Generate proxy configuration honouring the KafkaService tls object (kroxylicious#2070)

* Hook up client and ca certificates in the proxy and in the volumes and mounts
* cipher suites and protocols
* Add an IT

Signed-off-by: Tom Bentley <[email protected]>

Author: tombentley

kroxylicious-operator/pom.xml

@@ -168,6 +168,11 @@
             <artifactId>kroxylicious-runtime</artifactId>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-api</artifactId>
+            <scope>compile</scope>
+        </dependency>
 
         <dependency>
             <groupId>io.micrometer</groupId>

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/ConfigurationFragment.java

@@ -6,16 +6,58 @@
 
 package io.kroxylicious.kubernetes.operator;
 
+import java.util.Optional;
 import java.util.Set;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import io.fabric8.kubernetes.api.model.Volume;
 import io.fabric8.kubernetes.api.model.VolumeMount;
 
 /**
- * A piece of proxy configuration which references files on the proxy container filesystem
- * @param fragment The piece of proxy configuration
- * @param volumes The volumes the configuration depends on
- * @param mounts The mount the configuration depends on
- * @param <F> The type of fragment
+ * A piece of proxy configuration which references files on the proxy container filesystem.
+ * @param fragment The piece of proxy configuration.
+ * @param volumes The volumes the configuration depends on.
+ * @param mounts The mount the configuration depends on.
+ * @param <F> The type of fragment.
  */
-public record ConfigurationFragment<F>(F fragment, Set<Volume> volumes, Set<VolumeMount> mounts) {}
+record ConfigurationFragment<F>(F fragment, Set<Volume> volumes, Set<VolumeMount> mounts) {
+
+    /**
+     * @return An empty optional fragment.
+     * @param <F> The fragment type.
+     */
+    static <F> ConfigurationFragment<Optional<F>> empty() {
+        return new ConfigurationFragment<>(Optional.empty(), Set.of(), Set.of());
+    }
+
+    /**
+     * Combine two fragments into a new fragment by applying the given function and taking the union of their volumes and mounts.
+     * @param x The first fragment to combine.
+     * @param y The first fragment to combine.
+     * @param fn The combining function.
+     * @return The new fragment.
+     * @param <X> The type of the first fragment.
+     * @param <Y> The type of the second fragment.
+     * @param <F> The type of the result fragment.
+     */
+    public static <X, Y, F> ConfigurationFragment<F> combine(ConfigurationFragment<X> x, ConfigurationFragment<Y> y, BiFunction<X, Y, F> fn) {
+        var t = fn.apply(x.fragment(), y.fragment());
+        return new ConfigurationFragment<>(t,
+                Stream.concat(x.volumes.stream(), y.volumes.stream()).collect(Collectors.toSet()),
+                Stream.concat(x.mounts.stream(), y.mounts.stream()).collect(Collectors.toSet()));
+    }
+
+    /**
+     * Apply the given mapping function to the fragment, returning a new instance with the same volumes and mounts.
+     * @param mapper The mapping function.
+     * @return A new fragment.
+     * @param <G> The type of the new fragment.
+     */
+    public <G> ConfigurationFragment<G> map(Function<F, G> mapper) {
+        return new ConfigurationFragment<>(mapper.apply(fragment), volumes, mounts);
+    }
+
+}

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/KafkaProxyReconciler.java

@@ -5,6 +5,7 @@
  */
 package io.kroxylicious.kubernetes.operator;
 
+import java.nio.file.Path;
 import java.time.Clock;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -19,12 +20,15 @@
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import io.fabric8.kubernetes.api.model.Volume;
+import io.fabric8.kubernetes.api.model.VolumeBuilder;
 import io.fabric8.kubernetes.api.model.VolumeMount;
+import io.fabric8.kubernetes.api.model.VolumeMountBuilder;
 import io.javaoperatorsdk.operator.OperatorException;
 import io.javaoperatorsdk.operator.api.config.informer.InformerEventSourceConfiguration;
 import io.javaoperatorsdk.operator.api.reconciler.Context;
@@ -41,14 +45,17 @@
 import io.javaoperatorsdk.operator.processing.event.source.SecondaryToPrimaryMapper;
 import io.javaoperatorsdk.operator.processing.event.source.informer.InformerEventSource;
 
