From 2ee81ff9fba5ceb8896554fb8d5b2a5795d3be80 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Mon, 29 Dec 2025 15:32:11 +0100 Subject: [PATCH 1/2] fix: Actually propagate OPA package name --- CHANGELOG.md | 1 + rust/operator-binary/src/controller.rs | 8 +- .../src/security/authorization.rs | 79 ++++++++++--------- .../templates/kuttl/oidc-opa/25-opa-rego.yaml | 4 +- .../templates/kuttl/oidc-opa/30_nifi.yaml.j2 | 2 +- 5 files changed, 49 insertions(+), 45 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 062310cb..17c2357b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file. ### Fixed - Also listen on the loopback interface so that k8s port-forwards work ([#870]). +- Don't ignore the configured `.spec.clusterConfig.authorization.opa.package`, but pass it into the NiFi config instead ([#XXX]). [#870]: https://github.com/stackabletech/nifi-operator/pull/870 diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs index 124f83db..b82c93df 100644 --- a/rust/operator-binary/src/controller.rs +++ b/rust/operator-binary/src/controller.rs @@ -452,7 +452,7 @@ pub async fn reconcile_nifi( } let authorization_config = NifiAuthorizationConfig::from( - &nifi.spec.cluster_config.authorization, + nifi.spec.cluster_config.authorization.as_ref(), client, nifi.metadata .namespace @@ -716,7 +716,7 @@ async fn build_node_rolegroup_config_map( nifi: &v1alpha1::NifiCluster, resolved_product_image: &ResolvedProductImage, authentication_config: &NifiAuthenticationConfig, - authorization_config: &NifiAuthorizationConfig, + authorization_config: &NifiAuthorizationConfig<'_>, role: &Role, rolegroup: &RoleGroupRef, rolegroup_config: &HashMap>, 
@@ -731,7 +731,7 @@ async fn build_node_rolegroup_config_map( .context(InvalidNifiAuthenticationConfigSnafu)?; let authorizers_xml = authorization_config - .get_authorizers_config(authentication_config) + .get_authorizers_config(nifi, authentication_config) .context(InvalidNifiAuthorizationConfigSnafu)?; let jvm_sec_props: BTreeMap> = rolegroup_config @@ -845,7 +845,7 @@ async fn build_node_rolegroup_statefulset( rolegroup_config: &HashMap>, merged_config: &NifiConfig, authentication_config: &NifiAuthenticationConfig, - authorization_config: &NifiAuthorizationConfig, + authorization_config: &NifiAuthorizationConfig<'_>, rolling_update_supported: bool, replicas: Option, service_account_name: &str, diff --git a/rust/operator-binary/src/security/authorization.rs b/rust/operator-binary/src/security/authorization.rs index 6c46f942..7085b619 100644 --- a/rust/operator-binary/src/security/authorization.rs +++ b/rust/operator-binary/src/security/authorization.rs @@ -2,12 +2,14 @@ use indoc::{formatdoc, indoc}; use snafu::{OptionExt, ResultExt, Snafu}; use stackable_operator::{ client::Client, + commons::opa::OpaConfig, crd::authentication::ldap, k8s_openapi::api::core::v1::{ConfigMap, ConfigMapKeySelector, EnvVar, EnvVarSource}, + kube::ResourceExt, }; use super::authentication::NifiAuthenticationConfig; -use crate::crd::NifiAuthorization; +use crate::crd::{NifiAuthorization, v1alpha1}; pub const OPA_TLS_VOLUME_NAME: &str = "opa-tls"; pub const OPA_TLS_MOUNT_PATH: &str = "/stackable/opa_tls"; @@ -27,9 +29,9 @@ pub enum Error { }, } -pub enum NifiAuthorizationConfig { +pub enum NifiAuthorizationConfig<'a> { Opa { - configmap_name: String, + config: &'a OpaConfig, cache_entry_time_to_live_secs: u64, cache_max_entries: u32, secret_class: Option, 
@@ -37,48 +39,41 @@ pub enum NifiAuthorizationConfig { Default, } -impl NifiAuthorizationConfig { +impl<'a> NifiAuthorizationConfig<'a> { pub async fn from( - nifi_authorization: &Option, + nifi_authorization: Option<&'a NifiAuthorization>, client: &Client, namespace: &str, ) -> Result { - let config = match nifi_authorization { - Some(authorization_config) => match authorization_config.opa.clone() { - Some(opa_config) => { - let configmap_name = opa_config.opa.config_map_name.clone(); - - // Resolve the secret class from the ConfigMap - let secret_class = client - .get::(&configmap_name, namespace) - .await - .with_context(|_| FetchOpaConfigMapSnafu { - configmap_name: configmap_name.clone(), - namespace: namespace.to_string(), - })? - .data - .and_then(|mut data| data.remove("OPA_SECRET_CLASS")); - - NifiAuthorizationConfig::Opa { - configmap_name, - cache_entry_time_to_live_secs: opa_config - .cache - .entry_time_to_live - .as_secs(), - cache_max_entries: opa_config.cache.max_entries, - secret_class, - } - } - None => NifiAuthorizationConfig::Default, - }, - None => NifiAuthorizationConfig::Default, + let Some(NifiAuthorization { + opa: Some(opa_config), + }) = nifi_authorization + else { + return Ok(NifiAuthorizationConfig::Default); }; - Ok(config) + // Resolve the secret class from the ConfigMap + let secret_class = client + .get::(&opa_config.opa.config_map_name, namespace) + .await + .with_context(|_| FetchOpaConfigMapSnafu { + configmap_name: &opa_config.opa.config_map_name, + namespace, + })? + .data + .and_then(|mut data| data.remove("OPA_SECRET_CLASS")); + + Ok(NifiAuthorizationConfig::Opa { + config: &opa_config.opa, + cache_entry_time_to_live_secs: opa_config.cache.entry_time_to_live.as_secs(), + cache_max_entries: opa_config.cache.max_entries, + secret_class, + }) } pub fn get_authorizers_config( &self, + nifi_cluster: &v1alpha1::NifiCluster, authentication_config: &NifiAuthenticationConfig, ) -> Result { let mut authorizers_xml = indoc! {r#" 
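Review bot: The rewritten lookup of `OPA_SECRET_CLASS` still turns a missing key into `secret_class: None` without saying what that means for the operator's trust in OPA, and the rest of this file that consumes it is outside the hunk. Since the secret class is what presumably decides whether TLS material gets mounted for the OPA connection (verify against the volume/mount code later in this file), the silent fallback deserves a why-comment at the `let secret_class` binding, e.g. `// None: the OPA discovery ConfigMap declares no SecretClass, so no TLS volume is mounted and OPA_BASE_URL is expected to be plain http` — that way a cluster whose authorization decisions travel unauthenticated is an explicit choice rather than an accident of a missing ConfigMap key. The `let Some(NifiAuthorization { opa: Some(opa_config) }) = … else` guard is a nice exhaustive destructure, but a one-line comment that `Default` means "no external authorizer, NiFi's built-in one is used" would make the early return self-explanatory. The `from` function's body starts inside this hunk but `get_authorizers_config` continues past it.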
@@ -91,8 +86,11 @@ impl NifiAuthorizationConfig { NifiAuthorizationConfig::Opa { cache_entry_time_to_live_secs, cache_max_entries, + config: OpaConfig { package, .. }, .. } => { + // According to [`OpaConfig::document_url`] we default the stacklet name + let package = package.clone().unwrap_or_else(|| nifi_cluster.name_any()); authorizers_xml.push_str(&formatdoc! {r#" authorizer @@ -100,7 +98,7 @@ impl NifiAuthorizationConfig { {cache_entry_time_to_live_secs} {cache_max_entries} ${{env:OPA_BASE_URL}} - nifi/allow + {package}/allow "#}); } @@ -172,13 +170,18 @@ impl NifiAuthorizationConfig { pub fn get_env_vars(&self) -> Vec { match self { - NifiAuthorizationConfig::Opa { configmap_name, .. } => { + NifiAuthorizationConfig::Opa { + config: OpaConfig { + config_map_name, .. + }, + .. + } => { vec![EnvVar { name: "OPA_BASE_URL".to_owned(), value_from: Some(EnvVarSource { config_map_key_ref: Some(ConfigMapKeySelector { key: "OPA".to_owned(), - name: configmap_name.to_owned(), + name: config_map_name.to_owned(), ..Default::default() }), ..Default::default() diff --git a/tests/templates/kuttl/oidc-opa/25-opa-rego.yaml b/tests/templates/kuttl/oidc-opa/25-opa-rego.yaml index 57c90e7e..0f82301e 100644 --- a/tests/templates/kuttl/oidc-opa/25-opa-rego.yaml +++ b/tests/templates/kuttl/oidc-opa/25-opa-rego.yaml @@ -6,8 +6,8 @@ metadata: labels: opa.stackable.tech/bundle: "true" data: - nifi.rego: | - package nifi + my_nifi_package.rego: | + package my_nifi_package nifi_node_proxy := "CN=generated certificate for pod" nifi_reporting_task_user := "admin" diff --git a/tests/templates/kuttl/oidc-opa/30_nifi.yaml.j2 b/tests/templates/kuttl/oidc-opa/30_nifi.yaml.j2 index 659476a1..69837c4d 100644 --- a/tests/templates/kuttl/oidc-opa/30_nifi.yaml.j2 +++ b/tests/templates/kuttl/oidc-opa/30_nifi.yaml.j2 @@ -27,7 +27,7 @@ spec: authorization: opa: configMapName: opa - package: nifi + package: my_nifi_package cache: entryTimeToLive: 5s maxEntries: 10 
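Review bot: The resolved package name is interpolated verbatim into authorizers.xml at `{package}/allow`, so a `.spec.clusterConfig.authorization.opa.package` value containing `<`, `&` or `"` produces a malformed authorizer config at pod start rather than a reconcile error, and the hand-built path may also diverge from the `OpaConfig::document_url` helper the new comment points to if that helper normalizes dotted package names (`nifi.authz` → `nifi/authz`; the helper is not visible here, please confirm). I would validate the name right after it is resolved, e.g. `snafu::ensure!(package.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '.'), InvalidOpaPackageSnafu { package: &package });` with a matching `InvalidOpaPackage { package: String }` variant on `Error`, and apply the same separator handling as the helper (`let package = package.replace('.', "/");`) so the policy path NiFi queries matches what OPA serves instead of silently evaluating to undefined. The comment itself reads better as `// Default to the stacklet name, matching OpaConfig::document_url`. The enclosing `match` arm and `get_authorizers_config` continue outside the hunk.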
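Review bot: The kuttl fixture now only exercises a package name that is a plain identifier (`my_nifi_package`), which is the case where the propagation cannot go wrong; a dotted OPA package such as `nifi.authz`, the form OPA users commonly write and the one where the configured string and the served data path differ, is left uncovered. Consider a second variant of this test, or changing this one, with a dotted package so the test fails if the operator passes the name through unnormalized. The existing `package nifi` → `package my_nifi_package` rename is otherwise consistent between the rego bundle and the NiFi spec.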
From 3b26e823d0af400ee6d88e9d74ed3f09d6b98a6b Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Mon, 29 Dec 2025 15:35:02 +0100 Subject: [PATCH 2/2] changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17c2357b..f5e1578c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,9 +7,10 @@ All notable changes to this project will be documented in this file. ### Fixed - Also listen on the loopback interface so that k8s port-forwards work ([#870]). -- Don't ignore the configured `.spec.clusterConfig.authorization.opa.package`, but pass it into the NiFi config instead ([#XXX]). +- Don't ignore the configured `.spec.clusterConfig.authorization.opa.package`, but pass it into the NiFi config instead ([#881]). [#870]: https://github.com/stackabletech/nifi-operator/pull/870 +[#881]: https://github.com/stackabletech/nifi-operator/pull/881 ## [25.11.0] - 2025-11-07