Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use PEM certificates loaded from secrets for KafkaConnect #11198

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Use PEM certificates loaded from secrets for KafkaConnect #11198

wants to merge 9 commits into from
+830 −364

Conversation

tinaselenge
Copy link
Contributor

@tinaselenge tinaselenge commented Feb 27, 2025
edited
Loading

Type of change

Select the type of your PR

  • Refactoring

Description

  • TLS certificates are loaded from secrets directly using KubernetesSecretConfigProvider, therefore also removes the population of the certificate related environment variables and the script for preparing TLS.
  • Use key pattern (*.crt) of KubernetesSecretConfigProvider to load multiple certificates from a single secret for ssl.truststore.certificates configuration. OAuth truststore is however configured differently, because multiline line certificates in Jaas config is not parsed correctly. Instead it will continue to use ssl.truststore.location which maps to the given secret's volume mount path for the certificate in PEM format.
  • Add RBAC right for reading secrets for KafkaConnect service account.

Resolves part of #11294

Checklist

Please go through this checklist and make sure all applicable tasks have been done

  • Write tests
  • Make sure all tests pass
  • Update documentation
  • Check RBAC rights for Kubernetes / OpenShift roles
  • Try your changes from Pod inside your Kubernetes and OpenShift cluster, not just locally
  • Reference relevant issue(s) and close them after merging
  • Update CHANGELOG.md
  • Supply screenshots for visual changes, such as Grafana dashboards

@tinaselenge tinaselenge force-pushed the use-pem branch 2 times, most recently from b26740e to 33a167a Compare February 27, 2025 14:03
@tinaselenge
Copy link
Contributor Author

@scholzj @ppatierno @katheris can one of you please kick off the regression tests? I ran some of the relevant ST locally which seemed to pass, but there are many I haven't run so would like to try running the full suite. Thanks!

@scholzj
Copy link
Member

scholzj commented Feb 27, 2025

/azp run regression

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@tinaselenge
Copy link
Contributor Author

thanks @scholzj for kicking off the tests. Looks like the failing tests are not related to this PR (time out failures in CruiseControlST which doesn't deploy any connect resource).

I will mark this PR ready for review now :) .

@tinaselenge tinaselenge marked this pull request as ready for review February 28, 2025 10:28
@tinaselenge tinaselenge requested review from scholzj, ppatierno and katheris and removed request for scholzj and ppatierno February 28, 2025 10:28
@scholzj scholzj added this to the 0.46.0 milestone Feb 28, 2025
scholzj
scholzj reviewed Feb 28, 2025
View reviewed changes
Copy link
Member

@scholzj scholzj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left some nits, but otherwise it mostly looks good.

@tinaselenge tinaselenge force-pushed the use-pem branch 3 times, most recently from b6cedbf to 5e44da7 Compare March 4, 2025 12:33
@tinaselenge tinaselenge force-pushed the use-pem branch 5 times, most recently from 888109a to 0352e9e Compare March 11, 2025 17:40
@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@im-konge
Copy link
Member

/azp run regression

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@tinaselenge tinaselenge mentioned this pull request Mar 26, 2025
Open
@tinaselenge
Copy link
Contributor Author

I created an issue for this PR to discuss some of the points that would also apply when making the other operands use PEM files as well. I thought it would be easier to discuss in an issue than the PR.

@ppatierno
Copy link
Member

/azp run regression

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

ppatierno
ppatierno previously approved these changes Mar 27, 2025
View reviewed changes
Copy link
Member

@ppatierno ppatierno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks Tina!

@ppatierno ppatierno self-requested a review March 27, 2025 07:54
@ppatierno ppatierno dismissed their stale review March 27, 2025 08:00

sorry If I approved but didn't notice your comment on #11294 so I guess we need more discussion.

@tinaselenge
Copy link
Contributor Author

@ppatierno @katheris @fvaleri I have made a change to create an internal secret for trusted certificates for OAuth server when OAuth is used. Can you please review the new change when you have time? Thank you.

Can someone also please kick off the regression tests? Thanks!

