iac/clusters/yc-k8s-test/infrastructure/patches/kafka.yaml

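---
# Flux HelmRelease for the Kafka chart in the `kafka` namespace.
# NOTE(review): the key nesting below was reconstructed from a flattened copy of
# this file; confirm the placement of `sasl.existingSecret` and the top-level
# `vault` block against the chart's values.yaml before relying on it.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kafka
  namespace: kafka
spec:
  interval: 5m
  timeout: 10m
  values:
    defaultInitContainers:
      prepareConfig:
        # Shell appended to the chart's prepare-config init container. It runs
        # after the chart has rendered /config/server.properties and rewrites
        # that file in place:
        #   1. strips leading whitespace inside the quoted password= and
        #      user_*= values the chart emitted;
        #   2. re-inserts the newline between `node.id=N` and
        #      `ssl.keystore.key=` where the two were emitted on one line;
        #   3. drops the generated ssl.keystore.* / ssl.truststore.* lines and
        #      re-appends them from the PEM files under /mounted-certs, with
        #      the key first converted to unencrypted PKCS#8 and every
        #      CR-stripped PEM line followed by a backslash-escaped newline
        #      marker (single-line .properties form; verify the escaping level
        #      against a rendered server.properties).
        # The openssl/diff checks abort the init container (set -e) when the
        # key does not parse or its public key differs from tls.crt's.
        # `set -x` traces commands only; no secret value appears on any
        # command line (key material flows file-to-file through openssl/awk),
        # so the trace does not expose the key.
        extraInit: |
          set -euxo pipefail
          perl -0pi -e 's/password="\s*([^"\n]+)"/password="$1"/g' /config/server.properties
          perl -0pi -e 's/user_controller_user="\s*([^"\n]+)"/user_controller_user="$1"/g' /config/server.properties
          perl -0pi -e 's/user_inter_broker_user="\s*([^"\n]+)"/user_inter_broker_user="$1"/g' /config/server.properties
          perl -0pi -e 's/node\.id=(\d+)ssl\.keystore\.key=/node.id=$1\nssl.keystore.key=/g' /config/server.properties
          sed -i '/^ssl\.keystore\.key=/d' /config/server.properties
          sed -i '/^ssl\.keystore\.certificate\.chain=/d' /config/server.properties
          sed -i '/^ssl\.truststore\.certificates=/d' /config/server.properties
          openssl pkcs8 -topk8 -nocrypt -in /mounted-certs/tls.key -out /tmp/tls.key.pk8
          # Валидация: key должен читаться
          openssl pkey -in /tmp/tls.key.pk8 -text -noout >/dev/null
          # Валидация: cert и key должны совпадать
          openssl pkey -in /tmp/tls.key.pk8 -pubout -out /tmp/key.pub
          openssl x509 -in /mounted-certs/tls.crt -pubkey -noout > /tmp/cert.pub
          diff -u /tmp/key.pub /tmp/cert.pub >/dev/null
          {
            printf '\nssl.keystore.key='
            awk '{ sub(/\r$/, ""); printf "%s\\\\n", $0 }' /tmp/tls.key.pk8
            printf '\n'
            printf 'ssl.keystore.certificate.chain='
            awk '{ sub(/\r$/, ""); printf "%s\\\\n", $0 }' /mounted-certs/tls.crt
            printf '\n'
            printf 'ssl.truststore.certificates='
            awk '{ sub(/\r$/, ""); printf "%s\\\\n", $0 }' /mounted-certs/ca.crt
            printf '\n'
          } >> /config/server.properties
          # The unencrypted PKCS#8 key and the derived public keys are not
          # needed once appended; remove them in case /tmp is a volume that
          # the main container also mounts.
          rm -f /tmp/tls.key.pk8 /tmp/key.pub /tmp/cert.pub
    global:
      # Same pull secret is also listed under image.pullSecrets below.
      imagePullSecrets:
        - regcred
      defaultStorageClass: local-path
    image:
      pullSecrets:
        - regcred
    # Single combined node: one controller, no dedicated brokers.
    controller:
      replicaCount: 1
      # NOTE(review): presumably required for the Vault Kubernetes auth
      # configured under `vault` below — confirm nothing else needs the token.
      automountServiceAccountToken: true
      persistence:
        size: 8Gi
        storageClass: local-path
    broker:
      replicaCount: 0
      automountServiceAccountToken: true
    listeners:
      client:
        protocol: SASL_SSL
    provisioning:
      enabled: false
    sasl:
      managedExistingSecret:
        enabled: false
      existingSecret: ""
      enabledMechanisms: PLAIN,SCRAM-SHA-512
      interBrokerMechanism: PLAIN
      controllerMechanism: PLAIN
      # No client credentials are defined here; only the inter-broker and
      # controller passwords are mapped from Vault below.
      client:
        users: []
        passwords: ""
    tls:
      # PEM material comes from /mounted-certs (tls.key, tls.crt, ca.crt) and
      # is spliced into server.properties by the extraInit script above.
      type: PEM
    vault:
      enabled: true
      role: kafka
      authPath: auth/kubernetes
      # KV v2 data path; the *Key fields name the entries read from it.
      secretPath: secrets/data/kafka/bootstrap
      clusterIdKey: clusterId
      interBrokerPasswordKey: interBrokerPassword
      controllerPasswordKey: controllerPassword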