Address reviews suggestions.

morazow · morazow · commit faf28e0d2b5e · 2026-03-26T13:36:36.000+01:00
Changes:

- Add ZK negative tests
- Don't auto generate ZK username and password
- Rename sasl.configName to jaas.configName
- Documentation updates
- Refactor to previous methods, instead of generic methods
diff --git a/helm/templates/_security.tpl b/helm/templates/_security.tpl
@@ -130,61 +130,63 @@ Usage:
 {{- end -}}
 
 {{/*
-Returns a default SASL username based on a given prefix and the release name.
+Validates that ZooKeeper SASL username is not empty when ZK SASL is enabled.
+Returns an error message if invalid, empty string otherwise.
 Usage:
-  include "fluss.security.sasl.defaultUsername" (dict "prefix" "fluss-internal" "Release" .Release)
+  include "fluss.security.sasl.validateZookeeperUsername" .
 */}}
-{{- define "fluss.security.sasl.defaultUsername" -}}
-{{- printf "%s-user-%s" .prefix .Release.Name -}}
+{{- define "fluss.security.sasl.validateZookeeperUsername" -}}
+{{- if and .Values.security.zookeeper.sasl.enabled (not .Values.security.zookeeper.sasl.username) -}}
+  {{- print "security.zookeeper.sasl.username must not be empty when security.zookeeper.sasl.enabled is true" -}}
+{{- end -}}
 {{- end -}}
 
 {{/*
-Returns a default SASL password based on a given prefix and the release name (sha256 hashed).
+Validates that ZooKeeper SASL password is not empty when ZK SASL is enabled.
+Returns an error message if invalid, empty string otherwise.
 Usage:
-  include "fluss.security.sasl.defaultPassword" (dict "prefix" "fluss-internal" "Release" .Release)
+  include "fluss.security.sasl.validateZookeeperPassword" .
 */}}
-{{- define "fluss.security.sasl.defaultPassword" -}}
-{{- printf "%s-password-%s" .prefix .Release.Name | sha256sum -}}
+{{- define "fluss.security.sasl.validateZookeeperPassword" -}}
+{{- if and .Values.security.zookeeper.sasl.enabled (not .Values.security.zookeeper.sasl.password) -}}
+  {{- print "security.zookeeper.sasl.password must not be empty when security.zookeeper.sasl.enabled is true" -}}
+{{- end -}}
 {{- end -}}
 
 {{/*
-Returns the resolved internal SASL username.
-It generates internal username if user provided is empty.
+Returns the default internal SASL username based on the release name.
 Usage:
-  include "fluss.security.sasl.plain.internal.username" .
+  include "fluss.security.sasl.plain.internal.defaultUsername" .
 */}}
-{{- define "fluss.security.sasl.plain.internal.username" -}}
-{{- .Values.security.internal.sasl.plain.username | default (include "fluss.security.sasl.defaultUsername" (dict "prefix" "fluss-internal" "Release" .Release)) -}}
+{{- define "fluss.security.sasl.plain.internal.defaultUsername" -}}
+{{- printf "fluss-internal-user-%s" .Release.Name -}}
 {{- end -}}
 
 {{/*
-Returns the resolved internal SASL password.
-It generates internal password if user provided is empty.
+Returns the default internal SASL password based on the release name (sha256 hashed).
 Usage:
-  include "fluss.security.sasl.plain.internal.password" .
+  include "fluss.security.sasl.plain.internal.defaultPassword" .
 */}}
-{{- define "fluss.security.sasl.plain.internal.password" -}}
-{{- .Values.security.internal.sasl.plain.password | default (include "fluss.security.sasl.defaultPassword" (dict "prefix" "fluss-internal" "Release" .Release)) -}}
+{{- define "fluss.security.sasl.plain.internal.defaultPassword" -}}
+{{- printf "fluss-internal-password-%s" .Release.Name | sha256sum -}}
 {{- end -}}
 
 {{/*
-Returns the resolved ZooKeeper SASL username.
-It generates Zookeeper username if user provided is empty.
+Returns the resolved internal SASL username (user-provided or auto-generated default).
 Usage:
-  include "fluss.security.zookeeper.sasl.username" .
+  include "fluss.security.sasl.plain.internal.username" .
 */}}
-{{- define "fluss.security.zookeeper.sasl.username" -}}
-{{- .Values.security.zookeeper.sasl.username | default (include "fluss.security.sasl.defaultUsername" (dict "prefix" "fluss-zookeeper" "Release" .Release)) -}}
+{{- define "fluss.security.sasl.plain.internal.username" -}}
+{{- .Values.security.internal.sasl.plain.username | default (include "fluss.security.sasl.plain.internal.defaultUsername" .) -}}
 {{- end -}}
 
