Merge branch 'master' into merge-kraft-2

Author: Daniel Vaseekaran

.github/workflows/build-push-kafka-docker.yml

@@ -24,18 +24,21 @@ jobs:
           echo ::set-output name=version::${VERSION}
           echo ::set-output name=tags::${TAGS}
           echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
         if: startsWith(github.ref, 'refs/tags/')
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Build and push
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: docker/kafka
+          platforms: linux/amd64,linux/arm64
           push: ${{ startsWith(github.ref, 'refs/tags/') }}
           tags: ${{ steps.prep.outputs.tags }}
           labels: |

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

Makefile

@@ -156,6 +156,20 @@ docker-build: ## Build the operator docker image.
 docker-push: ## Push the operator docker image.
 	docker push ${IMG}
 
+# PLATFORMS defines the target platforms for the manager image be built to provide support to multiple
+# architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to:
+# - be able to use docker buildx. More info: https://docs.docker.com/build/buildx/
+# - have enabled BuildKit. More info: https://docs.docker.com/develop/develop-images/build_enhancements/
+# - be able to push the image to your registry (i.e. if you do not set a valid value via IMG=<myregistry/image:<tag>> then the export will fail)
+# To adequately provide solutions that are compatible with multiple platforms, you should consider using this option.
+PLATFORMS ?= linux/arm64,linux/amd64
+.PHONY: docker-buildx
+docker-buildx: ## Build and push docker image for the manager for cross-platform support
+	- docker buildx create --name koperator-builder
+	docker buildx use koperator-builder
+	docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile .
+	- docker buildx rm koperator-builder
+
 bin/controller-gen: bin/controller-gen-$(CONTROLLER_GEN_VERSION) ## Symlink controller-gen-<version> into versionless controller-gen.
 	@ln -sf controller-gen-$(CONTROLLER_GEN_VERSION) bin/controller-gen
 

api/go.mod

@@ -7,7 +7,7 @@ require (
 	emperror.dev/errors v0.8.1
 	github.com/banzaicloud/istio-client-go v0.0.17
 	github.com/cert-manager/cert-manager v1.13.2
-	github.com/stretchr/testify v1.8.4
+	// github.com/stretchr/testify v1.8.4
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
 	gotest.tools v2.2.0+incompatible
 	k8s.io/api v0.28.4
@@ -16,7 +16,7 @@ require (
 )
 
 require (
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	// github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
@@ -25,15 +25,18 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	// github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/net v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	// gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
+
+// remove once https://github.com/cert-manager/cert-manager/issues/5953 is fixed
+replace github.com/Venafi/vcert/v4 => github.com/jetstack/vcert/v4 v4.9.6-0.20230127103832-3aa3dfd6613d

api/v1beta1/kafkacluster_types.go

@@ -178,7 +178,7 @@ type KafkaClusterSpec struct {
 	RollingUpgradeConfig        RollingUpgradeConfig    `json:"rollingUpgradeConfig"`
 	// Selector for broker pods that need to be recycled/reconciled
 	TaintedBrokersSelector *metav1.LabelSelector `json:"taintedBrokersSelector,omitempty"`
-	// +kubebuilder:validation:Enum=envoy;istioingress
+	// +kubebuilder:validation:Enum=envoy;contour;istioingress
 	// IngressController specifies the type of the ingress controller to be used for external listeners. The `istioingress` ingress controller type requires the `spec.istioControlPlane` field to be populated as well.
 	IngressController string `json:"ingressController,omitempty"`
 	// IstioControlPlane is a reference to the IstioControlPlane resource for envoy configuration. It must be specified if istio ingress is used.
@@ -190,13 +190,14 @@ type KafkaClusterSpec struct {
 	// when false, they will be kept so the Kafka cluster remains available for those Kafka clients which are still using the previous ingress setting.
 	// +kubebuilder:default=false
 	// +optional
-	RemoveUnusedIngressResources bool                `json:"removeUnusedIngressResources,omitempty"`
-	PropagateLabels              bool                `json:"propagateLabels,omitempty"`
-	CruiseControlConfig          CruiseControlConfig `json:"cruiseControlConfig"`
-	EnvoyConfig                  EnvoyConfig         `json:"envoyConfig,omitempty"`
-	MonitoringConfig             MonitoringConfig    `json:"monitoringConfig,omitempty"`
-	AlertManagerConfig           *AlertManagerConfig `json:"alertManagerConfig,omitempty"`
-	IstioIngressConfig           IstioIngressConfig  `json:"istioIngressConfig,omitempty"`
+	RemoveUnusedIngressResources bool                 `json:"removeUnusedIngressResources,omitempty"`
+	PropagateLabels              bool                 `json:"propagateLabels,omitempty"`
+	CruiseControlConfig          CruiseControlConfig  `json:"cruiseControlConfig"`
+	EnvoyConfig                  EnvoyConfig          `json:"envoyConfig,omitempty"`
+	ContourIngressConfig         ContourIngressConfig `json:"contourIngressConfig,omitempty"`
+	MonitoringConfig             MonitoringConfig     `json:"monitoringConfig,omitempty"`
+	AlertManagerConfig           *AlertManagerConfig  `json:"alertManagerConfig,omitempty"`
+	IstioIngressConfig           IstioIngressConfig   `json:"istioIngressConfig,omitempty"`
 	// Envs defines environment variables for Kafka broker Pods.
 	// Adding the "+" prefix to the name prepends the value to that environment variable instead of overwriting it.
 	// Add the "+" suffix to append.
@@ -624,6 +625,10 @@ func (c IngressServiceSettings) GetServiceType() corev1.ServiceType {
 	return c.ServiceType
 }
 
