[helm] Enable SASL authentication configurations (apache#2506)

Author: morazow

helm/README.md

@@ -22,7 +22,7 @@ This chart deploys an Apache Fluss cluster on Kubernetes, following Helm best pr
 It requires a Zookeeper ensemble to be running in the same Kubernetes cluster. In future releases, we may add support for an embedded Zookeeper cluster.
 
 
-## Development environment 
+## Development environment
 
 | component                                                                      | version |
 | ------------------------------------------------------------------------------ | ------- |
@@ -33,7 +33,7 @@ It requires a Zookeeper ensemble to be running in the same Kubernetes cluster. I
 | [Apache Fluss](https://fluss.apache.org/docs/)                                 | v0.10.0-incubating  |
 
 
-## Image requirements 
+## Image requirements
 
 A container image for Fluss is available on DockerHub as `fluss/fluss`. You can use it directly or build your own from this repo. To use your own image you need to build the project with [Maven](https://fluss.apache.org/community/dev/building/) and build it with Docker.
 
@@ -98,6 +98,34 @@ Important Fluss options surfaced by the chart:
 - zookeeper.address must point to a reachable ensemble.
 - data.dir defaults to /tmp/fluss/data; use a PVC if persistence.enabled=true.
 
+### Security configuration
+
+The authentication methods are configured through `security` values block.
+
+```yaml
+listeners:
+  internal:
+    port: 9123
+  client:
+    port: 9124
+
+security:
+  client:
+    sasl:
+      mechanism: plain
+      plain:
+        users:
+          - username: client-user
+            password: client-password
+
+  internal:
+    sasl:
+      mechanism: plain
+      plain:
+        username: internal-user
+        password: internal-password
+```
+
 ### Private Docker Registry
 
 If you are pulling the Fluss image from a private Docker registry, you can configure the chart using `image.registry` and `image.pullSecrets`.

helm/templates/NOTES.txt

@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+CHART NAME: {{ .Chart.Name }}
+CHART VERSION: {{ .Chart.Version }}
+APP VERSION: {{ .Chart.AppVersion }}
+
+{{ include "fluss.security.validateValues" . }}

helm/templates/_security.tpl

@@ -0,0 +1,209 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{/*
+Returns the authentication mechanism value of a given listener.
+Allowed mechanism values: '', 'plain'
+Usage:
+  include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "client")
+*/}}
+{{- define "fluss.security.listener.mechanism" -}}
+{{- $listener := index .context.security .listener | default (dict) -}}
+{{- $sasl := $listener.sasl | default (dict) -}}
+{{- $mechanism := lower (default "" $sasl.mechanism) -}}
+{{- $mechanism -}}
+{{- end -}}
+
+{{/*
+Returns true if any of the listeners uses SASL based authentication mechanism ('plain' for now).
+Usage:
+  include "fluss.security.sasl.enabled" .
+*/}}
+{{- define "fluss.security.sasl.enabled" -}}
+{{- $internal := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "internal") -}}
+{{- $client := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "client") -}}
+{{- if or (ne $internal "") (ne $client "") -}}true{{- end -}}
+{{- end -}}
+
+{{/*
+Returns true if any of the listeners uses 'plain' authentication mechanism.
+Usage:
+  include "fluss.security.sasl.plain.enabled" .
+*/}}
+{{- define "fluss.security.sasl.plain.enabled" -}}
+{{- $internal := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "internal") -}}
+{{- $client := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "client") -}}
+{{- if or (eq $internal "plain") (eq $client "plain") -}}true{{- end -}}
+{{- end -}}
+
+{{/*
+Returns protocol value derived from listener mechanism.
+Usage:
+  include "fluss.security.listener.protocol" (dict "context" .Values "listener" "internal")
+*/}}
+{{- define "fluss.security.listener.protocol" -}}
+{{- $mechanism := include "fluss.security.listener.mechanism" (dict "context" .context "listener" .listener) -}}
+{{- if eq $mechanism "" -}}PLAINTEXT{{- else -}}SASL{{- end -}}
+{{- end -}}
+
+{{/*
+Returns comma separated list of enabled mechanisms.
+Usage:
+  include "fluss.security.sasl.enabledMechanisms" .
+*/}}
+{{- define "fluss.security.sasl.enabledMechanisms" -}}
+{{- $mechanisms := list -}}
+{{- range $listener := list "internal" "client" -}}
+  {{- $current := include "fluss.security.listener.mechanism" (dict "context" $.Values "listener" $listener) -}}
+  {{- if and (ne $current "") (not (has (upper $current) $mechanisms)) -}}
+    {{- $mechanisms = append $mechanisms (upper $current) -}}
+  {{- end -}}
+{{- end -}}
+{{- join "," $mechanisms -}}
+{{- end -}}
+
+{{/*
+Validates that SASL mechanisms are valid.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+  include "fluss.security.sasl.validateMechanisms" .
+*/}}
+{{- define "fluss.security.sasl.validateMechanisms" -}}
+{{- $allowedMechanisms := list "" "plain" -}}
+{{- range $listener := list "internal" "client" -}}
+  {{- $listenerValues := index $.Values.security $listener | default (dict) -}}
+  {{- $sasl := $listenerValues.sasl | default (dict) -}}
+  {{- $mechanism := lower (default "" $sasl.mechanism) -}}
+  {{- if not (has $mechanism $allowedMechanisms) -}}
+    {{- printf "security.%s.sasl.mechanism must be empty or: plain" $listener -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that the client PLAIN mechanism block contains the required users.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+  include "fluss.security.sasl.validateClientPlainUsers" .
+*/}}
+{{- define "fluss.security.sasl.validateClientPlainUsers" -}}
+{{- $clientMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "client") -}}
+{{- if eq $clientMechanism "plain" -}}
+  {{- $users := .Values.security.client.sasl.plain.users | default (list) -}}
+  {{- if eq (len $users) 0 -}}
+    {{- print "security.client.sasl.plain.users must contain at least one user when security.client.sasl.mechanism is plain" -}}
+  {{- else -}}
+    {{- range $idx, $user := $users -}}
+      {{- if or (empty $user.username) (empty $user.password) -}}
+        {{- printf "security.client.sasl.plain.users[%d] must set both username and password" $idx -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns the default internal SASL username based on the release name.
+Usage:
+  include "fluss.security.sasl.plain.internal.defaultUsername" .
+*/}}
+{{- define "fluss.security.sasl.plain.internal.defaultUsername" -}}
+{{- printf "fluss-internal-user-%s" .Release.Name -}}
+{{- end -}}
+
+{{/*
+Returns the default internal SASL password based on the release name (sha256 hashed).
+Usage:
+  include "fluss.security.sasl.plain.internal.defaultPassword" .
+*/}}
+{{- define "fluss.security.sasl.plain.internal.defaultPassword" -}}
+{{- printf "fluss-internal-password-%s" .Release.Name | sha256sum -}}
+{{- end -}}
+
+{{/*
+Returns the resolved internal SASL username (user-provided or auto-generated default).
+Usage:
+  include "fluss.security.sasl.plain.internal.username" .
+*/}}
+{{- define "fluss.security.sasl.plain.internal.username" -}}
+{{- .Values.security.internal.sasl.plain.username | default (include "fluss.security.sasl.plain.internal.defaultUsername" .) -}}
+{{- end -}}
+
+{{/*
+Returns the resolved internal SASL password (user-provided or auto-generated default).
+Usage:
+  include "fluss.security.sasl.plain.internal.password" .
+*/}}
+{{- define "fluss.security.sasl.plain.internal.password" -}}
+{{- .Values.security.internal.sasl.plain.password | default (include "fluss.security.sasl.plain.internal.defaultPassword" .) -}}
+{{- end -}}
+
+{{/*
+Returns a warning if the internal SASL user is using auto-generated credentials.
+Usage:
+  include "fluss.security.sasl.warnInternalUser" .
+*/}}
+{{- define "fluss.security.sasl.warnInternalUser" -}}
+{{- if (include "fluss.security.sasl.enabled" .) -}}
+  {{- $internalMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "internal") -}}
+  {{- if eq $internalMechanism "plain" -}}
+    {{- if and (not .Values.security.internal.sasl.plain.username) (not .Values.security.internal.sasl.plain.password) -}}
+      {{- print "You are using AUTO-GENERATED SASL credentials for internal communication.\n  It is strongly recommended to set the following values in production:\n    - security.internal.sasl.plain.username\n    - security.internal.sasl.plain.password" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compile all warnings and errors into a single message.
+Usage:
+  include "fluss.security.validateValues" .
+*/}}
+{{- define "fluss.security.validateValues" -}}
+
+{{- $errMessages := list -}}
+{{- $errMessages = append $errMessages (include "fluss.security.sasl.validateMechanisms" .) -}}
+{{- $errMessages = append $errMessages (include "fluss.security.sasl.validateClientPlainUsers" .) -}}
+
+{{- $errMessages = without $errMessages "" -}}
+{{- $errMessage := join "\n" $errMessages -}}
+
+{{- $warnMessages := list -}}
+{{- $warnMessages = append $warnMessages (include "fluss.security.sasl.warnInternalUser" .) -}}
+
+{{- $warnMessages = without $warnMessages "" -}}
+{{- $warnMessage := join "\n" $warnMessages -}}
+
+{{- if $warnMessage -}}
+{{-   printf "\nVALUES WARNING:\n%s" $warnMessage -}}
+{{- end -}}
+
+{{- if $errMessage -}}
+{{-   printf "\nVALUES VALIDATION:\n%s" $errMessage | fail -}}
+{{- end -}}
+
+{{- end -}}
+
+{{/*
+Returns the SASL JAAS config name.
+Usage:
+  include "fluss.security.sasl.configName" .
+*/}}
+{{- define "fluss.security.sasl.configName" -}}
+{{ include "fluss.fullname" . }}-sasl-jaas-config
+{{- end -}}

