feat: Add OPA TLS integration and test

tests/release.yaml

@@ -16,3 +16,5 @@ releases:
         operatorVersion: 0.0.0-dev
       kafka:
         operatorVersion: 0.0.0-dev
+      opa:
+        operatorVersion: 0.0.0-dev

tests/templates/kuttl/opa/00-patch-ns.yaml.j2

@@ -0,0 +1,9 @@
+{% if test_scenario['values']['openshift'] == 'true' %}
+# see https://github.com/stackabletech/issues/issues/566
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: kubectl patch namespace $NAMESPACE -p '{"metadata":{"labels":{"pod-security.kubernetes.io/enforce":"privileged"}}}'
+    timeout: 120
+{% endif %}

tests/templates/kuttl/opa/01-assert.yaml.j2

@@ -0,0 +1,10 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+{% if lookup('env', 'VECTOR_AGGREGATOR') %}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+{% endif %}

tests/templates/kuttl/opa/01-install-vector-aggregator-discovery-configmap.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: >-
+      helm install vector-aggregator vector
+      --namespace $NAMESPACE
+      --version 0.45.0
+      --repo https://helm.vector.dev
+      --values vector-aggregator-values.yaml
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vector-aggregator-discovery
+data:
+  ADDRESS: vector-aggregator:6123

tests/templates/kuttl/opa/09-install-secretclass.yaml.j2

@@ -0,0 +1,22 @@
+{% if test_scenario['values']['use-opa-tls'] == "true" %}
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl apply -n $NAMESPACE -f - << EOF
+      ---
+      apiVersion: secrets.stackable.tech/v1alpha2
+      kind: SecretClass
+      metadata:
+        name: opa-tls-$NAMESPACE
+      spec:
+        backend:
+          autoTls:
+            ca:
+              autoGenerate: true
+              secret:
+                name: opa-tls-ca
+                namespace: $NAMESPACE
+      EOF
+{% endif %}

tests/templates/kuttl/opa/10-assert.yaml.j2

@@ -0,0 +1,12 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 300
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-zk-server-default
+status:
+  readyReplicas: 1
+  replicas: 1

tests/templates/kuttl/opa/10-install-zk.yaml.j2

@@ -0,0 +1,18 @@
+---
+apiVersion: zookeeper.stackable.tech/v1alpha1
+kind: ZookeeperCluster
+metadata:
+  name: test-zk
+spec:
+  image:
+    productVersion: "{{ test_scenario['values']['zookeeper-latest'] }}"
+    pullPolicy: IfNotPresent
+  clusterConfig:
+    vectorAggregatorConfigMapName: vector-aggregator-discovery
+  servers:
+    config:
+      logging:
+        enableVectorAgent: true
+    roleGroups:
+      default:
+        replicas: 1

tests/templates/kuttl/opa/20-assert.yaml.j2

@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+metadata:
+  name: install-opa
+timeout: 300
+commands:
+  - script: kubectl -n $NAMESPACE wait --for=condition=available opaclusters.opa.stackable.tech/test-opa --timeout 301s

tests/templates/kuttl/opa/20-install-opa.yaml.j2

@@ -0,0 +1,56 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl apply -n $NAMESPACE -f - <<EOF
+      ---
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: test-rego-kafka
+        labels:
+          opa.stackable.tech/bundle: "true"
+      data:
+        kafka.rego: |
+          package authz
+
+          allow if {
+              true
+          }
+      ---
+      apiVersion: opa.stackable.tech/v1alpha1
+      kind: OpaCluster
+      metadata:
+        name: test-opa
+      spec:
+        image:
+{% if test_scenario['values']['opa-latest'].find(",") > 0 %}
+          custom: "{{ test_scenario['values']['opa-latest'].split(',')[1] }}"
+          productVersion: "{{ test_scenario['values']['opa-latest'].split(',')[0] }}"
+{% else %}
+          productVersion: "{{ test_scenario['values']['opa-latest'] }}"
+{% endif %}
+          pullPolicy: IfNotPresent
+        clusterConfig:
+{% if test_scenario['values']['use-opa-tls'] == "true" %}
+          tls:
+            serverSecretClass: opa-tls-$NAMESPACE
+{% endif %}
+          vectorAggregatorConfigMapName: vector-aggregator-discovery
+        servers:
+          config:
+            logging:
+              enableVectorAgent: true
+              containers:
+                opa:
+                  console:
+                    level: INFO
+                  file:
+                    level: INFO
+                  loggers:
+                    decision:
+                      level: INFO
+          roleGroups:
+            default: {}
+      EOF

tests/templates/kuttl/opa/25-assert.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-scripts

