Kafka helm chart examples lead to literal '*' instead of wildcard #27480

Closed
florian-besser opened this issue Jun 21, 2024 · 6 comments · Fixed by #27877
Labels
kafka solved tech-issues The user has a technical issue about an application triage Triage is needed

florian-besser commented Jun 21, 2024

Name and Version

oci://registry-1.docker.io/bitnamicharts/kafka:29.3.4

What architecture are you using?

arm64

What steps will reproduce the bug?

Apply the helm chart using the following values:

extraConfigYaml:
  "authorizer.class.name": "org.apache.kafka.metadata.authorizer.StandardAuthorizer"
  "super.users": "User:controller_user;User:provisioning"
# Removed listeners, sasl and TLS entries
provisioning:
  enabled: true
  extraProvisioningCommands:
    - echo "Allow redpanda user to consume from any topic/group"
    - >-
      /opt/bitnami/kafka/bin/kafka-acls.sh
      --bootstrap-server $KAFKA_SERVICE
      --command-config $CLIENT_CONF
      --add
      --allow-principal User:redpanda
      --operation READ
      --operation DESCRIBE
      --operation DescribeConfigs
      --topic '*'
 # skipping auth:

This creates a K8s job that launches a pod using:

Containers:
  kafka-provisioning:
    Command:
      /bin/bash
    Args:
      -efc
      echo "Configuring environment"
      . /opt/bitnami/scripts/libkafka.sh
      export CLIENT_CONF="${CLIENT_CONF:-/tmp/client.properties}"
      if [ ! -f "$CLIENT_CONF" ]; then
        touch $CLIENT_CONF
      
        kafka_common_conf_set "$CLIENT_CONF" security.protocol "SASL_SSL"
        kafka_common_conf_set "$CLIENT_CONF" ssl.keystore.type "PEM"
        kafka_common_conf_set "$CLIENT_CONF" ssl.truststore.type "PEM"
        ! is_empty_value "$KAFKA_CLIENT_KEY_PASSWORD" && kafka_common_conf_set "$CLIENT_CONF" ssl.key.password "$KAFKA_CLIENT_KEY_PASSWORD"
        file_to_multiline_property() {
            awk 'NR > 1{print line" \\"}{line=$0;}END{print $0" "}' <"${1:?missing file}"
        }
        kafka_common_conf_set "$CLIENT_CONF" ssl.keystore.key "$(file_to_multiline_property "/certs/kafka-pkcs8.key")"
        kafka_common_conf_set "$CLIENT_CONF" ssl.keystore.certificate.chain "$(file_to_multiline_property "/certs/kafka.crt")"
        kafka_common_conf_set "$CLIENT_CONF" ssl.truststore.certificates "$(file_to_multiline_property "/certs/kafka-ca.crt")"
        kafka_common_conf_set "$CLIENT_CONF" sasl.mechanism PLAIN
        kafka_common_conf_set "$CLIENT_CONF" sasl.jaas.config "org.apache.kafka.common.security.plain.PlainLoginModule required username=\"$SASL_USERNAME\" password=\"$SASL_USER_PASSWORD\";"
      fi
      
      echo "Running pre-provisioning script if any given"
      
                  
      
      kafka_provisioning_commands=(
                    "echo \"Allow redpanda user to consume from any topic/group\""
                    "/opt/bitnami/kafka/bin/kafka-acls.sh --bootstrap-server $KAFKA_SERVICE --command-config $CLIENT_CONF --add --allow-principal User:redpanda --operation READ --operation DESCRIBE --operation DescribeConfigs --topic '*'"
      )
      
      echo "Starting provisioning"
      for ((index=0; index < ${#kafka_provisioning_commands[@]}; index+=1))
      do
        for j in $(seq ${index} $((${index}+1-1)))
        do
            ${kafka_provisioning_commands[j]} & # Async command
        done
        wait  # Wait the end of the jobs
      done
      
      echo "Running post-provisioning script if any given"
      
                  
      
      echo "Provisioning succeeded"
      

Are you using any custom parameters or values?

See above

What is the expected behavior?

The resulting redpanda user should be able to read all topics

What do you see instead?

The redpanda can read the topic '*', meaning the topic with exactly the name '*'!

Additional information

I tried the following alternatives, all without success:

      /opt/bitnami/kafka/bin/kafka-acls.sh
      --bootstrap-server $KAFKA_SERVICE
      --command-config $CLIENT_CONF
      --add
      --allow-principal User:redpanda
      --operation READ
      --operation DESCRIBE
      --operation DescribeConfigs
      --topic "*"

      /opt/bitnami/kafka/bin/kafka-acls.sh
      --bootstrap-server $KAFKA_SERVICE
      --command-config $CLIENT_CONF
      --add
      --allow-principal User:redpanda
      --operation READ
      --operation DESCRIBE
      --operation DescribeConfigs
      --topic \*

In the end, my workaround was running the args with -efc instead of the default -ec, and then I could just:

      /opt/bitnami/kafka/bin/kafka-acls.sh
      --bootstrap-server $KAFKA_SERVICE
      --command-config $CLIENT_CONF
      --add
      --allow-principal User:redpanda
      --operation READ
      --operation DESCRIBE
      --operation DescribeConfigs
      --topic *
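
Why each spelling behaves as reported, as an added example that is not part of the original issue or the chart: the provisioning loop runs `${kafka_provisioning_commands[j]}` unquoted, so the string is word-split and glob-expanded but its quote characters are never re-parsed. `show_topic` is a hypothetical stand-in for `kafka-acls.sh`, the temporary directory and its file are constructed, and a plain variable is used in place of the bash array because the expansion rules are the same.

```shell
#!/bin/sh
# Added illustration, not the chart's script. show_topic is a hypothetical
# stand-in for kafka-acls.sh: it reports the argument it received after --topic.
show_topic() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "--topic" ]; then
            printf '%s' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Constructed working directory with one file, so an unprotected * has
# something to match.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
: > "$SANDBOX/client.properties"

# run_as_chart CMD MODE
# Executes CMD the way the provisioning loop executes an array element: by
# expanding it unquoted. The shell word-splits the string and (unless MODE
# is "noglob", the effect of bash -f) glob-expands each word, but it never
# re-parses quotes, so quote characters inside CMD stay in the argument.
run_as_chart() {
    (
        cd "$SANDBOX" || exit 1
        if [ "$2" = "noglob" ]; then set -f; fi
        $1
    )
}

# Print what the stand-in receives for each spelling tried in the issue.
for spelling in "'*'" '"*"' '*'; do
    for mode in glob noglob; do
        got=$(run_as_chart "show_topic --add --topic $spelling" "$mode")
        printf '%-4s %-7s -> %s\n' "$spelling" "$mode" "$got"
    done
done
```

Only the unquoted `*` with globbing disabled reaches the tool as the single character `*`; with globbing on it is replaced by file names from the working directory, so the grant would be created for an unintended resource name.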
@florian-besser florian-besser added the tech-issues The user has a technical issue about an application label Jun 21, 2024
@github-actions github-actions bot added the triage Triage is needed label Jun 21, 2024
@carrodher
Member

Thank you for bringing this issue to our attention. We appreciate your involvement! If you're interested in contributing a solution, we welcome you to create a pull request. The Bitnami team is excited to review your submission and offer feedback. You can find the contributing guidelines here.

Your contribution will greatly benefit the community. Feel free to reach out if you have any questions or need assistance.


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Jul 10, 2024
florian-besser added a commit to florian-besser/bitnami-charts that referenced this issue Jul 10, 2024
Fixes bitnami#27480

Signed-off-by: Florian Besser <flo@gsgasset.com>
@florian-besser florian-besser changed the title Kafka helm chart examples lead tom literal '*' instead of wildcard Jul 10, 2024

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@bitnami-bot bitnami-bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 16, 2024
@florian-besser
Contributor Author

Maybe keep this open until the PR is verified & merged? So far the issue is not solved.

@carrodher carrodher reopened this Jul 16, 2024
@github-actions github-actions bot removed the solved label Jul 16, 2024

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

@bitnami-bot bitnami-bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 22, 2024
@florian-besser
Contributor Author

Maybe keep this open until the PR is verified & merged? So far the issue is not solved.

So far I've not received feedback on the PR, maybe it would be quickest to deal with the PR first and then deal with this report.

@carrodher carrodher reopened this Jul 22, 2024
@carrodher carrodher removed stale 15 days without activity solved labels Jul 22, 2024
alemorcuq pushed a commit that referenced this issue Jul 23, 2024
…groups (#27877)

* Fix issue on how to provision access to all topics / groups

Fixes #27480

Signed-off-by: Florian Besser <flo@gsgasset.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Florian Besser <flo@gsgasset.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
jdaln pushed a commit to jdaln/charts that referenced this issue Jul 24, 2024
datbui pushed a commit to datbui/charts that referenced this issue Jul 24, 2024
dgomezleon added a commit that referenced this issue Jul 25, 2024
* Fix issue on how to provision access to all topics / groups

Fixes #27480

Signed-off-by: Florian Besser <flo@gsgasset.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update documentation to use bash instead of sh

Fixes #28195

Signed-off-by: Florian Besser <flo@gsgasset.com>

* Increase chart version

Signed-off-by: Florian Besser <flo@gsgasset.com>

* Fix typo in version number

Signed-off-by: Florian Besser <flo@gsgasset.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Florian Besser <flo@gsgasset.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Signed-off-by: David Gomez <dgomezleon@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Carlos Rodríguez Hernández <carlosrh@vmware.com>
Co-authored-by: David Gomez <dgomezleon@vmware.com>