Prevent NPE that may occur if the KafkaServer CR did not have trust anchors or client certificates. (kroxylicious#2093)

Signed-off-by: Keith Wall <[email protected]>

Author: k-wall

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/KafkaProxyIngressReconciler.java

@@ -9,6 +9,7 @@
 import java.time.Clock;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -55,7 +56,7 @@ public List<EventSource<?, KafkaProxyIngress>> prepareEventSources(EventSourceCo
                 .withSecondaryToPrimaryMapper(proxy -> ResourcesUtil.findReferrers(context,
                         proxy,
                         KafkaProxyIngress.class,
-                        ingress -> ingress.getSpec().getProxyRef()))
+                        ingress -> Optional.of(ingress.getSpec().getProxyRef())))
                 .build();
         return List.of(new InformerEventSource<>(configuration, context));
     }

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/KafkaServiceReconciler.java

@@ -9,6 +9,7 @@
 import java.time.Clock;
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -21,6 +22,8 @@
 import io.javaoperatorsdk.operator.api.reconciler.EventSourceContext;
 import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
 import io.javaoperatorsdk.operator.processing.event.source.EventSource;
+import io.javaoperatorsdk.operator.processing.event.source.PrimaryToSecondaryMapper;
+import io.javaoperatorsdk.operator.processing.event.source.SecondaryToPrimaryMapper;
 import io.javaoperatorsdk.operator.processing.event.source.informer.InformerEventSource;
 
 import io.kroxylicious.kubernetes.api.common.AnyLocalRef;
@@ -29,6 +32,7 @@
 import io.kroxylicious.kubernetes.api.v1alpha1.KafkaServiceSpec;
 import io.kroxylicious.kubernetes.api.v1alpha1.kafkaservicespec.Tls;
 import io.kroxylicious.kubernetes.api.v1alpha1.kafkaservicespec.tls.TrustAnchorRef;
+import io.kroxylicious.proxy.tag.VisibleForTesting;
 
 import edu.umd.cs.findbugs.annotations.Nullable;
 
@@ -71,28 +75,59 @@ public List<EventSource<?, KafkaService>> prepareEventSources(EventSourceContext
                 Secret.class,
                 KafkaService.class)
                 .withName(SECRETS_EVENT_SOURCE_NAME)
-                .withPrimaryToSecondaryMapper((KafkaService cluster) -> ResourcesUtil.localRefAsResourceId(cluster, cluster.getSpec().getTls().getCertificateRef()))
-                .withSecondaryToPrimaryMapper(secret -> ResourcesUtil.findReferrers(context,
-                        secret,
-                        KafkaService.class,
-                        service -> service.getSpec().getTls().getCertificateRef()))
+                .withPrimaryToSecondaryMapper(kafkaServiceToSecret())
+                .withSecondaryToPrimaryMapper(secretToKafkaService(context))
                 .build();
         InformerEventSourceConfiguration<ConfigMap> serviceToConfigMap = InformerEventSourceConfiguration.from(
                 ConfigMap.class,
                 KafkaService.class)
                 .withName(CONFIG_MAPS_EVENT_SOURCE_NAME)
-                .withPrimaryToSecondaryMapper(
-                        (KafkaService cluster) -> ResourcesUtil.localRefAsResourceId(cluster, asRef(cluster.getSpec().getTls().getTrustAnchorRef())))
-                .withSecondaryToPrimaryMapper(configMap -> ResourcesUtil.findReferrers(context,
-                        configMap,
-                        KafkaService.class,
-                        service -> asRef(service.getSpec().getTls().getTrustAnchorRef())))
+                .withPrimaryToSecondaryMapper(kafkaServiceToConfigMap())
+                .withSecondaryToPrimaryMapper(configMapToKafkaService(context))
                 .build();
         return List.of(
                 new InformerEventSource<>(serviceToSecret, context),
                 new InformerEventSource<>(serviceToConfigMap, context));
     }
 