+import io.kroxylicious.kubernetes.api.common.AnyLocalRef;
 import io.kroxylicious.kubernetes.api.common.Condition;
 import io.kroxylicious.kubernetes.api.common.FilterRef;
 import io.kroxylicious.kubernetes.api.common.LocalRef;
 import io.kroxylicious.kubernetes.api.v1alpha1.KafkaProxy;
 import io.kroxylicious.kubernetes.api.v1alpha1.KafkaProxyIngress;
 import io.kroxylicious.kubernetes.api.v1alpha1.KafkaService;
+import io.kroxylicious.kubernetes.api.v1alpha1.KafkaServiceSpec;
 import io.kroxylicious.kubernetes.api.v1alpha1.VirtualKafkaCluster;
 import io.kroxylicious.kubernetes.api.v1alpha1.VirtualKafkaClusterSpec;
+import io.kroxylicious.kubernetes.api.v1alpha1.kafkaservicespec.tls.TrustAnchorRef;
 import io.kroxylicious.kubernetes.filter.api.v1alpha1.KafkaProtocolFilter;
 import io.kroxylicious.kubernetes.filter.api.v1alpha1.KafkaProtocolFilterSpec;
 import io.kroxylicious.kubernetes.operator.model.ProxyModel;
@@ -63,8 +70,17 @@
 import io.kroxylicious.proxy.config.admin.EndpointsConfiguration;
 import io.kroxylicious.proxy.config.admin.ManagementConfiguration;
 import io.kroxylicious.proxy.config.admin.PrometheusMetricsConfig;
+import io.kroxylicious.proxy.config.tls.AllowDeny;
+import io.kroxylicious.proxy.config.tls.KeyPair;
+import io.kroxylicious.proxy.config.tls.KeyProvider;
+import io.kroxylicious.proxy.config.tls.PlatformTrustProvider;
+import io.kroxylicious.proxy.config.tls.Tls;
+import io.kroxylicious.proxy.config.tls.TrustProvider;
+import io.kroxylicious.proxy.config.tls.TrustStore;
 import io.kroxylicious.proxy.tag.VisibleForTesting;
 
+import edu.umd.cs.findbugs.annotations.Nullable;
+
 import static io.kroxylicious.kubernetes.operator.ResourcesUtil.name;
 import static io.kroxylicious.kubernetes.operator.ResourcesUtil.namespace;
 import static io.kroxylicious.kubernetes.operator.ResourcesUtil.toLocalRef;
@@ -104,6 +120,7 @@ public class KafkaProxyReconciler implements
     public static final String CONFIG_DEP = "config";
     public static final String DEPLOYMENT_DEP = "deployment";
     public static final String CLUSTERS_DEP = "clusters";
+    public static final Path TARGET_CLUSTER_MOUNTS_BASE_DIR = Path.of("/opt/kroxylicious/target-cluster");
 
     private final Clock clock;
     private final SecureConfigInterpolator secureConfigInterpolator;
@@ -145,26 +162,25 @@ private ConfigurationFragment<Configuration> generateProxyConfig(ProxyModel mode
 
         var virtualClusters = buildVirtualClusters(namedDefinitions.keySet(), model);
 
-        List<NamedFilterDefinition> referencedFilters = virtualClusters.stream().flatMap(c -> Optional.ofNullable(c.filters()).stream().flatMap(Collection::stream))
+        List<NamedFilterDefinition> referencedFilters = virtualClusters.stream()
+                .flatMap(vcFragment -> Optional.ofNullable(vcFragment.fragment().filters()).stream().flatMap(Collection::stream))
                 .distinct()
                 .map(filterName -> namedDefinitions.get(filterName).fragment()).toList();
 
-        var allVolumes = allFilterDefinitions.stream()
+        var allVolumes = Stream.concat(allFilterDefinitions.stream(), virtualClusters.stream())
                 .flatMap(fd -> fd.volumes().stream())
                 .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(Volume::getName).reversed())));
 
