From 31e467f455949c2eddd3107a9772f333b48a44ea Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp
Date: Tue, 12 Aug 2025 16:03:34 +0200
Subject: [PATCH] [CPS] Fix Kafka authorization issues in gating

- fix authorization exception for ncmp-data-operation-event-group by granting the cps-core KafkaUser ACL permissions for that group
- fix authorization exception for subscription, dmi-device-heartbeat topics by ensuring that these topics are created by the cps-core deployment

Issue-ID: CPS-2932
Change-Id: Iff2fcd99ea925ed907e7be8d9395c973482d7dc7
Signed-off-by: Fiete Ostkamp
---
 .../cps-core/resources/config/application-helm.yml | 22 +++++++++++++---------
 kubernetes/cps/components/cps-core/values.yaml | 14 +++++++++++---
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml
index e9d4df5fe3..45e78b64e3 100644
--- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml
+++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml
@@ -32,10 +32,22 @@ spring:
 liquibase:
 change-log: classpath:changelog/changelog-master.yaml
 label-filter: {{ .Values.config.liquibaseLabels }}
-
 kafka:
 producer:
 client-id: cps-core
+{{- with (first .Values.kafkaUser.acls) }}
+ consumer:
+ group-id: {{ .name }}
+{{- end }}
+ bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
+ security:
+ protocol: SASL_PLAINTEXT
+ properties:
+ sasl:
+ mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
+ jaas:
+ config: ${SASL_JAAS_CONFIG}
+
 
 security:
 # comma-separated uri patterns which do not require authorization
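Review bot: `group-id: {{ .name }}` binds the consumer group to whichever entry happens to be listed first in `.Values.kafkaUser.acls`, so the group the application joins is decided by list order in values.yaml, and this same commit adds a second group ACL (`ncmp-data-operation-event-group`) to that list — moving it above `cps-core-group` would silently switch the group and reintroduce the authorization failure being fixed. Selecting the group explicitly would be more robust; at minimum add `# group-id is taken from the FIRST entry of .Values.kafkaUser.acls — keep cps-core-group first` above the `with` block, and render it as `group-id: {{ .name | quote }}` so a group name that YAML would retype survives intact. If the list is overridden empty, `first` yields nil and the whole `consumer:` block is omitted, which presumably leaves Spring's consumer without a group.id — a default would make that failure mode explicit. `protocol: SASL_PLAINTEXT` (carried over from the dotted form removed in the next hunk) authenticates via SCRAM but leaves the channel unencrypted, which is acceptable only while the Strimzi bootstrap listener on 9092 stays cluster-internal; the enclosing `spring:` mapping starts before this hunk.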
@@ -61,13 +73,6 @@ ncmp:
 username: ${DMI_USERNAME}
 password: ${DMI_PASSWORD}
 
-{{- with (first .Values.kafkaUser.acls) }}
-spring.kafka.consumer.group-id: {{ .name }}
-{{- end }}
-spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092
-spring.kafka.security.protocol: SASL_PLAINTEXT
-spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }}
-spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG}
 
 # Kafka Topics
 {{- if .Values.topics.config }}
@@ -98,4 +103,3 @@ otel:
 protocol: {{ .Values.otel.config.otlp.traces.protocol }}
 # Last empty line is required otherwise the last property will be missing from application.yml file in the pod.
 
-
diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml
index 2c251ee344..81fb82cd67 100644
--- a/kubernetes/cps/components/cps-core/values.yaml
+++ b/kubernetes/cps/components/cps-core/values.yaml
@@ -201,6 +201,12 @@ kafkaTopic:
 - name: &dataUpdatedTopic cps-data-updated-events
 retentionMs: 7200000
 segmentBytes: 1073741824
+ - name: &ncmpCmSubscriptionIn subscription
+ retentionMs: 7200000
+ segmentBytes: 1073741824
+ - name: &dmiDeviceHeartbeatTopic dmi-device-heartbeat
+ retentionMs: 7200000
+ segmentBytes: 1073741824
 
 kafkaUser:
 authenticationType: scram-sha-512
@@ -208,6 +214,9 @@ kafkaUser:
 - name: cps-core-group
 type: group
 operations: [Read]
+ - name: ncmp-data-operation-event-group
+ type: group
+ operations: [Read]
 - name: *dataUpdatedTopic
 type: topic
 operations: [Write]
@@ -220,7 +229,7 @@ kafkaUser:
 - name: &cmAvcSubscriptionTopic cm-avc-subscription
 type: topic
 operations: [Read]
- - name: &ncmpCmSubscriptionIn subscription
+ - name: *ncmpCmSubscriptionIn
 type: topic
 operations: [Read]
 - name: &ncmpCmSubscriptionDmiIn ncmp-dmi-cm-avc-subscription
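Review bot: The two new KafkaTopic entries copy `retentionMs: 7200000` and `segmentBytes: 1073741824` verbatim from `cps-data-updated-events`; nothing here shows that heartbeat or subscription traffic needs the same 2-hour retention and 1 GiB segments, so record the reasoning or mark them as inherited: `# retention/segment inherited from cps-data-updated-events; revisit per topic volume`. `subscription` is a bare, component-neutral topic name inside a shared Strimzi cluster; the name is dictated by the application, but a comment noting that another chart creating a KafkaTopic of that name would conflict saves the next operator a debugging session. The cps-core KafkaUser is only granted `Read` on these two topics (the `*ncmpCmSubscriptionIn` and `*dmiDeviceHeartbeatTopic` ACL entries later in this file), so the producing side presumably relies on another component's KafkaUser — not visible on this page.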
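Review bot: The new `ncmp-data-operation-event-group` ACL hard-codes a consumer group name with no pointer to where it is consumed; the chart only templates `spring.kafka.consumer.group-id` from the first ACL entry (application-helm.yml in this patch), so this second group must be configured by the application itself and can drift from this ACL without any chart-level error. Granting only `Read` on the group is the right least-privilege scope. Add a comment above the entry: `# group.id used by the NCMP data-operation listener; not templated by the chart, keep in sync with the application config`.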
@@ -235,7 +244,7 @@ kafkaUser:
 - name: &ncmpCmEventsTopic cm-events
 type: topic
 operations: [Read]
- - name: &dmiDeviceHeartbeatTopic dmi-device-heartbeat
+ - name: *dmiDeviceHeartbeatTopic
 type: topic
 operations: [Read]
 - name: &lcmEventsTopic ncmp-events
@@ -339,4 +348,3 @@ otel:
 otlp:
 traces:
 protocol: grpc
-
-- 
2.16.6