From e4b159ae75f534bf3e951085bd8e2385a26053ca Mon Sep 17 00:00:00 2001 From: Miguel Ruiz Date: Tue, 14 Jun 2022 12:17:11 +0200 Subject: [PATCH] [bitnami/zookeeper] Major release 10: Rename client-server authentication parameters and add support for server-server authentication (#10689) * [bitnami/zookeeper] Major release 10: Rename client-server authentication parameters and add support for server-server authentication Signed-off-by: Miguel Ruiz * Fix values metadata Signed-off-by: Miguel Ruiz * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers * [bitnami/zookeeper] Update components versions Signed-off-by: Bitnami Containers Co-authored-by: Bitnami Containers Co-authored-by: Bitnami Containers --- bitnami/zookeeper/Chart.yaml | 2 +- bitnami/zookeeper/README.md | 87 +++++++++++--------- bitnami/zookeeper/templates/NOTES.txt | 10 +-- bitnami/zookeeper/templates/_helpers.tpl | 82 ++++++++++-------- bitnami/zookeeper/templates/secrets.yaml | 28 ++++++- bitnami/zookeeper/templates/statefulset.yaml | 36 ++++++-- bitnami/zookeeper/values.yaml | 65 ++++++++++----- 7 files changed, 195 insertions(+), 115 deletions(-) diff --git a/bitnami/zookeeper/Chart.yaml b/bitnami/zookeeper/Chart.yaml index 5f6613b746..d18829ae46 100644 --- a/bitnami/zookeeper/Chart.yaml +++ b/bitnami/zookeeper/Chart.yaml @@ -21,4 +21,4 @@ name: zookeeper sources: - https://github.com/bitnami/bitnami-docker-zookeeper - https://zookeeper.apache.org/ -version: 9.2.7 +version: 10.0.0 diff --git a/bitnami/zookeeper/README.md b/bitnami/zookeeper/README.md index 2ad11d8979..a94be785fd 100644 --- a/bitnami/zookeeper/README.md +++ b/bitnami/zookeeper/README.md 
@@ -80,43 +80,49 @@ The command removes all the Kubernetes components associated with the chart and ### ZooKeeper chart parameters -| Name | Description | Value | -| --------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ----------------------- | -| `image.registry` | ZooKeeper image registry | `docker.io` | -| `image.repository` | ZooKeeper image repository | `bitnami/zookeeper` | -| `image.tag` | ZooKeeper image tag (immutable tags are recommended) | `3.8.0-debian-11-r0` | -| `image.pullPolicy` | ZooKeeper image pull policy | `IfNotPresent` | -| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | -| `image.debug` | Specify if debug values should be set | `false` | -| `auth.enabled` | Enable ZooKeeper auth. It uses SASL/Digest-MD5 | `false` | -| `auth.clientUser` | User that will use ZooKeeper clients to auth | `""` | -| `auth.clientPassword` | Password that will use ZooKeeper clients to auth | `""` | -| `auth.serverUsers` | Comma, semicolon or whitespace separated list of user to be created | `""` | -| `auth.serverPasswords` | Comma, semicolon or whitespace separated list of passwords to assign to users when created | `""` | -| `auth.existingSecret` | Use existing secret (ignores previous passwords) | `""` | -| `tickTime` | Basic time unit (in milliseconds) used by ZooKeeper for heartbeats | `2000` | -| `initLimit` | ZooKeeper uses to limit the length of time the ZooKeeper servers in quorum have to connect to a leader | `10` | -| `syncLimit` | How far out of date a server can be from a leader | `5` | -| `preAllocSize` | Block size for transaction log file | `65536` | -| `snapCount` | The number of transactions recorded in the transaction log before a snapshot can be taken (and the transaction log rolled) | `100000` | -| `maxClientCnxns` | Limits the number of concurrent connections that a single client may make to a single member of the 
ZooKeeper ensemble | `60` | -| `maxSessionTimeout` | Maximum session timeout (in milliseconds) that the server will allow the client to negotiate | `40000` | -| `heapSize` | Size (in MB) for the Java Heap options (Xmx and Xms) | `1024` | -| `fourlwCommandsWhitelist` | A list of comma separated Four Letter Words commands that can be executed | `srvr, mntr, ruok` | -| `minServerId` | Minimal SERVER_ID value, nodes increment their IDs respectively | `1` | -| `listenOnAllIPs` | Allow ZooKeeper to listen for connections from its peers on all available IP addresses | `false` | -| `autopurge.snapRetainCount` | The most recent snapshots amount (and corresponding transaction logs) to retain | `3` | -| `autopurge.purgeInterval` | The time interval (in hours) for which the purge task has to be triggered | `0` | -| `logLevel` | Log level for the ZooKeeper server. ERROR by default | `ERROR` | -| `jvmFlags` | Default JVM flags for the ZooKeeper process | `""` | -| `dataLogDir` | Dedicated data log directory | `""` | -| `configuration` | Configure ZooKeeper with a custom zoo.cfg file | `""` | -| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for ZooKeeper | `""` | -| `extraEnvVars` | Array with extra environment variables to add to ZooKeeper nodes | `[]` | -| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for ZooKeeper nodes | `""` | -| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for ZooKeeper nodes | `""` | -| `command` | Override default container command (useful when using custom images) | `["/scripts/setup.sh"]` | -| `args` | Override default container args (useful when using custom images) | `[]` | +| Name | Description | Value | +| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `image.registry` | ZooKeeper image registry | `docker.io` | +| 
`image.repository` | ZooKeeper image repository | `bitnami/zookeeper` | +| `image.tag` | ZooKeeper image tag (immutable tags are recommended) | `3.8.0-debian-11-r5` | +| `image.pullPolicy` | ZooKeeper image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `auth.client.enabled` | Enable ZooKeeper client-server authentication. It uses SASL/Digest-MD5 | `false` | +| `auth.client.clientUser` | User that will use ZooKeeper clients to auth | `""` | +| `auth.client.clientPassword` | Password that will use ZooKeeper clients to auth | `""` | +| `auth.client.serverUsers` | Comma, semicolon or whitespace separated list of user to be created | `""` | +| `auth.client.serverPasswords` | Comma, semicolon or whitespace separated list of passwords to assign to users when created | `""` | +| `auth.client.existingSecret` | Use existing secret (ignores previous passwords) | `""` | +| `auth.quorum.enabled` | Enable ZooKeeper server-server authentication. It uses SASL/Digest-MD5 | `false` | +| `auth.quorum.learnerUser` | User that the ZooKeeper quorumLearner will use to authenticate to quorumServers. | `""` | +| `auth.quorum.learnerPassword` | Password that the ZooKeeper quorumLearner will use to authenticate to quorumServers. | `""` | +| `auth.quorum.serverUsers` | Comma, semicolon or whitespace separated list of users for the quorumServers. 
| `""` | +| `auth.quorum.serverPasswords` | Comma, semicolon or whitespace separated list of passwords to assign to users when created | `""` | +| `auth.quorum.existingSecret` | Use existing secret (ignores previous passwords) | `""` | +| `tickTime` | Basic time unit (in milliseconds) used by ZooKeeper for heartbeats | `2000` | +| `initLimit` | ZooKeeper uses to limit the length of time the ZooKeeper servers in quorum have to connect to a leader | `10` | +| `syncLimit` | How far out of date a server can be from a leader | `5` | +| `preAllocSize` | Block size for transaction log file | `65536` | +| `snapCount` | The number of transactions recorded in the transaction log before a snapshot can be taken (and the transaction log rolled) | `100000` | +| `maxClientCnxns` | Limits the number of concurrent connections that a single client may make to a single member of the ZooKeeper ensemble | `60` | +| `maxSessionTimeout` | Maximum session timeout (in milliseconds) that the server will allow the client to negotiate | `40000` | +| `heapSize` | Size (in MB) for the Java Heap options (Xmx and Xms) | `1024` | +| `fourlwCommandsWhitelist` | A list of comma separated Four Letter Words commands that can be executed | `srvr, mntr, ruok` | +| `minServerId` | Minimal SERVER_ID value, nodes increment their IDs respectively | `1` | +| `listenOnAllIPs` | Allow ZooKeeper to listen for connections from its peers on all available IP addresses | `false` | +| `autopurge.snapRetainCount` | The most recent snapshots amount (and corresponding transaction logs) to retain | `3` | +| `autopurge.purgeInterval` | The time interval (in hours) for which the purge task has to be triggered | `0` | +| `logLevel` | Log level for the ZooKeeper server. 
ERROR by default | `ERROR` | +| `jvmFlags` | Default JVM flags for the ZooKeeper process | `""` | +| `dataLogDir` | Dedicated data log directory | `""` | +| `configuration` | Configure ZooKeeper with a custom zoo.cfg file | `""` | +| `existingConfigmap` | The name of an existing ConfigMap with your custom configuration for ZooKeeper | `""` | +| `extraEnvVars` | Array with extra environment variables to add to ZooKeeper nodes | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for ZooKeeper nodes | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars for ZooKeeper nodes | `""` | +| `command` | Override default container command (useful when using custom images) | `["/scripts/setup.sh"]` | +| `args` | Override default container args (useful when using custom images) | `[]` | ### Statefulset parameters @@ -245,7 +251,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r0` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r4` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | 
@@ -420,6 +426,11 @@ Find more information about how to deal with common errors related to Bitnami's
## Upgrading
+### To 10.0.0
+
+This new version of the chart adds support for server-server authentication.
+The chart previously supported client-server authentication, to avioud confusion, the previous parameters have been renamed from `auth.*` to `auth.client.*`.
+
### To 9.0.0
This new version of the chart includes the new ZooKeeper major version 3.8.0. Upgrade compatibility is not guaranteed.
diff --git a/bitnami/zookeeper/templates/NOTES.txt b/bitnami/zookeeper/templates/NOTES.txt
index a6b2ea47be..c287e1e565 100644
--- a/bitnami/zookeeper/templates/NOTES.txt
+++ b/bitnami/zookeeper/templates/NOTES.txt
@@ -2,8 +2,7 @@ CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
-{{- if contains .Values.service.type "LoadBalancer" }}
-{{- if not .Values.auth.clientPassword }}
+{{- if and (not .Values.auth.client.enabled) (eq .Values.service.type "LoadBalancer") }}
-------------------------------------------------------------------------------
WARNING
@@ -17,7 +16,6 @@ APP VERSION: {{ .Chart.AppVersion }}
-------------------------------------------------------------------------------
{{- end }}
-{{- end }}
** Please be patient while the chart is being deployed **
@@ -52,13 +50,13 @@ To connect to your ZooKeeper server run the following commands:
To connect to your ZooKeeper server from outside the cluster execute the following commands:
-{{- if contains "NodePort" .Values.service.type }}
+{{- if eq .Values.service.type "NodePort" }}
export NODE_IP=$(kubectl get nodes --namespace {{ template "zookeeper.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace {{ template "zookeeper.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }})
zkCli.sh $NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
+{{- else if eq .Values.service.type "LoadBalancer" }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ template "zookeeper.namespace" . }} -w {{ template "common.names.fullname" . }}'
@@ -66,7 +64,7 @@ To connect to your ZooKeeper server from outside the cluster execute the followi
export SERVICE_IP=$(kubectl get svc --namespace {{ template "zookeeper.namespace" . }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
zkCli.sh $SERVICE_IP:{{ .Values.service.ports.client }}
-{{- else if contains "ClusterIP" .Values.service.type }}
+{{- else if eq .Values.service.type "ClusterIP" }}
kubectl port-forward --namespace {{ template "zookeeper.namespace" . }} svc/{{ template "common.names.fullname" . }} {{ .Values.service.ports.client }}:{{ .Values.containerPorts.client }} &
zkCli.sh 127.0.0.1:{{ .Values.service.ports.client }}
diff --git a/bitnami/zookeeper/templates/_helpers.tpl b/bitnami/zookeeper/templates/_helpers.tpl
index d21111b744..d855bada0f 100644
--- a/bitnami/zookeeper/templates/_helpers.tpl
+++ b/bitnami/zookeeper/templates/_helpers.tpl
@@ -52,21 +52,41 @@ Return ZooKeeper Namespace to use
{{- end -}}
{{/*
-Return the ZooKeeper authentication credentials secret
+Return the ZooKeeper client-server authentication credentials secret
*/}}
-{{- define "zookeeper.secretName" -}}
-{{- if .Values.auth.existingSecret -}}
- {{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
+{{- define "zookeeper.client.secretName" -}}
+{{- if .Values.auth.client.existingSecret -}}
+ {{- printf "%s" (tpl .Values.auth.client.existingSecret $) -}}
{{- else -}}
- {{- printf "%s-auth" (include "common.names.fullname" .) -}}
+ {{- printf "%s-client-auth" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
-Return true if a ZooKeeper authentication credentials secret object should be created
+Return the ZooKeeper server-server authentication credentials secret
*/}}
-{{- define "zookeeper.createSecret" -}}
-{{- if and .Values.auth.enabled (empty .Values.auth.existingSecret) -}}
+{{- define "zookeeper.quorum.secretName" -}}
+{{- if .Values.auth.quorum.existingSecret -}}
+ {{- printf "%s" (tpl .Values.auth.quorum.existingSecret $) -}}
+{{- else -}}
+ {{- printf "%s-quorum-auth" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a ZooKeeper client-server authentication credentials secret object should be created
+*/}}
+{{- define "zookeeper.client.createSecret" -}}
+{{- if and .Values.auth.client.enabled (empty .Values.auth.client.existingSecret) -}}
+ {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a ZooKeeper server-server authentication credentials secret object should be created
+*/}}
+{{- define "zookeeper.quorum.createSecret" -}}
+{{- if and .Values.auth.quorum.enabled (empty .Values.auth.quorum.existingSecret) -}}
{{- true -}}
{{- end -}}
{{- end -}}
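Review bot: The new `zookeeper.client.secretName` and `zookeeper.quorum.secretName` helpers return whatever `existingSecret` the user names, but neither the helper comments nor the matching `@param` descriptions in the values.yaml hunk say which keys that secret must carry; the statefulset hunk reads `client-password`/`server-password` from the client secret and `quorum-learner-password`/`quorum-server-password` from the quorum secret, so a user-supplied secret with other key names yields pods that fail on a missing key with no hint from the chart. Suggest extending the comment above `zookeeper.client.secretName` to `Return the ZooKeeper client-server authentication credentials secret. An existing secret must provide the keys client-password and server-password`, and the quorum comment likewise with `quorum-learner-password` and `quorum-server-password`. The same key names belong in the `auth.client.existingSecret` and `auth.quorum.existingSecret` descriptions in values.yaml, from which the README table is generated.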
@@ -85,28 +105,6 @@ otherwise it generates a random value.
{{- end -}}
{{- end }}
-{{/*
-Return ZooKeeper client password
-*/}}
-{{- define "zookeeper.client.password" -}}
-{{- if not (empty .Values.auth.clientPassword) -}}
- {{- .Values.auth.clientPassword -}}
-{{- else -}}
- {{- include "getValueFromSecret" (dict "Namespace" (include "zookeeper.namespace" .) "Name" (printf "%s-auth" (include "common.names.fullname" .)) "Length" 10 "Key" "client-password") -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Return ZooKeeper server password
-*/}}
-{{- define "zookeeper.server.password" -}}
-{{- if not (empty .Values.auth.serverPasswords) -}}
- {{- .Values.auth.serverPasswords -}}
-{{- else -}}
- {{- include "getValueFromSecret" (dict "Namespace" (include "zookeeper.namespace" .) "Name" (printf "%s-auth" (include "common.names.fullname" .)) "Length" 10 "Key" "server-password") -}}
-{{- end -}}
-{{- end -}}
-
{{/*
Return the ZooKeeper configuration ConfigMap name
*/}}
@@ -304,7 +302,8 @@ Compile all warnings into a single message.
*/}}
{{- define "zookeeper.validateValues" -}}
{{- $messages := list -}}
-{{- $messages := append $messages (include "zookeeper.validateValues.auth" .) -}}
+{{- $messages := append $messages (include "zookeeper.validateValues.client.auth" .) -}}
+{{- $messages := append $messages (include "zookeeper.validateValues.quorum.auth" .) -}}
{{- $messages := append $messages (include "zookeeper.validateValues.client.tls" .) -}}
{{- $messages := append $messages (include "zookeeper.validateValues.quorum.tls" .) -}}
{{- $messages := without $messages "" -}}
@@ -318,11 +317,22 @@ Compile all warnings into a single message.
{{/*
Validate values of ZooKeeper - Authentication enabled
*/}}
-{{- define "zookeeper.validateValues.auth" -}}
-{{- if and .Values.auth.enabled (or (not .Values.auth.clientUser) (not .Values.auth.serverUsers)) }}
-zookeeper: auth.enabled
- In order to enable authentication, you need to provide the list
- of users to be created and the user to use for clients access.
+{{- define "zookeeper.validateValues.client.auth" -}}
+{{- if and .Values.auth.client.enabled (not .Values.auth.client.existingSecret) (or (not .Values.auth.client.clientUser) (not .Values.auth.client.serverUsers)) }}
+zookeeper: auth.client.enabled
+ In order to enable client-server authentication, you need to provide the list
+ of users to be created and the user to use for clients authentication.
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validate values of ZooKeeper - Authentication enabled
+*/}}
+{{- define "zookeeper.validateValues.quorum.auth" -}}
+{{- if and .Values.auth.quorum.enabled (not .Values.auth.quorum.existingSecret) (or (not .Values.auth.quorum.learnerUser) (not .Values.auth.quorum.serverUsers)) }}
+zookeeper: auth.quorum.enabled
+ In order to enable server-server authentication, you need to provide the list
+ of users to be created and the user to use for quorum authentication.
{{- end -}}
{{- end -}}
diff --git a/bitnami/zookeeper/templates/secrets.yaml b/bitnami/zookeeper/templates/secrets.yaml
index 247d8a913d..41314d03db 100644
--- a/bitnami/zookeeper/templates/secrets.yaml
+++ b/bitnami/zookeeper/templates/secrets.yaml
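Review bot: The added `(not .Values.auth.client.existingSecret)` term, and its twin in the quorum validator, skips the user check whenever an existing secret is named, but that secret only supplies passwords: the statefulset hunk still takes `ZOO_CLIENT_USER`, `ZOO_SERVER_USERS`, `ZOO_QUORUM_LEARNER_USER` and `ZOO_QUORUM_SERVER_USERS` straight from values, so a release with `existingSecret` set and the users left empty passes validation and starts with empty user names. Dropping that term from both conditions, `{{- if and .Values.auth.client.enabled (or (not .Values.auth.client.clientUser) (not .Values.auth.client.serverUsers)) }}` and `{{- if and .Values.auth.quorum.enabled (or (not .Values.auth.quorum.learnerUser) (not .Values.auth.quorum.serverUsers)) }}`, restores the check without touching password handling. The comment above the quorum validator is a verbatim copy of the client one; `Validate values of ZooKeeper - Server-server authentication enabled` would tell them apart. The values.yaml hunk also asks that `learnerUser` be included in `auth.quorum.serverUsers`, which nothing checks; a further message in this block is where that would fit.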
@@ -1,8 +1,8 @@
-{{- if (include "zookeeper.createSecret" .) }}
+{{- if (include "zookeeper.client.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
- name: {{ printf "%s-auth" (include "common.names.fullname" .) }}
+ name: {{ printf "%s-client-auth" (include "common.names.fullname" .) }}
namespace: {{ template "zookeeper.namespace" . }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: zookeeper
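Review bot: Renaming the generated secret from `<fullname>-auth` to `<fullname>-client-auth` moves where auto-generated passwords live, and as far as this patch shows nothing carries the old values forward: the removed helpers looked up `printf "%s-auth"` while the new `common.secrets.passwords.manage` calls in the next hunk look up `%s-client-auth` only, so a 9.x release that relied on generated `client-password`/`server-password` gets fresh passwords on upgrade to 10.0.0 and clients holding the old credentials are locked out. The "To 10.0.0" section in the README hunk mentions only the parameter rename; it should state that generated passwords are regenerated unless `auth.client.clientPassword`/`auth.client.serverPasswords` or `auth.client.existingSecret` are set explicitly, or the template should fall back to the old `-auth` secret when it exists.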
@@ -14,8 +14,28 @@ metadata:
{{- end }}
type: Opaque
data:
- client-password: {{ include "zookeeper.client.password" . | b64enc | quote }}
- server-password: {{ include "zookeeper.server.password" . | b64enc | quote }}
+ client-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-client-auth" (include "common.names.fullname" .)) "key" "client-password" "providedValues" (list "auth.client.clientPassword") "context" $) }}
+ server-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-client-auth" (include "common.names.fullname" .)) "key" "server-password" "providedValues" (list "auth.client.serverPasswords") "context" $) }}
+{{- end }}
+{{- if (include "zookeeper.quorum.createSecret" .) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ printf "%s-quorum-auth" (include "common.names.fullname" .) }}
+ namespace: {{ template "zookeeper.namespace" . }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ app.kubernetes.io/component: zookeeper
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ quorum-learner-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-client-auth" (include "common.names.fullname" .)) "key" "quorum-learner-password" "providedValues" (list "auth.quorum.learnerPassword") "context" $) }}
+ quorum-server-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-client-auth" (include "common.names.fullname" .)) "key" "quorum-server-password" "providedValues" (list "auth.quorum.serverPasswords") "context" $) }}
{{- end }}
{{- if (include "zookeeper.client.createTlsPasswordsSecret" .) }}
---
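Review bot: Both `common.secrets.passwords.manage` calls in the new quorum Secret pass `"secret" (printf "%s-client-auth" ...)` while the object they populate is named `%s-quorum-auth`, so the lookup for a previously generated `quorum-learner-password`/`quorum-server-password` never finds anything and a new random value is produced on every `helm upgrade`. Because the statefulset hunk feeds this secret into the `checksum/secrets` annotation, each upgrade then rolls the StatefulSet with quorum credentials the not-yet-restarted members presumably do not hold, which would break server-server authentication during the rollout. Change the `secret` argument on both lines to `(printf "%s-quorum-auth" (include "common.names.fullname" .))` so it matches `metadata.name`; the two client-secret calls above already use the right name, so the defect is confined to the quorum block.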
diff --git a/bitnami/zookeeper/templates/statefulset.yaml b/bitnami/zookeeper/templates/statefulset.yaml
index f0db01dc44..ae2f7a10af 100644
--- a/bitnami/zookeeper/templates/statefulset.yaml
+++ b/bitnami/zookeeper/templates/statefulset.yaml
@@ -31,7 +31,7 @@ spec:
{{- if (include "zookeeper.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
- {{- if or (include "zookeeper.createSecret" .) (include "zookeeper.client.createTlsPasswordsSecret" .) (include "zookeeper.quorum.createTlsPasswordsSecret" .) }}
+ {{- if or (include "zookeeper.quorum.createSecret" .) (include "zookeeper.client.createSecret" .) (include "zookeeper.client.createTlsPasswordsSecret" .) (include "zookeeper.quorum.createTlsPasswordsSecret" .) }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if or (include "zookeeper.client.createTlsSecret" .) (include "zookeeper.quorum.createTlsSecret" .) }}
@@ -228,29 +228,47 @@ spec:
{{- $clusterDomain := .Values.clusterDomain }}
value: {{ range $i, $e := until $replicaCount }}{{ $zookeeperFullname }}-{{ $e }}.{{ $zookeeperHeadlessServiceName }}.{{ $releaseNamespace }}.svc.{{ $clusterDomain }}:{{ $followerPort }}:{{ $electionPort }}::{{ add $e $minServerId }} {{ end }}
- name: ZOO_ENABLE_AUTH
- value: {{ ternary "yes" "no" .Values.auth.enabled | quote }}
- {{- if .Values.auth.enabled }}
+ value: {{ ternary "yes" "no" .Values.auth.client.enabled | quote }}
+ {{- if .Values.auth.client.enabled }}
- name: ZOO_CLIENT_USER
- value: {{ .Values.auth.clientUser | quote }}
+ value: {{ .Values.auth.client.clientUser | quote }}
- name: ZOO_CLIENT_PASSWORD
valueFrom:
secretKeyRef:
- name: {{ include "zookeeper.secretName" . }}
+ name: {{ include "zookeeper.client.secretName" . }}
key: client-password
- name: ZOO_SERVER_USERS
- value: {{ .Values.auth.serverUsers | quote }}
+ value: {{ .Values.auth.client.serverUsers | quote }}
- name: ZOO_SERVER_PASSWORDS
valueFrom:
secretKeyRef:
- name: {{ include "zookeeper.secretName" . }}
+ name: {{ include "zookeeper.client.secretName" . }}
key: server-password
{{- end }}
+ - name: ZOO_ENABLE_QUORUM_AUTH
+ value: {{ ternary "yes" "no" .Values.auth.quorum.enabled | quote }}
+ {{- if .Values.auth.quorum.enabled }}
+ - name: ZOO_QUORUM_LEARNER_USER
+ value: {{ .Values.auth.quorum.learnerUser | quote }}
+ - name: ZOO_QUORUM_LEARNER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "zookeeper.quorum.secretName" . }}
+ key: quorum-learner-password
+ - name: ZOO_QUORUM_SERVER_USERS
+ value: {{ .Values.auth.quorum.serverUsers | quote }}
+ - name: ZOO_QUORUM_SERVER_PASSWORDS
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "zookeeper.quorum.secretName" .
}}
+ key: quorum-server-password
+ {{- end }}
- name: ZOO_HEAP_SIZE
value: {{ .Values.heapSize | quote }}
- name: ZOO_LOG_LEVEL
value: {{ .Values.logLevel | quote }}
- name: ALLOW_ANONYMOUS_LOGIN
- value: {{ ternary "no" "yes" .Values.auth.enabled | quote }}
+ value: {{ ternary "no" "yes" .Values.auth.client.enabled | quote }}
{{- if .Values.jvmFlags }}
- name: JVMFLAGS
value: {{ .Values.jvmFlags | quote }}
@@ -291,7 +309,7 @@ spec:
- name: ZOO_TLS_QUORUM_ENABLE
value: {{ .Values.tls.quorum.enabled | quote }}
- name: ZOO_TLS_QUORUM_CLIENT_AUTH
- value: {{ .Values.tls.quorum.auth | quote }}
+ value: {{ .Values.tls.auth.quorum | quote }}
- name: ZOO_TLS_QUORUM_KEYSTORE_FILE
value: {{ .Values.tls.quorum.keystorePath | quote }}
- name: ZOO_TLS_QUORUM_TRUSTSTORE_FILE
diff --git a/bitnami/zookeeper/values.yaml b/bitnami/zookeeper/values.yaml
index 6e7ced7512..1bf9695f8c 100644
--- a/bitnami/zookeeper/values.yaml
+++ b/bitnami/zookeeper/values.yaml
@@ -75,7 +75,7 @@ diagnosticMode:
image:
registry: docker.io
repository: bitnami/zookeeper
- tag: 3.8.0-debian-11-r5
+ tag: 3.8.0-debian-11-r6
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
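Review bot: The `ZOO_TLS_QUORUM_CLIENT_AUTH` line in the `@@ -291,7 +309,7 @@` hunk now reads `.Values.tls.auth.quorum`, but the values.yaml hunks in this patch (which account for its full 65-line diffstat) add no `tls.auth` map, and the neighbouring `tls.quorum.enabled` and `tls.quorum.keystorePath` keep the `tls.quorum.*` shape the removed line had. Unless `tls.auth.quorum` already exists elsewhere in values.yaml, rendering either fails with a nil-pointer error on `.quorum` or, if `tls.auth` is present but empty, sets the variable to an empty string and silently drops the quorum client-certificate requirement. Reverting to `value: {{ .Values.tls.quorum.auth | quote }}` keeps this commit to the SASL auth rename it describes; the enclosing env list starts and ends outside the hunk.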
@@ -95,26 +95,49 @@ image:
## Authentication parameters
##
auth:
- ## @param auth.enabled Enable ZooKeeper auth. It uses SASL/Digest-MD5
- ##
- enabled: false
- ## @param auth.clientUser User that will use ZooKeeper clients to auth
- ##
- clientUser: ""
- ## @param auth.clientPassword Password that will use ZooKeeper clients to auth
- ##
- clientPassword: ""
- ## @param auth.serverUsers Comma, semicolon or whitespace separated list of user to be created
- ## Specify them as a string, for example: "user1,user2,admin"
- ##
- serverUsers: ""
- ## @param auth.serverPasswords Comma, semicolon or whitespace separated list of passwords to assign to users when created
- ## Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
- ##
- serverPasswords: ""
- ## @param auth.existingSecret Use existing secret (ignores previous passwords)
- ##
- existingSecret: ""
+ client:
+ ## @param auth.client.enabled Enable ZooKeeper client-server authentication. It uses SASL/Digest-MD5
+ ##
+ enabled: false
+ ## @param auth.client.clientUser User that will use ZooKeeper clients to auth
+ ##
+ clientUser: ""
+ ## @param auth.client.clientPassword Password that will use ZooKeeper clients to auth
+ ##
+ clientPassword: ""
+ ## @param auth.client.serverUsers Comma, semicolon or whitespace separated list of user to be created
+ ## Specify them as a string, for example: "user1,user2,admin"
+ ##
+ serverUsers: ""
+ ## @param auth.client.serverPasswords Comma, semicolon or whitespace separated list of passwords to assign to users when created
+ ## Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
+ ##
+ serverPasswords: ""
+ ## @param auth.client.existingSecret Use existing secret (ignores previous passwords)
+ ##
+ existingSecret: ""
+ quorum:
+ ## @param auth.quorum.enabled Enable ZooKeeper server-server authentication.
It uses SASL/Digest-MD5
+ ##
+ enabled: false
+ ## @param auth.quorum.learnerUser User that the ZooKeeper quorumLearner will use to authenticate to quorumServers.
+ ## Note: Make sure the user is included in auth.quorum.serverUsers
+ ##
+ learnerUser: ""
+ ## @param auth.quorum.learnerPassword Password that the ZooKeeper quorumLearner will use to authenticate to quorumServers.
+ ##
+ learnerPassword: ""
+ ## @param auth.quorum.serverUsers Comma, semicolon or whitespace separated list of users for the quorumServers.
+ ## Specify them as a string, for example: "user1,user2,admin"
+ ##
+ serverUsers: ""
+ ## @param auth.quorum.serverPasswords Comma, semicolon or whitespace separated list of passwords to assign to users when created
+ ## Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
+ ##
+ serverPasswords: ""
+ ## @param auth.quorum.existingSecret Use existing secret (ignores previous passwords)
+ ##
+ existingSecret: ""
## @param tickTime Basic time unit (in milliseconds) used by ZooKeeper for heartbeats
##
tickTime: 2000
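Review bot: The line `## Note: Make sure the user is included in auth.quorum.serverUsers` under `auth.quorum.learnerUser` is a plain comment rather than part of the `@param` description, so the generated README row for that parameter (visible in the README hunk) drops the requirement and users reading the table never see it; nothing in the chart validates it either. Folding it into the description line, `## @param auth.quorum.learnerUser User that the ZooKeeper quorumLearner will use to authenticate to quorumServers. Note: Make sure the user is included in auth.quorum.serverUsers`, carries it through the README generator. Separately, the `image.tag` bump to `3.8.0-debian-11-r6` in the hunk above this one is not reflected in the README hunk, which still documents `3.8.0-debian-11-r5`, so the README needs regenerating before merge.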