
[ISSUE #184 #192] expose acl configuration as configMap #231

Open · wants to merge 1 commit into master
Conversation

usernameisnull (Contributor)

What is the purpose of the change

[ISSUE #184 #192]

Brief changelog

expose acl configuration as configMap

Verifying this change

  • add an acl configuration as configMap

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: broker-acl-config
data:
  plain_acl.yml: |
    globalWhiteRemoteAddresses:
      - 10.10.103.*
      - 192.168.0.*

    accounts:
      - accessKey: RocketMQ
        secretKey: 123456789 # |||
        whiteRemoteAddress:
        admin: false
        defaultTopicPerm: DENY
        defaultGroupPerm: SUB
        topicPerms:
          - topicA=DENY
          - topicB=PUB|SUB
          - topicC=SUB
        groupPerms:
          # the group should convert to retry topic
          - groupA=DENY
          - groupB=PUB|SUB
          - groupC=SUB

      - accessKey: rocketmq2
        secretKey: 123456789 # |||
        whiteRemoteAddress: 192.168.1.*
        # if it is admin, it could access all resources
        admin: true
```

the Broker CR:

```yaml
apiVersion: rocketmq.apache.org/v1alpha1
kind: Broker
metadata:
  annotations:
    input: '{"cluster":"mabing","namespace":"mcamel-system","name":"test0405","version":"v5.1.4","group_size":1,"replica_per_group":1,"broker_sync_mode":"SYNC_MASTER","root_name":"rocketmq","root_password":"MQ56/8wNi5u43S1VN859dA==","storage_class_name":"local-path","storage_capacity":"1Gi","service_type":1,"ports":[{"name":"nameservice","protocol":"TCP","port":9876,"target_port":9876}],"cpu_request":"0.1","cpu_limit":"1","memory_request":"0.1Gi","memory_limit":"1Gi","conf":"\n#
      brokerClusterName, brokerName, brokerId are automatically generated by the operator
      and do not set it manually!!!\ndeleteWhen=04\nfileReservedTime=48\nflushDiskType=ASYNC_FLUSH\n","name_service_cpu_request":"0.1","name_service_cpu_limit":"1","name_service_memory_request":"0.1Gi","name_service_memory_limit":"1Gi","name_service_replicas":1,"controller_cpu_request":"0.1","controller_cpu_limit":"1","controller_memory_request":"0.1Gi","controller_memory_limit":"1Gi","controller_replicas":1,"controller_storage_class_name":"local-path","controller_storage_capacity":"1Gi","is_open_console":true,"console_service_type":1,"console_cpu_request":"0.1","console_cpu_limit":"1","console_memory_request":"0.1Gi","console_memory_limit":"1Gi","service_monitor_interval":"30s","affinity":{}}'
  creationTimestamp: "2024-05-09T06:18:46Z"
  generation: 4
  name: test0405
  namespace: mcamel-system
  resourceVersion: "97739696"
  uid: 3bd0ee60-f45e-4ad2-b668-6f941d7e11c4
spec:
  affinity: {}
  allowRestart: true
  brokerImage: ghcr.m.daocloud.io/ksmartdata/rocketmq-broker:v5.1.4
  clusterMode: CONTROLLER
  env:
  - name: BROKER_MEM
    value: ' -Xms75m -Xmx768m -Xmn256m '
  hostPath: /data/rocketmq/broker
  imagePullPolicy: IfNotPresent
  replicaPerGroup: 1
  resources:
    limits:
      cpu: "1"
      memory: 1Gi
    requests:
      cpu: 100m
      memory: 107374182400m
  scalePodName: test0405-0-master-0
  size: 1
  storageMode: StorageClass
  volumeClaimTemplates:
  - metadata:
      name: broker-storage
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: local-path
    status: {}
  volumes:
  - configMap:
      items:
      - key: broker-common.conf
        path: broker-common.conf
      name: test0405-broker-cm
    name: broker-config
  - configMap:
      items:
      - key: plain_acl.yml
        path: plain_acl.yml
      name: broker-acl-config
    name: broker-acl-config
status:
  nodes:
  - test0405-0-1-0
  - test0405-0-0-0
  size: 1
```

the /root/rocketmq/broker/conf/plain_acl.yml in the pod:

[screenshot of the mounted plain_acl.yml]

Please go through this checklist to help us incorporate your contribution quickly and easily.

Notice: It would be helpful if you could finish the following checklist (the last one is not necessary) before requesting the community to review your PR.

  • Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
  • Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Check RBAC rights for Kubernetes roles.
  • Write the necessary unit tests to verify your logic correction; more mocking is better when cross-module dependencies exist.
  • Run make docker-build to build docker image for operator, try your changes from Pod inside your Kubernetes cluster, not just locally. Also provide screenshots to show that the RocketMQ cluster is healthy after the changes.
  • Before committing your changes, remember to run make manifests to make sure the CRD files are updated.
  • Update documentation if necessary.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

@usernameisnull usernameisnull marked this pull request as ready for review May 15, 2024 07:29
usernameisnull (Contributor Author)

PTAL @caigy

Comment on lines +42 to +43

```yaml
- accessKey: RocketMQ
  secretKey: 123456789
```

Contributor:

Are there any more secure ways to store secretKey? Exposing it in a configmap may not be a secure practice, but currently I couldn't find an appropriate way.

Contributor:

Can we store the whole plain_acl.yml in Secret?
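As an added example (not code from this PR or from the rocketmq-operator project) of the alternative raised in this review thread, and of the ConfigMap-to-volume wiring shown in the PR description: a stdlib-only Python script that flags ConfigMap data entries carrying a plaintext ACL `secretKey`, converts such a ConfigMap into an equivalent Opaque Secret, and rewrites the Broker CR's `spec.volumes` entry so the same `plain_acl.yml` is mounted from the Secret under the same path. The ConfigMap, the volume list and the `secretKey` values are constructed copies with placeholders; the function names are this example's own and not operator APIs.

```python
import base64
import json
import re

# Constructed sample modelled on the ConfigMap in the PR description.
# The secretKey values are placeholders, not real credentials.
PLAIN_ACL_YML = """\
globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*

accounts:
  - accessKey: RocketMQ
    secretKey: PLACEHOLDER_SECRET_1
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
  - accessKey: rocketmq2
    secretKey: PLACEHOLDER_SECRET_2
    whiteRemoteAddress: 192.168.1.*
    admin: true
"""

ACL_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "broker-acl-config", "namespace": "mcamel-system"},
    "data": {"plain_acl.yml": PLAIN_ACL_YML},
}

# Constructed copy of spec.volumes from the Broker CR in the PR description.
BROKER_VOLUMES = [
    {"name": "broker-config",
     "configMap": {"name": "test0405-broker-cm",
                   "items": [{"key": "broker-common.conf", "path": "broker-common.conf"}]}},
    {"name": "broker-acl-config",
     "configMap": {"name": "broker-acl-config",
                   "items": [{"key": "plain_acl.yml", "path": "plain_acl.yml"}]}},
]

# A YAML line that assigns an ACL secretKey (leading indentation allowed).
SECRET_KEY_RE = re.compile(r"^\s*secretKey\s*:", re.MULTILINE)


def configmap_keys_with_secrets(manifest):
    """Data keys of a ConfigMap whose value contains a plaintext secretKey line.

    Review-time check: anything this returns should be moved into a Secret.
    Non-ConfigMap manifests (for example a Secret) are not flagged.
    """
    if manifest.get("kind") != "ConfigMap":
        return []
    return sorted(k for k, v in manifest.get("data", {}).items() if SECRET_KEY_RE.search(v))


def configmap_to_secret(manifest):
    """Build an Opaque Secret carrying the same data keys as the ConfigMap.

    Secret `data` values must be base64-encoded; the file content itself is
    unchanged, so the broker reads exactly the same plain_acl.yml.
    """
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in manifest.get("data", {}).items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": dict(manifest["metadata"]), "data": data}


def decode_secret_value(secret, key):
    """Round-trip helper: the plaintext a Secret data entry decodes to."""
    return base64.b64decode(secret["data"][key]).decode("utf-8")


def rewrite_acl_volume(volumes, configmap_name, secret_name):
    """Copy of spec.volumes with the ACL ConfigMap volume backed by a Secret instead.

    Volume name, key and path are kept, so the pod's volumeMounts need no change.
    defaultMode 0o400 assumes the broker reads the file as root (the PR shows it
    under /root/rocketmq/...); loosen it if the container runs as another user.
    """
    rewritten = []
    for vol in volumes:
        cm = vol.get("configMap")
        if cm and cm.get("name") == configmap_name:
            rewritten.append({"name": vol["name"],
                              "secret": {"secretName": secret_name,
                                         "defaultMode": 0o400,
                                         "items": [dict(i) for i in cm.get("items", [])]}})
        else:
            rewritten.append(vol)
    return rewritten


if __name__ == "__main__":
    print("ConfigMap keys holding secrets:", configmap_keys_with_secrets(ACL_CONFIGMAP))
    # kubectl apply -f accepts JSON as well as YAML, so json.dumps is enough here.
    print(json.dumps(configmap_to_secret(ACL_CONFIGMAP), indent=2))
    print(json.dumps(rewrite_acl_volume(BROKER_VOLUMES, "broker-acl-config",
                                        "broker-acl-config"), indent=2))
```

Moving the file into a Secret does not encrypt it by itself (Secret data is only base64); what it buys is separate RBAC on the `secrets` resource, exclusion from the broad read access many roles have on ConfigMaps, and encryption at rest where the cluster has it enabled for Secrets.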