+func (c ContourIngressConfig) GetBrokerFqdn(brokerId int32) string {
+	return strings.Replace(c.BrokerFQDNTemplate, "%id", strconv.Itoa(int(brokerId)), 1)
+}
+
 // Replace %id in brokerHostnameTemplate with actual broker id
 func (c EnvoyConfig) GetBrokerHostname(brokerId int32) string {
 	return strings.Replace(c.BrokerHostnameTemplate, "%id", strconv.Itoa(int(brokerId)), 1)
@@ -704,7 +709,7 @@ type ExternalListenerConfig struct {
 	// IngressControllerTargetPort defines the container port that the ingress controller uses for handling external traffic.
 	// If not defined, 29092 will be used as the default IngressControllerTargetPort value.
 	IngressControllerTargetPort *int32 `json:"ingressControllerTargetPort,omitempty"`
-	// +kubebuilder:validation:Enum=LoadBalancer;NodePort
+	// +kubebuilder:validation:Enum=LoadBalancer;NodePort;ClusterIP
 	// accessMethod defines the method which the external listener is exposed through.
 	// Two types are supported LoadBalancer and NodePort.
 	// The recommended and default is the LoadBalancer.
@@ -727,8 +732,16 @@ type Config struct {
 
 type IngressConfig struct {
 	IngressServiceSettings `json:",inline"`
-	IstioIngressConfig     *IstioIngressConfig `json:"istioIngressConfig,omitempty"`
-	EnvoyConfig            *EnvoyConfig        `json:"envoyConfig,omitempty"`
+	IstioIngressConfig     *IstioIngressConfig   `json:"istioIngressConfig,omitempty"`
+	EnvoyConfig            *EnvoyConfig          `json:"envoyConfig,omitempty"`
+	ContourIngressConfig   *ContourIngressConfig `json:"contourIngressConfig,omitempty"`
+}
+
+type ContourIngressConfig struct {
+	// TLS secret used for Contour IngressRoute resource
+	TLSSecretName string `json:"tlsSecretName"`
+	// Broker hostname template for Contour IngressRoute resource to generate broker hostnames.
+	BrokerFQDNTemplate string `json:"brokerFQDNTemplate"`
 }
 
 // InternalListenerConfig defines the internal listener config for Kafka
@@ -766,6 +779,9 @@ type CommonListenerSpec struct {
 	// At least one of the listeners should have this flag enabled
 	// +optional
 	UsedForInnerBrokerCommunication bool `json:"usedForInnerBrokerCommunication"`
+	// UsedForKafkaAdminCommunication allows for a different port to be returned when the koperator is checking for the port to use to check if kafka is operating.
+	// +optional
+	UsedForKafkaAdminCommunication bool `json:"usedForKafkaAdminCommunication,omitempty"`
 }
 
