Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Merged by Bors] - Kerberos keytab backend #99

Closed
wants to merge 63 commits into from
Closed

[Merged by Bors] - Kerberos keytab backend #99

wants to merge 63 commits into from

Conversation

nightkr
Copy link
Member

@nightkr nightkr commented Apr 1, 2022
edited by sbernauer
Loading

Description

This PR adds support for provisioning Kerberos principals and keytabs for pods, similar to the autoTls backend.

Currently only MIT Kerberos is supported, Heimdal and Active Directory still require manual provisioning.

There is a spike branch for the HDFS Operator (stackabletech/hdfs-operator#154) that uses this to provision a kerberized HDFS cluster.

Review Checklist

  • Code contains useful comments
  • (Integration-)Test cases added (or not applicable)
  • Documentation added (or not applicable)
  • Changelog updated (or not applicable)
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Once the review is done, comment bors r+ (or bors merge) to merge. Further information

nightkr added a commit to stackabletech/hdfs-operator that referenced this pull request Apr 1, 2022
@nightkr
Kerberization/TLS spike
773fcce 
Proof of concept for testing stackabletech/secret-operator#99

There are still plenty of issues here that need to be solved before this is
actually usable. For example, this will currently break when attempting to
access the cluster from outside of K8s (since the Krb principals will mismatch).
@nightkr nightkr mentioned this pull request Apr 1, 2022
Closed
6 tasks
@nightkr
Copy link
Member Author

nightkr commented Apr 1, 2022
edited
Loading

Remaining questions:

  • krb5-sys and krb5 are unused since we currently use the krb5 CLI instead, do we want to remove these entirely or mark them as unused in some other way?
  • Do we want to do a tutorial for setting up and using a minimal Krb realm?
  • Need to add krb CLI to Dockerfile too...

@nightkr nightkr marked this pull request as ready for review April 1, 2022 13:32
@nightkr nightkr self-assigned this Apr 1, 2022
@nightkr nightkr linked an issue Apr 1, 2022 that may be closed by this pull request
Kerberos keytab provisioning #4
Closed
@nightkr nightkr requested review from lfrancke, soenkeliebau and a team April 1, 2022 13:33
@nightkr nightkr requested review from a team and removed request for a team March 8, 2023 10:38
@nightkr
Copy link
Member Author

nightkr commented Mar 8, 2023

stackabletech/hdfs-operator#154 has bitrotted a fair amount, there's https://github.com/stackabletech/hdfs-operator/tree/spike/security2 which is a lazier port but should at least be closer to working.

sbernauer
sbernauer reviewed Mar 13, 2023
View reviewed changes
Copy link
Member

@sbernauer sbernauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only have went through the code so far, not tested/played around with it it yet.
I really like the separation layers you build around the C lib!

docker/Dockerfile Outdated
@@ -2,7 +2,7 @@
# This file is automatically generated from the templates in stackabletech/operator-templating
# DON'T MANUALLY EDIT THIS FILE
# =============
FROM docker.stackable.tech/stackable/ubi8-rust-builder AS builder
FROM docker.stackable.tech/natkr/krb5/ubi8-rust-builder AS builder
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Marker. stackabletech/docker-images#338 is approved

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://stackable-workspace.slack.com/archives/C02FZ581UCD/p1678785233391989

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e0e9f33

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e0e9f33 is about the krb image for the tests. This here is the ubi8-rust-builder, which is a different story

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahh you're right. Silly me.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

05a826f

sbernauer
sbernauer reviewed Mar 14, 2023
View reviewed changes
@sbernauer
Copy link
Member

Only two discussions left. Would be great if we could silence the hadolint check so that we can test the -pr99 helm chart...

@nightkr
Copy link
Member Author

nightkr commented Mar 14, 2023

I don't believe hadolint blocks chart publishing.

@sbernauer
Copy link
Member

My mistake, you are right!

sbernauer
sbernauer approved these changes Mar 14, 2023
View reviewed changes
Copy link
Member

@sbernauer sbernauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job!

@nightkr
Copy link
Member Author

nightkr commented Mar 14, 2023

bors

@nightkr
Copy link
Member Author

nightkr commented Mar 14, 2023

bors r+

bors bot pushed a commit that referenced this pull request Mar 14, 2023
@nightkr @stackable-bot @soenkeliebau
Kerberos keytab backend (#99)
0220ee9 
## Description

This PR adds support for provisioning Kerberos principals and keytabs for pods, similar to the `autoTls` backend.

Currently only MIT Kerberos is supported, Heimdal and Active Directory still require manual provisioning.

There is a spike branch for the HDFS Operator (stackabletech/hdfs-operator#154) that uses this to provision a kerberized HDFS cluster.



Co-authored-by: Teo Klestrup Röijezon <teo@nullable.se>
Co-authored-by: Stacky McStackface <stackable-bot@users.noreply.github.com>
Co-authored-by: Sönke Liebau <soenke.liebau@stackable.tech>
@bors
Copy link
Contributor

bors bot commented Mar 14, 2023

Pull request successfully merged into main.

Build succeeded:

@bors bors bot changed the title Kerberos keytab backend [Merged by Bors] - Kerberos keytab backend Mar 14, 2023
@bors bors bot closed this Mar 14, 2023
@bors bors bot deleted the spike/krb branch March 14, 2023 16:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbernauer sbernauer sbernauer approved these changes

@lfrancke lfrancke Awaiting requested review from lfrancke

@soenkeliebau soenkeliebau Awaiting requested review from soenkeliebau

Assignees

@nightkr nightkr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Kerberos keytab provisioning
4 participants
@nightkr @sbernauer @stackable-bot @soenkeliebau