-        var allMounts = allFilterDefinitions.stream()
+        var allMounts = Stream.concat(allFilterDefinitions.stream(), virtualClusters.stream())
                 .flatMap(fd -> fd.mounts().stream())
-                .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(VolumeMount::getName).reversed())));
-
-        // TODO add the volume & mounts for each KafkaService's spec.tls
+                .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.comparing(VolumeMount::getMountPath).reversed())));
 
         return new ConfigurationFragment<>(
                 new Configuration(
                         new ManagementConfiguration(null, null, new EndpointsConfiguration(new PrometheusMetricsConfig())),
                         referencedFilters,
                         null, // no defaultFilters <= each of the virtualClusters specifies its own
-                        virtualClusters,
+                        virtualClusters.stream().map(ConfigurationFragment::fragment).toList(),
                         List.of(),
                         false,
                         // micrometer
@@ -173,11 +189,11 @@ private ConfigurationFragment<Configuration> generateProxyConfig(ProxyModel mode
                 allMounts);
     }
 
-    private static List<VirtualCluster> buildVirtualClusters(Set<String> successfullyBuiltFilterNames, ProxyModel model) {
+    private static List<ConfigurationFragment<VirtualCluster>> buildVirtualClusters(Set<String> successfullyBuiltFilterNames, ProxyModel model) {
         return model.clustersWithValidIngresses().stream()
                 .filter(cluster -> Optional.ofNullable(cluster.getSpec().getFilterRefs()).stream().flatMap(Collection::stream).allMatch(
                         filters -> successfullyBuiltFilterNames.contains(filterDefinitionName(filters))))
-                .map(cluster -> getVirtualCluster(cluster, model.resolutionResult().kafkaServiceRef(cluster).orElseThrow(), model.ingressModel()))
+                .map(cluster -> buildVirtualCluster(cluster, model.resolutionResult().kafkaServiceRef(cluster).orElseThrow(), model.ingressModel()))
                 .toList();
     }
 
@@ -230,19 +246,95 @@ private SecureConfigInterpolator.InterpolationResult interpolateConfig(KafkaProt
         return secureConfigInterpolator.interpolate(configTemplate);
     }
 
-    private static VirtualCluster getVirtualCluster(VirtualKafkaCluster cluster,
-                                                    KafkaService kafkaServiceRef,
-                                                    ProxyIngressModel ingressModel) {
+    private static ConfigurationFragment<VirtualCluster> buildVirtualCluster(VirtualKafkaCluster cluster,
+                                                                             KafkaService kafkaServiceRef,
+                                                                             ProxyIngressModel ingressModel) {
 
