use correct port in discovery for kerberos. Removed bootstrap changes for non-kerberos.

Author: adwk67

rust/crd/src/listener.rs

@@ -212,23 +212,7 @@ pub fn get_kafka_listener_config(
     }
 
     // BOOTSTRAP
-    if kafka_security.tls_client_authentication_class().is_some() {
-        listeners.push(KafkaListener {
-            name: KafkaListenerName::Bootstrap,
-            host: LISTENER_LOCAL_ADDRESS.to_string(),
-            port: kafka_security.bootstrap_port().to_string(),
-        });
-        advertised_listeners.push(KafkaListener {
-            name: KafkaListenerName::Bootstrap,
-            host: node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
-            port: node_port_cmd(
-                STACKABLE_LISTENER_BROKER_DIR,
-                kafka_security.client_port_name(),
-            ),
-        });
-        listener_security_protocol_map
-            .insert(KafkaListenerName::Bootstrap, KafkaListenerProtocol::Ssl);
-    } else if kafka_security.has_kerberos_enabled() {
+    if kafka_security.has_kerberos_enabled() {
         listeners.push(KafkaListener {
             name: KafkaListenerName::Bootstrap,
             host: LISTENER_LOCAL_ADDRESS.to_string(),
@@ -244,40 +228,6 @@ pub fn get_kafka_listener_config(
         });
         listener_security_protocol_map
             .insert(KafkaListenerName::Bootstrap, KafkaListenerProtocol::SaslSsl);
-    } else if kafka_security.tls_server_secret_class().is_some() {
-        listeners.push(KafkaListener {
-            name: KafkaListenerName::Bootstrap,
-            host: LISTENER_LOCAL_ADDRESS.to_string(),
-            port: kafka_security.bootstrap_port().to_string(),
-        });
-        advertised_listeners.push(KafkaListener {
-            name: KafkaListenerName::Bootstrap,
-            host: node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
-            port: node_port_cmd(
-                STACKABLE_LISTENER_BROKER_DIR,
-                kafka_security.client_port_name(),
-            ),
-        });
-        listener_security_protocol_map
-            .insert(KafkaListenerName::Bootstrap, KafkaListenerProtocol::Ssl);
-    } else {
-        listeners.push(KafkaListener {
-            name: KafkaListenerName::Bootstrap,
-            host: LISTENER_LOCAL_ADDRESS.to_string(),
-            port: KafkaTlsSecurity::BOOTSTRAP_PORT.to_string(),
-        });
-        advertised_listeners.push(KafkaListener {
-            name: KafkaListenerName::Bootstrap,
-            host: node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
-            port: node_port_cmd(
-                STACKABLE_LISTENER_BROKER_DIR,
-                kafka_security.client_port_name(),
-            ),
-        });
-        listener_security_protocol_map.insert(
-            KafkaListenerName::Bootstrap,
-            KafkaListenerProtocol::Plaintext,
-        );
     }
 
     Ok(KafkaListenerConfig {
@@ -372,22 +322,20 @@ mod tests {
         assert_eq!(
             config.listeners(),
             format!(
-                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port},{bootstrap_name}://{internal_host}:{bootstrap_port}",
+                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port}",
                 name = KafkaListenerName::ClientAuth,
                 host = LISTENER_LOCAL_ADDRESS,
                 port = kafka_security.client_port(),
                 internal_name = KafkaListenerName::Internal,
                 internal_host = LISTENER_LOCAL_ADDRESS,
                 internal_port = kafka_security.internal_port(),
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_port = kafka_security.bootstrap_port(),
             )
         );
 
         assert_eq!(
             config.advertised_listeners(),
             format!(
-                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port},{bootstrap_name}://{bootstrap_host}:{bootstrap_port}",
+                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port}",
                 name = KafkaListenerName::ClientAuth,
                 host = node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
                 port = node_port_cmd(
@@ -397,25 +345,17 @@ mod tests {
                 internal_name = KafkaListenerName::Internal,
                 internal_host = pod_fqdn(&kafka, object_name, &cluster_info).unwrap(),
                 internal_port = kafka_security.internal_port(),
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_host = node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
-                bootstrap_port = node_port_cmd(
-                    STACKABLE_LISTENER_BROKER_DIR,
-                    kafka_security.client_port_name()
-                ),
             )
         );
 
         assert_eq!(
             config.listener_security_protocol_map(),
             format!(
-                "{name}:{protocol},{internal_name}:{internal_protocol},{bootstrap_name}:{bootstrap_protocol}",
+                "{name}:{protocol},{internal_name}:{internal_protocol}",
                 name = KafkaListenerName::ClientAuth,
                 protocol = KafkaListenerProtocol::Ssl,
                 internal_name = KafkaListenerName::Internal,
                 internal_protocol = KafkaListenerProtocol::Ssl,
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_protocol = KafkaListenerProtocol::Ssl
             )
         );
 