 func (c *CommonListenerSpec) GetServerSSLCertSecretName() string {

api/v1beta1/zz_generated.deepcopy.go

@@ -12919,6 +12919,19 @@ spec:
                 type: string
               clusterWideConfig:
                 type: string
+              contourIngressConfig:
+                properties:
+                  brokerFQDNTemplate:
+                    description: Broker hostname template for Contour IngressRoute
+                      resource to generate broker hostnames.
+                    type: string
+                  tlsSecretName:
+                    description: TLS secret used for Contour IngressRoute resource
+                    type: string
+                required:
+                - brokerFQDNTemplate
+                - tlsSecretName
+                type: object
               cruiseControlConfig:
                 description: CruiseControlConfig defines the config for Cruise Control
                 properties:
@@ -18837,6 +18850,7 @@ spec:
                   as well.
                 enum:
                 - envoy
+                - contour
                 - istioingress
                 type: string
               istioControlPlane:
@@ -19197,6 +19211,7 @@ spec:
                           enum:
                           - LoadBalancer
                           - NodePort
+                          - ClusterIP
                           type: string
                         anyCastPort:
                           description: configuring AnyCastPort allows kafka cluster
@@ -19216,6 +19231,21 @@ spec:
                             ingressConfig:
                               additionalProperties:
                                 properties:
+                                  contourIngressConfig:
+                                    properties:
+                                      brokerFQDNTemplate:
+                                        description: Broker hostname template for
+                                          Contour IngressRoute resource to generate
+                                          broker hostnames.
+                                        type: string
+                                      tlsSecretName:
+                                        description: TLS secret used for Contour IngressRoute
+                                          resource
+                                        type: string
+                                    required:
+                                    - brokerFQDNTemplate
+                                    - tlsSecretName
+                                    type: object
                                   envoyConfig:
                                     description: EnvoyConfig defines the config for
                                       Envoy
@@ -21673,6 +21703,11 @@ spec:
                           description: At least one of the listeners should have this
                             flag enabled
                           type: boolean
+                        usedForKafkaAdminCommunication:
+                          description: UsedForKafkaAdminCommunication allows for a
+                            different port to be returned when the koperator is checking
+                            for the port to use to check if kafka is operating.
+                          type: boolean
                       required:
                       - containerPort
                       - externalStartingPort
@@ -21749,6 +21784,11 @@ spec:
                           description: At least one of the listeners should have this
                             flag enabled
                           type: boolean
+                        usedForKafkaAdminCommunication:
+                          description: UsedForKafkaAdminCommunication allows for a
+                            different port to be returned when the koperator is checking
+                            for the port to use to check if kafka is operating.
+                          type: boolean
                       required:
                       - containerPort
                       - name

charts/kafka-operator/crds/kafkaclusters.yaml

@@ -12919,6 +12919,19 @@ spec:
                 type: string
               clusterWideConfig:
                 type: string
+              contourIngressConfig:
+                properties:
+                  brokerFQDNTemplate:
+                    description: Broker hostname template for Contour IngressRoute
+                      resource to generate broker hostnames.
+                    type: string
+                  tlsSecretName:
+                    description: TLS secret used for Contour IngressRoute resource
+                    type: string
+                required:
+                - brokerFQDNTemplate
+                - tlsSecretName
+                type: object
               cruiseControlConfig:
                 description: CruiseControlConfig defines the config for Cruise Control
                 properties:
@@ -18837,6 +18850,7 @@ spec:
                   as well.
                 enum:
                 - envoy
+                - contour
                 - istioingress
                 type: string
               istioControlPlane:
@@ -19197,6 +19211,7 @@ spec:
                           enum:
                           - LoadBalancer
                           - NodePort
+                          - ClusterIP
                           type: string
                         anyCastPort:
                           description: configuring AnyCastPort allows kafka cluster
@@ -19216,6 +19231,21 @@ spec:
                             ingressConfig:
                               additionalProperties:
                                 properties:
+                                  contourIngressConfig:
+                                    properties:
+                                      brokerFQDNTemplate:
+                                        description: Broker hostname template for
+                                          Contour IngressRoute resource to generate
+                                          broker hostnames.
+                                        type: string
+                                      tlsSecretName:
+                                        description: TLS secret used for Contour IngressRoute
+                                          resource
+                                        type: string
+                                    required:
+                                    - brokerFQDNTemplate
+                                    - tlsSecretName
+                                    type: object
                                   envoyConfig:
                                     description: EnvoyConfig defines the config for
                                       Envoy
@@ -21673,6 +21703,11 @@ spec:
                           description: At least one of the listeners should have this
                             flag enabled
                           type: boolean
+                        usedForKafkaAdminCommunication:
+                          description: UsedForKafkaAdminCommunication allows for a
+                            different port to be returned when the koperator is checking
+                            for the port to use to check if kafka is operating.
+                          type: boolean
                       required:
                       - containerPort
                       - externalStartingPort
@@ -21749,6 +21784,11 @@ spec:
                           description: At least one of the listeners should have this
                             flag enabled
                           type: boolean
+                        usedForKafkaAdminCommunication:
+                          description: UsedForKafkaAdminCommunication allows for a
+                            different port to be returned when the koperator is checking
+                            for the port to use to check if kafka is operating.
+                          type: boolean
                       required:
                       - containerPort
                       - name