         ProxyIngressModel.VirtualClusterIngressModel virtualClusterIngressModel = ingressModel.clusterIngressModel(cluster).orElseThrow();
-        String bootstrap = kafkaServiceRef.getSpec().getBootstrapServers();
-        return new VirtualCluster(
-                ResourcesUtil.name(cluster), new TargetCluster(bootstrap, Optional.empty()),
+
+        return buildTargetCluster(kafkaServiceRef).map(targetCluster -> new VirtualCluster(
+                ResourcesUtil.name(cluster),
+                targetCluster,
                 null,
                 Optional.empty(),
                 virtualClusterIngressModel.gateways(),
-                false, false,
-                filterNamesForCluster(cluster));
+                false,
+                false,
+                filterNamesForCluster(cluster)));
+    }
+
+    private static ConfigurationFragment<TargetCluster> buildTargetCluster(KafkaService kafkaServiceRef) {
+        return buildTargetClusterTls(kafkaServiceRef)
+                .map(tls -> new TargetCluster(kafkaServiceRef.getSpec().getBootstrapServers(), tls));
+    }
+
+    private static ConfigurationFragment<Optional<Tls>> buildTargetClusterTls(KafkaService kafkaServiceRef) {
+        return Optional.ofNullable(kafkaServiceRef.getSpec())
+                .map(KafkaServiceSpec::getTls)
+                .map(serviceTls -> ConfigurationFragment.combine(
+                        buildKeyProvider(serviceTls.getCertificateRef()),
+                        buildTrustProvider(serviceTls.getTrustAnchorRef()),
+                        (keyProviderOpt, trustProvider) -> Optional.of(
+                                new Tls(keyProviderOpt.orElse(null),
+                                        trustProvider,
+                                        Optional.ofNullable(serviceTls.getCipherSuites())
+                                                .map(cipherSuites -> new AllowDeny<>(cipherSuites.getAllowed(), new HashSet<>(cipherSuites.getDenied())))
+                                                .orElse(null),
+                                        Optional.ofNullable(serviceTls.getProtocols())
+                                                .map(protocols -> new AllowDeny<>(protocols.getAllowed(), new HashSet<>(protocols.getDenied())))
+                                                .orElse(null)))))
+                .orElse(ConfigurationFragment.empty());
+    }
+
+    private static ConfigurationFragment<Optional<KeyProvider>> buildKeyProvider(@Nullable AnyLocalRef certificateRef) {
+        return Optional.ofNullable(certificateRef)
+                .filter(ResourcesUtil::isSecret)
+                .map(ref -> {
+                    var volume = new VolumeBuilder()
+                            .withName(ResourcesUtil.volumeName("", "secrets", ref.getName()))
+                            .withNewSecret()
+                            .withSecretName(ref.getName())
+                            .endSecret()
+                            .build();
+                    Path mountPath = TARGET_CLUSTER_MOUNTS_BASE_DIR.resolve("client-certs").resolve(ref.getName());
+                    var mount = new VolumeMountBuilder()
+                            .withName(ResourcesUtil.volumeName("", "secrets", ref.getName()))
+                            .withMountPath(mountPath.toString())
+                            .withReadOnly(true)
+                            .build();
+                    var keyPath = mountPath.resolve("tls.key");
+                    var crtPath = mountPath.resolve("tls.crt");
+                    return new ConfigurationFragment<>(
+                            Optional.<KeyProvider> of(new KeyPair(keyPath.toString(), crtPath.toString(), null)),
+                            Set.of(volume),
+                            Set.of(mount));
+                }).orElse(ConfigurationFragment.empty());
+    }
+
+    private static ConfigurationFragment<TrustProvider> buildTrustProvider(@Nullable TrustAnchorRef trustAnchorRef) {
+        return Optional.ofNullable(trustAnchorRef)
+                .filter(ResourcesUtil::isConfigMap)
+                .map(ref -> {
+                    var volume = new VolumeBuilder()
+                            .withName(ResourcesUtil.volumeName("", "configmaps", ref.getName()))
+                            .withNewConfigMap()
+                            .withName(ref.getName())
+                            .endConfigMap()
+                            .build();
+                    Path mountPath = TARGET_CLUSTER_MOUNTS_BASE_DIR.resolve("trusted-certs").resolve(ref.getName());
+                    var mount = new VolumeMountBuilder()
+                            .withName(ResourcesUtil.volumeName("", "configmaps", ref.getName()))
+                            .withMountPath(mountPath.toString())
+                            .withReadOnly(true)
+                            .build();
+                    TrustProvider trustProvider = new TrustStore(
+                            mountPath.resolve(ref.getKey()).toString(),
+                            null,
+                            "PEM");
+                    return new ConfigurationFragment<>(trustProvider,
+                            Set.of(volume),
+                            Set.of(mount));
+                }).orElse(new ConfigurationFragment<>(PlatformTrustProvider.INSTANCE, Set.of(), Set.of()));
     }
 
     /**
@@ -266,7 +358,9 @@ public ErrorStatusUpdateControl<KafkaProxy> updateErrorStatus(KafkaProxy proxy,
                                                                   Context<KafkaProxy> context,
                                                                   Exception e) {
         if (e instanceof StaleReferentStatusException || e instanceof OperatorException && e.getCause() instanceof StaleReferentStatusException) {
-            LOGGER.debug("Completed reconciliation of {}/{} with stale referent", namespace(proxy), name(proxy), e);
+            if (LOGGER.isDebugEnabled()) {
+                LOGGER.debug("Completed reconciliation of {}/{} with stale referent", namespace(proxy), name(proxy), e);
+            }
             return ErrorStatusUpdateControl.noStatusUpdate();
         }
         var uc = ErrorStatusUpdateControl.patchStatus(statusFactory.newUnknownConditionStatusPatch(proxy, Condition.Type.Ready, e));

