wip

Author: siegfriedweber

CHANGELOG.md

@@ -23,6 +23,10 @@ All notable changes to this project will be documented in this file.
 - Default to OCI for image metadata and product image selection ([#810]).
 - Bump Kafka 3.7.1 to 3.7.2 in tests and getting_started, and bump upgrade testing from 3.7.1->3.8.0 to 3.8.0->3.9.0 ([#822]).
 
+### Fixed
+
+- Readiness probe fixed if Kerberos is enabled
+
 [#796]: https://github.com/stackabletech/kafka-operator/pull/796
 [#803]: https://github.com/stackabletech/kafka-operator/pull/803
 [#809]: https://github.com/stackabletech/kafka-operator/pull/809

rust/operator-binary/src/crd/security.rs

@@ -293,6 +293,7 @@ impl KafkaTlsSecurity {
             args.push("-b".to_string());
             args.push(format!("localhost:{}", port));
             args.extend(Self::kcat_client_auth_ssl(Self::STACKABLE_TLS_KCAT_DIR));
+            args.push("-L".to_string());
         } else if self.has_kerberos_enabled() {
             let service_name = KafkaRole::Broker.kerberos_service_name();
             // here we need to specify a shell so that variable substitution will work
@@ -302,33 +303,39 @@ impl KafkaTlsSecurity {
             args.push("-euo".to_string());
             args.push("pipefail".to_string());
             args.push("-c".to_string());
-            args.push(
+
+            let mut bash_args = vec![];
+            bash_args.push(
                 format!(
                     "export KERBEROS_REALM=$(grep -oP 'default_realm = \\K.*' {});",
                     STACKABLE_KERBEROS_KRB5_PATH
                 )
                 .to_string(),
             );
-            args.push("/stackable/kcat".to_string());
-            args.push("-b".to_string());
-            args.push(format!("{pod_fqdn}:{port}"));
-            args.extend(Self::kcat_client_sasl_ssl(
+            bash_args.push("/stackable/kcat".to_string());
+            bash_args.push("-b".to_string());
+            bash_args.push(format!("{pod_fqdn}:{port}"));
+            bash_args.extend(Self::kcat_client_sasl_ssl(
                 Self::STACKABLE_TLS_KCAT_DIR,
                 service_name,
                 pod_fqdn,
             ));
+            bash_args.push("-L".to_string());
+
+            args.push(bash_args.join(" "));
         } else if self.tls_server_secret_class().is_some() {
             args.push("/stackable/kcat".to_string());
             args.push("-b".to_string());
             args.push(format!("localhost:{}", port));
             args.extend(Self::kcat_client_ssl(Self::STACKABLE_TLS_KCAT_DIR));
+            args.push("-L".to_string());
         } else {
             args.push("/stackable/kcat".to_string());
             args.push("-b".to_string());
             args.push(format!("localhost:{}", port));
+            args.push("-L".to_string());
         }
 
-        args.push("-L".to_string());
         args
     }
 

rust/operator-binary/src/kerberos.rs

@@ -45,6 +45,8 @@ pub fn add_kerberos_pod_config(
             SecretOperatorVolumeSourceBuilder::new(kerberos_secret_class)
                 .with_listener_volume_scope(LISTENER_BROKER_VOLUME_NAME)
                 .with_listener_volume_scope(LISTENER_BOOTSTRAP_VOLUME_NAME)
+                // The pod scope is required for the kcat-prober.
+                .with_pod_scope()
                 .with_kerberos_service_name(role.kerberos_service_name())
                 .build()
                 .context(KerberosSecretVolumeSnafu)?;

tests/test-definition.yaml

@@ -6,9 +6,6 @@
 dimensions:
   - name: kafka
     values:
-      - 3.7.1
-      - 3.7.2
-      - 3.8.1
       - 3.9.0
       # Alternatively, if you want to use a custom image, append a comma and the full image name to the product version
       # as in the example below.
@@ -34,11 +31,9 @@ dimensions:
   - name: use-client-tls
     values:
       - "true"
-      - "false"
   - name: use-client-auth-tls
     values:
       - "true"
-      - "false"
   - name: openshift
     values:
       - "false"
@@ -47,7 +42,6 @@ dimensions:
       - 1.21.1
   - name: kerberos-realm
     values:
-      - "CLUSTER.LOCAL"
       - "PROD.MYCORP"
   - name: kerberos-backend
     values: