Patch policy participant kafka users 78/14378/2
authoraravind.est <aravindhan.a@est.tech>
Wed, 7 May 2025 13:35:29 +0000 (14:35 +0100)
committeraravind.est <aravindhan.a@est.tech>
Wed, 7 May 2025 13:47:38 +0000 (14:47 +0100)
Participant pods fail with a group authorization error when trying to access the sync topic.
This patch provides wildcard access to all participants, which fixes the sync topic access issue.
THIS SHOULD BE REMOVED once the oom charts gets fixed as part of the upcoming release.

Issue-ID: NONRTRIC-1020
Change-Id: If4dc2a6ca66bb81ed3a4f08d7ece6d3b3f549f12
Signed-off-by: aravind.est <aravindhan.a@est.tech>
smo-install/oran_oom/smo/common/resources/patch-policy-kafka-users.sh [new file with mode: 0644]
smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch-configmap.yaml [new file with mode: 0644]
smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch-rbac.yaml [new file with mode: 0644]
smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch.yaml [new file with mode: 0644]
smo-install/oran_oom/smo/common/templates/strimzi-patch-configmap.yaml

diff --git a/smo-install/oran_oom/smo/common/resources/patch-policy-kafka-users.sh b/smo-install/oran_oom/smo/common/resources/patch-policy-kafka-users.sh
new file mode 100644 (file)
index 0000000..5148900
--- /dev/null
@@ -0,0 +1,57 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END============================================
+#
+
+# TODO: THIS SHOULD BE REMOVED ONCE the OOM POLICY CHARTS ARE UPDATED TO WORK WITH SYNC TOPIC
+
+
+# This will patch the below kafka users with the new group acl
+# This acl configuration gives the user permission to read from all groups
+
+# create an array with the kafka users
+kafka_users=(
+  "policy-clamp-ac-a1pms-ppnt-ku"
+  "policy-clamp-ac-http-ppnt-ku"
+  "policy-clamp-ac-k8s-ppnt-ku"
+  "policy-clamp-ac-kserve-ppnt-ku"
+  "policy-clamp-ac-pf-ppnt-ku"
+)
+
+# Iterate over an array of kafka users and check whether the user exists or not
+for user in "${kafka_users[@]}"; do
+  if kubectl get kafkauser "$user" -n onap; then
+    echo "Kafka user $user exists."
+    #patch the kafka users with new group acl
+    kubectl patch kafkauser "$user" -n onap --type='json' -p '[
+        {
+            "op": "add",
+            "path": "/spec/authorization/acls/-",
+            "value": {
+            "resource": {
+                "type": "group",
+                "name": "*",
+                "patternType": "literal"
+            },
+            "operation": "Read",
+            }
+        }
+    ]'
+  else
+    echo "Kafka user $user does not exist."
+  fi
+done
+
diff --git a/smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch-configmap.yaml b/smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch-configmap.yaml
new file mode 100644 (file)
index 0000000..0c79ac1
--- /dev/null
@@ -0,0 +1,26 @@
+#  ============LICENSE_START===============================================
+#  Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
+#  ========================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#  ============LICENSE_END=================================================
+#
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-kafkauser-patch-config
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "2"
+data:
+{{ tpl (.Files.Glob "resources/patch-policy-kafka-users.sh").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch-rbac.yaml b/smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch-rbac.yaml
new file mode 100644 (file)
index 0000000..68ec069
--- /dev/null
@@ -0,0 +1,53 @@
+#  ============LICENSE_START===============================================
+#  Copyright (C) 2025 OpenInfra Foundation Europe. All rights reserved.
+#  ========================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#  ============LICENSE_END=================================================
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: policy-kafkauser-patch-sa
+  namespace: smo
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "1"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: policy-kafkauser-patch-role
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "1"
+rules:
+  - apiGroups:      ['kafka.strimzi.io']
+    resources:      ['kafkausers']
+    verbs:          ["get","list","watch","patch","update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: policy-kafkauser-patch-rb
+  namespace: onap
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "1"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: policy-kafkauser-patch-role
+subjects:
+- kind: ServiceAccount
+  name: policy-kafkauser-patch-sa
+  namespace: smo
\ No newline at end of file
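Review bot: The ClusterRole and ClusterRoleBinding grant get/list/watch/patch/update on every KafkaUser in the cluster, while the script this hook runs only reads and patches five named users in namespace `onap`; a namespaced Role plus RoleBinding in `onap` with `verbs: ["get", "patch"]` covers what the script does and, since none of these hook resources sets a `helm.sh/hook-delete-policy`, avoids leaving a cluster-wide write grant behind after the one-shot Job has finished. The `namespace: onap` on the ClusterRoleBinding is ignored because that kind is cluster-scoped and should be dropped. The ServiceAccount is pinned to `namespace: smo`, but the Job in policy-kafkauser-patch.yaml declares no namespace and so lands in the release namespace; presumably the chart is always released into `smo`, otherwise the Job cannot resolve `policy-kafkauser-patch-sa` — worth confirming. The sequence indentation also differs between `rules:` (indented) and `subjects:` (flush); pick one style for the file.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: policy-kafkauser-patch-role
  namespace: onap
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "1"
rules:
  - apiGroups: ['kafka.strimzi.io']
    resources: ['kafkausers']
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: policy-kafkauser-patch-rb
  namespace: onap
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-weight": "1"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: policy-kafkauser-patch-role
subjects:
  - kind: ServiceAccount
    name: policy-kafkauser-patch-sa
    namespace: smo
```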
diff --git a/smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch.yaml b/smo-install/oran_oom/smo/common/templates/policy-kafkauser-patch.yaml
new file mode 100644 (file)
index 0000000..523a3e8
--- /dev/null
@@ -0,0 +1,43 @@
+################################################################################
+#   Copyright (C) 2025 OpenInfra Foundation Europe                             #
+#                                                                              #
+#   Licensed under the Apache License, Version 2.0 (the "License");            #
+#   you may not use this file except in compliance with the License.           #
+#   You may obtain a copy of the License at                                    #
+#                                                                              #
+#       http://www.apache.org/licenses/LICENSE-2.0                             #
+#                                                                              #
+#   Unless required by applicable law or agreed to in writing, software        #
+#   distributed under the License is distributed on an "AS IS" BASIS,          #
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #
+#   See the License for the specific language governing permissions and        #
+#   limitations under the License.                                             #
+################################################################################
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: policy-kafkauser-patch
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "4"
+spec:
+  template:
+    spec:
+      serviceAccountName: policy-kafkauser-patch-sa
+      containers:
+      - name: policy-kafkauser-patch-container
+        image: bitnami/kubectl:1.32.2
+        command: ["bash","/scripts/patch-policy-kafka-users.sh"]
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 0
+        volumeMounts:
+          - name: policy-kafkauser-patch-config-volume
+            mountPath: /scripts
+      volumes:
+        - name: policy-kafkauser-patch-config-volume
+          configMap:
+            name: policy-kafkauser-patch-config
+            defaultMode: 0755
+      restartPolicy: Never
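Review bot: `runAsUser: 0` in the container securityContext runs kubectl as root, which nothing in this Job needs — the command is `bash /scripts/patch-policy-kafka-users.sh` talking to the API server with the pod's service-account token, and the bitnami/kubectl image is built to run as a non-root user; replace it with `runAsNonRoot: true` and add `capabilities: {drop: ["ALL"]}`, keeping `allowPrivilegeEscalation: false`. Because the script is invoked through `bash` rather than executed directly, `defaultMode: 0755` on the ConfigMap volume can be reduced to a read-only mode such as `0444`. Consider also setting `backoffLimit` explicitly on the Job spec so that a failing patch run is retried a deliberate number of times rather than the default six.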
index 506f3fb..b51a174 100644 (file)
@@ -23,4 +23,4 @@ metadata:
     "helm.sh/hook": pre-install
     "helm.sh/hook-weight": "2"
 data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
\ No newline at end of file
+{{ tpl (.Files.Glob "resources/patch-strimzi-kafka.sh").AsConfig . | indent 2 }}
\ No newline at end of file