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/KafkaServiceReconciler.java

@@ -131,8 +131,7 @@ private KafkaService checkTrustAnchorRef(KafkaService service,
                                              Context<KafkaService> context,
                                              TrustAnchorRef trustAnchorRef) {
         String path = "spec.tls.trustAnchorRef";
-        if ("ConfigMap".equals(Optional.ofNullable(trustAnchorRef.getKind()).orElse("ConfigMap"))
-                && Optional.ofNullable(trustAnchorRef.getGroup()).orElse("").isEmpty()) {
+        if (ResourcesUtil.isConfigMap(trustAnchorRef)) {
             Optional<ConfigMap> configMapOpt = context.getSecondaryResource(ConfigMap.class, CONFIG_MAPS_EVENT_SOURCE_NAME);
             if (configMapOpt.isEmpty()) {
                 return statusFactory.newFalseConditionStatusPatch(service, ResolvedRefs,
@@ -173,8 +172,7 @@ private KafkaService checkCertRef(KafkaService service,
                                       Context<KafkaService> context,
                                       AnyLocalRef certRef) {
         String path = "spec.tls.certificateRef";
-        if ("Secret".equals(Optional.ofNullable(certRef.getKind()).orElse("Secret"))
-                && Optional.ofNullable(certRef.getGroup()).orElse("").isEmpty()) {
+        if (ResourcesUtil.isSecret(certRef)) {
             Optional<Secret> secretOpt = context.getSecondaryResource(Secret.class, SECRETS_EVENT_SOURCE_NAME);
             if (secretOpt.isEmpty()) {
                 return statusFactory.newFalseConditionStatusPatch(service, ResolvedRefs,

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/MountedResourceConfigProvider.java

@@ -24,13 +24,15 @@ public class MountedResourceConfigProvider implements SecureConfigProvider {
     static final MountedResourceConfigProvider CONFIGMAP_PROVIDER = new MountedResourceConfigProvider("", "configmaps",
             (vb, resourceName) -> vb.withNewConfigMap().withName(resourceName).endConfigMap());
 
-    private final String volumeNamePrefix;
+    private final String group;
+    private final String plural;
     private final BiFunction<VolumeBuilder, String, VolumeBuilder> volumeBuilder;
 
     MountedResourceConfigProvider(String group,
                                   String plural,
                                   BiFunction<VolumeBuilder, String, VolumeBuilder> volumeBuilder) {
-        this.volumeNamePrefix = group.isEmpty() ? plural : group + "." + plural;
+        this.group = group;
+        this.plural = plural;
         this.volumeBuilder = volumeBuilder;
     }
 
@@ -41,9 +43,7 @@ public ContainerFileReference containerFile(
                                                 String key,
                                                 Path mountPathBase) {
         try {
-            String volumeName = volumeNamePrefix + "-" + resourceName;
-            ResourcesUtil.requireIsDnsLabel(volumeName, true,
-                    "volume name would not be a DNS label: " + volumeName);
+            String volumeName = ResourcesUtil.volumeName(group, plural, resourceName);
             Path mountPath = mountPathBase.resolve(providerName).resolve(resourceName);
             Path itemPath = mountPath.resolve(key);
             Volume volume = volumeBuilder.apply(new VolumeBuilder(), resourceName)
@@ -60,7 +60,7 @@ public ContainerFileReference containerFile(
                     itemPath);
         }
         catch (IllegalArgumentException e) {
-            throw new InterpolationException("Cannot construct mounted volume for ${%s:%s:%s}".formatted(
+            throw new InterpolationException("Cannot construct mounted volume for ${%s:%s:%s}: %s".formatted(
                     providerName,
                     resourceName,
                     key,