Allow pandaproxy and schemaregistry to connect to kafka api over tls #7820
I have a few questions around:
- How do we recognise kafka internal listener self-signed certificates in various setups?
- Are we limiting NodeSecretRef usage with Panda Proxy and Schema Registry?
- Why are private client keys included in Redpanda volume mounts?
curl -s -v -X POST "http://cluster-tls-0.cluster-tls.$POD_NAMESPACE.svc.cluster.local:8082/topics/test" \
  -H "Content-Type: application/vnd.kafka.json.v2+json" \
  -d '{"records":[{"value":"Vectorized"},{"value":"Pandaproxy"},{"value":"JSON Demo"}]}' \
NIT: kafkaapi-client-auth is not what this test is doing. First it creates a topic and then we are using panda proxy. Shouldn't this be something like pandaproxy-with-client-auth (or pandaproxy-with-mtls, but we should be consistent)?
- The commit message lacks additional context, like why we are reusing an existing test and renaming it to a name that breaks the convention. Shouldn't we create a new test?
- We could extend the https://github.com/redpanda-data/redpanda/tree/dev/src/go/k8s/tests/e2e/pandaproxy-produce-consume-tls-client test to reconfigure redpanda to use mTLS. In other words, extend the already existing test that tests mTLS.
- Unfortunately, as @nicolaferraro rightly pointed out (Enable per kafka listener sasl #6940 (comment)), curl does not fail if the status code is not 2xx, you may need to check it manually. I agree all tests should be updated, as per @nicolaferraro's comment, so we might need to address it in a separate PR. Still :) let's not add more problems, please 🙏 A good example can be found in ff18ceb6 from Allow using public TLS certificates for Pandaproxy API #6637. The next good example is redpanda/src/go/k8s/tests/e2e-unstable/decommission/02-probe.yaml
Lines 18 to 29 in 85cc350

      command:
        - /bin/sh
        - -c
        - -ex
      args:
        - >
          url=http://decommissioning-0.decommissioning.$NAMESPACE.svc.cluster.local:9644/v1/brokers
          res=$(curl --silent -L $url | tr '{' '\n' | grep node_id | wc -l) &&
          echo $res > /dev/termination-log &&
          if [[ "$res" != "3" ]]; then exit 1; fi
    ---
    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        job-name: wait-for-3-brokers
    status:
      containerStatuses:
        - name: curl
          state:
            terminated:
              message: |
                3
      phase: Succeeded
I reused an existing test, I just renamed it. I also found out it does not fail, I thought I adjusted it though but perhaps did not 🤔 I'll fix that
No, I think my test works. I've added grep -v error_code, which means that it fails if that string is added. I had to do it that way because the proxy returns HTTP 200 but an error code (at least in the case of missing TLS broker config).
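The two points raised in this thread, that curl's exit status ignores a non-2xx response and that the proxy can answer HTTP 200 with an error_code in the body, can be checked with one probe. The script below is an added example, not code from this PR or from the redpanda repository; the function names, the sample responses and the commented URL are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR or the redpanda repository.
# A probe for pandaproxy-style endpoints that fails when either
#   (a) the HTTP status is not 2xx (plain curl still exits 0 here), or
#   (b) the status is 200 but the JSON body carries an error_code field,
#       which is what the proxy returns when the broker TLS config is missing.

# pp_response_ok STATUS BODY
# Returns 0 only when STATUS is 2xx and BODY contains no error_code.
pp_response_ok() {
    status="$1"
    body="$2"
    case "$status" in
        2[0-9][0-9]) ;;
        *)
            echo "probe: non-2xx status $status" >&2
            return 1
            ;;
    esac
    # grep -q: exit 0 if the marker appears anywhere in the body,
    # however many lines the body has.
    if printf '%s' "$body" | grep -q 'error_code'; then
        echo "probe: 200 with error body: $body" >&2
        return 1
    fi
    return 0
}

# pp_probe URL [curl args...]
# Fetches URL, captures status and body separately and validates both.
# The URL is supplied by the caller; nothing here is taken from the PR.
pp_probe() {
    url="$1"
    shift
    body_file=$(mktemp) || return 1
    rc=0
    status=$(curl --silent --show-error -o "$body_file" -w '%{http_code}' "$@" "$url") || rc=$?
    body=$(cat "$body_file")
    rm -f "$body_file"
    [ "$rc" -eq 0 ] || { echo "probe: curl failed ($rc)" >&2; return 1; }
    pp_response_ok "$status" "$body"
}

# Constructed sample responses (not captured from a real cluster):
SAMPLE_OK='{"offsets":[{"partition":0,"offset":0}]}'
SAMPLE_ERR='{"error_code":500,"message":"constructed sample error"}'

# Example usage against a cluster (hypothetical host and payload):
#   pp_probe "http://cluster-tls-0.cluster-tls.$POD_NAMESPACE.svc.cluster.local:8082/topics/test" \
#       -X POST -H 'Content-Type: application/vnd.kafka.json.v2+json' \
#       -d '{"records":[{"value":"probe"}]}'
```

Two caveats worth keeping in mind when wiring this into a kuttl step: curl's --fail option only turns HTTP 4xx/5xx into a non-zero exit, so it does not catch the 200-with-error_code case; and a bare `grep -v error_code` exits non-zero only when every line is filtered out, so a multi-line body with error_code on one line would still pass, which is why the probe above uses `grep -q` and inverts the result itself.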
src/go/k8s/tests/e2e/kafkaapi-client-auth/04-pandaproxy-consume.yaml
I saw that the PR cover letter is not correctly formatted, as per https://github.com/redpanda-data/redpanda/actions/runs/3738891086
The PR now properly checks both the node issuer and the node cert to see whether they are self-signed.
LGTM
/backport v22.3.x
Failed to run cherry-pick command. I executed the below command:
…-proxy-tls Allow pandaproxy and schemaregistry to connect to kafka api over tls
…ma-proxy-tls Allow pandaproxy and schemaregistry to connect to kafka api over tls
When the kafka api has tls enabled, we don't properly configure the pandaproxy and schema registry clients to connect to kafka via these private listeners, which meant that it did not work. This PR adds the missing parts of the configmap and mounts the missing certificates to make it possible for pp/sr to connect.
For mTLS we need both the node cert (if self-signed, so that the client can verify the node cert) and also the client certs mounted.
Example redpanda node bootstrap config when the internal kafka listener has the Require Client Auth option enabled:
Fixes #5994
Backports Required
UX Changes
Release Notes
Bug Fixes