-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Additional authentication type 'k8s-oidc' that extends 'oauth' #9657
base: main
Are you sure you want to change the base?
Conversation
@@ -27,6 +27,7 @@ | |||
@JsonSubTypes.Type(name = KafkaClientAuthenticationScramSha512.TYPE_SCRAM_SHA_512, value = KafkaClientAuthenticationScramSha512.class), | |||
@JsonSubTypes.Type(name = KafkaClientAuthenticationPlain.TYPE_PLAIN, value = KafkaClientAuthenticationPlain.class), | |||
@JsonSubTypes.Type(name = KafkaClientAuthenticationOAuth.TYPE_OAUTH, value = KafkaClientAuthenticationOAuth.class), | |||
@JsonSubTypes.Type(name = KafkaClientAuthenticationK8sOIDC.TYPE_K8S_OIDC, value = KafkaClientAuthenticationK8sOIDC.class), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we call it kubernetes
? Or serviceaccount
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, if it makes it clearer, it can be either. Both names make sense. Do you have a preference?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we should have a proposal for this to clarify details like this. @strimzi/maintainers Any thoughts on the type name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about kubernetes-internal
/ KUBERNETES_INTERNAL
/ K8S_INTERNAL
? From the discussion during community call it would make sense to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about TYPE_KUBERNETES_OPEN_ID_CONNECT_AUTH
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's may actually not be a good idea because searching for it through documentation or search engines will not produce good results.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So based on the community call from this week let's move this a little bit. In the comments there were the following options more or less:
kubernetes-openid
kubernetes-auth
kubernetes
kubernetes-oidc
kubernetes-internal
kubernetes-sa
maybe (not listed above)?serviceaccount
serviceacount-oidc
serviceacount-oauth
Any other options?
edit: added serviceaccount
, serviceacount-oidc
, serviceacount-oauth
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
serviceaccount
or some variant on it? serviceacount-oidc
or serviceaccount-oauth
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ye I was thinking about serviceaccount
as well, but alone it sounds little bit strange to me. serviceacount-oidc
or serviceacount-oauth
sounds better I think. I will put it into the list and I guess we could do some vote soon.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussed on the community call of 16.5.2024: We decided to go with type: serviceaccount-oauth
.
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
"`scram-sha-256` and `scram-sha-512` types use SASL SCRAM-SHA-256 and SASL SCRAM-SHA-512 Authentication, respectively. " + | ||
"`plain` type uses SASL PLAIN Authentication. " + | ||
"`oauth` type uses SASL OAUTHBEARER Authentication. " + | ||
"`serviceaccount-oauth` type uses SASL OAUTHBEARER Authentication. " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we could add something like uses SASL OAUTHBEARER Authentication in combination with Kubernetes ServiceAccounts
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, sounds good.
...in/java/io/strimzi/api/kafka/model/common/authentication/KafkaClientAuthenticationOAuth.java
Show resolved
Hide resolved
@@ -41,6 +42,7 @@ public abstract class KafkaListenerAuthentication implements UnknownPropertyPres | |||
|
|||
@Description("Authentication type. " + | |||
"`oauth` type uses SASL OAUTHBEARER Authentication. " + | |||
"`serviceaccount-oauth` type uses SASL OAUTHBEARER Authentication. " + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as earlier -> maybe you can explain how it differs from oauth
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your proposed string would work here as well. In order to be slightly more descriptive maybe we could say something like: 'uses SASL OAUTHBEARER Authentication pre-configured with Kubernetes ServiceAccount token file location'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think what you suggest would work fine here.
...rc/main/java/io/strimzi/api/kafka/model/kafka/listener/KafkaListenerAuthenticationOAuth.java
Show resolved
Hide resolved
@@ -1635,6 +1636,31 @@ public void testPodSetWithOAuthWithAccessToken() { | |||
}); | |||
} | |||
|
|||
@ParallelTest | |||
public void testPodSetWithServiceAccountOAuth() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this test also when it is used for the source clusters?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added the test by pattern-matching other OAuth tests, and they only test with target cluster. I guess the reasoning here was that we really test KafkaClientAuthenticationOAuthBuilder
here, which is used both for the target and for the source cluster, thus if it works for one why would it fail for the other?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The env vars work differently for source clusters as there might be many of them. That is why I think it needs to be tested as well. It is possible it was forgotten for the previous part, but you can probably add it at least for this feature.
@@ -1062,6 +1063,27 @@ public void testGenerateDeploymentWithConsumerOAuthWithAccessToken() { | |||
assertThat(cont.getEnv().stream().filter(var -> KafkaMirrorMakerCluster.ENV_VAR_KAFKA_MIRRORMAKER_OAUTH_CONFIG_CONSUMER.equals(var.getName())).findFirst().orElseThrow().getValue().isEmpty(), is(true)); | |||
} | |||
|
|||
@ParallelTest | |||
public void testGenerateDeploymentWithConsumerServiceAccountOAuth() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have test for producer as well? (or cover it in this test)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good catch. There's is a whole series of tests with consumer and with producer there. I missed the producer
one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more thing - this should also have some CHANGELOG record.
Type of change
Description
TODO: This PR uses an unreleased SNAPSHOT version of OAuth library.
Make it easy to configure the usage of Kubernetes internal OIDC server. The new authentication type 'k8s-oidc' is an extension of 'oauth' type for listeners and various managed Kafka clients (KafkaConnector, KafkaBridge, KafkaMirrorMaker2, ...).
Checklist
Please go through this checklist and make sure all applicable tasks have been done