Kerberization/TLS spike #154

State: Closed (1 commit, not merged)

Conversation

@nightkr (Member) commented Apr 1, 2022

Description

Proof of concept for testing stackabletech/secret-operator#99

There are still plenty of issues here that need to be solved before this is
actually usable. For example, this will currently break when attempting to
access the cluster from outside of K8s (since the Krb principals will mismatch).

Review Checklist

  • Code contains useful comments
  • (Integration-)Test cases added (or not applicable)
  • Documentation added (or not applicable)
  • Changelog updated (or not applicable)
  • Cargo.toml only contains references to git tags (not specific commits or branches)
  • Helm chart can be installed and deployed operator works (or not applicable)

Once the review is done, comment bors r+ (or bors merge) to merge.

nightkr added a commit that referenced this pull request Feb 17, 2023

Review comment (Member) on these lines of the diff:

    },
    ]),
    security_context: Some(PodSecurityContext {
    fs_group: Some(9999),

In other operators we use https://github.com/stackabletech/trino-operator/blob/d143a7111cfab52fe75bf997ca00b876005e55b0/rust/operator-binary/src/controller.rs#L901-L906

        .security_context(PodSecurityContext {
            run_as_user: Some(1000),
            run_as_group: Some(1000),
            fs_group: Some(1000),
            ..PodSecurityContext::default()
        });

Not saying that's better, just for consistency reasons
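To make the difference between the two security contexts concrete, here is an added example that is not part of the hdfs-operator or trino-operator code and not the reviewer's suggestion. It models, in deliberately simplified form (an assumption, not a transcription of kubelet source), how fsGroup and the POSIX permission check interact for a keytab projected into a secret volume: the kubelet chowns the file to fsGroup, adds group read, and adds fsGroup to the container's supplementary groups. `PodSecurityContext` below is a local stand-in for the k8s_openapi type, restricted to the three fields under discussion; the uid/gid values and the 0o400 keytab mode are illustrative.

```rust
// Added example, not operator code. Simplified model of kubelet fsGroup
// handling plus the POSIX read check, restricted to the fields discussed
// in the review comment. All semantics here are assumptions for illustration.

/// Local stand-in for k8s_openapi's PodSecurityContext (three fields only).
#[derive(Debug, Clone, Default, PartialEq)]
pub struct PodSecurityContext {
    pub run_as_user: Option<i64>,
    pub run_as_group: Option<i64>,
    pub fs_group: Option<i64>,
}

/// Ownership and mode of one file as the container sees it.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct MountedFile {
    pub uid: u32,
    pub gid: u32,
    pub mode: u32,
}

/// Secret-volume file written as root with `default_mode`. When fsGroup is set,
/// the kubelet chowns it to that group and adds group read, so a restrictive
/// keytab mode such as 0o400 becomes 0o440. (Simplified model, assumption.)
pub fn projected_secret_file(ctx: &PodSecurityContext, default_mode: u32) -> MountedFile {
    match ctx.fs_group {
        Some(fs_group) => MountedFile { uid: 0, gid: fs_group as u32, mode: default_mode | 0o040 },
        None => MountedFile { uid: 0, gid: 0, mode: default_mode },
    }
}

/// Standard POSIX read check: owner bits if the uid matches, otherwise group
/// bits if any of the process' groups match, otherwise the "other" bits.
/// uid 0 bypasses the check entirely.
pub fn can_read(file: &MountedFile, uid: u32, groups: &[u32]) -> bool {
    if uid == 0 {
        return true;
    }
    if file.uid == uid {
        return (file.mode & 0o400) != 0;
    }
    if groups.contains(&file.gid) {
        return (file.mode & 0o040) != 0;
    }
    (file.mode & 0o004) != 0
}

/// Groups the container process runs with: its primary gid plus fsGroup as a
/// supplementary group, which the kubelet adds whenever fsGroup is set.
/// A missing run_as_group is modelled as gid 0 (the image default is unknown).
pub fn process_groups(ctx: &PodSecurityContext) -> Vec<u32> {
    let mut groups = vec![ctx.run_as_group.unwrap_or(0) as u32];
    if let Some(fs_group) = ctx.fs_group {
        let fs_group = fs_group as u32;
        if !groups.contains(&fs_group) {
            groups.push(fs_group);
        }
    }
    groups
}

/// Can the process in this pod read a keytab projected with `default_mode`?
/// A missing run_as_user is modelled as uid 0 (the image default is unknown).
pub fn process_can_read_keytab(ctx: &PodSecurityContext, default_mode: u32) -> bool {
    let uid = ctx.run_as_user.unwrap_or(0) as u32;
    let file = projected_secret_file(ctx, default_mode);
    can_read(&file, uid, &process_groups(ctx))
}

fn main() {
    // uid/gid 1000 with a mismatched fsGroup 9999: still readable, because
    // fsGroup is a supplementary group of the process.
    let mismatched = PodSecurityContext { run_as_user: Some(1000), run_as_group: Some(1000), fs_group: Some(9999) };
    // The trino-operator form: uid, gid and fsGroup all 1000.
    let consistent = PodSecurityContext { run_as_user: Some(1000), run_as_group: Some(1000), fs_group: Some(1000) };
    // uid 1000 without any fsGroup: a root-owned 0o400 keytab is unreadable.
    let no_fs_group = PodSecurityContext { run_as_user: Some(1000), run_as_group: Some(1000), fs_group: None };
    for (name, ctx) in [("mismatched", &mismatched), ("consistent", &consistent), ("no fsGroup", &no_fs_group)] {
        println!("{}: 0o400 keytab readable = {}", name, process_can_read_keytab(ctx, 0o400));
    }
}
```

The takeaway for the review thread: whether fsGroup is 9999 or 1000 does not by itself decide readability, since the process picks fsGroup up as a supplementary group either way; what matters is that fsGroup is set at all when the keytab is projected with an owner-only mode, and that run_as_user/run_as_group are pinned so the result does not depend on the image's default user.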

bors bot pushed a commit to stackabletech/secret-operator that referenced this pull request Mar 14, 2023
## Description

This PR adds support for provisioning Kerberos principals and keytabs for pods, similar to the `autoTls` backend.

Currently only MIT Kerberos is supported, Heimdal and Active Directory still require manual provisioning.

There is a spike branch for the HDFS Operator (stackabletech/hdfs-operator#154) that uses this to provision a kerberized HDFS cluster.



Co-authored-by: Teo Klestrup Röijezon <teo@nullable.se>
Co-authored-by: Stacky McStackface <stackable-bot@users.noreply.github.com>
Co-authored-by: Sönke Liebau <soenke.liebau@stackable.tech>
@sbernauer (Member) commented:

Superseded by #334

@sbernauer sbernauer closed this Mar 16, 2023
@razvan razvan deleted the spike/security branch November 6, 2024 13:36
2 participants