Merge commit from fork

Signed-off-by: Jakub Scholz <www@scholzj.com>

Author: scholzj

cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaCluster.java

@@ -1652,14 +1652,19 @@ public Role generateRole() {
             }
         }
 
-        List<PolicyRule> rules = List.of(new PolicyRuleBuilder()
-                .withApiGroups("")
-                .withResources("secrets")
-                .withVerbs("get")
-                .withResourceNames(certSecretNames.stream().toList())
-                .build());
-
-        return RbacUtils.createRole(componentName, namespace, rules, labels, ownerReference, null);
+        if (certSecretNames.isEmpty()) {
+            // This should never happen but just in case it does, we throw an error
+            throw new RuntimeException("No TLS certificate secrets found for the Kafka cluster.");
+        } else {
+            List<PolicyRule> rules = List.of(new PolicyRuleBuilder()
+                    .withApiGroups("")
+                    .withResources("secrets")
+                    .withVerbs("get")
+                    .withResourceNames(certSecretNames.stream().toList())
+                    .build());
+
+            return RbacUtils.createRole(componentName, namespace, rules, labels, ownerReference, null);
+        }
     }
 
     /**

cluster-operator/src/main/java/io/strimzi/operator/cluster/model/KafkaConnectCluster.java

@@ -595,7 +595,6 @@ private List<VolumeMount> getExternalConfigurationVolumeMounts()    {
 
     /**
      * Generates the StrimziPodSet for the Kafka cluster.
-     * enabled.
      *
      * @param replicas                  Number of replicas the StrimziPodSet should have. During scale-ups or scale-downs, node
      *                                  sets with different numbers of pods are generated.
@@ -909,13 +908,11 @@ public ClusterRoleBinding generateClusterRoleBinding() {
     }
 
     /**
-     * Creates a Role for reading TLS certificate secrets in the same namespace as the resource.
-     * This is used for loading certificates from secrets directly.
-     **
-     * @return role for the Kafka Connect
+     * @return  The list of Secrets the Pods will need access to through Kubernetes API to load their values using
+     *          configuration providers.
      */
     @SuppressWarnings("deprecation") // OAuth authentication is deprecated
-    public Role generateRole() {
+    private List<String> secretsToAllowAccessTo() {
         List<String> certSecretNames = new ArrayList<>();
         if (tls != null && tls.getTrustedCertificates() != null && !tls.getTrustedCertificates().isEmpty()) {
             certSecretNames.add(KafkaConnectResources.internalTlsTrustedCertsSecretName(cluster));
@@ -930,14 +927,30 @@ public Role generateRole() {
             }
         }
 
-        List<PolicyRule> rules = List.of(new PolicyRuleBuilder()
-                .withApiGroups("")
-                .withResources("secrets")
-                .withVerbs("get")
-                .withResourceNames(certSecretNames)
-                .build());
+        return certSecretNames;
+    }
+
+    /**
+     * Creates a Role for reading TLS certificate secrets in the same namespace as the resource.
+     * This is used for loading certificates from secrets directly.
+     **
+     * @return role for the Kafka Connect
+     */
+    public Role generateRole() {
+        List<String> certSecretNames = secretsToAllowAccessTo();
 
-        return RbacUtils.createRole(componentName, namespace, rules, labels, ownerReference, null);
+        if (certSecretNames.isEmpty()) {
+            return null;
+        } else {
+            List<PolicyRule> rules = List.of(new PolicyRuleBuilder()
+                    .withApiGroups("")
+                    .withResources("secrets")
+                    .withVerbs("get")
+                    .withResourceNames(certSecretNames)
+                    .build());
+
+            return RbacUtils.createRole(componentName, namespace, rules, labels, ownerReference, null);
+        }
     }
 
     /**
@@ -946,19 +959,23 @@ public Role generateRole() {
      * @return  Role Binding for the Kafka Connect
      */
     public RoleBinding generateRoleBindingForRole() {
-        Subject subject = new SubjectBuilder()
-                .withKind("ServiceAccount")
-                .withName(componentName)
-                .withNamespace(namespace)
-                .build();
-
-        RoleRef roleRef = new RoleRefBuilder()
-                .withName(componentName)
-                .withApiGroup("rbac.authorization.k8s.io")
-                .withKind("Role")
-                .build();
-
-        return RbacUtils.createRoleBinding(getRoleBindingName(), namespace, roleRef, List.of(subject), labels, ownerReference, null);
+        if (secretsToAllowAccessTo().isEmpty()) {
+            return null;
+        } else {
+            Subject subject = new SubjectBuilder()
+                    .withKind("ServiceAccount")
+                    .withName(componentName)
+                    .withNamespace(namespace)
+                    .build();
+
+            RoleRef roleRef = new RoleRefBuilder()
+                    .withName(componentName)
+                    .withApiGroup("rbac.authorization.k8s.io")
+                    .withKind("Role")
+                    .build();
+
+            return RbacUtils.createRoleBinding(getRoleBindingName(), namespace, roleRef, List.of(subject), labels, ownerReference, null);
+        }
     }
 
     /**

cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaConnectClusterTest.java

@@ -46,6 +46,8 @@
 import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule;
 import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget;
 import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
+import io.fabric8.kubernetes.api.model.rbac.Role;
+import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
 import io.strimzi.api.kafka.model.common.CertSecretSource;
 import io.strimzi.api.kafka.model.common.CertSecretSourceBuilder;
 import io.strimzi.api.kafka.model.common.JvmOptions;
@@ -2378,4 +2380,42 @@ public void testOciConnectorPlugins() {
             assertThat(containers.get(0).getVolumeMounts().get(4).getMountPath(), is("/opt/kafka/plugins/second-connector/695ab9d6"));
         });
     }
+
+    @Test
+    public void testRoleAbdRoleBindingNoSecrets() {
+        assertThat(KC.generateRole(), is(nullValue()));
+        assertThat(KC.generateRoleBindingForRole(), is(nullValue()));
+    }
+
+    @Test
+    public void testRoleAbdRoleBindingWithSecrets() {
+        KafkaConnect resource = new KafkaConnectBuilder(RESOURCE)
+                .editSpec()
+                    .withNewTls()
+                        .withTrustedCertificates(new CertSecretSourceBuilder().withSecretName("my-secret").withCertificate("ca.crt").build())
+                    .endTls()
+                .endSpec()
+                .build();
+
+        KafkaConnectCluster kc = KafkaConnectCluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, resource, VERSIONS, SHARED_ENV_PROVIDER);
+
+        Role role = kc.generateRole();
+        assertThat(role.getMetadata().getName(), is(kc.componentName));
+        assertThat(role.getMetadata().getNamespace(), is(NAMESPACE));
+        assertThat(role.getRules().size(), is(1));
+        assertThat(role.getRules().get(0).getApiGroups(), is(List.of("")));
+        assertThat(role.getRules().get(0).getResources(), is(List.of("secrets")));
+        assertThat(role.getRules().get(0).getVerbs(), is(List.of("get")));
+        assertThat(role.getRules().get(0).getResourceNames(), is(List.of(kc.componentName + "-tls-trusted-certs")));
+
+        RoleBinding rb = kc.generateRoleBindingForRole();
+        assertThat(rb.getMetadata().getName(), is(KafkaConnectResources.connectRoleBindingName(NAME)));
+        assertThat(rb.getMetadata().getNamespace(), is(NAMESPACE));
+        assertThat(rb.getSubjects().size(), is(1));
+        assertThat(rb.getSubjects().get(0).getKind(), is("ServiceAccount"));
+        assertThat(rb.getSubjects().get(0).getNamespace(), is(NAMESPACE));
+        assertThat(rb.getSubjects().get(0).getName(), is(kc.componentName));
+        assertThat(rb.getRoleRef().getKind(), is("Role"));
+        assertThat(rb.getRoleRef().getName(), is(kc.componentName));
+    }
 }

cluster-operator/src/test/java/io/strimzi/operator/cluster/model/KafkaMirrorMaker2ClusterTest.java