 {{/*
-Returns the resolved ZooKeeper SASL password.
-It generates Zookeeper password if user provided is empty.
+Returns the resolved internal SASL password (user-provided or auto-generated default).
 Usage:
-  include "fluss.security.zookeeper.sasl.password" .
+  include "fluss.security.sasl.plain.internal.password" .
 */}}
-{{- define "fluss.security.zookeeper.sasl.password" -}}
-{{- .Values.security.zookeeper.sasl.password | default (include "fluss.security.sasl.defaultPassword" (dict "prefix" "fluss-zookeeper" "Release" .Release)) -}}
+{{- define "fluss.security.sasl.plain.internal.password" -}}
+{{- .Values.security.internal.sasl.plain.password | default (include "fluss.security.sasl.plain.internal.defaultPassword" .) -}}
 {{- end -}}
 
 {{/*
@@ -214,19 +216,6 @@ Usage:
 {{- end -}}
 {{- end -}}
 
-{{/*
-Returns a warning if the ZooKeeper SASL user is using auto-generated credentials.
-Usage:
-  include "fluss.security.sasl.warnZookeeperUser" .
-*/}}
-{{- define "fluss.security.sasl.warnZookeeperUser" -}}
-{{- if .Values.security.zookeeper.sasl.enabled -}}
-  {{- if and (not .Values.security.zookeeper.sasl.username) (not .Values.security.zookeeper.sasl.password) -}}
-    {{- print "You are using AUTO-GENERATED SASL credentials for ZooKeeper authentication.\n  It is strongly recommended to set the following values in production:\n    - security.zookeeper.sasl.username\n    - security.zookeeper.sasl.password" -}}
-  {{- end -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
 Compile all warnings and errors into a single message.
 Usage:
@@ -238,13 +227,14 @@ Usage:
 {{- $errMessages = append $errMessages (include "fluss.security.sasl.validateMechanisms" .) -}}
 {{- $errMessages = append $errMessages (include "fluss.security.sasl.validateClientPlainUsers" .) -}}
 {{- $errMessages = append $errMessages (include "fluss.security.sasl.validateZookeeperLoginModuleClass" .) -}}
+{{- $errMessages = append $errMessages (include "fluss.security.sasl.validateZookeeperUsername" .) -}}
+{{- $errMessages = append $errMessages (include "fluss.security.sasl.validateZookeeperPassword" .) -}}
 
 {{- $errMessages = without $errMessages "" -}}
 {{- $errMessage := join "\n" $errMessages -}}
 
 {{- $warnMessages := list -}}
 {{- $warnMessages = append $warnMessages (include "fluss.security.sasl.warnInternalUser" .) -}}
-{{- $warnMessages = append $warnMessages (include "fluss.security.sasl.warnZookeeperUser" .) -}}
 
 {{- $warnMessages = without $warnMessages "" -}}
 {{- $warnMessage := join "\n" $warnMessages -}}
@@ -262,8 +252,8 @@ Usage:
 {{/*
 Returns the SASL JAAS config name.
 Usage:
-  include "fluss.security.sasl.configName" .
+  include "fluss.security.jaas.configName" .
 */}}
-{{- define "fluss.security.sasl.configName" -}}
+{{- define "fluss.security.jaas.configName" -}}
 {{ include "fluss.fullname" . }}-sasl-jaas-config
 {{- end -}}
diff --git a/helm/templates/secret-jaas-config.yaml b/helm/templates/secret-jaas-config.yaml
@@ -16,15 +16,15 @@
 # limitations under the License.
 #
 
-{{- if (include "fluss.security.jaas.required" .) -}}
+{{ if (include "fluss.security.jaas.required" .) }}
 {{- $internalMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "internal") -}}
 {{- $clientMechanism := include "fluss.security.listener.mechanism" (dict "context" .Values "listener" "client") -}}
 {{- $internalUsername := include "fluss.security.sasl.plain.internal.username" . -}}
 {{- $internalPassword := include "fluss.security.sasl.plain.internal.password" . -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "fluss.security.sasl.configName" . }}
+  name: {{ include "fluss.security.jaas.configName" . }}
   labels:
     {{- include "fluss.labels" . | nindent 4 }}
 type: Opaque
@@ -54,8 +54,8 @@ stringData:
 {{- if .Values.security.zookeeper.sasl.enabled }}
     ZookeeperClient {
        {{ .Values.security.zookeeper.sasl.loginModuleClass }} required
-       username="{{ include "fluss.security.zookeeper.sasl.username" . }}"
-       password="{{ include "fluss.security.zookeeper.sasl.password" . }}";
+       username="{{ .Values.security.zookeeper.sasl.username }}"
+       password="{{ .Values.security.zookeeper.sasl.password }}";
     };
 {{- end }}
 {{- if .Values.security.zookeeper.sasl.enabled }}
diff --git a/helm/templates/sts-coordinator.yaml b/helm/templates/sts-coordinator.yaml
@@ -121,7 +121,7 @@ spec:
         {{- if (include "fluss.security.jaas.required" .) }}
         - name: sasl-config
           secret:
-            secretName: {{ include "fluss.security.sasl.configName" . }}
+            secretName: {{ include "fluss.security.jaas.configName" . }}
         {{- end }}
   {{- if .Values.coordinator.storage.enabled }}
   volumeClaimTemplates:
diff --git a/helm/templates/sts-tablet.yaml b/helm/templates/sts-tablet.yaml
@@ -118,7 +118,7 @@ spec:
         {{- if (include "fluss.security.jaas.required" .) }}
         - name: sasl-config
           secret:
-            secretName: {{ include "fluss.security.sasl.configName" . }}
+            secretName: {{ include "fluss.security.jaas.configName" . }}
         {{- end }}
   {{- if .Values.tablet.storage.enabled }}
   volumeClaimTemplates:
diff --git a/helm/tests/security_test.yaml b/helm/tests/security_test.yaml
@@ -327,18 +327,6 @@ tests:
       - matchRegex:
           path: stringData["jaas.conf"]
           pattern: 'ZookeeperClient\s*\{'
-  - it: uses auto-generated ZK credentials when user does not override them
-    set:
-      security.zookeeper.sasl.enabled: true
-    asserts:
-      - hasDocuments:
-          count: 1
-      - matchRegex:
-          path: stringData["jaas.conf"]
-          pattern: 'username="fluss-zookeeper-user-RELEASE-NAME"'
-      - matchRegex:
-          path: stringData["jaas.conf"]
-          pattern: 'password="[a-f0-9]{64}"'
   - it: does not render SASL listener blocks when only ZK SASL is enabled
     set:
       security.zookeeper.sasl.enabled: true
@@ -429,14 +417,91 @@ tests:
 