@@ -430,23 +370,20 @@ mod tests {
         assert_eq!(
             config.listeners(),
             format!(
-                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port},{bootstrap_name}://{bootstrap_host}:{bootstrap_port}",
+                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port}",
                 name = KafkaListenerName::Client,
                 host = LISTENER_LOCAL_ADDRESS,
                 port = kafka_security.client_port(),
                 internal_name = KafkaListenerName::Internal,
                 internal_host = LISTENER_LOCAL_ADDRESS,
                 internal_port = kafka_security.internal_port(),
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_host = LISTENER_LOCAL_ADDRESS,
-                bootstrap_port = kafka_security.bootstrap_port(),
             )
         );
 
         assert_eq!(
             config.advertised_listeners(),
             format!(
-                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port},{bootstrap_name}://{bootstrap_host}:{bootstrap_port}",
+                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port}",
                 name = KafkaListenerName::Client,
                 host = node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
                 port = node_port_cmd(
@@ -456,25 +393,17 @@ mod tests {
                 internal_name = KafkaListenerName::Internal,
                 internal_host = pod_fqdn(&kafka, object_name, &cluster_info).unwrap(),
                 internal_port = kafka_security.internal_port(),
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_host = node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
-                bootstrap_port = node_port_cmd(
-                    STACKABLE_LISTENER_BROKER_DIR,
-                    kafka_security.client_port_name()
-                ),
             )
         );
 
         assert_eq!(
             config.listener_security_protocol_map(),
             format!(
-                "{name}:{protocol},{internal_name}:{internal_protocol},{bootstrap_name}:{bootstrap_protocol}",
+                "{name}:{protocol},{internal_name}:{internal_protocol}",
                 name = KafkaListenerName::Client,
                 protocol = KafkaListenerProtocol::Ssl,
                 internal_name = KafkaListenerName::Internal,
                 internal_protocol = KafkaListenerProtocol::Ssl,
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_protocol = KafkaListenerProtocol::Ssl
             )
         );
 
@@ -490,23 +419,20 @@ mod tests {
         assert_eq!(
             config.listeners(),
             format!(
-                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port},{bootstrap_name}://{bootstrap_host}:{bootstrap_port}",
+                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port}",
                 name = KafkaListenerName::Client,
                 host = LISTENER_LOCAL_ADDRESS,
                 port = kafka_security.client_port(),
                 internal_name = KafkaListenerName::Internal,
                 internal_host = LISTENER_LOCAL_ADDRESS,
                 internal_port = kafka_security.internal_port(),
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_host = LISTENER_LOCAL_ADDRESS,
-                bootstrap_port = kafka_security.bootstrap_port(),
             )
         );
 
         assert_eq!(
             config.advertised_listeners(),
             format!(
-                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port},{bootstrap_name}://{bootstrap_host}:{bootstrap_port}",
+                "{name}://{host}:{port},{internal_name}://{internal_host}:{internal_port}",
                 name = KafkaListenerName::Client,
                 host = node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
                 port = node_port_cmd(
@@ -516,25 +442,17 @@ mod tests {
                 internal_name = KafkaListenerName::Internal,
                 internal_host = pod_fqdn(&kafka, object_name, &cluster_info).unwrap(),
                 internal_port = kafka_security.internal_port(),
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_host = node_address_cmd(STACKABLE_LISTENER_BROKER_DIR),
-                bootstrap_port = node_port_cmd(
-                    STACKABLE_LISTENER_BROKER_DIR,
-                    kafka_security.client_port_name()
-                ),
             )
         );
 
