affo commented on code in PR #2700:
URL: https://github.com/apache/fluss/pull/2700#discussion_r2995853951
##########
helm/templates/_security.tpl:
##########
@@ -117,6 +139,56 @@ Usage:
{{- end -}}
{{- end -}}
+{{/*
+Validates that ZooKeeper SASL mechanism is valid.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperMechanism" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperMechanism" -}}
+{{- $allowedMechanisms := list "" "plain" -}}
+{{- $mechanism := include "fluss.security.zookeeper.mechanism" . -}}
+{{- if not (has $mechanism $allowedMechanisms) -}}
+ {{- print "security.zookeeper.sasl.mechanism must be empty or: plain" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that ZooKeeper SASL loginModuleClass is not empty when ZK SASL is
enabled.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperLoginModuleClass" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperLoginModuleClass" -}}
Review Comment:
```suggestion
{{- define "fluss.security.zookeeper.sasl.validateLoginModuleClass" -}}
```
##########
helm/templates/_security.tpl:
##########
@@ -117,6 +139,56 @@ Usage:
{{- end -}}
{{- end -}}
+{{/*
+Validates that ZooKeeper SASL mechanism is valid.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperMechanism" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperMechanism" -}}
Review Comment:
```suggestion
{{- define "fluss.security.zookeeper.sasl.validateMechanism" -}}
```
##########
helm/templates/_security.tpl:
##########
@@ -29,6 +29,28 @@ Usage:
{{- $mechanism -}}
{{- end -}}
+{{/*
+Returns the ZooKeeper SASL authentication mechanism value.
+Allowed mechanism values: '', 'plain'
+Usage:
+ include "fluss.security.zookeeper.mechanism" .
+*/}}
+{{- define "fluss.security.zookeeper.mechanism" -}}
Review Comment:
```suggestion
{{- define "fluss.security.zookeeper.sasl.mechanism" -}}
```
##########
helm/templates/_security.tpl:
##########
@@ -117,6 +139,56 @@ Usage:
{{- end -}}
{{- end -}}
+{{/*
+Validates that ZooKeeper SASL mechanism is valid.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperMechanism" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperMechanism" -}}
+{{- $allowedMechanisms := list "" "plain" -}}
+{{- $mechanism := include "fluss.security.zookeeper.mechanism" . -}}
+{{- if not (has $mechanism $allowedMechanisms) -}}
+ {{- print "security.zookeeper.sasl.mechanism must be empty or: plain" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that ZooKeeper SASL loginModuleClass is not empty when ZK SASL is
enabled.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperLoginModuleClass" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperLoginModuleClass" -}}
+{{- if and (include "fluss.security.zookeeper.sasl.enabled" .) (not
.Values.security.zookeeper.sasl.plain.loginModuleClass) -}}
+ {{- print "security.zookeeper.sasl.plain.loginModuleClass must not be empty
when security.zookeeper.sasl.mechanism is plain" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that ZooKeeper SASL username is not empty when ZK SASL is enabled.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperUsername" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperUsername" -}}
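Review bot: The loginModuleClass validator is guarded by `fluss.security.zookeeper.sasl.enabled`, but the value it checks and the message it prints are specific to the plain mechanism (`security.zookeeper.sasl.plain.loginModuleClass`, "when security.zookeeper.sasl.mechanism is plain"). The guard and the message agree only while the allowed list is `""` and `"plain"`. Guarding on the mechanism itself, e.g. `eq (include "fluss.security.zookeeper.mechanism" .) "plain"`, would keep the check correct if a second mechanism is ever allowed. The bare `not` test also accepts a whitespace-only value, so trimming the value before the test would catch a credential field that is effectively blank. The username validator quoted later in this thread follows the same pattern, and the hunk continues beyond the quoted lines.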
Review Comment:
```suggestion
{{- define "fluss.security.zookeeper.sasl.validateUsername" -}}
```
##########
helm/templates/secret-jaas-config.yaml:
##########
@@ -16,20 +16,21 @@
# limitations under the License.
#
-{{ if (include "fluss.security.sasl.plain.enabled" .) }}
+{{ if (include "fluss.security.jaas.required" .) }}
{{- $internalMechanism := include "fluss.security.listener.mechanism" (dict
"context" .Values "listener" "internal") -}}
{{- $clientMechanism := include "fluss.security.listener.mechanism" (dict
"context" .Values "listener" "client") -}}
{{- $internalUsername := include "fluss.security.sasl.plain.internal.username"
. -}}
{{- $internalPassword := include "fluss.security.sasl.plain.internal.password"
. -}}
apiVersion: v1
kind: Secret
metadata:
- name: {{ include "fluss.security.sasl.configName" . }}
+ name: {{ include "fluss.security.jaas.configName" . }}
labels:
{{- include "fluss.labels" . | nindent 4 }}
type: Opaque
stringData:
jaas.conf: |
+{{- if (include "fluss.security.sasl.plain.enabled" .) }}
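Review bot: The new outer guard `{{ if (include "fluss.security.jaas.required" .) }}` tests only whether the helper renders any text, so it is correct only if that helper renders nothing (rather than the string `false`) when no JAAS config is needed. The helper is not part of this hunk, so that is worth confirming. Since this template emits the Secret that carries the SASL credentials, a one-line comment above the guard would document the contract, e.g. `{{/* fluss.security.jaas.required renders "" when no JAAS config is needed */}}`. The `jaas.conf` body lies outside the hunk; if the username and password are interpolated inside quoted JAAS option values there, it would be worth checking that values containing `"` or `\` are escaped or rejected by the validators.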
Review Comment:
Do we also need the `if` after this one?
You also check for the mechanism to be plain, so it now seems redundant.
##########
helm/templates/_security.tpl:
##########
@@ -117,6 +139,56 @@ Usage:
{{- end -}}
{{- end -}}
+{{/*
+Validates that ZooKeeper SASL mechanism is valid.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperMechanism" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperMechanism" -}}
+{{- $allowedMechanisms := list "" "plain" -}}
+{{- $mechanism := include "fluss.security.zookeeper.mechanism" . -}}
+{{- if not (has $mechanism $allowedMechanisms) -}}
+ {{- print "security.zookeeper.sasl.mechanism must be empty or: plain" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that ZooKeeper SASL loginModuleClass is not empty when ZK SASL is
enabled.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperLoginModuleClass" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperLoginModuleClass" -}}
+{{- if and (include "fluss.security.zookeeper.sasl.enabled" .) (not
.Values.security.zookeeper.sasl.plain.loginModuleClass) -}}
+ {{- print "security.zookeeper.sasl.plain.loginModuleClass must not be empty
when security.zookeeper.sasl.mechanism is plain" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that ZooKeeper SASL username is not empty when ZK SASL is enabled.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperUsername" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperUsername" -}}
+{{- if and (include "fluss.security.zookeeper.sasl.enabled" .) (not
.Values.security.zookeeper.sasl.plain.username) -}}
+ {{- print "security.zookeeper.sasl.plain.username must not be empty when
security.zookeeper.sasl.mechanism is plain" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Validates that ZooKeeper SASL password is not empty when ZK SASL is enabled.
+Returns an error message if invalid, empty string otherwise.
+Usage:
+ include "fluss.security.sasl.validateZookeeperPassword" .
+*/}}
+{{- define "fluss.security.sasl.validateZookeeperPassword" -}}
Review Comment:
```suggestion
{{- define "fluss.security.zookeeper.sasl.validatePassword" -}}
```