[CPS] Fix Kafka authorization issues in gating 83/141683/1
authorFiete Ostkamp <Fiete.Ostkamp@telekom.de>
Tue, 12 Aug 2025 14:03:34 +0000 (16:03 +0200)
committerFiete Ostkamp <Fiete.Ostkamp@telekom.de>
Tue, 12 Aug 2025 14:03:34 +0000 (16:03 +0200)
- fix authorization exception for ncmp-data-operation-event-group
  by granting the cps-core KafkaUser ACL permissions for that group
- fix authorization exception for the subscription and dmi-device-heartbeat topics
  by ensuring that these topics are created (as KafkaTopic resources) by the cps-core deployment

Issue-ID: CPS-2932
Change-Id: Iff2fcd99ea925ed907e7be8d9395c973482d7dc7
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
kubernetes/cps/components/cps-core/resources/config/application-helm.yml
kubernetes/cps/components/cps-core/values.yaml

index e9d4df5..45e78b6 100644 (file)
@@ -32,10 +32,22 @@ spring:
   liquibase:
     change-log: classpath:changelog/changelog-master.yaml
     label-filter: {{ .Values.config.liquibaseLabels }}
-
   kafka:
     producer:
       client-id: cps-core
+{{- with (first .Values.kafkaUser.acls) }}
+    consumer:
+      group-id: {{ .name }}
+{{- end }}
+    bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+    security:
+      protocol: SASL_PLAINTEXT
+    properties:
+      sasl:
+        mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
+        jaas:
+          config: ${SASL_JAAS_CONFIG}
+
 
 security:
 # comma-separated uri patterns which do not require authorization
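Review bot: The consumer group at `group-id: {{ .name }}` is taken from whichever entry happens to be first in `.Values.kafkaUser.acls`, so reordering that list in values.yaml silently changes the group the application joins and can reintroduce the very authorization failure this commit fixes; a dedicated value, or at least a comment on the ACL list stating that the first entry must be the consumer group, would make the coupling explicit. The templated scalar should also be quoted, `group-id: "{{ .name }}"`, so an empty or boolean-looking name does not change type once rendered. Separately, `protocol: SASL_PLAINTEXT` on the 9092 bootstrap port keeps the SCRAM password out of the handshake but leaves every message on the wire unencrypted; if the Strimzi cluster exposes a TLS listener, `SASL_SSL` with the cluster CA would be the safer default now that these credentials gate topic access.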
@@ -61,13 +73,6 @@ ncmp:
       username: ${DMI_USERNAME}
       password: ${DMI_PASSWORD}
 
-{{- with (first .Values.kafkaUser.acls) }}
-spring.kafka.consumer.group-id: {{ .name }}
-{{- end }}
-spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
-spring.kafka.security.protocol: SASL_PLAINTEXT
-spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
-spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG}
 
 # Kafka Topics
 {{- if .Values.topics.config }}
@@ -98,4 +103,3 @@ otel:
         protocol: {{ .Values.otel.config.otlp.traces.protocol }}
 
 # Last empty line is required otherwise the last property will be missing from application.yml file in the pod.
-
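Review bot: The removed trailing blank line contradicts the comment kept directly above it (`# Last empty line is required otherwise the last property will be missing from application.yml file in the pod.`); either that comment is stale and should be removed too, or this deletion reintroduces the truncation it warns about. I would render the chart and check that the last property (`otel.config.otlp.traces.protocol` at the end of this file) survives in the pod's application.yml before merging, or keep the blank line.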
index 2c251ee..81fb82c 100644 (file)
@@ -201,6 +201,12 @@ kafkaTopic:
   - name: &dataUpdatedTopic cps-data-updated-events
     retentionMs: 7200000
     segmentBytes: 1073741824
+  - name: &ncmpCmSubscriptionIn subscription
+    retentionMs: 7200000
+    segmentBytes: 1073741824
+  - name: &dmiDeviceHeartbeatTopic dmi-device-heartbeat
+    retentionMs: 7200000
+    segmentBytes: 1073741824
 
 kafkaUser:
   authenticationType: scram-sha-512
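Review bot: Declaring `subscription` and `dmi-device-heartbeat` as KafkaTopic resources here makes cps-core the owner of topics its own KafkaUser only reads (the ACLs further down grant `Read` on both), so the producing side still needs a `Write` ACL on its own KafkaUser, which is not part of this change; and if the producer's chart (presumably the DMI plugin, judging by the name) also declares a KafkaTopic with the same name, the Strimzi topic operator will see two CRs for one topic. A short comment on each entry naming the expected producer would document that ownership decision, e.g. `# consumed by NCMP; produced by DMI plugins, which need their own Write ACL`.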
@@ -208,6 +214,9 @@ kafkaUser:
     - name: cps-core-group
       type: group
       operations: [Read]
+    - name: ncmp-data-operation-event-group
+      type: group
+      operations: [Read]
     - name: *dataUpdatedTopic
       type: topic
       operations: [Write]
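Review bot: The new group `ncmp-data-operation-event-group` is granted Read, but unlike `cps-core-group` nothing in this chart sets it as a consumer group-id (the application template only derives `spring.kafka.consumer.group-id` from the first ACL entry), so the name has to be kept in sync by hand with whatever the NCMP data-operation consumer configures elsewhere, presumably in application code. A comment would make that contract visible, e.g. `# must match the group-id used by the NCMP data-operation event consumer; not templated into application.yml`. Keep this entry after `cps-core-group`: the template picks the first ACL as the default consumer group, so placing it first would change the group every other listener joins.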
@@ -220,7 +229,7 @@ kafkaUser:
     - name: &cmAvcSubscriptionTopic cm-avc-subscription
       type: topic
       operations: [Read]
-    - name: &ncmpCmSubscriptionIn subscription
+    - name: *ncmpCmSubscriptionIn
       type: topic
       operations: [Read]
     - name: &ncmpCmSubscriptionDmiIn ncmp-dmi-cm-avc-subscription
@@ -235,7 +244,7 @@ kafkaUser:
     - name: &ncmpCmEventsTopic cm-events
       type: topic
       operations: [Read]
-    - name: &dmiDeviceHeartbeatTopic dmi-device-heartbeat
+    - name: *dmiDeviceHeartbeatTopic
       type: topic
       operations: [Read]
     - name: &lcmEventsTopic ncmp-events
@@ -339,4 +348,3 @@ otel:
     otlp:
       traces:
         protocol: grpc
-