Skip to content

feat(helm): optional mTLS Kafka support (KafkaUser + client-cert mounts), default off#34

Merged
bborbe merged 1 commit into
masterfrom
feature/chart-mtls-kafka
Jul 6, 2026
Merged

feat(helm): optional mTLS Kafka support (KafkaUser + client-cert mounts), default off#34
bborbe merged 1 commit into
masterfrom
feature/chart-mtls-kafka

Conversation

@bborbe

@bborbe bborbe commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Summary

Adds optional mTLS Kafka support to the agent chart for executor, controllers, and recurring-task-creator — default off (plaintext, quant unaffected). Unblocks the company Octopus per-stage-Strimzi (mTLS :9093) deploy without an octopus-only post-render patch.

When <component>.kafkaUser.enabled: true, the chart:

  1. emits a Strimzi KafkaUser CR (type: tls) in strimziNamespace, and
  2. mounts the client cert/key + cluster CA at the fixed /client-cert/file, /client-key/file, /server-cert/file paths github.com/bborbe/kafka reads for tls:// brokers.

New per-component values: kafkaUser.{enabled,cluster,strimziNamespace,userName,clientSecret,caCertSecret}. Secrets are referenced by name only (Strimzi issues them; an external syncer places them in the app namespace). Also adds the cert mount recurring-task-creator previously lacked. Chart 0.3.1 → 0.4.0.

Test plan

  • helm lint clean
  • enabled: true renders 3 KafkaUser CRs (type: tls, strimzi ns, derived names) + 9 cert mounts + correct client/CA secret refs
  • enabled: false (default): zero KafkaUser, zero cert mounts
  • Default render byte-identical to master except the helm.sh/chart version label → plaintext/quant installs unaffected
  • make precommit green

…executor, controllers, recurring — default off; chart 0.3.1→0.4.0
@bborbe bborbe marked this pull request as ready for review July 6, 2026 08:34

@ben-s-pull-request-reviewer ben-s-pull-request-reviewer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on my review of all changed files, here is my analysis:

Files Reviewed:

  • CHANGELOG.md, helm/Chart.yaml, helm/values.yaml
  • helm/templates/_helpers.tpl, helm/templates/executor-deployment.yaml, helm/templates/controller-statefulset.yaml
  • helm/templates/recurring-task-creator-statefulset.yaml
  • helm/templates/controller-kafkauser.yaml, helm/templates/executor-kafkauser.yaml, helm/templates/recurring-task-creator-kafkauser.yaml
  • helm/README.md

Must Fix (Critical): None identified.

Should Fix (Important): None — all concerns from the plan are either acceptable design decisions, already documented, or not actual bugs.

Nice to Have (Optional):

File Line Finding
helm/templates/_helpers.tpl 47, 54, 61 defaultMode: 420 (decimal) = 0644 octal (world-readable) for secret volumes containing TLS certs. While acceptable for certificates (they're designed to be distributed), stricter defaults like 0444 would be more aligned with secret-mount hardening best practices. The executor/controller securityContexts already drop ALL capabilities — this is lower severity.
helm/templates/controller-statefulset.yaml 133–138 The volumes: block is wrapped in `{{- if (($c.kafkaUser

Plan Concerns — Resolution:

Concern Verdict
defaultMode: 420 non-restrictive Accepted — certificates are not secrets; 0644 is standard for TLS certs
Controller volumes conditional wrapper Accepted — currently no conflict; documented for future refactoring
executor volumeMounts conflict Not an issue — executor had zero volumeMounts before this change
Name derivation chain for clientSecret Correct — Helm default chains properly resolve
KafkaUser in strimziNamespace By design — documented in values.yaml comments and README
No tls:// scheme validation By design — documented in README; silent failure if misconfigured
Hardcoded caCertSecret default Accepted — matches Strimzi convention; documented in values.yaml

Selector Mode Traceability:

  • Mechanical funnel: N/A (no ast-grep rules matched helm templates)
  • Judgment rules triggered: None
  • ast-grep-runner: skipped (no Go/Python files changed)
  • Step 4.0 toolchain check: N/A
{
  "verdict": "approve",
  "summary": "The mTLS Kafka feature is correctly implemented. Default-off behavior ensures zero breaking changes for existing plaintext Kafka installations. All concerns from the plan are either intentional design decisions (strimziNamespace placement, no tls:// validation), already documented (caCertSecret default), or not actual bugs (no volumeMount conflict for executor). The only optional improvement is considering stricter defaultMode for secret volumes.",
  "comments": [
    {
      "file": "helm/templates/_helpers.tpl",
      "line": 47,
      "severity": "nit",
      "message": "secret volume defaultMode 420 (=0644 octal, world-readable) for TLS certificates. While acceptable since certs are designed for distribution, stricter defaults like 0444 align better with K8s secret hardening guidance."
    },
    {
      "file": "helm/templates/_helpers.tpl",
      "line": 54,
      "severity": "nit",
      "message": "secret volume defaultMode 420 (=0644 octal, world-readable) for TLS key. See line 47 note."
    },
    {
      "file": "helm/templates/_helpers.tpl",
      "line": 61,
      "severity": "nit",
      "message": "secret volume defaultMode 420 (=0644 octal, world-readable) for CA certificate. See line 47 note."
    },
    {
      "file": "helm/templates/controller-statefulset.yaml",
      "line": 133,
      "severity": "nit",
      "message": "volumes block wrapped in kafkaUser.enabled conditional — future volume sources added unconditionally would need this wrapper refactored. Not a current bug; documented for maintainers."
    }
  ],
  "concerns_addressed": [
    "security: defaultMode 420 accepted — certs are not secrets, 0644 is standard for TLS material",
    "correctness: controller volumes block is correctly conditional — no other volume sources conflict",
    "correctness: executor volumeMounts has no conflict — executor had zero volumeMounts before this change",
    "correctness: name derivation chain for clientSecret is correct Helm template logic",
    "security: KafkaUser in strimziNamespace is intentional by design — documented in values.yaml and README",
    "correctness: no tls:// scheme validation is documented — silent failure is a known limitation",
    "security: caCertSecret default matches Strimzi convention — documented in values.yaml"
  ]
}

@bborbe bborbe merged commit 6919c03 into master Jul 6, 2026
1 check passed
@bborbe bborbe deleted the feature/chart-mtls-kafka branch July 6, 2026 08:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant