fix: redpanda console auth

izadoesdev · izadoesdev · commit b81c7bc5d36b · 2025-10-29T19:36:14.000+02:00
diff --git a/infra/env.example b/infra/env.example
diff --git a/infra/ingest/console-config.yml b/infra/ingest/console-config.yml
@@ -1,7 +1,21 @@
 kafka:
   brokers: ["redpanda:9092"]
+  sasl:
+    enabled: true
+    impersonateUser: false
 redpanda:
   adminApi:
     enabled: true
     urls: ["http://redpanda:9644"]
-
+    authentication:
+      impersonateUser: false
+authentication:
+  useSecureCookies: false
+  basic:
+    enabled: true
+authorization:
+  roleBindings:
+    - roleName: admin
+      users:
+        - loginType: basic
+          name: "admin"
diff --git a/infra/ingest/docker-compose.yml b/infra/ingest/docker-compose.yml
@@ -8,17 +8,27 @@ services:
       - "9644:9644"
     volumes:
       - redpanda_data:/var/lib/redpanda/data
+      - ./init-redpanda.sh:/init-redpanda.sh:ro
+      - ./redpanda.yaml:/etc/redpanda/redpanda.yaml.template:ro
     environment:
-      REDPANDA_LOG_LEVEL: ${REDPANDA_LOG_LEVEL:-info}
-      REDPANDA_ADVERTISED_HOST: ${REDPANDA_ADVERTISED_HOST:-localhost}
-    entrypoint: [ "/bin/bash", "-c" ]
+      REDPANDA_LOG_LEVEL: ${REDPANDA_LOG_LEVEL}
+      REDPANDA_ADVERTISED_HOST: ${REDPANDA_ADVERTISED_HOST}
+      REDPANDA_USER: ${REDPANDA_USER}
+      REDPANDA_PASSWORD: ${REDPANDA_PASSWORD}
+      VECTOR_KAFKA_USER: ${VECTOR_KAFKA_USER}
+      VECTOR_KAFKA_PASSWORD: ${VECTOR_KAFKA_PASSWORD}
+    entrypoint: ["/bin/bash", "-c"]
     command:
       - |
         if [ -z "$$REDPANDA_ADVERTISED_HOST" ]; then
           REDPANDA_ADVERTISED_HOST=$$(ip route get 1.1.1.1 2>/dev/null | grep -oP 'src \K\S+' || hostname -i)
         fi
+        echo "Cleaning up crash loop state if present..."
+        rm -f /var/lib/redpanda/data/startup_log
+        echo "Copying config file to writable location..."
+        cp /etc/redpanda/redpanda.yaml.template /etc/redpanda/redpanda.yaml
         echo "Advertising Kafka at: $$REDPANDA_ADVERTISED_HOST:19092"
-        exec /entrypoint.sh redpanda start \
+        /entrypoint.sh redpanda start \
           --kafka-addr internal://0.0.0.0:9092,external://0.0.0.0:19092 \
           --advertise-kafka-addr internal://redpanda:9092,external://$$REDPANDA_ADVERTISED_HOST:19092 \
           --pandaproxy-addr internal://0.0.0.0:8082 \
@@ -29,11 +39,42 @@ services:
           --smp 2 \
           --memory 2G \
           --reserve-memory 0M \
-          --default-log-level=info
+          --default-log-level=$${REDPANDA_LOG_LEVEL:-warn} &
+        REDPANDA_PID=$$!
+        echo "Waiting for Redpanda to be ready..."
+        MAX_RETRIES=30
+        RETRY_COUNT=0
+        while [ $$RETRY_COUNT -lt $$MAX_RETRIES ]; do
+          # Try without SASL first (SASL may not be enabled yet)
+          if rpk cluster health >/dev/null 2>&1; then
+            echo "Redpanda is ready!"
+            break
+          fi
+          # If that fails, try with SASL (in case it was already enabled)
+          if rpk cluster health -X user="$$REDPANDA_USER" -X pass="$$REDPANDA_PASSWORD" -X sasl.mechanism=SCRAM-SHA-256 >/dev/null 2>&1; then
+            echo "Redpanda is ready!"