helm/templates/configmap.yaml

@@ -26,4 +26,19 @@ data:
   server.yaml: |
     {{- range $key, $val := .Values.configurationOverrides }}
     {{ $key }}: {{ tpl (printf "%v" $val) $ }}
-    {{- end }}
+    {{- end }}
+
+    ### Security
+
+    {{- $internalProtocol := include "fluss.security.listener.protocol" (dict "context" .Values "listener" "internal") | trim -}}
+    {{- $clientProtocol := include "fluss.security.listener.protocol" (dict "context" .Values "listener" "client") | trim -}}
+    {{- $enabledMechanisms := include "fluss.security.sasl.enabledMechanisms" . | trim -}}
+    {{- $internalMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "internal") -}}
+    {{- if (include "fluss.security.sasl.enabled" .) }}
+    security.protocol.map: INTERNAL:{{ $internalProtocol }},CLIENT:{{ $clientProtocol }}
+    security.sasl.enabled.mechanisms: {{ $enabledMechanisms }}
+    {{- if ne $internalMechanism "" }}
+    client.security.protocol: SASL
+    client.security.sasl.mechanism: {{ upper $internalMechanism }}
+    {{- end }}
+    {{- end }}

helm/templates/secret-jaas-config.yaml

@@ -0,0 +1,52 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+{{- if (include "fluss.security.sasl.plain.enabled" .) -}}
+{{- $internalMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "internal") -}}
+{{- $clientMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "client") -}}
+{{- $internalUsername := include "fluss.security.sasl.plain.internal.username" . -}}
+{{- $internalPassword := include "fluss.security.sasl.plain.internal.password" . -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "fluss.security.sasl.configName" . }}
+  labels:
+    {{- include "fluss.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  jaas.conf: |
+{{- if eq $internalMechanism "plain" }}
+    internal.FlussServer {
+       org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+       user_{{ $internalUsername }}="{{ $internalPassword }}";
+    };
+    FlussClient {
+       org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+       username="{{ $internalUsername }}"
+       password="{{ $internalPassword }}";
+    };
+{{- end }}
+{{- if eq $clientMechanism "plain" }}
+    client.FlussServer {
+       org.apache.fluss.security.auth.sasl.plain.PlainLoginModule required
+{{- range .Values.security.client.sasl.plain.users | default (list) }}
+       user_{{ .username }}="{{ .password }}"
+{{- end }};
+    };
+{{- end }}
+{{- end -}}