 ---
 
-suite: zookeeper-sasl-empty-login-module-fails
+suite: zookeeper-sasl-disabled
+templates:
+  - templates/secret-jaas-config.yaml
+  - templates/sts-coordinator.yaml
+  - templates/sts-tablet.yaml
+  - templates/configmap.yaml
+tests:
+  - it: does not render ZookeeperClient JAAS block when ZK SASL is disabled
+    template: templates/secret-jaas-config.yaml
+    set:
+      security.internal.sasl.mechanism: plain
+      security.internal.sasl.plain.username: internal-user
+      security.internal.sasl.plain.password: internal-pass
+    asserts:
+      - hasDocuments:
+          count: 1
+      - notMatchRegex:
+          path: stringData["jaas.conf"]
+          pattern: 'ZookeeperClient\s*\{'
+      - isNull:
+          path: stringData["zookeeper-client.properties"]
+  - it: does not render JAAS secret when neither SASL nor ZK SASL is enabled
+    template: templates/secret-jaas-config.yaml
+    asserts:
+      - hasDocuments:
+          count: 0
+  - it: does not render JAAS env var or volume mount for coordinator when ZK SASL is disabled
+    template: templates/sts-coordinator.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: FLUSS_ENV_JAVA_OPTS
+            value: "-Djava.security.auth.login.config=/etc/fluss/conf/jaas.conf"
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: sasl-config
+          any: true
+  - it: does not render JAAS env var or volume mount for tablet when ZK SASL is disabled
+    template: templates/sts-tablet.yaml
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: FLUSS_ENV_JAVA_OPTS
+            value: "-Djava.security.auth.login.config=/etc/fluss/conf/jaas.conf"
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: sasl-config
+          any: true
+  - it: does not render zookeeper client config path in configmap when ZK SASL is disabled
+    template: templates/configmap.yaml
+    asserts:
+      - notMatchRegex:
+          path: data["server.yaml"]
+          pattern: 'zookeeper\.client\.config\.path'
+
+---
+
+suite: zookeeper-sasl-validation
 templates:
   - templates/NOTES.txt
 tests:
   - it: fails when loginModuleClass is empty and ZK SASL is enabled
     set:
       security.zookeeper.sasl.enabled: true
+      security.zookeeper.sasl.username: zk-user
+      security.zookeeper.sasl.password: zk-pass
       security.zookeeper.sasl.loginModuleClass: ""
     asserts:
       - failedTemplate:
           errorMessage: "VALUES VALIDATION:\nsecurity.zookeeper.sasl.loginModuleClass must not be empty when security.zookeeper.sasl.enabled is true"
+  - it: fails when ZK SASL is enabled but username is empty
+    set:
+      security.zookeeper.sasl.enabled: true
+      security.zookeeper.sasl.password: zk-pass
+    asserts:
+      - failedTemplate:
+          errorMessage: "VALUES VALIDATION:\nsecurity.zookeeper.sasl.username must not be empty when security.zookeeper.sasl.enabled is true"
+  - it: fails when ZK SASL is enabled but password is empty
+    set:
+      security.zookeeper.sasl.enabled: true
+      security.zookeeper.sasl.username: zk-user
+    asserts:
+      - failedTemplate:
+          errorMessage: "VALUES VALIDATION:\nsecurity.zookeeper.sasl.password must not be empty when security.zookeeper.sasl.enabled is true"
diff --git a/website/docs/install-deploy/deploying-with-helm.md b/website/docs/install-deploy/deploying-with-helm.md
@@ -347,7 +347,7 @@ security:
       password: fluss-zk-password
 ```
 
-If the username or password is left empty, the chart automatically generates credentials based on the Helm release name. It is recommended to set these explicitly in production.
+The `username` and `password` fields are required when ZooKeeper SASL is enabled.
 
 ZooKeeper SASL can be enabled independently or together with the listeners SASL authentication.
 