tests/templates/kuttl/opa/25-install-test-scripts-configmap.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl create configmap test-scripts \
+        --namespace $NAMESPACE \
+        --from-file=test_client_tls.sh=25_test_client_tls.sh

tests/templates/kuttl/opa/25_test_client_tls.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+# Usage: test_client_tls.sh namespace
+
+# to be safe
+unset TOPIC
+unset BAD_TOPIC
+
+KAFKA="$(cat /stackable/listener-broker/default-address/address):$(cat /stackable/listener-broker/default-address/ports/kafka-tls)"
+
+echo "Connecting to bootstrap address $KAFKA"
+
+echo "Start client TLS testing..."
+############################################################################
+# Test the secured connection
+############################################################################
+# create random topics
+TOPIC=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo '')
+BAD_TOPIC=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo '')
+
+if /stackable/kafka/bin/kafka-topics.sh --create --topic "$TOPIC" --bootstrap-server "$KAFKA" --command-config /stackable/config/client.properties
+then
+  echo "[SUCCESS] Secure client topic created!"
+else
+  echo "[ERROR] Secure client topic creation failed!"
+  exit 1
+fi
+
+if /stackable/kafka/bin/kafka-topics.sh --list --topic "$TOPIC" --bootstrap-server "$KAFKA" --command-config /stackable/config/client.properties | grep "$TOPIC"
+then
+  echo "[SUCCESS] Secure client topic read!"
+else
+  echo "[ERROR] Secure client topic read failed!"
+  exit 1
+fi
+
+############################################################################
+# Test the connection without certificates
+############################################################################
+if /stackable/kafka/bin/kafka-topics.sh --create --topic "$BAD_TOPIC" --bootstrap-server "$KAFKA" &> /dev/null
+then
+  echo "[ERROR] Secure client topic created without certificates!"
+  exit 1
+else
+  echo "[SUCCESS] Secure client topic creation failed without certificates!"
+fi
+
+############################################################################
+# Test the connection with bad host name
+############################################################################
+if /stackable/kafka/bin/kafka-topics.sh --create --topic "$BAD_TOPIC" --bootstrap-server localhost:9093 --command-config /stackable/config/client.properties &> /dev/null
+then
+  echo "[ERROR] Secure client topic created with bad host name!"
+  exit 1
+else
+  echo "[SUCCESS] Secure client topic creation failed with bad host name!"
+fi
+
+echo "All client TLS tests successful!"
+exit 0

tests/templates/kuttl/opa/30-assert.yaml.j2

@@ -0,0 +1,32 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 300
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test-kafka-broker-default
+status:
+  readyReplicas: 1
+  replicas: 1
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: log-dirs-test-kafka-broker-default-0
+spec:
+  resources:
+    requests:
+      storage: 2Gi
+status:
+  phase: Bound
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: test-kafka-broker
+status:
+  expectedPods: 1
+  currentHealthy: 1
+  disruptionsAllowed: 1

tests/templates/kuttl/opa/30-install-kafka.yaml.j2

@@ -0,0 +1,46 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 300
+---
+apiVersion: kafka.stackable.tech/v1alpha1
+kind: KafkaCluster
+metadata:
+  name: test-kafka
+spec:
+  image:
+{% if test_scenario['values']['kafka-latest'].find(",") > 0 %}
+    custom: "{{ test_scenario['values']['kafka-latest'].split(',')[1] }}"
+    productVersion: "{{ test_scenario['values']['kafka-latest'].split(',')[0] }}"
+{% else %}
+    productVersion: "{{ test_scenario['values']['kafka-latest'] }}"
+{% endif %}
+    pullPolicy: IfNotPresent
+  clusterConfig:
+    authorization:
+      opa:
+        configMapName: test-opa
+        package: authz
+    tls:
+      serverSecretClass: tls
+    vectorAggregatorConfigMapName: vector-aggregator-discovery
+    zookeeperConfigMapName: test-zk
+  brokers:
+    config:
+      logging:
+        enableVectorAgent: true
+      #requestedSecretLifetime: 7d
+    roleGroups:
+      default:
+        replicas: 1
+        podOverrides:
+          spec:
+            volumes:
+              - name: test-scripts
+                configMap:
+                  name: test-scripts
+            containers:
+              - name: kafka
+                volumeMounts:
+                  - mountPath: /test-scripts
+                    name: test-scripts

tests/templates/kuttl/opa/40-assert.yaml.j2

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+commands:
+  - script: |
+      kubectl exec -n $NAMESPACE test-kafka-broker-default-0 -c kafka -- bash /test-scripts/test_client_tls.sh