+    @VisibleForTesting
+    static PrimaryToSecondaryMapper<KafkaService> kafkaServiceToSecret() {
+        return (KafkaService cluster) -> Optional.ofNullable(cluster.getSpec())
+                .map(KafkaServiceSpec::getTls)
+                .map(Tls::getCertificateRef)
+                .map(cr -> ResourcesUtil.localRefAsResourceId(cluster, cr)).orElse(Set.of());
+    }
+
+    @VisibleForTesting
+    static SecondaryToPrimaryMapper<Secret> secretToKafkaService(EventSourceContext<KafkaService> context) {
+        return secret -> ResourcesUtil.findReferrers(context,
+                secret,
+                KafkaService.class,
+                service -> Optional.ofNullable(service.getSpec())
+                        .map(KafkaServiceSpec::getTls)
+                        .map(Tls::getCertificateRef));
+    }
+
+    @VisibleForTesting
+    static SecondaryToPrimaryMapper<ConfigMap> configMapToKafkaService(EventSourceContext<KafkaService> context) {
+        return configMap -> ResourcesUtil.findReferrers(context,
+                configMap,
+                KafkaService.class,
+                service -> Optional.ofNullable(service.getSpec())
+                        .map(KafkaServiceSpec::getTls)
+                        .map(Tls::getTrustAnchorRef)
+                        .map(KafkaServiceReconciler::asRef));
+    }
+
+    @VisibleForTesting
+    static PrimaryToSecondaryMapper<KafkaService> kafkaServiceToConfigMap() {
+        return (KafkaService cluster) -> Optional.ofNullable(cluster.getSpec())
+                .map(KafkaServiceSpec::getTls)
+                .map(Tls::getTrustAnchorRef)
+                .map(tar -> ResourcesUtil.localRefAsResourceId(cluster, asRef(tar)))
+                .orElse(Set.of());
+    }
+
     @Override
     public UpdateControl<KafkaService> reconcile(KafkaService service, Context<KafkaService> context) {
 

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/ResourcesUtil.java

@@ -257,11 +257,11 @@ static <O extends HasMetadata, R extends HasMetadata> Set<ResourceID> localRefsA
     static <O extends HasMetadata, R extends HasMetadata> Set<ResourceID> findReferrers(EventSourceContext<?> context,
                                                                                         R referent,
                                                                                         Class<O> owner,
-                                                                                        Function<O, LocalRef<R>> refAccessor) {
+                                                                                        Function<O, Optional<LocalRef<R>>> refAccessor) {
         return ResourcesUtil.filteredResourceIdsInSameNamespace(context,
                 referent,
                 owner,
-                primary -> ResourcesUtil.isReferent(refAccessor.apply(primary), referent));
+                primary -> refAccessor.apply(primary).map(lr -> ResourcesUtil.isReferent(lr, referent)).orElse(false));
     }
 
     /**

kroxylicious-operator/src/main/java/io/kroxylicious/kubernetes/operator/VirtualKafkaClusterReconciler.java

@@ -219,7 +219,7 @@ public List<EventSource<?, VirtualKafkaCluster>> prepareEventSources(EventSource
                 .withSecondaryToPrimaryMapper(proxy -> ResourcesUtil.findReferrers(context,
                         proxy,
                         VirtualKafkaCluster.class,
-                        cluster -> cluster.getSpec().getProxyRef()))
+                        cluster -> Optional.of(cluster.getSpec().getProxyRef())))
                 .build();
 
         InformerEventSourceConfiguration<ConfigMap> clusterToProxyConfigState = InformerEventSourceConfiguration.from(
@@ -230,9 +230,9 @@ public List<EventSource<?, VirtualKafkaCluster>> prepareEventSources(EventSource
                 .withSecondaryToPrimaryMapper(configMap -> ResourcesUtil.findReferrers(context,
                         configMap,
                         VirtualKafkaCluster.class,
-                        cluster -> new AnyLocalRefBuilder().withGroup("").withKind("ConfigMap")
+                        cluster -> Optional.of(new AnyLocalRefBuilder().withGroup("").withKind("ConfigMap")
                                 .withName(cluster.getSpec().getProxyRef().getName() + CONFIG_STATE_CONFIG_MAP_SUFFIX)
-                                .build()))
+                                .build())))
                 .build();
 
         InformerEventSourceConfiguration<KafkaService> clusterToService = InformerEventSourceConfiguration.from(
@@ -244,7 +244,7 @@ public List<EventSource<?, VirtualKafkaCluster>> prepareEventSources(EventSource
                 .withSecondaryToPrimaryMapper(service -> ResourcesUtil.findReferrers(context,
                         service,
                         VirtualKafkaCluster.class,
-                        cluster -> cluster.getSpec().getTargetKafkaServiceRef()))
+                        cluster -> Optional.of(cluster.getSpec().getTargetKafkaServiceRef())))
                 .build();
 
         InformerEventSourceConfiguration<KafkaProxyIngress> clusterToIngresses = InformerEventSourceConfiguration.from(

kroxylicious-operator/src/test/java/io/kroxylicious/kubernetes/operator/KafkaServiceReconcilerTest.java