+            break
+          fi
+          RETRY_COUNT=$$((RETRY_COUNT + 1))
+          echo "Waiting for Redpanda... ($$RETRY_COUNT/$$MAX_RETRIES)"
+          sleep 2
+        done
+        if [ $$RETRY_COUNT -eq $$MAX_RETRIES ]; then
+          echo "ERROR: Redpanda did not become ready in time"
+          kill $$REDPANDA_PID 2>/dev/null || true
+          exit 1
+        fi
+        echo "Initializing Redpanda users and ACLs..."
+        /bin/bash /init-redpanda.sh || echo "Warning: Initialization script failed, but continuing..."
+        wait $$REDPANDA_PID
     networks:
       - databuddy
     healthcheck:
-      test: [ "CMD-SHELL", "rpk cluster health | grep -q 'Healthy:.*true' && rpk topic list" ]
+      test:
+        [
+          "CMD-SHELL",
+          'rpk cluster health -X user="$$REDPANDA_USER" -X pass="$$REDPANDA_PASSWORD" -X sasl.mechanism=SCRAM-SHA-256 | grep -q ''Healthy:.*true'' && rpk topic list -X user="$$REDPANDA_USER" -X pass="$$REDPANDA_PASSWORD" -X sasl.mechanism=SCRAM-SHA-256',
+        ]
       interval: 10s
       timeout: 10s
       retries: 10
@@ -49,6 +90,13 @@ services:
       - ./console-config.yml:/tmp/console-config.yml:ro
     environment:
       CONFIG_FILEPATH: /tmp/console-config.yml
+      KAFKA_BROKERS: ${REDPANDA_BROKER}
+      KAFKA_SASL_USERNAME: ${REDPANDA_USER}
+      KAFKA_SASL_PASSWORD: ${REDPANDA_PASSWORD}
+      KAFKA_SASL_MECHANISM: SCRAM-SHA-256
+      REDPANDA_ADMINAPI_AUTHENTICATION_BASIC_USERNAME: ${REDPANDA_USER}
+      REDPANDA_ADMINAPI_AUTHENTICATION_BASIC_PASSWORD: ${REDPANDA_PASSWORD}
+      AUTHENTICATION_JWTSIGNINGKEY: ${CONSOLE_JWT_SIGNING_KEY}
     networks:
       - databuddy
     depends_on:
@@ -62,21 +110,22 @@ services:
     volumes:
       - ./vector.yaml:/etc/vector/vector.yaml:ro
     environment:
-      CLICKHOUSE_USER: ${CLICKHOUSE_USER:-default}
-      CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-defaultpass}
-      CLICKHOUSE_URL: ${CLICKHOUSE_URL:-http://clickhouse:8123}
-      VECTOR_LOG: ${VECTOR_LOG:-info}
-      VECTOR_KAFKA_USER: ${VECTOR_KAFKA_USER:-vector-agent}
-      VECTOR_KAFKA_PASSWORD: ${VECTOR_KAFKA_PASSWORD:-super_secret_password}
-      REDPANDA_BROKER: ${REDPANDA_BROKER:-redpanda:9092}
+      CLICKHOUSE_USER: ${CLICKHOUSE_USER}
+      CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD}
+      CLICKHOUSE_URL: ${CLICKHOUSE_URL}
+      VECTOR_LOG: ${VECTOR_LOG}
+      VECTOR_KAFKA_USER: ${VECTOR_KAFKA_USER}
+      VECTOR_KAFKA_PASSWORD: ${VECTOR_KAFKA_PASSWORD}
+      REDPANDA_BROKER: ${REDPANDA_BROKER}
     networks:
       - databuddy
+      - databuddy-network
     depends_on:
       redpanda:
         condition: service_healthy
         restart: true
     healthcheck:
-      test: [ "CMD", "vector", "validate", "/etc/vector/vector.yaml" ]
+      test: ["CMD", "vector", "validate", "/etc/vector/vector.yaml"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -85,8 +134,10 @@ services:
 volumes:
   redpanda_data:
 
-
 networks:
   databuddy:
     name: databuddy
     driver: bridge
+  databuddy-network:
+    name: databuddy-network
+    driver: bridge
diff --git a/infra/ingest/env.example b/infra/ingest/env.example
@@ -0,0 +1,19 @@
+# ClickHouse Configuration
+CLICKHOUSE_USER=default
+CLICKHOUSE_PASSWORD=defaultpass
+CLICKHOUSE_URL=http://clickhouse:8123
+
+# Redpanda Configuration
+REDPANDA_LOG_LEVEL=warn
+REDPANDA_ADVERTISED_HOST=localhost
+REDPANDA_BROKER=redpanda:9092
