
Add support for SASL and SSL #534

Merged
merged 33 commits into from
Jan 27, 2021
217e4b3
Add Data plane security module and Kubernetes provider
pierDipi Dec 18, 2020
885bae0
Add Auth configurations to contract
pierDipi Dec 18, 2020
4b6c831
Add contol plane security module
pierDipi Dec 20, 2020
f93d129
Integrate security module in Broker and Sink reconciler
pierDipi Dec 21, 2020
28802a7
Add control plane E2E tests
pierDipi Dec 21, 2020
8e1e702
Update proto schema and use PEM format
pierDipi Dec 22, 2020
6be9d5b
Move data plane to PEM certificates format
pierDipi Dec 23, 2020
41c338c
Extend E2E test by sending events
pierDipi Dec 23, 2020
b6c830e
Run E2E test multiple times to reduce flakiness
pierDipi Dec 24, 2020
5a7f3d4
Improve comment
pierDipi Dec 24, 2020
ae6e778
Refresh third party license list
pierDipi Jan 13, 2021
b2c53ae
Update docs in proto definition
pierDipi Jan 13, 2021
dc2b091
Rename E2E test functions
pierDipi Jan 13, 2021
44fc28e
auth.secret.name -> auth.secret.ref.name
pierDipi Jan 13, 2021
8656664
Add boilerplate to reconciler_test.go
pierDipi Jan 13, 2021
633c250
Lint and update codegen
pierDipi Jan 13, 2021
537a759
Change comment to Kubernetes resource reference
pierDipi Jan 15, 2021
3b312d2
Remove Nullable annotations
pierDipi Jan 18, 2021
ba47c98
Ensure TypeMeta when Tracker OnChanged is called
pierDipi Jan 18, 2021
d8fbee0
Remove unused Sarama logger adapter function
pierDipi Jan 18, 2021
c8079c4
Use symlinks to testdata certs
pierDipi Jan 18, 2021
4eb7b89
KafkaSink supports SASL / SSL
pierDipi Jan 18, 2021
d3cbc35
Move bootstrap servers config in one place
pierDipi Jan 18, 2021
3dd445d
Add KafkaSink E2E tests
pierDipi Jan 18, 2021
e9882f0
Refresh third party file
pierDipi Jan 18, 2021
44b7086
Add Validation test for secret reference
pierDipi Jan 18, 2021
f98026f
Update codegen
pierDipi Jan 18, 2021
b680429
Update KafkaSink CRD schema
pierDipi Jan 19, 2021
0f00ee3
Test security config functions
pierDipi Jan 19, 2021
efdd565
Test security config and scram modules
pierDipi Jan 19, 2021
417c5f7
Rename data plane roles
pierDipi Jan 19, 2021
0ff238d
Maven exclusion directly in parent pom
pierDipi Jan 21, 2021
9836bf6
Refactor credentials fetching
pierDipi Jan 25, 2021
9 changes: 9 additions & 0 deletions control-plane/config/200-controller-cluster-role.yaml
Expand Up @@ -60,6 +60,15 @@ rules:
- patch
- watch

- apiGroups:
- "*"
resources:
- secrets
verbs:
- list
- get
- watch

# Eventing resources and statuses we care about
- apiGroups:
- "eventing.knative.dev"
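Review bot: The added rule gives the controller `get`, `list` and `watch` on `secrets` under `apiGroups: "*"`, and since this file is (going by its name) the controller's cluster role, that amounts to read access to every Secret in every namespace. Secrets are served from the core API group, so the wildcard buys nothing and would also match a `secrets` resource exposed by any aggregated API; I would change `- "*"` to `- ""`. The rule also has no comment, unlike the `# Eventing resources and statuses we care about` block below it; something like `# Secrets referenced by Broker and KafkaSink auth config (SASL/SSL credentials)` would tell an auditor why cluster-wide read is needed. If the referenced secrets can be limited to known namespaces, a namespaced Role and RoleBinding would reduce what a compromised controller can read, though whether that is feasible depends on code outside this hunk.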
19 changes: 19 additions & 0 deletions control-plane/config/sink/100-kafka-sink.yaml
Expand Up @@ -82,6 +82,25 @@ spec:
- structured
- binary
default: structured
auth:
description: 'Auth configurations'
type: object
properties:
secret:
description: 'Auth secret'
type: object
properties:
ref:
# TODO add format in description (?)
description: |
Secret reference.
type: object
required:
- name
properties:
name:
description: 'Secret name'
type: string
status:
description: 'Status represents the current state of the Broker. This data may be out of date.'
type: object
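Review bot: `auth.secret.ref.name` is listed under `required` but has no `minLength`, so `name: ""` passes the OpenAPI schema and is rejected only if the validating webhook runs; adding `minLength: 1` under `name` keeps that rejection at the API server. The `# TODO add format in description (?)` on `ref` is worth resolving before release: the description `Secret reference.` should say that the Secret is presumably looked up in the KafkaSink's own namespace (there is no `namespace` property here) and which keys it must contain. The expected keys are not visible in this section, so I have not spelled them out.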
Expand Up @@ -27,7 +27,7 @@ func (ks *KafkaSink) SetDefaults(ctx context.Context) {
func (kss *KafkaSinkSpec) SetDefaults(ctx context.Context) {
defaultMode := ModeStructured

if kss.ContentMode == nil {
if kss.ContentMode == nil || *kss.ContentMode == "" {
kss.ContentMode = &defaultMode
}
}
24 changes: 24 additions & 0 deletions control-plane/pkg/apis/eventing/v1alpha1/kafka_sink_types.go
Expand Up @@ -23,6 +23,7 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
"knative.dev/pkg/apis"
duckv1 "knative.dev/pkg/apis/duck/v1"
"knative.dev/pkg/kmeta"
)

const (
Expand Down Expand Up @@ -60,6 +61,7 @@ var _ apis.Defaultable = (*KafkaSink)(nil)
var _ runtime.Object = (*KafkaSink)(nil)
var _ duckv1.KRShaped = (*KafkaSink)(nil)
var _ apis.Convertible = (*KafkaSink)(nil)
var _ kmeta.OwnerRefable = (*KafkaSink)(nil)

// KafkaSinkSpec defines the desired state of the Kafka Sink.
type KafkaSinkSpec struct {
Expand Down Expand Up @@ -91,6 +93,24 @@ type KafkaSinkSpec struct {
//
// +optional
ContentMode *string `json:"contentMode,omitempty"`

// Auth configurations.
Auth *Auth `json:"auth,omitempty"`
}

type Auth struct {
// Auth Secret
Secret *Secret `json:"secret,omitempty"`
}

type Secret struct {
// Secret reference for SASL and SSL configurations.
Ref *SecretReference `json:"ref,omitempty"`
}

type SecretReference struct {
// Secret name.
Name string `json:"name"`
}

// KafkaSinkStatus represents the current state of the KafkaSink.
Expand Down Expand Up @@ -129,3 +149,7 @@ func (ks *KafkaSink) GetUntypedSpec() interface{} {
func (ks *KafkaSink) GetStatus() *duckv1.Status {
return &ks.Status.Status
}

func (kss KafkaSinkSpec) HasAuthConfig() bool {
return kss.Auth != nil && kss.Auth.Secret != nil && kss.Auth.Secret.Ref != nil
}
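Review bot: The new exported types `Auth`, `Secret` and `SecretReference` in the third hunk have no doc comments, and the `Auth` field lacks the `// +optional` marker that `ContentMode` directly above it carries, even though it is a pointer with `omitempty`. I would add comments that start with the type name, e.g. `// SecretReference names a Secret holding SASL/SSL settings; it has no namespace field, so it cannot point outside the KafkaSink's namespace.` The second half of that comment is my reading of the struct and should be confirmed against the reconciler before it is written down. Separately, `HasAuthConfig` in the last hunk uses a value receiver `(kss KafkaSinkSpec)` while `SetDefaults` and `Validate` use `*KafkaSinkSpec`; a pointer receiver would keep the method set consistent and avoid copying the spec on every call.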
Expand Up @@ -62,6 +62,10 @@ func (kss *KafkaSinkSpec) Validate(ctx context.Context) *apis.FieldError {
errs = errs.Also(apis.ErrInvalidValue(*kss.NumPartitions, "numPartitions"))
}

if kss.HasAuthConfig() && kss.Auth.Secret.Ref.Name == "" {
errs = errs.Also(apis.ErrInvalidValue("", "auth.secret.ref.name"))
}

return errs
}
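Review bot: The added check only fires when `HasAuthConfig()` is true, so a spec with `auth: {}` or `auth: {secret: {}}` validates cleanly and is then indistinguishable from a sink with no auth block at all. If the reconciler treats that as "no credentials" (not visible here), a user who meant to enable SASL/SSL ends up with an unauthenticated or plaintext connection and no error; I would reject the partial block, e.g. `if kss.Auth != nil && !kss.HasAuthConfig() { errs = errs.Also(apis.ErrMissingField("auth.secret.ref.name")) }`. The table in `TestKafkaSink_Validate` would then want cases for `&Auth{}` and `&Auth{Secret: &Secret{}}` next to the existing `invalid secret name` one. `Validate` begins above this hunk, so this covers only the added lines.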

Expand Up @@ -127,6 +127,19 @@ func TestKafkaSink_Validate(t *testing.T) {
ctx: context.Background(),
want: apis.ErrInvalidValue("-10", "spec.replicationFactor"),
},
{
name: "invalid secret name",
ks: &KafkaSink{
Spec: KafkaSinkSpec{
Topic: "topic-name-1",
BootstrapServers: []string{"broker-1:9092"},
ContentMode: pointer.StringPtr(ModeStructured),
Auth: &Auth{Secret: &Secret{Ref: &SecretReference{}}},
},
},
ctx: context.Background(),
want: apis.ErrInvalidValue("", "spec.auth.secret.ref.name"),
},
{
name: "immutable replication factor",
ks: &KafkaSink{
63 changes: 63 additions & 0 deletions control-plane/pkg/apis/eventing/v1alpha1/zz_generated.deepcopy.go
