strimzi / kafka-access-operator

Operator for sharing access to Strimzi clusters across namespaces
Apache License 2.0

Does KafkaAccess currently yield a secret with TLS certificates? #23

Closed jonathansick closed 1 year ago

jonathansick commented 1 year ago

I'm giving the strimzi-access-operator a spin, running it on an image I built from the current main branch. I successfully got a secret generated from a KafkaAccess, and although it has info like bootstrapServers and securityProtocol, the Secret is missing the TLS certs I'd expect for mutual TLS authentication. I was under the impression this was implemented, but if not I totally understand! I can come back later :)

If generating the TLS certs is expected, I wonder if I'm not getting the TLS certs because the KafkaAccess is in a different namespace than the KafkaUser? Perhaps as a security default? One of my use cases for KafkaAccess is to make it easier to run Kafka clients in their own namespaces, while also using mutual TLS for all producers/consumers.

Thanks for this project and Strimzi!


Below are the relevant Kubernetes resources

The KafkaAccess resource:

apiVersion: access.strimzi.io/v1alpha1
kind: KafkaAccess
metadata:
  creationTimestamp: '2023-05-10T22:11:49Z'
  generation: 3
  labels:
    argocd.argoproj.io/instance: squarebot
  name: squarebot-kafka
  namespace: squarebot
spec:
  kafka:
    listener: tls
    name: sasquatch
    namespace: sasquatch
  user:
    apiGroup: kafka.strimzi.io
    kind: KafkaUser
    name: squarebot
    namespace: sasquatch
status:
  binding:
    name: squarebot-kafka
  observedGeneration: 3

Here's the squarebot-kafka Secret:

apiVersion: v1
data:
  bootstrap-servers: ++++++++
  bootstrap.servers: ++++++++
  bootstrapServers: ++++++++
  provider: ++++++++
  security.protocol: ++++++++
  securityProtocol: ++++++++
  type: ++++++++
kind: Secret
metadata:
  creationTimestamp: '2023-05-11T16:22:47Z'
  labels:
    app.kubernetes.io/managed-by: kafka-access-operator
  name: squarebot-kafka
  namespace: squarebot
  ownerReferences:
    - apiVersion: access.strimzi.io/v1alpha1
      blockOwnerDeletion: false
      controller: false
      kind: KafkaAccess
      name: squarebot-kafka
      uid: b2ddd23e-23ac-4fff-abbb-5b061ce029e1
  resourceVersion: '94325390'
  uid: 30fff5ab-5642-4090-9eaa-f0e04a0dc2ef
type: servicebinding.io/kafka

The value of securityProtocol is SSL, which I expect.

Here's the KafkaUser, which authenticates with TLS:

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"kafka.strimzi.io/v1beta2","kind":"KafkaUser","metadata":{"annotations":{},"labels":{"argocd.argoproj.io/instance":"sasquatch","strimzi.io/cluster":"sasquatch"},"name":"squarebot","namespace":"sasquatch"},"spec":{"authentication":{"type":"tls"},"authorization":{"acls":[{"host":"*","operations":["Write","Describe"],"resource":{"name":"rubin.square.events.squarebot.slack.app_mention","patternType":"literal","type":"topic"},"type":"allow"},{"host":"*","operations":["Write","Describe"],"resource":{"name":"rubin.square.events.squarebot.slack.message.channels","patternType":"literal","type":"topic"},"type":"allow"},{"host":"*","operations":["Write","Describe"],"resource":{"name":"rubin.square.events.squarebot.slack.message.groups","patternType":"literal","type":"topic"},"type":"allow"},{"host":"*","operations":["Write","Describe"],"resource":{"name":"rubin.square.events.squarebot.slack.message.im","patternType":"literal","type":"topic"},"type":"allow"},{"host":"*","operations":["Write","Describe"],"resource":{"name":"rubin.square.events.squarebot.slack.message.mpim","patternType":"literal","type":"topic"},"type":"allow"},{"host":"*","operations":["Write","Describe"],"resource":{"name":"rubin.square.events.squarebot.slack.interaction","patternType":"literal","type":"topic"},"type":"allow"}],"type":"simple"}}}
  creationTimestamp: "2023-05-10T21:45:49Z"
  generation: 2
  labels:
    argocd.argoproj.io/instance: sasquatch
    strimzi.io/cluster: sasquatch
  name: squarebot
  namespace: sasquatch
  resourceVersion: "93538771"
  uid: 95eb3936-7966-4bab-a16e-7fd7b3764ab2
spec:
  authentication:
    type: tls
  authorization:
    acls:
    - host: '*'
      operations:
      - Write
      - Describe
      resource:
        name: rubin.square.events.squarebot.slack.app_mention
        patternType: literal
        type: topic
      type: allow
    - host: '*'
      operations:
      - Write
      - Describe
      resource:
        name: rubin.square.events.squarebot.slack.message.channels
        patternType: literal
        type: topic
      type: allow
    - host: '*'
      operations:
      - Write
      - Describe
      resource:
        name: rubin.square.events.squarebot.slack.message.groups
        patternType: literal
        type: topic
      type: allow
    - host: '*'
      operations:
      - Write
      - Describe
      resource:
        name: rubin.square.events.squarebot.slack.message.im
        patternType: literal
        type: topic
      type: allow
    - host: '*'
      operations:
      - Write
      - Describe
      resource:
        name: rubin.square.events.squarebot.slack.message.mpim
        patternType: literal
        type: topic
      type: allow
    - host: '*'
      operations:
      - Write
      - Describe
      resource:
        name: rubin.square.events.squarebot.slack.interaction
        patternType: literal
        type: topic
      type: allow
    type: simple
status:
  conditions:
  - lastTransitionTime: "2023-05-10T22:02:13.276129432Z"
    status: "True"
    type: Ready
  observedGeneration: 2
  secret: squarebot
  username: CN=squarebot

And here's the Kafka resource:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  creationTimestamp: "2023-05-08T20:10:15Z"
  generation: 1
  labels:
    argocd.argoproj.io/instance: sasquatch
  name: sasquatch
  namespace: sasquatch
  resourceVersion: "91407025"
  uid: 29593ee8-92f9-483b-991c-c5143cae66f9
spec:
  entityOperator:
    topicOperator: {}
    userOperator: {}
  kafka:
    authorization:
      superUsers:
      - kafka-admin
      type: simple
    config:
      default.replication.factor: 3
      log.retention.bytes: 429496729600
      log.retention.hours: 72
      message.max.bytes: 10485760
      min.insync.replicas: 3
      offsets.retention.minutes: 4320
      offsets.topic.replication.factor: 3
      replica.fetch.max.bytes: 10485760
      replica.lag.time.max.ms: 120000
      transaction.state.log.min.isr: 3
      transaction.state.log.replication.factor: 3
    listeners:
    - authentication:
        type: tls
      name: tls
      port: 9093
      tls: true
      type: internal
    replicas: 3
    storage:
      type: jbod
      volumes:
      - class: premium-rwo
        deleteClaim: false
        id: 0
        size: 100Gi
        type: persistent-claim
    template:
      persistentVolumeClaim:
        metadata:
          annotations:
            argocd.argoproj.io/compare-options: IgnoreExtraneous
            argocd.argoproj.io/sync-options: Prune=false
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: roundtable.lsst.cloud/pool
                  operator: In
                  values:
                  - kafka
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                - key: strimzi.io/cluster
                  operator: In
                  values:
                  - sasquatch
              topologyKey: kubernetes.io/hostname
        tolerations:
        - effect: NoExecute
          key: dedicated
          operator: Equal
          value: kafka
    version: 3.3.1
  zookeeper:
    replicas: 3
    storage:
      class: premium-rwo
      deleteClaim: false
      size: 100Gi
      type: persistent-claim
    template:
      persistentVolumeClaim:
        metadata:
          annotations:
            argocd.argoproj.io/compare-options: IgnoreExtraneous
            argocd.argoproj.io/sync-options: Prune=false
      pod:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
              - matchExpressions:
                - key: roundtable.lsst.cloud/pool
                  operator: In
                  values:
                  - zookeeper
          podAntiAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                - key: strimzi.io/cluster
                  operator: In
                  values:
                  - sasquatch
              topologyKey: kubernetes.io/hostname
        tolerations:
        - effect: NoExecute
          key: dedicated
          operator: Equal
          value: zookeeper
status:
  clusterId: 4ABh50JtTQSok7sFBvX-XA
  conditions:
  - lastTransitionTime: "2023-05-08T20:15:57.002249422Z"
    status: "True"
    type: Ready
  listeners:
  - addresses:
    - host: sasquatch-kafka-bootstrap.sasquatch.svc
      port: 9093
    bootstrapServers: sasquatch-kafka-bootstrap.sasquatch.svc:9093
    certificates:
    - |
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
    name: tls
    type: tls
  observedGeneration: 1
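
As an added check (not part of this issue or of the operator's own code), a small Python routine that decodes a binding Secret like the one above and lists what a client configured for mutual TLS would find missing. The expected key names ca.crt, user.crt and user.key are assumed from what Strimzi's KafkaUser secret publishes, and the sample Secret is constructed with placeholder values in place of the redacted ones.

```python
import base64

# Keys an mTLS client needs; the names are those Strimzi's KafkaUser secret uses
# (assumption: the access operator would copy them under the same names).
CA_KEY = "ca.crt"
CLIENT_KEYS = ("user.crt", "user.key")

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample modelled on the squarebot-kafka Secret above; the real
# values were redacted as "++++++++", so plausible placeholders stand in.
BOOTSTRAP = "sasquatch-kafka-bootstrap.sasquatch.svc:9093"
BINDING_SECRET = {
    "type": "servicebinding.io/kafka",
    "data": {
        "bootstrap-servers": _b64(BOOTSTRAP),
        "bootstrap.servers": _b64(BOOTSTRAP),
        "bootstrapServers": _b64(BOOTSTRAP),
        "provider": _b64("strimzi"),
        "security.protocol": _b64("SSL"),
        "securityProtocol": _b64("SSL"),
        "type": _b64("kafka"),
    },
}

def decode_data(secret: dict) -> dict:
    """Base64-decode every entry of secret.data into a plain string."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}

def check_binding(secret: dict, user_auth_type: str) -> list:
    """List what a Kafka client would be missing; user_auth_type is the
    KafkaUser's spec.authentication.type ("tls" in the issue)."""
    data = decode_data(secret)
    problems = []
    # Both spellings are published; clients reading different keys must agree.
    for a, b in (("bootstrapServers", "bootstrap.servers"),
                 ("securityProtocol", "security.protocol")):
        if data.get(a) != data.get(b):
            problems.append(f"{a} and {b} disagree")
    proto = data.get("securityProtocol", "PLAINTEXT")
    if proto in ("SSL", "SASL_SSL") and CA_KEY not in data:
        problems.append(f"missing {CA_KEY}: client cannot verify the broker")
    if user_auth_type == "tls":
        for key in CLIENT_KEYS:
            if key not in data:
                problems.append(f"missing {key}: client cannot authenticate")
    return problems
```

Run against the Secret from the issue, the check reports all three pieces of certificate material as missing, which matches the behaviour described in the question.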

scholzj commented 1 year ago

Please be aware that there is no release of the Kafka Access Operator yet and it is still work in progress. So not everything is working, and bugs and missing features are to be expected.

jonathansick commented 1 year ago

No worries at all. Thanks again!