I am deploying a Spring Boot 3 application that heavily relies on the @Cacheable
annotation and must use Data Grid 8.4 (Infinispan 14) as distributed cache to accommodate Spring clustering.
The installation is based on an operator that was installed by my customer's IT service.
My goal is to define a technical account to be configured both in Infinispan server and Spring Boot client in order to connect with Hot Rod client
Exploded (don't mind plaintext passwords)
---
# Source: ipe-cache/templates/config.yaml
#Role application
apiVersion: v1
kind: Secret
type: Opaque
stringData:
  user: "application"
data:
  password: "MzRCRTRKTDVkWU91NnpIWg=="
---
# Source: ipe-cache/templates/config.yaml
# retrieve the secret data using lookup function and when not exists, return an empty dictionary / map as result
# set $jwtSecret to existing secret data or generate a random one when not exists
apiVersion: v1
kind: ConfigMap
data:
  infinispan-config.yaml: |-
    infinispan:
      cacheContainer:
        caches:
          base-template:
            distributedCacheConfiguration:
              encoding:
                mediaType: application/octet-stream
              expiration:
                lifespan: "129600000"
          extended-template:
            distributedCacheConfiguration:
              configuration: base-template
              expiration:
                lifespan: "129600000"
                maxIdle: "43200000"
          ipe-template:
            distributedCacheConfiguration:
              configuration: extended-template
              encoding:
                media-type: application/octet-stream
              locking:
                striping: true
              memory:
                storage: OFF_HEAP
              mode: SYNC
              owners: 1
              statistics: true
  identities-batch.yaml: |-
    user create application -p 34BE4JL5dYOu6zHZ -g application
---
# Source: ipe-cache/templates/cache.yaml
apiVersion: infinispan.org/v2alpha1
kind: Cache
spec:
  name: "ipe.ipe-settings"
  updates:
    strategy: recreate
  clusterName: ipe-cache-infinispan
  templateName: "ipe-template"
---
# Source: ipe-cache/templates/infinispan.yaml
apiVersion: infinispan.org/v1
kind: Infinispan
spec:
  replicas: 1
  configMapName: ipe-cache-cm
  service:
    type: DataGrid
  expose:
    type: Route
    port: 11223
    targetPort: 11223
    tls:
      termination: edge
      insecureEdgeTerminationPolicy: Redirect
  logging:
    categories:
      org.infinispan: debug
      org.jgroups: debug
      org.jgroups.protocols.TCP: error
      org.jgroups.protocols.relay.RELAY2: error
---
# Source: ipe-cache/templates/route.yaml
kind: Route
apiVersion: route.openshift.io/v1
spec:
  to:
    kind: Service
    name: ipe-cache-infinispan-admin
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  port:
    targetPort: infinispan-adm
---
# Source: ipe-cache/templates/route.yaml
kind: Route
apiVersion: route.openshift.io/v1
spec:
  to:
    kind: Service
    name: ipe-cache-infinispan
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  port:
    targetPort: infinispan
Explained:
I deploy the Infinispan server (named ipe-cache-infinispan), along with the service and route, which we are not mainly interested in, and all Cache custom objects for every Infinispan cache, associated to the Infinispan node and with the proper base template. In this example I show only one cache.
For the authentication, I took inspiration from an article that tells you how to auto-generate secrets.
Messing with the Infinispan documentation for Helm charts, I learned that I can use the identities-batch.yaml file to configure service accounts.
It doesn't work. If I retrieve the operator password from the secret that is auto-generated by Infinispan, I can access the CLI and console.
But look at what happens if I log in on the CLI
[disconnected]> connect localhost:11223
Username: operator
Password: ****************
[ipe-cache-e3-dev-infinispan-0-11942@ipe-cache-e3-dev-infinispan//containers/default]> user ls
[]
On the console, instead, I can log in with operator and see all caches healthy. But the application login is refused.
What is wrong in defining the application user like that? How should I define a custom user that has at the very least the application grant (in order for Hot Rod to work)?
In the meantime, how can I debug Infinispan failed logins?
It appears that you're connecting to port 11223, which is the port created for the Infinispan Operator to manage the cluster. Instead, you should connect to the endpoint exposed on port 11222.
It's possible to define multiple users for the security-realm exposed on port 11222 by providing a Secret. Please see the Infinispan Operator docs for the exact procedure: https://infinispan.org/docs/infinispan-operator/main/operator.html#adding-credentials_authn
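An added illustration, not part of the question or the answer above: the shape of the credentials Secret that the linked Operator docs describe, wired into the Infinispan CR through spec.security.endpointSecretName. The Secret name ipe-cache-credentials and the password value are placeholders chosen here; the username application and the application role come from the question (application is one of Infinispan's default roles, which is the grant a Hot Rod client needs). This replaces the identities-batch.yaml approach in the question, which belongs to the Helm chart rather than the Operator, and the users it defines authenticate on the 11222 endpoint, not the 11223 admin endpoint.

```yaml
# Added example (not from the question or the answer): Operator credentials
# Secret. The Secret name and the password are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: ipe-cache-credentials
type: Opaque
stringData:
  identities.yaml: |-
    credentials:
      - username: application
        password: CHANGE_ME_PLACEHOLDER
        roles:
          - application
---
# The Infinispan CR references the Secret; the users it lists become
# available on the 11222 endpoint that the CLI and Hot Rod clients use.
apiVersion: infinispan.org/v1
kind: Infinispan
metadata:
  name: ipe-cache-infinispan
spec:
  replicas: 1
  service:
    type: DataGrid
  security:
    endpointSecretName: ipe-cache-credentials
```

The password in identities.yaml is the value the Spring Boot Hot Rod client is configured with; keep the operator-generated admin Secret for the 11223 management endpoint separate, since that realm is managed by the Operator itself.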