+REDPANDA_USER=admin
+REDPANDA_PASSWORD=super_secret_password
+
+# Vector Configuration
+VECTOR_LOG=warn
+VECTOR_KAFKA_USER=vector-agent
+VECTOR_KAFKA_PASSWORD=super_secret_password
+
+# Console Configuration
+CONSOLE_JWT_SIGNING_KEY=databuddy-console-jwt-secret-key-change-in-production-min-32-chars
diff --git a/infra/ingest/init-redpanda.sh b/infra/ingest/init-redpanda.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+set -e
+
+VECTOR_KAFKA_USER="${VECTOR_KAFKA_USER}"
+VECTOR_KAFKA_PASSWORD="${VECTOR_KAFKA_PASSWORD}"
+REDPANDA_USER="${REDPANDA_USER}"
+REDPANDA_PASSWORD="${REDPANDA_PASSWORD}"
+
+echo "Setting up Redpanda SASL users and ACLs..."
+
+echo "Step 1: Creating admin superuser (without SASL)..."
+OUTPUT=$(rpk security user create "${REDPANDA_USER}" -p "${REDPANDA_PASSWORD}" --mechanism SCRAM-SHA-256 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "already exists"; then
+	echo "Admin user already exists, skipping..."
+elif echo "${OUTPUT}" | grep -q "Created user"; then
+	echo "Admin user created successfully"
+else
+	echo "Warning: Failed to create admin user"
+	echo "${OUTPUT}"
+fi
+
+echo "Step 2: Setting admin as superuser..."
+OUTPUT=$(rpk cluster config set superusers "[\"${REDPANDA_USER}\"]" 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|Successfully"; then
+	echo "Admin set as superuser successfully"
+elif echo "${OUTPUT}" | grep -q "already"; then
+	echo "Admin is already configured as superuser"
+else
+	echo "Warning: Failed to set superuser"
+	echo "${OUTPUT}"
+fi
+
+echo "Step 3: Ensuring enterprise features are disabled (before enabling SASL)..."
+# Disable audit logging (enterprise feature)
+OUTPUT=$(rpk cluster config set audit_enabled false 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Audit logging disabled"
+fi
+
+# Disable continuous data balancing (enterprise feature)
+OUTPUT=$(rpk cluster config set partition_autobalancing_mode node_add 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Continuous data balancing disabled"
+fi
+
+# Disable continuous intra-broker partition balancing (enterprise feature)
+OUTPUT=$(rpk cluster config set core_balancing_continuous false 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Continuous intra-broker balancing disabled"
+fi
+
+# Disable tiered storage (enterprise feature)
+OUTPUT=$(rpk cluster config set cloud_storage_enabled false 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Tiered storage disabled"
+fi
+
+# Disable remote read replicas (enterprise feature)
+OUTPUT=$(rpk cluster config set cloud_storage_enable_remote_read false 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Remote read replicas disabled"
+fi
+
+# Disable leader pinning (enterprise feature)
+OUTPUT=$(rpk cluster config set default_leaders_preference none 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Leader pinning disabled"
+fi
+
+# Disable server-side schema ID validation (enterprise feature)
+OUTPUT=$(rpk cluster config set enable_schema_id_validation none 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "Server-side schema ID validation disabled"
+fi
+
+# Ensure we're only using SCRAM (not OIDC/OAUTHBEARER which are enterprise)
+OUTPUT=$(rpk cluster config set sasl_mechanisms '["SCRAM"]' 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|already\|Successfully"; then
+	echo "SASL mechanisms set to SCRAM only"
+fi
+
+echo "Step 4: Enabling auto-create topics..."
