[helm] Enable SASL authentication configurations

Author: morazow

helm/templates/_helpers.tpl

@@ -63,4 +63,54 @@ Selector labels
 {{- define "fluss.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "fluss.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
+{{- end }}
+
+{{/*
+Generate JAAS configuration for SASL
+*/}}
+{{- define "fluss.sasl.jaasConfig" -}}
+{{- if .Values.sasl.jaasConfig }}
+{{- .Values.sasl.jaasConfig -}}
+{{- else }}
+FlussServer {
+   org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+   {{- range .Values.sasl.users }}
+   user_{{ .username }}="{{ .password }}"
+   {{- end }};
+};
+{{- end }}
+{{- end }}
+
+{{/*
+Return true if SASL is configured in any of the listener protocols
+*/}}
+{{- define "fluss.isSaslEnabled" -}}
+{{- $ctx := . -}}
+{{- $res := "" -}}
+{{- $keys := keys .Values.listeners | sortAlpha -}}
+{{- range $keys }}
+  {{- $id := . -}}
+  {{- $l := index $ctx.Values.listeners $id -}}
+  {{- if regexFind "SASL" (upper $l.protocol) -}}
+    {{- $res = "true" -}}
+  {{- end -}}
+{{- end -}}
+{{- if $res -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generate ID:SECURITY list for listener protocols
+*/}}
+{{- define "fluss.listeners.protocolMap" -}}
+{{- $ctx := . -}}
+{{- $parts := list -}}
+{{- $keys := keys .Values.listeners | sortAlpha -}}
+{{- range $keys }}
+  {{- $id := . -}}
+  {{- $l := index $ctx.Values.listeners $id -}}
+  {{- $parts = append $parts (printf "%s:%s" (upper $id) (upper $l.protocol)) -}}
+{{- end -}}
+{{- join "," $parts -}}
+{{- end }}

helm/templates/secret-sasl.yaml

@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- if (include "fluss.isSaslEnabled" .) }}
+{{- if not .Values.sasl.existingSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "fluss.fullname" . }}-sasl-jaas-config
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+type: Opaque
+data:
+  jaas.conf: {{ include "fluss.sasl.jaasConfig" . | b64enc | quote }}
+{{- end -}}
+{{- end -}}

helm/templates/sts-coordinator.yaml

@@ -77,6 +77,21 @@ spec:
               echo "" >> $FLUSS_HOME/conf/server.yaml && \
               echo "bind.listeners: ${BIND_LISTENERS}" >> $FLUSS_HOME/conf/server.yaml && \
               echo "advertised.listeners: ${ADVERTISED_LISTENERS}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "security.protocol.map: {{ include "fluss.listeners.protocolMap" . }}" >> $FLUSS_HOME/conf/server.yaml && \
+
+              {{- if (include "fluss.isSaslEnabled" .) }}
+              {{- $jaasUsers := list -}}
+              {{- range .Values.sasl.users }}
+              {{- $jaasUsers = append $jaasUsers (printf "user_%s=\\\"%s\\\"" .username .password) -}}
+              {{- end }}
+              echo "security.sasl.enabled.mechanisms: {{ .Values.sasl.mechanism }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "security.sasl.plain.jaas.config: org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required {{ join " " $jaasUsers }};" >> $FLUSS_HOME/conf/server.yaml && \
+
+              echo "client.security.protocol: SASL" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "client.security.sasl.mechanism: {{ .Values.sasl.mechanism }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "client.security.sasl.username: {{ (first .Values.sasl.users).username }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "client.security.sasl.password: {{ (first .Values.sasl.users).password }}" >> $FLUSS_HOME/conf/server.yaml && \
+              {{- end }}
 
               bin/coordinator-server.sh start-foreground
           livenessProbe:
@@ -100,6 +115,11 @@ spec:
               mountPath: /opt/conf
             - name: data
               mountPath: /tmp/fluss/data
+            {{- if (include "fluss.isSaslEnabled" .) }}
+            - name: sasl-config
+              mountPath: /etc/fluss/conf
+              readOnly: true
+            {{- end }}
       volumes:
         - name: fluss-conf
           configMap:
@@ -108,6 +128,11 @@ spec:
         - name: data
           emptyDir: {}
         {{- end }}
+        {{- if (include "fluss.isSaslEnabled" .) }}
+        - name: sasl-config
+          secret:
+            secretName: {{ if .Values.sasl.existingSecret }}{{ .Values.sasl.existingSecret }}{{ else }}{{ include "fluss.fullname" . }}-sasl-jaas-config{{ end }}
+        {{- end }}
   {{- if .Values.coordinator.storage.enabled }}
   volumeClaimTemplates:
     - metadata:

helm/templates/sts-tablet.yaml

@@ -74,6 +74,21 @@ spec:
               echo "tablet-server.id: ${FLUSS_SERVER_ID}" >> $FLUSS_HOME/conf/server.yaml && \
               echo "bind.listeners: ${BIND_LISTENERS}" >> $FLUSS_HOME/conf/server.yaml && \
               echo "advertised.listeners: ${ADVERTISED_LISTENERS}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "security.protocol.map: {{ include "fluss.listeners.protocolMap" . }}" >> $FLUSS_HOME/conf/server.yaml && \
+
+              {{- if (include "fluss.isSaslEnabled" .) }}
+              {{- $jaasUsers := list -}}
+              {{- range .Values.sasl.users }}
+              {{- $jaasUsers = append $jaasUsers (printf "user_%s=\\\"%s\\\"" .username .password) -}}
+              {{- end }}
+              echo "security.sasl.enabled.mechanisms: {{ .Values.sasl.mechanism }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "security.sasl.plain.jaas.config: org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required {{ join " " $jaasUsers }};" >> $FLUSS_HOME/conf/server.yaml && \
+
+              echo "client.security.protocol: SASL" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "client.security.sasl.mechanism: {{ .Values.sasl.mechanism }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "client.security.sasl.username: {{ (first .Values.sasl.users).username }}" >> $FLUSS_HOME/conf/server.yaml && \
+              echo "client.security.sasl.password: {{ (first .Values.sasl.users).password }}" >> $FLUSS_HOME/conf/server.yaml && \
+              {{- end }}
 
               bin/tablet-server.sh start-foreground
           livenessProbe:
@@ -97,6 +112,11 @@ spec:
               mountPath: /opt/conf
             - name: data
               mountPath: /tmp/fluss/data
+            {{- if (include "fluss.isSaslEnabled" .) }}
+            - name: sasl-config
+              mountPath: /etc/fluss/conf
+              readOnly: true
+            {{- end }}
       volumes:
         - name: fluss-conf
           configMap:
@@ -105,6 +125,11 @@ spec:
         - name: data
           emptyDir: {}
         {{- end }}
+        {{- if (include "fluss.isSaslEnabled" .) }}
+        - name: sasl-config
+          secret:
+            secretName: {{ if .Values.sasl.existingSecret }}{{ .Values.sasl.existingSecret }}{{ else }}{{ include "fluss.fullname" . }}-sasl-jaas-config{{ end }}
+        {{- end }}
   {{- if .Values.tablet.storage.enabled }}
   volumeClaimTemplates:
     - metadata:

helm/values.yaml

@@ -54,8 +54,10 @@ coordinator:
 # Fluss listener configurations
 listeners:
   internal:
+    protocol: PLAINTEXT
     port: 9123
   client:
+    protocol: PLAINTEXT
     port: 9124
 
 resources: {}
@@ -85,3 +87,14 @@ serviceAccount:
   # Additional annotations to apply to the ServiceAccount.
   # These can be useful, for example, to support integrations like workload identity.
   annotations: {}
+
+## Fluss SASL configurations for authentication.
+## These are required if SASL listeners are configured.
+sasl:
+  mechanism: PLAIN
+  # List of client users for authentication
+  users:
+    - username: admin
+      password: password
+  # If specified, the existing secret must contain a key `jaas.conf` with the JAAS configuration
+  existingSecret: ""

website/docs/install-deploy/deploying-with-helm.md

@@ -36,7 +36,7 @@ the installation documentation provides instructions for deploying one using Bit
 
 ### Running Fluss locally with Minikube
 
-For local testing and development, you can deploy Fluss on Minikube. This is ideal for development, testing, and learning purposes.
+For local testing and development, you can deploy Fluss on Minikube. This is ideal for development, testing and learning purposes.
 
 #### Prerequisites
 
@@ -157,7 +157,7 @@ kubectl logs -l app.kubernetes.io/component=tablet
 
 ## Configuration Parameters
 
-The following table lists the configurable parameters of the Fluss chart and their default values.
+The following table lists the configurable parameters of the Fluss chart, and their default values.
 
 ### Global Parameters
 
@@ -225,6 +225,13 @@ The following table lists the configurable parameters of the Fluss chart and the
 | `resources.tabletServer.limits.cpu` | CPU limits for tablet servers | Not set |
 | `resources.tabletServer.limits.memory` | Memory limits for tablet servers | Not set |
 
+### SASL Parameters
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `sasl.mechanism` | SASL mechanism | `PLAIN` |
+| `sasl.users` | User list for PLAIN authentication | `[{username: admin, password: password}]` |
+| `sasl.existingSecret` | Use existing secret containing `jaas.conf` | `""` |
 
 ## Advanced Configuration
 
@@ -245,16 +252,47 @@ The chart automatically configures listeners for internal cluster communication
 - **Internal Port (9123)**: Used for internal communication within the cluster
 - **Client Port (9124)**: Used for client connections
 
-Custom listener configuration:
+Default listeners configuration:
 
 ```yaml
 listeners:
   internal:
+    protocol: PLAINTEXT
     port: 9123
   client:
+    protocol: PLAINTEXT
     port: 9124
 ```
 
+To enable SASL based authentication, set any of the protocols to `SASL`.
+
+### Enabling Secure Connection
+
+With the helm deployment, you can specify authentication protocols when connecting to the Fluss cluster.
+
+The following table shows the supported protocols and security they provide:
+
+| Method      | Authentication | TLS Encryption     |
+|-------------|:--------------:|:------------------:|
+| `PLAINTEXT` | No             | No                 |
+| `SASL`      | Yes            | No                 |
+
+By default, the `PLAINTEXT` protocol is used.
+
+The SASL authentication will be enabled if any of the listener protocols is using `SASL`.
+
+Set these values for additional configurations:
+
+```yaml
+sasl:
+  mechanism: PLAIN
+  users:
+    - username: admin
+      password: password
+```
+
+The `users` defines comma-separated list of usernames and passwords for client communications when SASL is enabled.
+
 ### Storage Configuration
 
 Configure different storage volumes for coordinator or tablet pods: