@sw-cho sw-cho commented Jan 20, 2026

#103

Support Kerberos authentication to sync to/from HDFS.

  • JuiceFS client already supports Kerberos authentication via environment variables
  • Add the Kerberos-related fields to SyncSinkExternal
    • krb5Keytab: Path to the keytab file.
    • krb5KeytabBase64: Base64 encoded keytab content.
    • krb5Principal: The Kerberos principal to use.
  • Export these values as environment variables in preparecommand
  • Prevent HDFS-to-HDFS sync because Kerberos envs cannot be distinguished between source and destination.

Copilot AI left a comment

Pull request overview

This PR adds Kerberos authentication support for HDFS sync operations in the JuiceFS operator. The implementation leverages existing JuiceFS client support for Kerberos via environment variables.

Changes:

  • Added three new Kerberos-related fields to the SyncSinkExternal API (KRB5Keytab, KRB5KeytabBase64, KRB5Principal)
  • Implemented environment variable mapping and export logic for Kerberos credentials in the sync preparation pipeline
  • Added validation to prevent HDFS-to-HDFS sync operations due to environment variable collision concerns

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| api/v1/sync_types.go | Added Kerberos credential fields (KRB5Keytab, KRB5KeytabBase64, KRB5Principal) to SyncSinkExternal struct |
| api/v1/zz_generated.deepcopy.go | Auto-generated deep copy methods for new Kerberos fields |
| config/crd/bases/juicefs.io_syncs.yaml | Added CRD schema definitions for Kerberos fields in sync resources |
| config/crd/bases/juicefs.io_cronsyncs.yaml | Added CRD schema definitions for Kerberos fields in cronsync resources |
| pkg/utils/sync.go | Implemented logic to process Kerberos fields and export them as environment variables for HDFS schemes |
| pkg/builder/sync_secret.go | Added secret generation logic for Kerberos credential values |
| pkg/utils/sync_test.go | Added unit tests for HDFS sync with Kerberos authentication scenarios |
| internal/controller/sync_controller.go | Added validation to reject HDFS-to-HDFS sync operations |

@zxh326 zxh326 enabled auto-merge (squash) January 23, 2026 03:52
@zxh326 zxh326 merged commit fcc7676 into juicedata:main Jan 23, 2026
2 of 6 checks passed
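
An added illustration of the two behaviours the PR description states, exporting the Kerberos fields for HDFS sinks and rejecting HDFS-to-HDFS sync; it is not code from this pull request or from the JuiceFS operator. The `Sink` type, its `URI` field, `KerberosEnv`, and the environment variable names `KRB5KEYTAB`, `KRB5KEYTAB_BASE64` and `KRB5PRINCIPAL` are assumptions, and the sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Sink is a hypothetical stand-in for SyncSinkExternal: URI is assumed,
// the three Kerberos fields are the ones the PR description lists.
type Sink struct {
	URI, KRB5Keytab, KRB5KeytabBase64, KRB5Principal string
}

func isHDFS(uri string) bool {
	u, err := url.Parse(uri)
	return err == nil && u.Scheme == "hdfs"
}

// KerberosEnv builds the single, process-wide Kerberos environment for a job.
// The variable names are assumptions; the page does not spell them out.
func KerberosEnv(src, dst Sink) (map[string]string, error) {
	if isHDFS(src.URI) && isHDFS(dst.URI) {
		// Both ends would set the same variables, so one would silently win.
		return nil, errors.New("hdfs-to-hdfs sync rejected: Kerberos env vars are shared")
	}
	env := map[string]string{}
	for _, s := range []Sink{src, dst} {
		if !isHDFS(s.URI) {
			continue // Kerberos fields on non-HDFS sinks are not exported
		}
		for name, val := range map[string]string{
			"KRB5KEYTAB": s.KRB5Keytab, "KRB5KEYTAB_BASE64": s.KRB5KeytabBase64,
			"KRB5PRINCIPAL": s.KRB5Principal,
		} {
			if val != "" {
				env[name] = val
			}
		}
	}
	return env, nil
}

func main() {
	src := Sink{URI: "hdfs://nn.example:8020/data", KRB5Keytab: "/etc/sync.keytab", KRB5Principal: "sync@EXAMPLE.COM"} // constructed
	env, err := KerberosEnv(src, Sink{URI: "s3://bucket/prefix"})
	fmt.Println(env, err)
	_, err = KerberosEnv(src, src)
	fmt.Println(err)
}
```

The base64 keytab value is credential material, so the resulting map belongs in a Secret rather than in logged command lines.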