Bug Description
Hi,
I updated the Strimzi Helm Chart from 0.49.0 to 0.49.1; with that came the update to CRD API version v1. I am not seeing the RoleBinding for the automatically created ServiceAccount for a KafkaConnect resource anymore. In my case, I am using a KafkaConnector that references a Kubernetes Secret in the namespace of the KafkaConnect Pod. After the update, the KafkaConnect pod is unable to retrieve the Secret content due to missing permissions.
After some more research, I assume that this is related to GHSA-xrhh-hx36-485q, which got addressed with 0.49.1. Am I wrong?
Steps to reproduce
- install Strimzi Helm Chart with version 0.49.1 with watchNamespace on a different namespace
- create a KafkaConnect custom resource in a watched namespace with:
  spec:
    config:
      config.providers: secrets
      config.providers.secrets.class: io.strimzi.kafka.KubernetesSecretConfigProvider
- look for the new ServiceAccount in the watched namespace
- look for the missing role and rolebinding in the watched namespace
Expected behavior
With v0.49.0, Role and RoleBinding did exist with:
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
Strimzi version
0.49.1
Kubernetes version
1.32.4
Installation method
Helm Chart
Infrastructure
Azure AKS (should be irrelevant)
Configuration files and logs
Strimzi Helm Chart values:
values:
  watchNamespaces:
    - kafka-connect-system
KafkaConnect Resource:
apiVersion: kafka.strimzi.io/v1
kind: KafkaConnect
metadata:
  annotations:
    strimzi.io/use-connector-resources: "true"
  name: connect-cluster
  namespace: kafka-connect-system
spec:
  authentication:
    passwordSecret:
      password: connection-string
      secretName: bootstrap-server-secret
    type: plain
    username: $ConnectionString
  bootstrapServers: [REDACTED]
  groupId: connect-cluster-group
  configStorageTopic: connect-cluster-configs
  offsetStorageTopic: connect-cluster-offsets
  statusStorageTopic: connect-cluster-status
  config:
    config.providers: secrets
    config.providers.secrets.class: io.strimzi.kafka.KubernetesSecretConfigProvider
    config.storage.replication.factor: 1
    key.converter: org.apache.kafka.connect.json.JsonConverter
    key.converter.schemas.enable: true
    offset.flush.interval.ms: 10000
    offset.storage.replication.factor: 1
    status.storage.replication.factor: 1
    value.converter: org.apache.kafka.connect.json.JsonConverter
    value.converter.schemas.enable: true
  replicas: 1
  tls:
    trustedCertificates: []
  version: 4.0.0
Additional context
https://strimzi.io/docs/operators/0.49.1/deploying#assembly-loading-config-with-providers-str
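The check behind the last two reproduction steps, as an added example that is not part of the original report and is not Strimzi code: it evaluates exported Role/RoleBinding manifests offline and reports whether the Connect ServiceAccount may `get` a Secret, and whether that grant covers every Secret in the namespace. The ServiceAccount, Secret, Role and RoleBinding names are assumed or constructed; ClusterRoles and ClusterRoleBindings are not evaluated.

```python
# Added example: offline RBAC check over Role/RoleBinding manifests (as dicts).
# Assumed/constructed names: SA, SECRET, "connect-role", "connect-rb".
NS, SA, SECRET = "kafka-connect-system", "connect-cluster-connect", "my-connector-secret"

def role(name, rule):
    return {"kind": "Role", "metadata": {"name": name, "namespace": NS}, "rules": [rule]}

def binding(name, role_name):
    return {"kind": "RoleBinding", "metadata": {"name": name, "namespace": NS},
            "roleRef": {"kind": "Role", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": SA, "namespace": NS}]}

RULE = {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}  # rule quoted in the report
BEFORE = [role("connect-role", RULE), binding("connect-rb", "connect-role")]  # state described for 0.49.0
AFTER = []  # state described for 0.49.1: no Role, no RoleBinding
SCOPED = [role("connect-role", dict(RULE, resourceNames=[SECRET])),  # least-privilege variant
          binding("connect-rb", "connect-role")]

def rule_allows(rule, verb, resource, name):
    if not {"", "*"} & set(rule.get("apiGroups") or []):
        return False
    if not {resource, "*"} & set(rule.get("resources") or []):
        return False
    if not {verb, "*"} & set(rule.get("verbs") or []):
        return False
    names = rule.get("resourceNames") or []
    return not names or name in names  # no resourceNames means every object matches

def can_get_secret(objects, namespace, sa, secret):
    """Return (allowed, broad); broad is True when a matching rule has no resourceNames."""
    roles = {o["metadata"]["name"]: o for o in objects
             if o["kind"] == "Role" and o["metadata"].get("namespace") == namespace}
    allowed = broad = False
    for rb in objects:
        if rb["kind"] != "RoleBinding" or rb["metadata"].get("namespace") != namespace:
            continue
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                    and s.get("namespace", namespace) == namespace
                    for s in rb.get("subjects") or [])
        ref = rb.get("roleRef") or {}
        target = roles.get(ref.get("name")) if ref.get("kind") == "Role" else None
        if not bound or target is None:
            continue
        for rule in target.get("rules") or []:
            if rule_allows(rule, "get", "secrets", secret):
                allowed, broad = True, broad or not rule.get("resourceNames")
    return allowed, broad

if __name__ == "__main__":
    for label, objs in (("before", BEFORE), ("after", AFTER), ("scoped", SCOPED)):
        print(label, can_get_secret(objs, NS, SA, SECRET))
```
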