feat: HBase Listener integration

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Added
 
+- Added listener support for HBase ([#639]).
 - Adds new telemetry CLI arguments and environment variables ([#652]).
   - Use `--file-log-max-files` (or `FILE_LOG_MAX_FILES`) to limit the number of log files kept.
   - Use `--file-log-rotation-period` (or `FILE_LOG_ROTATION_PERIOD`) to configure the frequency of rotation.
@@ -38,6 +39,7 @@
 - test: Remove HDFS `3.3.4`, `3.3.6`, and `3.4.0` ([#655]).
 - test: HBase 2.4.18 removed ([#659]):
 
+[#639]: https://github.com/stackabletech/hbase-operator/pull/639
 [#640]: https://github.com/stackabletech/hbase-operator/pull/640
 [#645]: https://github.com/stackabletech/hbase-operator/pull/645
 [#647]: https://github.com/stackabletech/hbase-operator/pull/647

deploy/helm/hbase-operator/crds/crds.yaml

@@ -73,20 +73,6 @@ spec:
                     hdfsConfigMapName:
                       description: Name of the [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for an HDFS cluster.
                       type: string
-                    listenerClass:
-                      default: cluster-internal
-                      description: |-
-                        This field controls which type of Service the Operator creates for this HbaseCluster:
-
-                        * cluster-internal: Use a ClusterIP service
-
-                        * external-unstable: Use a NodePort service
-
-                        This is a temporary solution with the goal to keep yaml manifests forward compatible. In the future, this setting will control which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) will be used to expose the service, and ListenerClass names will stay the same, allowing for a non-breaking change.
-                      enum:
-                        - cluster-internal
-                        - external-unstable
-                      type: string
                     vectorAggregatorConfigMapName:
                       description: Name of the Vector aggregator [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery). It must contain the key `ADDRESS` with the address of the Vector aggregator. Follow the [logging tutorial](https://docs.stackable.tech/home/nightly/tutorials/logging-vector-aggregator) to learn how to configure log aggregation with Vector.
                       nullable: true
@@ -210,6 +196,10 @@ spec:
                         hbaseRootdir:
                           nullable: true
                           type: string
+                        listenerClass:
+                          description: This field controls which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) is used to expose this rolegroup.
+                          nullable: true
+                          type: string
                         logging:
                           default:
                             containers: {}
@@ -460,6 +450,10 @@ spec:
                               hbaseRootdir:
                                 nullable: true
                                 type: string
+                              listenerClass:
+                                description: This field controls which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) is used to expose this rolegroup.
+                                nullable: true
+                                type: string
                               logging:
                                 default:
                                   containers: {}
@@ -691,6 +685,10 @@ spec:
                         hbaseRootdir:
                           nullable: true
                           type: string
+                        listenerClass:
+                          description: This field controls which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) is used to expose this rolegroup.
+                          nullable: true
+                          type: string
                         logging:
                           default:
                             containers: {}
@@ -969,6 +967,10 @@ spec:
                               hbaseRootdir:
                                 nullable: true
                                 type: string
+                              listenerClass:
+                                description: This field controls which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) is used to expose this rolegroup.
+                                nullable: true
+                                type: string
                               logging:
                                 default:
                                   containers: {}
@@ -1228,6 +1230,10 @@ spec:
                         hbaseRootdir:
                           nullable: true
                           type: string
+                        listenerClass:
+                          description: This field controls which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) is used to expose this rolegroup.
+                          nullable: true
+                          type: string
                         logging:
                           default:
                             containers: {}
@@ -1478,6 +1484,10 @@ spec:
                               hbaseRootdir:
                                 nullable: true
                                 type: string
+                              listenerClass:
+                                description: This field controls which [ListenerClass](https://docs.stackable.tech/home/nightly/listener-operator/listenerclass.html) is used to expose this rolegroup.
+                                nullable: true
+                                type: string
                               logging:
                                 default:
                                   containers: {}

deploy/helm/hbase-operator/templates/roles.yaml

@@ -77,6 +77,12 @@ rules:
     verbs:
       - create
       - patch
+  - apiGroups:
+      - listeners.stackable.tech
+    resources:
+      - listeners
+    verbs:
+      - get
   - apiGroups:
       - {{ include "operator.name" . }}.stackable.tech
     resources:

docs/modules/hbase/pages/usage-guide/listenerclass.adoc

@@ -1,18 +1,37 @@
 = Service exposition with ListenerClasses
+:description: Configure HBase service exposure using ListenerClasses to control internal and external access for all roles.
 
