fix: Include the bootstrap Kafka service in certificate SANs (#741)

* Include the global Kafka service in certificate SANs

* fix clippy lints

* changelog

* charts

* Rename kafka_name to kafka_bootstrap_service_name

* changelog

* changelog

* Use bootstrap_service_name instead of name_any

* Fix clippy lint

Author: sbernauer

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Fixed
+
+- Include the global Kafka bootstrap service (not the rolegroup-specific) DNS record as SAN entry in the generated
+  certificates used by Kafka. This allows you to access Kafka brokers secured using TLS via the global bootstrap
+  service ([#741]).
+
+[#741]: https://github.com/stackabletech/kafka-operator/pull/741
+
 ## [24.7.0] - 2024-07-24
 
 ### Added

deploy/helm/kafka-operator/crds/crds.yaml

@@ -7296,7 +7296,9 @@ spec:
 
                               ## TLS provider
 
-                              Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
+                              Only affects client connections. This setting controls: - If clients need to authenticate themselves against the broker via TLS - Which ca.crt to use when validating the provided client certs
+
+                              This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
                             type: string
                         required:
                           - authenticationClass
@@ -7331,11 +7333,17 @@ spec:
                       properties:
                         internalSecretClass:
                           default: tls
-                          description: 'The [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass.html) to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers Defaults to `tls`'
+                          description: |-
+                            The [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass.html) to use for internal broker communication. Use mutual verification between brokers (mandatory). This setting controls: - Which cert the brokers should use to authenticate themselves against other brokers - Which ca.crt to use when validating the other brokers
+
+                            Defaults to `tls`
                           type: string
                         serverSecretClass:
                           default: tls
-                          description: 'The [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass.html) to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client Defaults to `tls`.'
+                          description: |-
+                            The [SecretClass](https://docs.stackable.tech/home/nightly/secret-operator/secretclass.html) to use for client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client
+
+                            Defaults to `tls`.
                           nullable: true
                           type: string
                       type: object

rust/crd/src/authentication.rs

@@ -40,6 +40,7 @@ pub struct KafkaAuthentication {
     /// Only affects client connections. This setting controls:
     /// - If clients need to authenticate themselves against the broker via TLS
     /// - Which ca.crt to use when validating the provided client certs
+    ///
     /// This will override the server TLS settings (if set) in `spec.clusterConfig.tls.serverSecretClass`.
     pub authentication_class: String,
 }

rust/crd/src/lib.rs

@@ -162,9 +162,10 @@ pub struct KafkaClusterConfig {
 }
 
 impl KafkaCluster {
-    /// The name of the role-level load-balanced Kubernetes `Service`
-    pub fn broker_role_service_name(&self) -> Option<String> {
-        self.metadata.name.clone()
+    /// The name of the load-balanced Kubernetes Service providing the bootstrap address. Kafka clients will use this
+    /// to get a list of broker addresses and will use those to transmit data to the correct broker.
+    pub fn bootstrap_service_name(&self) -> String {
+        self.name_any()
     }
 
     /// Metadata about a broker rolegroup

rust/crd/src/listener.rs

@@ -228,6 +228,7 @@ mod tests {
         "#;
         let kafka: KafkaCluster = serde_yaml::from_str(kafka_cluster).expect("illegal test input");
         let kafka_security = KafkaTlsSecurity::new(
+            &kafka,
             ResolvedAuthenticationClasses::new(vec![AuthenticationClass {
                 metadata: ObjectMetaBuilder::new().name("auth-class").build(),
                 spec: AuthenticationClassSpec {
@@ -294,6 +295,7 @@ mod tests {
         "#;
         let kafka: KafkaCluster = serde_yaml::from_str(input).expect("illegal test input");
         let kafka_security = KafkaTlsSecurity::new(
+            &kafka,
             ResolvedAuthenticationClasses::new(vec![]),
             "tls".to_string(),
             Some("tls".to_string()),
@@ -355,6 +357,7 @@ mod tests {
         "#;
         let kafka: KafkaCluster = serde_yaml::from_str(input).expect("illegal test input");
         let kafka_security = KafkaTlsSecurity::new(
+            &kafka,
             ResolvedAuthenticationClasses::new(vec![]),
             "".to_string(),
             None,

rust/crd/src/security.rs

@@ -42,13 +42,14 @@ pub enum Error {
 }
 
 /// Helper struct combining TLS settings for server and internal with the resolved AuthenticationClasses
-pub struct KafkaTlsSecurity {
+pub struct KafkaTlsSecurity<'a> {
+    kafka: &'a KafkaCluster,
     resolved_authentication_classes: ResolvedAuthenticationClasses,
     internal_secret_class: String,
     server_secret_class: Option<String>,
 }
 