         assert_eq!(
             config.listener_security_protocol_map(),
             format!(
-                "{name}:{protocol},{internal_name}:{internal_protocol},{bootstrap_name}:{bootstrap_protocol}",
+                "{name}:{protocol},{internal_name}:{internal_protocol}",
                 name = KafkaListenerName::Client,
                 protocol = KafkaListenerProtocol::Plaintext,
                 internal_name = KafkaListenerName::Internal,
                 internal_protocol = KafkaListenerProtocol::Plaintext,
-                bootstrap_name = KafkaListenerName::Bootstrap,
-                bootstrap_protocol = KafkaListenerProtocol::Plaintext
             )
         );
     }

rust/crd/src/security.rs

@@ -73,9 +73,14 @@ impl KafkaTlsSecurity {
     pub const CLIENT_PORT: u16 = 9092;
     pub const SECURE_CLIENT_PORT_NAME: &'static str = "kafka-tls";
     pub const SECURE_CLIENT_PORT: u16 = 9093;
+    // bootstrap: we will have a single named port with different values for
+    // secure (9095) and insecure (9094). The bootstrap listener is needed to
+    // be able to expose principals for both the broker and bootstrap in the
+    // JAAS configuration, so that clients can use both.
     pub const BOOTSTRAP_PORT_NAME: &'static str = "bootstrap";
     pub const BOOTSTRAP_PORT: u16 = 9094;
     pub const SECURE_BOOTSTRAP_PORT: u16 = 9095;
+    // internal
     pub const INTERNAL_PORT: u16 = 19092;
     pub const SECURE_INTERNAL_PORT: u16 = 19093;
     // - TLS global
@@ -494,9 +499,7 @@ impl KafkaTlsSecurity {
             );
         }
 
-        if self.tls_client_authentication_class().is_some()
-            || self.tls_server_secret_class().is_some()
-        {
+        if self.has_kerberos_enabled() {
             // Bootstrap
             config.insert(
                 Self::BOOTSTRAP_SSL_KEYSTORE_LOCATION.to_string(),

rust/operator-binary/src/discovery.rs

@@ -60,7 +60,11 @@ pub async fn build_discovery_configmaps(
     listeners: &[Listener],
 ) -> Result<Vec<ConfigMap>, Error> {
     let name = owner.name_unchecked();
-    let port_name = kafka_security.client_port_name();
+    let port_name = if kafka_security.has_kerberos_enabled() {
+        kafka_security.bootstrap_port_name()
+    } else {
+        kafka_security.client_port_name()
+    };
     Ok(vec![
         build_discovery_configmap(
             kafka,

rust/operator-binary/src/kafka_controller.rs

@@ -1188,7 +1188,7 @@ pub fn error_policy(
 
 /// We only expose client HTTP / HTTPS and Metrics ports.
 fn listener_ports(kafka_security: &KafkaTlsSecurity) -> Vec<ListenerPort> {
-    vec![
+    let mut ports = vec![
         ListenerPort {
             name: METRICS_PORT_NAME.to_string(),
             port: METRICS_PORT.into(),
@@ -1199,17 +1199,20 @@ fn listener_ports(kafka_security: &KafkaTlsSecurity) -> Vec<ListenerPort> {
             port: kafka_security.client_port().into(),
             protocol: Some("TCP".to_string()),
         },
-        ListenerPort {
+    ];
+    if kafka_security.has_kerberos_enabled() {
+        ports.push(ListenerPort {
             name: kafka_security.bootstrap_port_name().to_string(),
             port: kafka_security.bootstrap_port().into(),
             protocol: Some("TCP".to_string()),
-        },
-    ]
+        });
+    }
+    ports
 }
 
 /// We only expose client HTTP / HTTPS and Metrics ports.
 fn container_ports(kafka_security: &KafkaTlsSecurity) -> Vec<ContainerPort> {
-    vec![
+    let mut ports = vec![
         ContainerPort {
             name: Some(METRICS_PORT_NAME.to_string()),
             container_port: METRICS_PORT.into(),
@@ -1222,11 +1225,14 @@ fn container_ports(kafka_security: &KafkaTlsSecurity) -> Vec<ContainerPort> {
             protocol: Some("TCP".to_string()),
             ..ContainerPort::default()
         },
-        ContainerPort {
+    ];
+    if kafka_security.has_kerberos_enabled() {
+        ports.push(ContainerPort {
             name: Some(kafka_security.bootstrap_port_name().to_string()),
             container_port: kafka_security.bootstrap_port().into(),
             protocol: Some("TCP".to_string()),
             ..ContainerPort::default()
-        },
-    ]
+        });
+    }
+    ports
 }