+OUTPUT=$(rpk cluster config set auto_create_topics_enabled true 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|Successfully"; then
+	echo "Auto-create topics enabled successfully"
+elif echo "${OUTPUT}" | grep -q "already"; then
+	echo "Auto-create topics is already enabled"
+else
+	echo "Warning: Failed to enable auto-create topics"
+	echo "${OUTPUT}"
+fi
+
+echo "Step 5: Enabling SASL authentication..."
+OUTPUT=$(rpk cluster config set enable_sasl true 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "Set\|Successfully"; then
+	echo "SASL enabled successfully"
+elif echo "${OUTPUT}" | grep -q "already"; then
+	echo "SASL is already enabled"
+else
+	echo "Warning: Failed to enable SASL (might already be enabled via config)"
+	echo "${OUTPUT}"
+fi
+
+echo "Step 6: Waiting for SASL to be fully ready..."
+sleep 3
+
+SASL_CONFIG="-X user=${REDPANDA_USER} -X pass=${REDPANDA_PASSWORD} -X sasl.mechanism=SCRAM-SHA-256"
+
+echo "Step 7: Creating vector-agent user (with SASL)..."
+OUTPUT=$(rpk security user create "${VECTOR_KAFKA_USER}" -p "${VECTOR_KAFKA_PASSWORD}" --mechanism SCRAM-SHA-256 ${SASL_CONFIG} 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "already exists"; then
+	echo "vector-agent user already exists, skipping..."
+elif echo "${OUTPUT}" | grep -q "Created user"; then
+	echo "vector-agent user created successfully"
+else
+	echo "Error: Failed to create vector-agent user"
+	echo "${OUTPUT}"
+	exit 1
+fi
+
+echo "Step 8: Setting ACL permissions for vector-agent..."
+OUTPUT=$(rpk security acl create \
+	--allow-principal "User:${VECTOR_KAFKA_USER}" \
+	--operation read,write,create \
+	--topic '*' \
+	--group '*' \
+	${SASL_CONFIG} 2>&1 || true)
+if echo "${OUTPUT}" | grep -q "already exists"; then
+	echo "ACL permissions already exist, skipping..."
+elif echo "${OUTPUT}" | grep -q "Created ACL"; then
+	echo "ACL permissions created successfully"
+else
+	echo "Warning: Failed to create ACLs (might already exist)"
+	echo "${OUTPUT}"
+fi
+
+echo "Redpanda initialization completed successfully!"
+
diff --git a/infra/ingest/redpanda.yaml b/infra/ingest/redpanda.yaml
@@ -0,0 +1,32 @@
+redpanda:
+  data_directory: /var/lib/redpanda/data
+  node_id: 0
+  rpc_server:
+    address: 0.0.0.0
+    port: 33145
+  kafka_api:
+    - address: 0.0.0.0
+      port: 9092
+      name: internal
+      authentication_method: sasl
+    - address: 0.0.0.0
+      port: 19092
+      name: external
+      authentication_method: sasl
+  admin:
+    - address: 0.0.0.0
+      port: 9644
+  admin_api_doc_dir: /usr/share/redpanda/admin-api-doc
+
+rpk:
+  enable_usage_stats: false
+
+pandaproxy:
+  pandaproxy_api:
+    - address: 0.0.0.0
+      port: 8082
+
+schema_registry:
+  schema_registry_api:
+    - address: 0.0.0.0
+      port: 8081
diff --git a/infra/ingest/vector.yaml b/infra/ingest/vector.yaml
@@ -12,6 +12,11 @@ sources:
       - analytics-email-events
       - analytics-blocked-traffic
     auto_offset_reset: earliest
+    sasl:
+      enabled: true
+      mechanism: SCRAM-SHA-256
+      username: "${VECTOR_KAFKA_USER}"
+      password: "${VECTOR_KAFKA_PASSWORD}"
     decoding:
       codec: json
 
@@ -177,6 +182,3 @@ sinks:
     path: /var/log/vector/dead_letters.log
     encoding:
       codec: json
-
-
-