-impl KafkaTlsSecurity {
+impl<'a> KafkaTlsSecurity<'a> {
     // ports
     pub const CLIENT_PORT_NAME: &'static str = "kafka";
     pub const CLIENT_PORT: u16 = 9092;
@@ -104,12 +105,15 @@ impl KafkaTlsSecurity {
     const STACKABLE_TLS_KEYSTORE_INTERNAL_DIR: &'static str = "/stackable/tls_keystore_internal";
     const STACKABLE_TLS_KEYSTORE_INTERNAL_DIR_NAME: &'static str = "tls-keystore-internal";
 
+    #[cfg(test)]
     pub fn new(
+        kafka: &'a KafkaCluster,
         resolved_authentication_classes: ResolvedAuthenticationClasses,
         internal_secret_class: String,
         server_secret_class: Option<String>,
     ) -> Self {
         Self {
+            kafka,
             resolved_authentication_classes,
             internal_secret_class,
             server_secret_class,
@@ -120,9 +124,10 @@ impl KafkaTlsSecurity {
     /// all provided `AuthenticationClass` references.
     pub async fn new_from_kafka_cluster(
         client: &Client,
-        kafka: &KafkaCluster,
+        kafka: &'a KafkaCluster,
     ) -> Result<Self, Error> {
         Ok(KafkaTlsSecurity {
+            kafka,
             resolved_authentication_classes: ResolvedAuthenticationClasses::from_references(
                 client,
                 &kafka.spec.cluster_config.authentication,
@@ -148,6 +153,7 @@ impl KafkaTlsSecurity {
     /// Check if TLS encryption is enabled. This could be due to:
     /// - A provided server `SecretClass`
     /// - A provided client `AuthenticationClass`
+    ///
     /// This affects init container commands, Kafka configuration, volume mounts and
     /// the Kafka client port
     pub fn tls_enabled(&self) -> bool {
@@ -273,6 +279,7 @@ impl KafkaTlsSecurity {
         if let Some(tls_server_secret_class) = self.get_tls_secret_class() {
             // We have to mount tls pem files for kcat (the mount can be used directly)
             pod_builder.add_volume(Self::create_tls_volume(
+                &self.kafka.bootstrap_service_name(),
                 Self::STACKABLE_TLS_CERT_SERVER_DIR_NAME,
                 tls_server_secret_class,
             )?);
@@ -282,6 +289,7 @@ impl KafkaTlsSecurity {
             );
             // Keystores fore the kafka container
             pod_builder.add_volume(Self::create_tls_keystore_volume(
+                &self.kafka.bootstrap_service_name(),
                 Self::STACKABLE_TLS_KEYSTORE_SERVER_DIR_NAME,
                 tls_server_secret_class,
             )?);
@@ -293,6 +301,7 @@ impl KafkaTlsSecurity {
 
         if let Some(tls_internal_secret_class) = self.tls_internal_secret_class() {
             pod_builder.add_volume(Self::create_tls_keystore_volume(
+                &self.kafka.bootstrap_service_name(),
                 Self::STACKABLE_TLS_KEYSTORE_INTERNAL_DIR_NAME,
                 tls_internal_secret_class,
             )?);
@@ -426,12 +435,17 @@ impl KafkaTlsSecurity {
     }
 
     /// Creates ephemeral volumes to mount the `SecretClass` into the Pods
-    fn create_tls_volume(volume_name: &str, secret_class_name: &str) -> Result<Volume, Error> {
+    fn create_tls_volume(
+        kafka_bootstrap_service_name: &str,
+        volume_name: &str,
+        secret_class_name: &str,
+    ) -> Result<Volume, Error> {
         Ok(VolumeBuilder::new(volume_name)
             .ephemeral(
                 SecretOperatorVolumeSourceBuilder::new(secret_class_name)
                     .with_pod_scope()
                     .with_node_scope()
+                    .with_service_scope(kafka_bootstrap_service_name)
                     .build()
                     .context(SecretVolumeBuildSnafu)?,
             )
@@ -440,6 +454,7 @@ impl KafkaTlsSecurity {
 
     /// Creates ephemeral volumes to mount the `SecretClass` into the Pods as keystores
     fn create_tls_keystore_volume(
+        kafka_bootstrap_service_name: &str,
         volume_name: &str,
         secret_class_name: &str,
     ) -> Result<Volume, Error> {
@@ -448,6 +463,7 @@ impl KafkaTlsSecurity {
                 SecretOperatorVolumeSourceBuilder::new(secret_class_name)
                     .with_pod_scope()
                     .with_node_scope()
+                    .with_service_scope(kafka_bootstrap_service_name)
                     .with_format(SecretFormat::TlsPkcs12)
                     .build()
                     .context(SecretVolumeBuildSnafu)?,