@@ -13,6 +13,7 @@
 import java.util.List;
 import java.util.Optional;
 import java.util.function.Consumer;
+import java.util.stream.Stream;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -24,13 +25,18 @@
 
 import io.fabric8.kubernetes.api.model.ConfigMap;
 import io.fabric8.kubernetes.api.model.ConfigMapBuilder;
+import io.fabric8.kubernetes.api.model.KubernetesResourceList;
 import io.fabric8.kubernetes.api.model.Secret;
 import io.fabric8.kubernetes.api.model.SecretBuilder;
 import io.fabric8.kubernetes.client.KubernetesClient;
+import io.fabric8.kubernetes.client.dsl.MixedOperation;
+import io.fabric8.kubernetes.client.dsl.Resource;
 import io.fabric8.kubernetes.client.server.mock.EnableKubernetesMockClient;
 import io.fabric8.kubernetes.client.server.mock.KubernetesMockServer;
 import io.javaoperatorsdk.operator.api.reconciler.Context;
+import io.javaoperatorsdk.operator.api.reconciler.EventSourceContext;
 import io.javaoperatorsdk.operator.api.reconciler.UpdateControl;
+import io.javaoperatorsdk.operator.processing.event.ResourceID;
 
 import io.kroxylicious.kubernetes.api.common.Condition;
 import io.kroxylicious.kubernetes.api.v1alpha1.KafkaService;
@@ -40,6 +46,7 @@
 import io.kroxylicious.kubernetes.operator.assertj.KafkaServiceStatusAssert;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -123,11 +130,11 @@ class KafkaServiceReconcilerTest {
 
     // @formatter:on
 
-    private KafkaServiceReconciler kafkaProtocolFilterReconciler;
+    private KafkaServiceReconciler kafkaServiceReconciler;
 
     @BeforeEach
     void setUp() {
-        kafkaProtocolFilterReconciler = new KafkaServiceReconciler(Clock.systemUTC());
+        kafkaServiceReconciler = new KafkaServiceReconciler(Clock.systemUTC());
     }
 
     @Test
@@ -372,7 +379,7 @@ private static void mockGetSecret(
     void shouldSetResolvedRefs(KafkaService kafkaService, Context<KafkaService> context, Consumer<ConditionListAssert> asserter) {
 
         // When
-        final UpdateControl<KafkaService> updateControl = kafkaProtocolFilterReconciler.reconcile(kafkaService, context);
+        final UpdateControl<KafkaService> updateControl = kafkaServiceReconciler.reconcile(kafkaService, context);
 
         // Then
         assertThat(updateControl).isNotNull();
@@ -382,4 +389,135 @@ void shouldSetResolvedRefs(KafkaService kafkaService, Context<KafkaService> cont
                 .conditionList();
         asserter.accept(c);
     }
+
+    @Test
+    void canMapFromKafkaServiceWithTrustAnchorToConfigMap() {
+        // Given
+        var mapper = KafkaServiceReconciler.kafkaServiceToConfigMap();
+
+        // When
+        var secondaryResourceIDs = mapper.toSecondaryResourceIDs(SERVICE);
+
+        // Then
+        assertThat(secondaryResourceIDs).containsExactly(ResourceID.fromResource(PEM_CONFIG_MAP));
+    }
+
+    @Test
+    void canMapFromKafkaServiceWithoutTrustAnchorToConfigMap() {
+        // Given
+        var mapper = KafkaServiceReconciler.kafkaServiceToConfigMap();
+        var serviceNoTrustAnchor = new KafkaServiceBuilder(SERVICE).editSpec().editTls().withTrustAnchorRef(null).endTls().endSpec().build();
+
+        // When
+        var secondaryResourceIDs = mapper.toSecondaryResourceIDs(serviceNoTrustAnchor);
+
+        // Then
+        assertThat(secondaryResourceIDs).isEmpty();
+    }
+
+    @Test
+    void canMapFromConfigMapToKafkaService() {
+        // Given
+        EventSourceContext<KafkaService> eventSourceContext = mock();
+        KubernetesClient client = mock();
+        when(eventSourceContext.getClient()).thenReturn(client);
+
+        KubernetesResourceList<KafkaService> mockList = mockKafkaServiceListOperation(client);
+        when(mockList.getItems()).thenReturn(List.of(SERVICE));
+
+        var mapper = KafkaServiceReconciler.configMapToKafkaService(eventSourceContext);
+
+        // When
+        var primaryResourceIDs = mapper.toPrimaryResourceIDs(PEM_CONFIG_MAP);
+
+        // Then
+        assertThat(primaryResourceIDs).containsExactly(ResourceID.fromResource(SERVICE));
+    }
+
+    static Stream<Arguments> mappingToConfigMapToleratesKafkaServicesWithoutTls() {
+        return Stream.of(
+                Arguments.argumentSet("without tls", new KafkaServiceBuilder(SERVICE).editSpec().withTls(null).endSpec().build()),
+                Arguments.argumentSet("with tls but without trust anchor",
+                        new KafkaServiceBuilder(SERVICE).editSpec().editTls().withTrustAnchorRef(null).endTls().endSpec().build()));
+    }
+
+    @ParameterizedTest
+    @MethodSource
+    void mappingToConfigMapToleratesKafkaServicesWithoutTls(KafkaService service) {
+        // Given
+        EventSourceContext<KafkaService> eventSourceContext = mock();
+        KubernetesClient client = mock();
+        when(eventSourceContext.getClient()).thenReturn(client);
+
+        KubernetesResourceList<KafkaService> mockList = mockKafkaServiceListOperation(client);
+        when(mockList.getItems()).thenReturn(List.of(service));
+
+        // When
+        var mapper = KafkaServiceReconciler.configMapToKafkaService(eventSourceContext);
+
+        // Then
+        var primaryResourceIDs = mapper.toPrimaryResourceIDs(new ConfigMapBuilder().withNewMetadata().withName("cm").endMetadata().build());
+        assertThat(primaryResourceIDs).isEmpty();
+    }
+
+    @Test
+    void canMapFromKafkaServiceWithClientCertToSecret() {
+        // Given
+        var mapper = KafkaServiceReconciler.kafkaServiceToSecret();
+
+        // When
+        var secondaryResourceIDs = mapper.toSecondaryResourceIDs(SERVICE);
+
+        // Then
+        assertThat(secondaryResourceIDs).containsExactly(ResourceID.fromResource(TLS_SECRET));
+    }
+
+    @Test
+    void canMapFromKafkaServiceWithoutClientCertToSecret() {
+        // Given
+        var mapper = KafkaServiceReconciler.kafkaServiceToSecret();
+        var serviceNoCert = new KafkaServiceBuilder(SERVICE).editSpec().editTls().withCertificateRef(null).endTls().endSpec().build();
+
+        // When
+        var secondaryResourceIDs = mapper.toSecondaryResourceIDs(serviceNoCert);
+
+        // Then
+        assertThat(secondaryResourceIDs).isEmpty();
+    }
+
+    static Stream<Arguments> mappingToSecretToleratesKafkaServicesWithoutTls() {
+        return Stream.of(
+                Arguments.argumentSet("without tls", new KafkaServiceBuilder(SERVICE).editSpec().withTls(null).endSpec().build()),
+                Arguments.argumentSet("with tls but without client cert",
+                        new KafkaServiceBuilder(SERVICE).editSpec().editTls().withCertificateRef(null).endTls().endSpec().build()));
+    }
+
+    @ParameterizedTest
+    @MethodSource
+    void mappingToSecretToleratesKafkaServicesWithoutTls(KafkaService service) {
+        // Given
+        EventSourceContext<KafkaService> eventSourceContext = mock();
+        KubernetesClient client = mock();
+        when(eventSourceContext.getClient()).thenReturn(client);
+
+        KubernetesResourceList<KafkaService> mockList = mockKafkaServiceListOperation(client);
+        when(mockList.getItems()).thenReturn(List.of(service));
+
+        // When
+        var mapper = KafkaServiceReconciler.secretToKafkaService(eventSourceContext);
+
+        // Then
+        var primaryResourceIDs = mapper.toPrimaryResourceIDs(new SecretBuilder().withNewMetadata().withName("secret").endMetadata().build());
+        assertThat(primaryResourceIDs).isEmpty();
+    }
+
+    private KubernetesResourceList<KafkaService> mockKafkaServiceListOperation(KubernetesClient client) {
+        MixedOperation<KafkaService, KubernetesResourceList<KafkaService>, Resource<KafkaService>> mockOperation = mock();
+        when(client.resources(KafkaService.class)).thenReturn(mockOperation);
+        KubernetesResourceList<KafkaService> mockList = mock();
+        when(mockOperation.list()).thenReturn(mockList);
+        when(mockOperation.inNamespace(any())).thenReturn(mockOperation);
+        return mockList;
+    }
+
 }