panda.dev",
            "port": 31092
        },
        {
            "name": "kafka-api",
            "address": "rp0-8d4c486.camilo.panda.dev",
            "port": 32092
        }
    ],
    "advertised_rpc_api": {
        "address": "redpanda-broker-0.redpanda-broker.redpanda.svc.cluster.local.",
        "port": 33145
    },
    "verbose_logging_timeout_sec_max": null,
    "recovery_mode_enabled": false,
    "storage_failure_injection_enabled": false,
    "crash_loop_limit": 5,
    "emergency_disable_data_transforms": false,
    "admin": [
        {
            "name": "internal",
            "address": "0.0.0.0",
            "port": 9644
        },
        {
            "name": "default",
            "address": "0.0.0.0",
            "port": 9645
        }
    ],
    "kafka_api": [
        {
            "name": "internal",
            "address": "0.0.0.0",
            "port": 9092,
            "authentication_method": "sasl"
        },
        {
            "name": "default",
            "address": "0.0.0.0",
            "port": 9094,
            "authentication_method": "sasl"
        },
        {
            "name": "kafka-api",
            "address": "0.0.0.0",
            "port": 32092,
            "authentication_method": "sasl"
        }
    ],
    "developer_mode": false,
    "admin_api_doc_dir": "/usr/share/redpanda/admin-api-doc",
    "rpc_server_tls": {
        "enabled": true,
        "require_client_auth": false,
        "key_file": "/etc/tls/certs/selfsigned/tls.key",
        "cert_file": "/etc/tls/certs/selfsigned/tls.crt",
        "truststore_file": "/etc/tls/certs/selfsigned/ca.crt"
    },
    "empty_seed_starts_cluster": false,
    "memory_allocation_warning_threshold": 131073,
    "seed_servers": [
        {
            "host": {
                "address": "redpanda-broker-0.redpanda-broker.redpanda.svc.cluster.local.",
                "port": 33145
            }
        },
        {
            "host": {
                "address": "redpanda-broker-1.redpanda-broker.redpanda.svc.cluster.local.",
                "port": 33145
            }
        },
        {
            "host": {
                "address": "redpanda-broker-2.redpanda-broker.redpanda.svc.cluster.local.",
                "port": 33145
            }
        }
    ],
    "upgrade_override_checks": false,
    "rack": "eastus-1",
    "rpc_server": {
        "address": "0.0.0.0",
        "port": 33145
    },
    "admin_api_tls": [],
    "node_id": 0,
    "cloud_storage_cache_directory": null,
    "storage_failure_injection_config_path": null,
    "data_directory": {
        "data_directory": "/var/lib/redpanda/data"
    },
    "kafka_api_tls": [
        {
            "name": "internal",
            "enabled": true,
            "require_client_auth": false,
            "key_file": "/etc/tls/certs/selfsigned/tls.key",
            "cert_file": "/etc/tls/certs/selfsigned/tls.crt",
            "truststore_file": "/etc/tls/certs/selfsigned/ca.crt"
        },
        {
            "name": "default",
            "enabled": true,
            "require_client_auth": false,
            "key_file": "/etc/tls/certs/external/tls.key",
            "cert_file": "/etc/tls/certs/external/tls.crt",
            "truststore_file": "/etc/tls/certs/external/ca.crt"
        },
        {
            "name": "kafka-api",
            "enabled": true,
            "require_client_auth": false,
            "key_file": "/etc/tls/certs/letsencrypt/tls.key",
            "cert_file": "/etc/tls/certs/letsencrypt/tls.crt",
            "truststore_file": "/etc/ssl/certs/ca-certificates.crt"
        }
    ]
}
```

What did you expect to happen?

I expected node_config to return HTTP Proxy listeners and advertised configurations.

How can we reproduce it (as minimally and precisely as possible)? Please include values file.

```yaml
apiVersion: v1
items:
- apiVersion: cluster.redpanda.com/v1alpha1
  kind: Redpanda
  metadata:
    annotations:
      cluster.redpanda.com/force-helm-update: "1.712029689e+09"
      cluster.redpanda.com/managed: "true"
      meta.helm.sh/release-name: redpanda
      meta.helm.sh/release-namespace: redpanda
    creationTimestamp: "2024-04-05T20:35:59Z"
    finalizers:
    - operator.redpanda.com/finalizer
    generation: 1
    labels:
      app.kubernetes.io/managed-by: Helm
    name: redpanda-broker
    namespace: redpanda
    resourceVersion: "13517697"
    uid: 5fb38417-ab27-46fd-a842-c5889b45f6f6
  spec:
    clusterSpec:
      auth:
        sasl:
          enabled: true
          mechanism: SCRAM-SHA-512
          secretRef: redpanda-superusers
          users: []
      clusterDomain: cluster.local
      commonLabels:
        azure.workload.identity/use: "true"
      config:
        cluster:
          default_topic_replications: 3
          minimum_topic_replications: 3
        node: {}
        tunable: {}
      connectors:
        enabled: false
      console:
        enabled: false
      enterprise:
        licenseSecretRef:
          key: license
          name: redpanda-license
      external:
        addresses:
        - $PREFIX_TEMPLATE
        domain: camilo.panda.dev
        enabled: true
        externalDns:
          enabled: true
        prefixTemplate: rp${POD_ORDINAL}-$(echo -n $HOST_IP_ADDRESS | sha256sum | head -c 7)
        service:
          enabled: true
        type: NodePort
      image:
        repository: docker.redpanda.com/redpandadata/redpanda
        tag: v23.3.7
      listeners:
        admin:
          external:
            admin-api:
              advertisedPorts:
              - 30644
              authenticationMethod: sasl
              enabled: false
              port: 30644
              tls:
                cert: letsencrypt
                enabled: true
                requireClientAuth: false
          port: 9644
          tls:
            cert: selfsigned
            enabled: false
            requireClientAuth: false
        http:
          authenticationMethod: http_basic
          external:
            http-proxy:
              advertisedPorts:
              - 31082
              authenticationMethod: http_basic
              enabled: true
              port: 31082
              tls:
                cert: letsencrypt
                enabled: true
                requireClientAuth: false
          port: 8082
          prefixTemplate: http-proxy$POD_ORDINAL
          tls:
            cert: selfsigned
            enabled: true
            requireClientAuth: false
        kafka:
          authenticationMethod: sasl
          external:
            kafka-api:
              advertisedPorts:
              - 32092
              authenticationMethod: sasl
              enabled: true
              port: 32092
              tls:
                cert: letsencrypt
                requireClientAuth: false
          port: 9092
          prefixTemplate: kafka-api$POD_ORDINAL
          tls:
            cert: selfsigned
            requireClientAuth: false
        rpc:
          port: 33145
          tls:
            cert: selfsigned
            requireClientAuth: false
        schemaRegistry:
          authenticationMethod: http_basic
          external:
            schema-registry:
              advertisedPorts:
              - 31081
              authenticationMethod: http_basic
              enabled: true
              port: 31081
              tls:
                cert: letsencrypt
                requireClientAuth: false
          port: 8081
          tls:
            cert: selfsigned
            requireClientAuth: false
      logging:
        logLevel: debug
        usageStats:
          clusterId: 9m4e2mr0ui3e8a215n4g
          enabled: true
      rackAwareness:
        enabled: true
      rbac:
        enabled: true
      resources:
        cpu:
          cores: 15
        memory:
          container:
            max: 107520Mi
            min: 107520Mi
          enable_memory_locking: true
      serviceAccount:
        annotations:
          azure.workload.identity/client-id: 7bef7aa7-cb90-4860-834f-6d92e070cffc
        create: true
        name: id-rpcloud-9m4e2mr0ui3e8a215n4
      statefulset:
        additionalRedpandaCmdFlags:
        - --abort-on-seastar-bad-alloc
        - --dump-memory-diagnostics-on-alloc-failure-kind=all
        budget:
          maxUnavailable: 1
        initContainers:
          fsValidator:
            enabled: true
          setDataDirOwnership:
            enabled: true
        nodeSelector:
          cloud.redpanda.com/role: redpanda
        replicas: 3
        securityContext:
          allowPrivilegeEscalation: false
          runAsGroup: 65530
          runAsNonRoot: true
          runAsUser: 65530
        tolerations:
        - effect: NoSchedule
          key: cloud.redpanda.com/role
          operator: Equal
          value: redpanda
      storage:
        persistentVolume:
          enabled: true
          size: 4096Gi
          storageClass: local-path
        tiered:
          mountType: persistentVolume
          persistentVolume:
            storageClass: local-path
      tls:
        certs:
          letsencrypt:
            caEnabled: false
            duration: 43800h
            issuerRef:
              kind: ClusterIssuer
              name: letsencrypt-dns
          selfsigned:
            caEnabled: true
            duration: 43800h
            issuerRef:
              kind: ClusterIssuer
              name: redpanda.local
        enabled: true
      tuning:
        tune_aio_events: false
  status:
    conditions:
    - lastTransitionTime: "2024-04-05T20:37:20Z"
      message: Redpanda reconciliation succeeded
      reason: RedpandaClusterDeployed
      status: "True"
      type: Ready
    helmRelease: redpanda-broker
    helmReleaseReady: true
    helmRepository: redpanda-repository
    helmRepositoryReady: true
    observedGeneration: 1
kind: List
metadata:
  resourceVersion: ""
```

Anything else we need to know?

No response

Which are the affected charts?

Redpanda, Operator

Chart Version(s)

```console
❯ helm -n redpanda list
NAME               NAMESPACE  REVISION  UPDATED                                  STATUS    CHART            APP VERSION
redpanda           redpanda   1         2024-04-05 16:35:59.323258 -0400 EDT     deployed  redpanda-0.1.1   0.1.0
redpanda-broker    redpanda   1         2024-04-05 20:36:41.021226462 +0000 UTC  deployed  redpanda-5.7.37  v23.3.10
redpanda-operator  redpanda   2         2024-04-05 13:29:48.869211 -0400 EDT     deployed  operator-0.4.20  v2.1.15-23.3.7
```

Cloud provider

Azure / AKS

RafalKorepta commented 7 months ago

It's not a Helm chart problem. You need to ask Core Redpanda to fix that.

c4milo commented 7 months ago

What do you mean? How were we able to configure it here then? https://github.com/redpanda-data/redpanda-operator/pull/21/files


chrisseto commented 7 months ago

@c4milo I think cating the redpanda YAML and calling out the stanza of the CRD/values that you expect to set advertised_* fields might help indicate the issue here?

At first glance it does seem like this issue is asking for new API fields but I'm guessing node_config returns those fields provided they're set?

RafalKorepta commented 7 months ago

The problem is that the Core Redpanda RESTful'ish API does not return the HTTP proxy configuration (panda proxy) from the v1/node_config.

c4milo commented 7 months ago

@RafalKorepta, thanks for elaborating further. I've created https://github.com/redpanda-data/redpanda/issues/17814 to track that one up!
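
Added example (not part of the issue thread and not Redpanda project code): a way to read the `node_config` output from the original report, pairing every listener with its TLS and advertised-address entries and listing expected sections that the response omits. The sample data is constructed by trimming the output above; the section name `pandaproxy_api` mentioned in the note after the block is an assumption about how an HTTP Proxy section would be named, since the thread establishes that `node_config` does not return it.

```python
"""Pair node_config listeners with their TLS/advertised entries; list absent sections."""

# Constructed sample: trimmed from the node_config output in the issue above.
SAMPLE = {
    "admin": [{"name": "internal", "address": "0.0.0.0", "port": 9644},
              {"name": "default", "address": "0.0.0.0", "port": 9645}],
    "admin_api_tls": [],
    "kafka_api": [
        {"name": "internal", "port": 9092, "authentication_method": "sasl"},
        {"name": "default", "port": 9094, "authentication_method": "sasl"},
        {"name": "kafka-api", "port": 32092, "authentication_method": "sasl"}],
    "kafka_api_tls": [
        {"name": "internal", "enabled": True, "require_client_auth": False},
        {"name": "default", "enabled": True, "require_client_auth": False},
        {"name": "kafka-api", "enabled": True, "require_client_auth": False}],
    "advertised_kafka_api": [
        {"name": "internal", "port": 9092},
        {"name": "default", "port": 31092},
        {"name": "kafka-api", "port": 32092}],
}

# listener section -> (TLS section, advertised section); names taken from the output above.
FAMILIES = {"admin": ("admin_api_tls", None),
            "kafka_api": ("kafka_api_tls", "advertised_kafka_api")}


def listener_report(cfg, families=FAMILIES):
    """Return one row per listener with its TLS, client-auth and advertised-port state."""
    rows = []
    for section, (tls_key, adv_key) in families.items():
        tls = {t["name"]: t for t in cfg.get(tls_key) or []}
        adv = {a["name"]: a for a in cfg.get(adv_key) or []} if adv_key else {}
        for lst in cfg.get(section) or []:
            t = tls.get(lst["name"], {})  # no TLS entry with this listener name -> {}
            rows.append({
                "section": section, "name": lst["name"], "port": lst["port"],
                "tls": bool(t.get("enabled")),
                "mtls": bool(t.get("enabled") and t.get("require_client_auth")),
                "auth": lst.get("authentication_method"),
                "advertised_port": adv.get(lst["name"], {}).get("port"),
            })
    return rows


def missing_sections(cfg, expected):
    """Sections the caller expects to see that the node_config response omits."""
    return [key for key in expected if key not in cfg]
```

On the sample, `listener_report(SAMPLE)` shows both admin listeners with `tls: False` (because `admin_api_tls` is empty) and all three Kafka listeners with TLS enabled and SASL authentication. `missing_sections(SAMPLE, ["kafka_api", "pandaproxy_api"])` returns only the assumed HTTP Proxy section name.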