rust/crd/src/tls.rs

@@ -11,13 +11,15 @@ pub struct KafkaTls {
     /// This setting controls:
     /// - Which cert the brokers should use to authenticate themselves against other brokers
     /// - Which ca.crt to use when validating the other brokers
+    ///
     /// Defaults to `tls`
     #[serde(default = "internal_tls_default")]
     pub internal_secret_class: String,
     /// The [SecretClass](DOCS_BASE_URL_PLACEHOLDER/secret-operator/secretclass.html) to use for
     /// client connections. This setting controls:
     /// - If TLS encryption is used at all
     /// - Which cert the servers should use to authenticate themselves against the client
+    ///
     /// Defaults to `tls`.
     #[serde(
         default = "server_tls_default",

rust/operator-binary/src/discovery.rs

@@ -57,7 +57,7 @@ pub async fn build_discovery_configmaps(
     owner: &impl Resource<DynamicType = ()>,
     resolved_product_image: &ResolvedProductImage,
     client: &stackable_operator::client::Client,
-    kafka_security: &KafkaTlsSecurity,
+    kafka_security: &KafkaTlsSecurity<'_>,
     svc: &Service,
 ) -> Result<Vec<ConfigMap>, Error> {
     let name = owner.name_unchecked();

rust/operator-binary/src/kafka_controller.rs

@@ -106,9 +106,6 @@ pub enum Error {
     #[snafu(display("object defines no broker role"))]
     NoBrokerRole,
 
-    #[snafu(display("failed to calculate global service name"))]
-    GlobalServiceNameNotFound,
-
     #[snafu(display("failed to apply role Service"))]
     ApplyRoleService {
         source: stackable_operator::cluster_resources::Error,
@@ -324,7 +321,6 @@ impl ReconcilerError for Error {
             Error::ObjectHasNoName => None,
             Error::ObjectHasNoNamespace => None,
             Error::NoBrokerRole => None,
-            Error::GlobalServiceNameNotFound => None,
             Error::ApplyRoleService { .. } => None,
             Error::ApplyRoleServiceAccount { .. } => None,
             Error::ApplyRoleRoleBinding { .. } => None,
@@ -443,7 +439,7 @@ pub async fn reconcile_kafka(kafka: Arc<KafkaCluster>, ctx: Arc<Ctx>) -> Result<
     };
 
     let broker_role_service =
-        build_broker_role_service(&kafka, &resolved_product_image, &kafka_security)?;
+        build_bootstrap_service(&kafka, &resolved_product_image, &kafka_security)?;
 
     let broker_role_service = cluster_resources
         .add(client, broker_role_service)
@@ -580,21 +576,18 @@ pub async fn reconcile_kafka(kafka: Arc<KafkaCluster>, ctx: Arc<Ctx>) -> Result<
     Ok(Action::await_change())
 }
 
-/// The broker-role service is the primary endpoint that should be used by clients that do not perform internal load balancing,
-/// including targets outside of the cluster.
-pub fn build_broker_role_service(
+/// Kafka clients will use the load-balanced bootstrap service to get a list of broker addresses and will use those to
+/// transmit data to the correct broker.
+pub fn build_bootstrap_service(
     kafka: &KafkaCluster,
     resolved_product_image: &ResolvedProductImage,
     kafka_security: &KafkaTlsSecurity,
 ) -> Result<Service> {
     let role_name = KafkaRole::Broker.to_string();
-    let role_svc_name = kafka
-        .broker_role_service_name()
-        .context(GlobalServiceNameNotFoundSnafu)?;
     Ok(Service {
         metadata: ObjectMetaBuilder::new()
             .name_and_namespace(kafka)
-            .name(&role_svc_name)
+            .name(kafka.bootstrap_service_name())
             .ownerreference_from_resource(kafka, None, Some(true))
             .context(ObjectMissingMetadataForOwnerRefSnafu)?
             .with_recommended_labels(build_recommended_labels(
@@ -717,7 +710,7 @@ fn build_broker_rolegroup_service(
     Ok(Service {
         metadata: ObjectMetaBuilder::new()
             .name_and_namespace(kafka)
-            .name(&rolegroup.object_name())
+            .name(rolegroup.object_name())
             .ownerreference_from_resource(kafka, None, Some(true))
             .context(ObjectMissingMetadataForOwnerRefSnafu)?
             .with_recommended_labels(build_recommended_labels(
@@ -1049,7 +1042,7 @@ fn build_broker_rolegroup_statefulset(
     Ok(StatefulSet {
         metadata: ObjectMetaBuilder::new()
             .name_and_namespace(kafka)
-            .name(&rolegroup_ref.object_name())
+            .name(rolegroup_ref.object_name())
             .ownerreference_from_resource(kafka, None, Some(true))
             .context(ObjectMissingMetadataForOwnerRefSnafu)?
             .with_recommended_labels(build_recommended_labels(