From 840b1e0ee5426179de6453d86d5a47b9c0b739f4 Mon Sep 17 00:00:00 2001
From: Carles Arnal
Date: Tue, 25 Feb 2025 10:30:23 +0100
Subject: [PATCH] Fix kafka auth tls config
---
 cert.pem | 24 ++++++++++++++++++
 key.pem | 0
 .../operator/EnvironmentVariables.java | 14 +++++------
 .../registry/operator/feat/KafkaSql.java | 25 ++++++++++++++++---
 .../registry/operator/feat/KafkaSqlAuth.java | 8 +++---
 .../registry/operator/feat/KafkaSqlTLS.java | 3 ---
 .../resources/k8s/examples/auth/keycloak.yaml | 2 +-
 ...imple-with_keycloak.apicurioregistry3.yaml | 18 +++++++------
 .../kafkasql/oauth/oauth-example-cluster.yaml | 2 ++
 ...xample-kafkasql-tls.apicurioregistry3.yaml | 3 +--
 .../api/v1/spec/KafkaSqlAuthSpec.java | 8 +----
 11 files changed, 69 insertions(+), 38 deletions(-)
 create mode 100644 cert.pem
 create mode 100644 key.pem
diff --git a/cert.pem b/cert.pem
new file mode 100644
index 0000000000..8bc19f6787
--- /dev/null
+++ b/cert.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/jCCAuagAwIBAgIUTsdR5JCRLZx8gNn5/Hc4Lle9pB8wDQYJKoZIhvcNAQEL
+BQAwdDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJh
+bmNpc2NvMREwDwYDVQQKDAhLZXljbG9hazEtMCsGA1UEAwwkc2ltcGxlLWtleWNs
+b2FrLmFwcHMuY2x1c3Rlci5leGFtcGxlMB4XDTI1MDEzMTA3MjI1MVoXDTI2MDEz
+MTA3MjI1MVowdDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1T
+YW4gRnJhbmNpc2NvMREwDwYDVQQKDAhLZXljbG9hazEtMCsGA1UEAwwkc2ltcGxl
+LWtleWNsb2FrLmFwcHMuY2x1c3Rlci5leGFtcGxlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAq1Kouy7RTmfigX8pfgItDoqAZtBxQmXl8yqLsfNIabcy
+mFWDptAeZQErGMOjDozSPbfPacTBRr/CBtOhNpGxojMN7F9gH0aZDQfNmxD5lBJb
+RIKD6pcvSeS5fkP+GKtp0wtfjTG27kA41+K0uYuVOAHDDweEOjQIiuUX40yZilkx
+xk9Tatz0BgptUW6WLY1MYYfju0wHdfMf1oGbDBuX8lCGF+vHWpyEARjfYBrxKGYa
+UW+9Isui2YnOXIDyCDZngP1ctmt+jc7JZCPZdAkPS2I8w/WLLmQetryvnSdd+Run
+vIPhaEvaWV018tvOA24j8sRTm1T7NPjvFQoDJacb9QIDAQABo4GHMIGEMGMGA1Ud
+EQRcMFqCJHNpbXBsZS1rZXljbG9hay5hcHBzLmNsdXN0ZXIuZXhhbXBsZYIIa2V5
+Y2xvYWuCDGtleWNsb2FrLnN2Y4Iaa2V5Y2xvYWsuc3ZjLmNsdXN0ZXIubG9jYWww
+HQYDVR0OBBYEFKnx5Hc6DfUqIaXc2fvq6FbVG6WPMA0GCSqGSIb3DQEBCwUAA4IB
+AQAMEcYAgL7T1IQdG12pnvwDP1rcNeIGdPgZlVlmXvvM57MGHVP06D2SkbyAiQlQ
+r6Ohze4oS+9VcrkqAqoo2H3/fPT/dFLywqrXW47bs/7aEtD7bGnfwCkgS2mhn4ZK
+9vpWRrrKQ4ZAG8YG4rJFbsaMNAhMB/joUjjLh60RoQnDdWmyhAbl07ARzCQwuv8M
+DvpzrMi/U8nBFlvUPReIpsejj9HAyyfRBv2dJwSZGLxFOb2flSIxSC8aaaJ8NQmD
+TZeZInxtUvHwEnnH0u5pB3wE+u8NklGSu7Xo3ctK+9q4Cb51vGapwd6dhtjnmlmx
+gg82StaL1n9k01Rhu9keXA3J
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/key.pem b/key.pem
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java b/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java
index febe71f172..5c7a726999 100644
--- a/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java
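Review bot: cert.pem and key.pem are added at the repository root, yet nothing else in the patch references them and key.pem is the empty blob (index e69de29bb2), so both look like leftovers from local testing rather than part of the fix. A key.pem committed next to a certificate is exactly the artefact that leaks a private key the next time it is not empty, so both files should be dropped from the commit. If the certificate is genuinely needed by a test, it belongs under the test resources next to keycloak.yaml with a comment stating what it is for (presumably a test-only Keycloak certificate, judging by the surrounding fixtures — confirm).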
+++ b/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java
@@ -23,12 +23,11 @@ public class EnvironmentVariables {
 // KafkaSQL oauth
 public static final String APICURIO_KAFKASQL_SECURITY_SASL_ENABLED = "APICURIO_KAFKASQL_SECURITY_SASL_ENABLED";
- public static final String APICURIO_KAFKASQL_SECURITY_SASL_PROTOCOL = "APICURIO_KAFKASQL_SECURITY_SASL_PROTOCOL";
 public static final String APICURIO_KAFKASQL_SECURITY_SASL_MECHANISM = "APICURIO_KAFKASQL_SECURITY_SASL_MECHANISM";
- public static final String APICURIO_KAFKA_SECURITY_SASL_CLIENT_ID = "APICURIO_KAFKA_SECURITY_SASL_CLIENT_ID";
+ public static final String APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_ID = "APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_ID";
 public static final String APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET = "APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET";
- public static final String APICURIO_KAFAKSQL_SECURITY_SASL_TOKEN_ENDPOINT = "APICURIO_KAFAKSQL_SECURITY_SASL_TOKEN_ENDPOINT";
- public static final String APICURIO_KAFAKSQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS = "APICURIO_KAFAKSQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS";
+ public static final String APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT = "APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT";
+ public static final String APICURIO_KAFKASQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS = "APICURIO_KAFKASQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS";
 // Auth related environment variables
 public static final String APICURIO_REGISTRY_AUTH_ENABLED = "QUARKUS_OIDC_TENANT_ENABLED";
@@ -37,10 +36,9 @@ public class EnvironmentVariables {
 public static final String APICURIO_UI_AUTH_OIDC_REDIRECT_URI = "APICURIO_UI_AUTH_OIDC_REDIRECT_URI";
 public static final String APICURIO_UI_AUTH_OIDC_LOGOUT_URL = "APICURIO_UI_AUTH_OIDC_LOGOUT_URL";
 public static final String APICURIO_REGISTRY_AUTH_SERVER_URL = "QUARKUS_OIDC_AUTH_SERVER_URL";
- public static final String OIDC_TLS_VERIFICATION = "QUARKUS_OIDC_TLS_VERIFICATION";
- public static final String OIDC_TLS_TRUSTSTORE_LOCATION = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE";
- public static final String OIDC_TLS_TRUSTSTORE_PASSWORD = "QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD";
-
+ public static final String OIDC_TLS_VERIFICATION = "OIDC_TLS_VERIFICATION";
+ public static final String QUARKUS_TLS_TRUST_STORE_P12_PATH = "QUARKUS_TLS_TRUST_STORE_P12_PATH";
+ public static final String QUARKUS_TLS_TRUST_STORE_P12_PASSWORD = "QUARKUS_TLS_TRUST_STORE_P12_PASSWORD";
 public static final String APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED = "APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_ENABLED";
 public static final String APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_CACHE_EXPIRATION = "APICURIO_AUTHN_BASIC_CLIENT_CREDENTIALS_CACHE_EXPIRATION";
 public static final String APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED = "APICURIO_AUTH_ANONYMOUS_READ_ACCESS_ENABLED";
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSql.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSql.java
index 156e0960af..7431f3f5c8 100644
--- a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSql.java
+++ b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSql.java
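Review bot: OIDC_TLS_VERIFICATION now holds the literal "OIDC_TLS_VERIFICATION", while the value it replaces, "QUARKUS_OIDC_TLS_VERIFICATION", is the Quarkus property name that the example CR later in this patch sets by hand; whatever code still emits this constant (not visible here) will presumably no longer influence the OIDC client's certificate verification, so either that consumer was updated or the Quarkus name should be kept. The two truststore constants now target the default Quarkus TLS truststore (QUARKUS_TLS_TRUST_STORE_P12_*) instead of the OIDC-specific one, which changes which connections the mounted truststore applies to; a short comment above them would help, e.g. `// Default Quarkus TLS truststore, not OIDC-specific`. The EnvironmentVariables class continues outside the hunk.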
@@ -12,6 +12,7 @@ import java.util.Map;
+import static io.apicurio.registry.operator.EnvironmentVariables.KAFKASQL_SECURITY_PROTOCOL;
 import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
 import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.addEnvVar;
 import static io.apicurio.registry.operator.utils.Utils.isBlank;
@@ -25,7 +26,7 @@ public class KafkaSql {
 public static String ENV_KAFKASQL_BOOTSTRAP_SERVERS = "APICURIO_KAFKASQL_BOOTSTRAP_SERVERS";
 public static void configureKafkaSQL(ApicurioRegistry3 primary, Deployment deployment,
- Map env) {
+ Map env) {
 ofNullable(primary.getSpec()).map(ApicurioRegistry3Spec::getApp).map(AppSpec::getStorage)
 .map(StorageSpec::getKafkasql).ifPresent(kafkasql -> {
 if (!isBlank(kafkasql.getBootstrapServers())) {
@@ -34,14 +35,30 @@ public static void configureKafkaSQL(ApicurioRegistry3 primary, Deployment deplo
 addEnvVar(env, new EnvVarBuilder().withName(ENV_KAFKASQL_BOOTSTRAP_SERVERS)
 .withValue(kafkasql.getBootstrapServers()).build());
- if (KafkaSqlTLS.configureKafkaSQLTLS(primary, deployment, REGISTRY_APP_CONTAINER_NAME,
- env)) {
+ boolean sslConfigured = KafkaSqlTLS.configureKafkaSQLTLS(primary, deployment, REGISTRY_APP_CONTAINER_NAME,
+ env);
+
+ boolean oAuthConfigured = KafkaSqlAuth.configureKafkaSQLOauth(primary,
+ env);
+
+ if (sslConfigured) {
 log.info("KafkaSQL storage with TLS security configured.");
 }
- if (KafkaSqlAuth.configureKafkaSQLOauth(primary, env)) {
+ if (oAuthConfigured) {
 log.info("KafkaSQL storage with Oauth security configured.");
 }
+
+ // Set the security protocol
+ if (sslConfigured) {
+ if (oAuthConfigured) {
+ addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SASL_SSL");
+ } else {
+ addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SSL");
+ }
+ } else if (oAuthConfigured) {
+ addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SASL_PLAINTEXT");
+ }
 }
 });
 }
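Review bot: The protocol selection added at the end of the third hunk emits SASL_PLAINTEXT whenever OAuth is configured without TLS, which puts the client secret and bearer tokens on an unencrypted connection with no signal to the operator's user beyond the two info logs; add a warning before that addEnvVar, e.g. `log.warn("KafkaSQL OAuth configured without TLS; SASL credentials will be sent over a plaintext connection.");`. When neither feature is configured the protocol env var is left unset, which is presumably meant to fall back to the registry's default — a comment saying so would stop the next reader from adding a PLAINTEXT branch. The nested if/else can be flattened to `String protocol = sslConfigured ? (oAuthConfigured ? "SASL_SSL" : "SSL") : "SASL_PLAINTEXT";` under a single `if (sslConfigured || oAuthConfigured)` guard. configureKafkaSQL's body starts in the second hunk and the lambda closes in this one.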
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlAuth.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlAuth.java
index 57e21b30fa..862abb32a3 100644
--- a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlAuth.java
+++ b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlAuth.java
@@ -29,17 +29,15 @@ public static boolean configureKafkaSQLOauth(ApicurioRegistry3 primary, Map {
- addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_PROTOCOL, kafkaSqlAuthSpec.getProtocol());
 addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_ENABLED, kafkaSqlAuthSpec.getEnabled().toString());
 addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_MECHANISM, kafkaSqlAuthSpec.getMechanism());
- addEnvVar(env, APICURIO_KAFKA_SECURITY_SASL_CLIENT_ID, kafkaSqlAuthSpec.getClientId());
+ addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_ID, kafkaSqlAuthSpec.getClientId());
 addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_CLIENT_SECRET, new SecretKeyRefTool(kafkaSqlAuthSpec.getClientSecretRef(), "client-secret").getSecretVolumeKeyPath());
- addEnvVar(env, APICURIO_KAFAKSQL_SECURITY_SASL_TOKEN_ENDPOINT, kafkaSqlAuthSpec.getTokenEndpoint());
- addEnvVar(env, APICURIO_KAFAKSQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS, kafkaSqlAuthSpec.getLoginHandlerClass());
+ addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_TOKEN_ENDPOINT, kafkaSqlAuthSpec.getTokenEndpoint());
+ addEnvVar(env, APICURIO_KAFKASQL_SECURITY_SASL_LOGIN_CALLBACK_HANDLER_CLASS, kafkaSqlAuthSpec.getLoginHandlerClass());
 });
 return true;
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlTLS.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlTLS.java
index d521808c8f..95b4d282ba 100644
--- a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlTLS.java
+++ b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/KafkaSqlTLS.java
@@ -44,9 +44,6 @@ public static boolean configureKafkaSQLTLS(ApicurioRegistry3 primary, Deployment
 boolean configured = false;
 if (truststore.isValid() && truststorePassword.isValid()) {
-
- addEnvVar(env, KAFKASQL_SECURITY_PROTOCOL, "SSL");
-
 // ===== Truststore
 addEnvVar(env, KAFKASQL_SSL_TRUSTSTORE_TYPE, "PKCS12");
diff --git a/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml b/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml
index 75a6bd0a50..23784623f0 100644
--- a/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml
+++ b/operator/controller/src/test/resources/k8s/examples/auth/keycloak.yaml
@@ -3158,7 +3158,7 @@ kind: Secret
 metadata:
 name: keycloak-truststore
 data:
- truststore: 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
+ truststore: 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
 password: YXBpY3VyaW8=
 ---
 apiVersion: apps/v1
diff --git a/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml b/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml
index fc5a4b0d9c..f78ad7c98b 100644
--- a/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml
+++ b/operator/controller/src/test/resources/k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml
@@ -3,6 +3,9 @@ kind: ApicurioRegistry3
 metadata:
 name: simple
 spec:
+ env:
+ - name: QUARKUS_OIDC_TLS_VERIFICATION
+ value: "none"
 app:
 ingress:
 host: simple-app.apps.cluster.example
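Review bot: The example CR now sets QUARKUS_OIDC_TLS_VERIFICATION to "none" through spec.env while still referencing keycloak-truststore under auth.tls (and the next hunk drops `tlsVerificationType: required`), so the truststore is never consulted and the example documents the registry accepting any certificate from the Keycloak endpoint. If the override exists only to make the test pass against a self-signed Keycloak, the truststore already covers that case and the env entry should go; if it must stay, mark it as test-only, e.g. `# Test-only: disables OIDC certificate verification, so the truststore below is not used.`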
@@ -13,14 +16,13 @@ spec:
 authServerUrl: https://simple-keycloak.apps.cluster.example/realms/registry
 redirectURI: https://simple-ui.apps.cluster.example
 logoutURL: https://simple-ui.apps.cluster.example
- tls:
- tlsVerificationType: required
- truststoreSecretRef:
- name: keycloak-truststore
- key: truststore
- truststorePasswordSecretRef:
- name: keycloak-truststore
- key: password
+ tls:
+ truststoreSecretRef:
+ name: keycloak-truststore
+ key: truststore
+ truststorePasswordSecretRef:
+ name: keycloak-truststore
+ key: password
 ui:
 ingress:
 host: simple-ui.apps.cluster.example
diff --git a/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-cluster.yaml b/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-cluster.yaml
index 75f5a8cdec..59369990e5 100644
--- a/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-cluster.yaml
+++ b/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-cluster.yaml
@@ -39,6 +39,8 @@ spec:
 config:
 inter.broker.protocol.version: "3.8"
 offsets.topic.replication.factor: 1
+ sasl.enabled.mechanisms: OAUTHBEARER
+ listener.name.tls.sasl.enabled.mechanisms: OAUTHBEARER
 storage:
 type: ephemeral
 zookeeper:
diff --git a/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-kafkasql-tls.apicurioregistry3.yaml b/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-kafkasql-tls.apicurioregistry3.yaml
index 3f90ab7803..65c903b5c4 100644
--- a/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-kafkasql-tls.apicurioregistry3.yaml
+++ b/operator/controller/src/test/resources/k8s/examples/kafkasql/oauth/oauth-example-kafkasql-tls.apicurioregistry3.yaml
@@ -10,7 +10,7 @@ spec:
 storage:
 type: kafkasql
 kafkasql:
- bootstrapServers: "..svc:9092"
+ bootstrapServers: "..svc:9093"
 # Try using Strimzi/Red Hat AMQ Streams Operator!
 tls:
 truststoreSecretRef:
@@ -20,7 +20,6 @@ spec:
 name: keycloak-truststore
 key: password
 auth:
- protocol: "SASL_SSL"
 enabled: true
 mechanism: "OAUTHBEARER"
 clientId: "admin-client"
diff --git a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/KafkaSqlAuthSpec.java b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/KafkaSqlAuthSpec.java
index 57361a23c1..b1e8b91fd9 100644
--- a/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/KafkaSqlAuthSpec.java
+++ b/operator/model/src/main/java/io/apicurio/registry/operator/api/v1/spec/KafkaSqlAuthSpec.java
@@ -21,7 +21,7 @@
 @JsonDeserialize(using = JsonDeserializer.None.class)
 @JsonInclude(NON_NULL)
-@JsonPropertyOrder({ "enabled", "mechanism", "protocol", "clientId", "clientSecretRef", "tokenEndpoint",
+@JsonPropertyOrder({ "enabled", "mechanism", "clientId", "clientSecretRef", "tokenEndpoint",
 "loginHandlerClass" })
 @NoArgsConstructor
 @AllArgsConstructor(access = PRIVATE)
@@ -38,12 +38,6 @@ public class KafkaSqlAuthSpec {
 @JsonSetter(nulls = SKIP)
 private Boolean enabled;
- @JsonProperty("protocol")
- @JsonPropertyDescription("""
- The protocol used to authenticate to Kafka.""")
- @JsonSetter(nulls = SKIP)
- private String protocol;
-
 @JsonProperty("mechanism")
 @JsonPropertyDescription("""
 The mechanism used to authenticate to Kafka.""")
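Review bot: Removing the `protocol` field from KafkaSqlAuthSpec (both hunks of this file) is a breaking change to the CRD: an existing ApicurioRegistry3 resource that still carries `auth.protocol` — as the example in this patch did until this commit — will either fail to deserialize or be silently ignored depending on the mapper's unknown-property setting, which these hunks do not show. The compatible path is to keep the field, mark it `@Deprecated(since = "<version placeholder>", forRemoval = true)` with a `@JsonPropertyDescription` stating that the protocol is now derived from the TLS and auth settings and the value is ignored, or at minimum to confirm that the class or its deserializer tolerates unknown properties. KafkaSqlAuthSpec continues outside the hunk.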