Exclude schema registry and HTTP proxy config from 22.2.X deployment #544
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RafalKorepta
changed the title
Closed
RafalKorepta
force-pushed
the
rk/fix-22-2-x-schema-registry-and-panda-proxy-clients
branch
from
3bc4d35 to
c8871b8
Compare
RafalKorepta
pushed a commit
to RafalKorepta/helm-charts-1
that referenced
this pull request
Jun 15, 2023
The PR redpanda-data#544 does not pass tests due to bug in Redpanda. The pandaproxy fix will be backported eventually redpanda-data/redpanda#11425, but to unblock the nightly build the test SASL mechanism should be change from `SCRAM-SHA-512` to `SCRAM-SHA-256`.
|
Tests are blocked by #547 |
RafalKorepta
force-pushed
the
rk/fix-22-2-x-schema-registry-and-panda-proxy-clients
branch
2 times, most recently
from
cdbfccd to
aaf206a
Compare
|
Test 05 was adjusted to use not default settings #550. I hope upgrade tests will pass now. |
joejulian
reviewed
Jun 15, 2023
| @@ -538,6 +538,10 @@ than 1 core. | |||
| {{- toJson (dict "bool" (or (not (eq .Values.image.repository "docker.redpanda.com/redpandadata/redpanda")) (include "redpanda.semver" . | semverCompare ">=22.2.10-0,<22.3"))) -}} | |||
| {{- end -}} | |||
|
|
|||
| {{- define "redpanda-22-2-x-without-sasl" -}} | |||
| {{- toJson (dict "bool" (or (not (or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod)) (include "redpanda-atleast-22-3-0" . | fromJson).bool)) -}} | |||
There was a problem hiding this comment.
If this is accurate, I'd suggest this. The nested logic is way to hard to parse in my head.
Suggested change
| {{- toJson (dict "bool" (or (not (or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod)) (include "redpanda-atleast-22-3-0" . | fromJson).bool)) -}} | |
| {{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} | |
| {{- if or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod)) -}} | |
| {{- $result := false -}} | |
| {{- end -}} | |
| {{- toJson (dict "bool" $result -}} |
There was a problem hiding this comment.
I'm not that proficient in templating langue. If I could code this in go :)
Comment included into next push
joejulian
reviewed
Jun 15, 2023
Comment on lines
+65
to
+74
| {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.schemaRegistry.authenticationMethod }} | ||
| -u $USERNAME:$PASSWORD \ | ||
| {{- end }} | ||
| {{- if $cert.caEnabled }} | ||
| --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ | ||
| {{- end }} |
There was a problem hiding this comment.
This is repeated for each command. What do you think about putting it in a function?
schemaCurl () {
{{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.schemaRegistry.authenticationMethod }}
-u $USERNAME:$PASSWORD \
{{- end }}
{{- if $cert.caEnabled }}
--cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \
{{- end }} $1
}
schemaCurl https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.schemaRegistry.port }}/subjects/sensor-value/versions
There was a problem hiding this comment.
Great suggestion
joejulian
reviewed
Jun 15, 2023
Comment on lines
56
to
66
| curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors \ | ||
| -X POST -H "Content-Type: application/vnd.schemaregistry.v1+json" \ | ||
| -d '{"schema": "{\"type\":\"record\",\"name\":\"sensor_sample\",\"fields\":[{\"name\":\"timestamp\",\"type\":\"long\",\"logicalType\":\"timestamp-millis\"},{\"name\":\"identifier\",\"type\":\"string\",\"logicalType\":\"uuid\"},{\"name\":\"value\",\"type\":\"long\"}]}"}' \ | ||
| {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.schemaRegistry.authenticationMethod }} | ||
| -u $USERNAME:$PASSWORD \ | ||
| {{- end }} | ||
| http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.schemaRegistry.port }}/subjects/sensor-value/versions |
There was a problem hiding this comment.
similar to above, could this be made a little more DRY?
joejulian
reviewed
Jun 15, 2023
RafalKorepta
force-pushed
the
rk/fix-22-2-x-schema-registry-and-panda-proxy-clients
branch
from
aaf206a to
f962c4c
Compare
As version 22.2.X does not provide basic auth configuration option in both schema registry and panda proxy the client configuration for both services needs SASL credentails to be explicitly set in Redpanda configuration. That Redpanda configuration is generated in helm and sotred as config map which should not hold any credentails. Newer version can take HTTP basic auth header to impersonate user and authenticate against Redpanda Kafka listener. Additionally HTTP proxy and schema registry tests now are run when SASL is enabled
RafalKorepta
force-pushed
the
rk/fix-22-2-x-schema-registry-and-panda-proxy-clients
branch
from
f962c4c to
640adec
Compare
joejulian
approved these changes
Jun 16, 2023
This was referenced Jun 17, 2023
RafalKorepta
pushed a commit
to RafalKorepta/redpanda-operator
that referenced
this pull request
Nov 8, 2024
The PR redpanda-data/helm-charts#544 does not pass tests due to bug in Redpanda. The pandaproxy fix will be backported eventually redpanda-data/redpanda#11425, but to unblock the nightly build the test SASL mechanism should be change from `SCRAM-SHA-512` to `SCRAM-SHA-256`.
RafalKorepta
pushed a commit
to redpanda-data/redpanda-operator
that referenced
this pull request
Dec 3, 2024
The PR redpanda-data/helm-charts#544 does not pass tests due to bug in Redpanda. The pandaproxy fix will be backported eventually redpanda-data/redpanda#11425, but to unblock the nightly build the test SASL mechanism should be change from `SCRAM-SHA-512` to `SCRAM-SHA-256`.
RafalKorepta
pushed a commit
to redpanda-data/redpanda-operator
that referenced
this pull request
Dec 3, 2024
…/fix-22-2-x-schema-registry-and-panda-proxy-clients Exclude schema registry and HTTP proxy config from 22.2.X deployment
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As version 22.2.X does not provide basic auth configuration option in both schema registry and panda proxy the client configuration for both services needs SASL credentails to be explicitly set in Redpanda configuration. That Redpanda configuration is generated in helm and sotred as config map which should not hold any credentails.
Newer version can take HTTP basic auth header to impersonate user and authenticate against Redpanda Kafka listener.
Additionally HTTP proxy and schema registry tests now are run when SASL is enabled