@ppatierno
Copy link
Member

/azp run regression

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@tinaselenge
Copy link
Contributor Author

tinaselenge commented Apr 9, 2025
edited
Loading

I'm having an issue with oauth truststore configuration. It seems like Jaas config for the oauth, doesn't like new lines of PEM format certificates. It wants everything inline I think:

Caused by: java.lang.IllegalArgumentException: Value not specified for key 'MIIDZTCCAk2gAwIBAgIUYB3lcFeRQUakgAHV6ioDogGuHmAwDQYJKoZIhvcNAQEL' in JAAS config

I also hit different issue with kafka-client 4.0 jar:

2025-04-08 23:14:10 DEBUG [main] CompositeStrategy:56 - Unable to load modern Subject methods, relying only on legacy methods
java.lang.NoSuchMethodException: javax.security.auth.Subject.current()
	at java.base/java.lang.Class.getDeclaredMethod(Class.java:2675) ~[?:?]
	at org.apache.kafka.common.internals.ModernStrategy.<init>(ModernStrategy.java:43) ~[kafka-clients-4.0.0.jar:?]
	at org.apache.kafka.common.internals.CompositeStrategy.<init>(CompositeStrategy.java:51) [kafka-clients-4.0.0.jar:?]
	at org.apache.kafka.common.internals.CompositeStrategy.<clinit>(CompositeStrategy.java:39) [kafka-clients-4.0.0.jar:?]
	at org.apache.kafka.common.internals.SecurityManagerCompatibility.get(SecurityManagerCompatibility.java:38) [kafka-clients-4.0.0.jar:?]
	at org.apache.kafka.connect.runtime.isolation.ClassLoaderFactory.newDelegatingClassLoader(ClassLoaderFactory.java:30) [connect-runtime-4.0.0.jar:?]
	at org.apache.kafka.connect.runtime.isolation.Plugins.<init>(Plugins.java:74) [connect-runtime-4.0.0.jar:?]
	at org.apache.kafka.connect.runtime.isolation.Plugins.<init>(Plugins.java:65) [connect-runtime-4.0.0.jar:?]
	at org.apache.kafka.connect.cli.AbstractConnectCli.startConnect(AbstractConnectCli.java:121) [connect-runtime-4.0.0.jar:?]
	at org.apache.kafka.connect.cli.AbstractConnectCli.run(AbstractConnectCli.java:95) [connect-runtime-4.0.0.jar:?]
	at org.apache.kafka.connect.cli.ConnectDistributed.main(ConnectDistributed.java:112) [connect-runtime-4.0.0.jar:?]

Looks it might be Java version incompatibility.

So I'm looking into how to solve this issue. Maybe oauth.ssl.truststore.location in Oauth Jaas config is less complex way to configure it, but we need to combine the trusted certificates into a single file and volume mount it. I don't know if this is too complex, but we could copy oauth trusted cert secrets into an internal secret under a single key and volume mount this internal secret.

@ppatierno ppatierno modified the milestones: 0.46.0, 0.47.0 Apr 10, 2025
@tinaselenge
Use PEM certificates loaded from secrets for KafkaConnect
ce13596 
Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Address review comments from Jakub
9671500 
Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Address review comments
6151a6e 
Remove volume mounts for TLS secrets

Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Create an internal secret for TLS trusted certificates
0012104 
Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Improve internal cert secret name
6fb5443 
Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Fix failing STs due to missing reconcilation of the internal secret f…
a4dce8b 
…or MM2

Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Remove hiding of password as its no longer needed
ca6162a 
Signed-off-by: Gantigmaa Selenge <[email protected]>
@tinaselenge
Create an internal secret for OAuth trusted certificates
14f5d78 
Signed-off-by: Gantigmaa Selenge <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scholzj scholzj scholzj left review comments

@katheris katheris katheris left review comments

@fvaleri fvaleri fvaleri left review comments

@ppatierno ppatierno Awaiting requested review from ppatierno

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.47.0
Development

Successfully merging this pull request may close these issues.
6 participants
@tinaselenge @scholzj @im-konge @ppatierno @katheris @fvaleri