@@ -42,6 +42,8 @@
 import io.fabric8.kubernetes.api.model.networking.v1.NetworkPolicyIngressRule;
 import io.fabric8.kubernetes.api.model.policy.v1.PodDisruptionBudget;
 import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
+import io.fabric8.kubernetes.api.model.rbac.Role;
+import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
 import io.strimzi.api.kafka.model.common.CertSecretSource;
 import io.strimzi.api.kafka.model.common.CertSecretSourceBuilder;
 import io.strimzi.api.kafka.model.common.JvmOptions;
@@ -2498,4 +2500,51 @@ public void testLoggingWithLog4j2() {
         ConfigMap cm = KMM2.generateConnectConfigMap(new MetricsAndLogging(METRICS_CONFIG, null));
         assertThat(cm.getData().get(LoggingModel.LOG4J2_CONFIG_MAP_KEY), is(notNullValue()));
     }
+
+    @Test
+    public void testRoleAbdRoleBindingNoSecrets() {
+        assertThat(KMM2.generateRole(), is(nullValue()));
+        assertThat(KMM2.generateRoleBindingForRole(), is(nullValue()));
+    }
+
+    @Test
+    public void testRoleAbdRoleBindingWithSecrets() {
+        KafkaMirrorMaker2 resource = new KafkaMirrorMaker2Builder(RESOURCE)
+                .editSpec()
+                    .editTarget()
+                        .withNewTls()
+                            .withTrustedCertificates(new CertSecretSourceBuilder().withSecretName("my-secret").withCertificate("ca.crt").build())
+                        .endTls()
+                    .endTarget()
+                    .editFirstMirror()
+                        .editSource()
+                            .withNewTls()
+                                .withTrustedCertificates(new CertSecretSourceBuilder().withSecretName("my-source-secret").withCertificate("ca.crt").build())
+                            .endTls()
+                        .endSource()
+                    .endMirror()
+                .endSpec()
+                .build();
+
+        KafkaMirrorMaker2Cluster kmm2 = KafkaMirrorMaker2Cluster.fromCrd(Reconciliation.DUMMY_RECONCILIATION, resource, VERSIONS, SHARED_ENV_PROVIDER);
+
+        Role role = kmm2.generateRole();
+        assertThat(role.getMetadata().getName(), is(kmm2.componentName));
+        assertThat(role.getMetadata().getNamespace(), is(NAMESPACE));
+        assertThat(role.getRules().size(), is(1));
+        assertThat(role.getRules().get(0).getApiGroups(), is(List.of("")));
+        assertThat(role.getRules().get(0).getResources(), is(List.of("secrets")));
+        assertThat(role.getRules().get(0).getVerbs(), is(List.of("get")));
+        assertThat(role.getRules().get(0).getResourceNames(), is(List.of(KafkaConnectResources.componentName(NAME) + "-tls-trusted-certs")));
+
+        RoleBinding rb = kmm2.generateRoleBindingForRole();
+        assertThat(rb.getMetadata().getName(), is(KafkaMirrorMaker2Resources.mm2RoleBindingName(NAME)));
+        assertThat(rb.getMetadata().getNamespace(), is(NAMESPACE));
+        assertThat(rb.getSubjects().size(), is(1));
+        assertThat(rb.getSubjects().get(0).getKind(), is("ServiceAccount"));
+        assertThat(rb.getSubjects().get(0).getNamespace(), is(NAMESPACE));
+        assertThat(rb.getSubjects().get(0).getName(), is(kmm2.componentName));
+        assertThat(rb.getRoleRef().getKind(), is("Role"));
+        assertThat(rb.getRoleRef().getName(), is(kmm2.componentName));
+    }
 }