-Apache HBase offers an API.
-The operator deploys a service called `<name>` (where `<name>` is the name of the HbaseCluster) through which HBase can be reached.
+The operator deploys a xref:listener-operator:listener.adoc[Listener] for each Master, Regionserver and Restserver pod.
+They all default to only being accessible from within the Kubernetes cluster, but this can be changed by setting `.spec.{masters,regionServers,restServers}.config.listenerClass`:
 
-This service can have either the `cluster-internal` or `external-unstable` type.
-`external-stable` is not supported for HBase at the moment.
-Read more about the types in the xref:concepts:service-exposition.adoc[service exposition] documentation at platform level.
+[source,yaml]
+----
+spec:
+  masters:
+    config:
+      listenerClass: external-unstable  # <1>
+  regionServers:
+    config:
+      listenerClass: external-unstable
+  restServers:
+    config:
+      listenerClass: external-unstable
+----
+<1> Specify one of `external-stable`, `external-unstable`, `cluster-internal` (the default setting is `cluster-internal`).
+This can be set separately for all three roles.
 
-This is how the listener class is configured:
+Externally-reachable endpoints (i.e. where listener-class = `external-unstable` or `external-unstable`) are written to a ConfigMap called `<cluster-name>-ui-endpoints`, listing each rolegroup by replica:
 
 [source,yaml]
 ----
-spec:
-  clusterConfig:
-    listenerClass: cluster-internal  # <1>
+apiVersion: v1
+data:
+  hbase.master-0.ui: 172.19.0.3:32353
+  hbase.master-1.ui: 172.19.0.5:31817
+  hbase.regionserver-0.ui: 172.19.0.3:31719
+  hbase.regionserver-1.ui: 172.19.0.5:30626
+  hbase.restserver-0.ui: 172.19.0.3:31790
+  hbase.restserver-1.ui: 172.19.0.5:32292
+kind: ConfigMap
+...
 ----
-<1> The default `cluster-internal` setting.

rust/operator-binary/src/crd/mod.rs

@@ -59,8 +59,6 @@ pub const SSL_CLIENT_XML: &str = "ssl-client.xml";
 
 pub const HBASE_CLUSTER_DISTRIBUTED: &str = "hbase.cluster.distributed";
 pub const HBASE_ROOTDIR: &str = "hbase.rootdir";
-pub const HBASE_UNSAFE_REGIONSERVER_HOSTNAME_DISABLE_MASTER_REVERSEDNS: &str =
-    "hbase.unsafe.regionserver.hostname.disable.master.reversedns";
 
 pub const HBASE_UI_PORT_NAME_HTTP: &str = "ui-http";
 pub const HBASE_UI_PORT_NAME_HTTPS: &str = "ui-https";
@@ -80,6 +78,8 @@ pub const HBASE_REST_UI_PORT: u16 = 8085;
 // This port is only used by Hbase prior to version 2.6 with a third-party JMX exporter.
 // Newer versions use the same port as the UI because Hbase provides it's own metrics API
 pub const METRICS_PORT: u16 = 9100;
+pub const LISTENER_VOLUME_NAME: &str = "listener";
+pub const LISTENER_VOLUME_DIR: &str = "/stackable/listener";
 
 const DEFAULT_REGION_MOVER_TIMEOUT: Duration = Duration::from_minutes_unchecked(59);
 const DEFAULT_REGION_MOVER_DELTA_TO_SHUTDOWN: Duration = Duration::from_minutes_unchecked(1);
@@ -106,6 +106,9 @@ pub enum Error {
 
     #[snafu(display("incompatible merge types"))]
     IncompatibleMergeTypes,
+
+    #[snafu(display("role-group is not valid"))]
+    NoRoleGroup,
 }
 
 #[versioned(version(name = "v1alpha1"))]
@@ -175,18 +178,6 @@ pub mod versioned {
         /// for a ZooKeeper cluster.
         pub zookeeper_config_map_name: String,
 
-        /// This field controls which type of Service the Operator creates for this HbaseCluster:
-        ///
-        /// * cluster-internal: Use a ClusterIP service
-        ///
-        /// * external-unstable: Use a NodePort service
-        ///
-        /// This is a temporary solution with the goal to keep yaml manifests forward compatible.
-        /// In the future, this setting will control which [ListenerClass](DOCS_BASE_URL_PLACEHOLDER/listener-operator/listenerclass.html)
-        /// will be used to expose the service, and ListenerClass names will stay the same, allowing for a non-breaking change.
-        #[serde(default)]
-        pub listener_class: CurrentlySupportedListenerClasses,
-
         /// Settings related to user [authentication](DOCS_BASE_URL_PLACEHOLDER/usage-guide/security).
         pub authentication: Option<AuthenticationConfig>,
 
@@ -216,6 +207,11 @@ impl v1alpha1::HbaseCluster {
         let defaults =
             AnyConfigFragment::default_for(role, &self.name_any(), hdfs_discovery_cm_name);
 
+        // Trivial values for role-groups are not allowed
+        if role_group.is_empty() {
+            return Err(Error::NoRoleGroup);
+        }
+
         let (mut role_config, mut role_group_config) = match role {
             HbaseRole::RegionServer => {
                 let role = self
@@ -231,7 +227,9 @@ impl v1alpha1::HbaseCluster {
                     .role_groups
                     .get(role_group)
                     .map(|rg| rg.config.config.clone())
-                    .unwrap_or_default();
+                    .expect(
+                        "Cannot be empty as trivial values of role-group have already been checked",
+                    );
 
                 (
                     AnyConfigFragment::RegionServer(role_config),
@@ -253,7 +251,9 @@ impl v1alpha1::HbaseCluster {
                     .role_groups
                     .get(role_group)
                     .map(|rg| rg.config.config.clone())
-                    .unwrap_or_default();
+                    .expect(
+                        "Cannot be empty as trivial values of role-group have already been checked",
+                    );
 
                 // Retrieve role resource config
                 (
@@ -273,7 +273,9 @@ impl v1alpha1::HbaseCluster {
                     .role_groups
                     .get(role_group)
                     .map(|rg| rg.config.config.clone())
-                    .unwrap_or_default();
+                    .expect(
+                        "Cannot be empty as trivial values of role-group have already been checked",
+                    );
 
                 // Retrieve role resource config
                 (
@@ -539,7 +541,7 @@ impl v1alpha1::HbaseCluster {
     }
 
     /// Name of the port used by the Web UI, which depends on HTTPS usage
-    fn ui_port_name(&self) -> String {
+    pub fn ui_port_name(&self) -> String {
         if self.has_https_enabled() {
             HBASE_UI_PORT_NAME_HTTPS
         } else {
@@ -565,27 +567,6 @@ pub fn merged_env(rolegroup_config: Option<&BTreeMap<String, String>>) -> Vec<En
     merged_env
 }
 
-// TODO: Temporary solution until listener-operator is finished
-#[derive(Clone, Debug, Default, Display, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
-#[serde(rename_all = "PascalCase")]
-pub enum CurrentlySupportedListenerClasses {
-    #[default]
-    #[serde(rename = "cluster-internal")]
-    ClusterInternal,
-
-    #[serde(rename = "external-unstable")]
-    ExternalUnstable,
-}
-
-impl CurrentlySupportedListenerClasses {
-    pub fn k8s_service_type(&self) -> String {
-        match self {
-            CurrentlySupportedListenerClasses::ClusterInternal => "ClusterIP".to_string(),
-            CurrentlySupportedListenerClasses::ExternalUnstable => "NodePort".to_string(),
-        }
-    }
-}
-
 #[derive(Clone, Debug, Deserialize, Eq, Hash, JsonSchema, PartialEq, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct KerberosConfig {
@@ -709,6 +690,7 @@ impl HbaseRole {
             affinity: get_affinity(cluster_name, self, hdfs_discovery_cm_name),
             graceful_shutdown_timeout: Some(graceful_shutdown_timeout),
             requested_secret_lifetime: Some(requested_secret_lifetime),
+            listener_class: Some("cluster-internal".to_string()),
         }
     }
 
@@ -809,6 +791,7 @@ impl AnyConfigFragment {
                         cli_opts: None,
                     },
                     requested_secret_lifetime: Some(HbaseRole::DEFAULT_REGION_SECRET_LIFETIME),
+                    listener_class: Some("cluster-internal".to_string()),
                 })
             }
             HbaseRole::RestServer => AnyConfigFragment::RestServer(HbaseConfigFragment {
@@ -820,6 +803,7 @@ impl AnyConfigFragment {
                     HbaseRole::DEFAULT_REST_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT,
                 ),
                 requested_secret_lifetime: Some(HbaseRole::DEFAULT_REST_SECRET_LIFETIME),
+                listener_class: Some("cluster-internal".to_string()),
             }),
             HbaseRole::Master => AnyConfigFragment::Master(HbaseConfigFragment {
                 hbase_rootdir: None,
@@ -830,6 +814,7 @@ impl AnyConfigFragment {
                     HbaseRole::DEFAULT_MASTER_GRACEFUL_SHUTDOWN_TIMEOUT,
                 ),
                 requested_secret_lifetime: Some(HbaseRole::DEFAULT_MASTER_SECRET_LIFETIME),
+                listener_class: Some("cluster-internal".to_string()),
             }),
         }
     }
@@ -907,6 +892,9 @@ pub struct HbaseConfig {
     /// Please note that this can be shortened by the `maxCertificateLifetime` setting on the SecretClass issuing the TLS certificate.
     #[fragment_attrs(serde(default))]
     pub requested_secret_lifetime: Option<Duration>,
+
+    /// This field controls which [ListenerClass](DOCS_BASE_URL_PLACEHOLDER/listener-operator/listenerclass.html) is used to expose this rolegroup.
+    pub listener_class: String,
 }
 
 impl Configuration for HbaseConfigFragment {
@@ -965,10 +953,6 @@ impl Configuration for HbaseConfigFragment {
                     HBASE_CLUSTER_DISTRIBUTED.to_string(),
                     Some("true".to_string()),
                 );
-                result.insert(
-                    HBASE_UNSAFE_REGIONSERVER_HOSTNAME_DISABLE_MASTER_REVERSEDNS.to_string(),
-                    Some("true".to_string()),
-                );
                 result.insert(HBASE_ROOTDIR.to_string(), self.hbase_rootdir.clone());
             }
             _ => {}
@@ -1060,6 +1044,9 @@ pub struct RegionServerConfig {
     /// The operator will compute a timeout period for the region move that will not exceed the graceful shutdown timeout.
     #[fragment_attrs(serde(default))]
     pub region_mover: RegionMover,
+
+    /// This field controls which [ListenerClass](DOCS_BASE_URL_PLACEHOLDER/listener-operator/listenerclass.html) is used to expose this rolegroup.
+    pub listener_class: String,
 }
 
 impl Configuration for RegionServerConfigFragment {
@@ -1116,10 +1103,6 @@ impl Configuration for RegionServerConfigFragment {
                     HBASE_CLUSTER_DISTRIBUTED.to_string(),
                     Some("true".to_string()),
                 );
-                result.insert(
-                    HBASE_UNSAFE_REGIONSERVER_HOSTNAME_DISABLE_MASTER_REVERSEDNS.to_string(),
-                    Some("true".to_string()),
-                );
                 result.insert(HBASE_ROOTDIR.to_string(), self.hbase_rootdir.clone());
             }
             _ => {}
@@ -1185,6 +1168,14 @@ impl AnyServiceConfig {
         }
     }
 
+    pub fn listener_class(&self) -> String {
+        match self {
+            AnyServiceConfig::Master(config) => config.listener_class.clone(),
+            AnyServiceConfig::RegionServer(config) => config.listener_class.clone(),
+            AnyServiceConfig::RestServer(config) => config.listener_class.clone(),
+        }
+    }
+
     /// Returns command line arguments to pass on to the region mover tool.
     /// The following arguments are excluded because they are already part of the
     /// hbase-entrypoint.sh script.