[fix] Enable Kafka TLS when TLS auth is specified #2107
Conversation
Signed-off-by: Pavol Loffay <[email protected]>
| expected: auth.AuthenticationConfig{Authentication: "tls", Kerberos: auth.KerberosConfig{ServiceName: "kafka", ConfigPath: "/etc/krb5.conf", KeyTabPath: "/etc/security/kafka.keytab"}, TLS: tlscfg.Options{Enabled: true}}, | ||
| }, | ||
| { | ||
| flags: []string{"--kafka.consumer.authentication=tls", "--kafka.consumer.tls.enabled=false"}, |
There was a problem hiding this comment.
This means that if someone explicitly set tls.enabled to false, this will be silently changed to true`. I have nothing against that, but perhaps there's a way to detect whether this value was explicitly provided and keep whatever the user set?
There was a problem hiding this comment.
it can be done by changing the enabled property to a pointer. I am not sure if there is much value in it. Some signatures will have to be also changed to accept the logger.
More controversial is this setting
// --kafka.consumer.authentication=kerberos",
--kafka.consumer.tls.enabled=true"
Somebody omitting the auth type and specifying tls.enabled=true.
There was a problem hiding this comment.
@yurishkuro any thoughts on this? I don't have a strong opinion whether kafka.consumer.tls.enabled=true should set kafka.consumer.authentication=tls.
There was a problem hiding this comment.
From Gitter, we just saw a case where a user wants TLS encryption between the agent and collector without the auth parts. kafka.producer.tls.enabled=true + kafka.producer.authentication=none is a valid combination.
There was a problem hiding this comment.
You are right, it's confusing for people to have both kafka.producer.tls.enabled and kafka.producer.authentication they will probably tend to forget the second one.
I have updated the PR to set tls auth when .tls.enabled is true.
There was a problem hiding this comment.
I have updated the PR to set tls auth when .tls.enabled is true.
It's the opposite. tls.enabled does not imply authentication=tls. It's perfectly possible to have authentication=none but the traffic be encrypted using TLS.
There was a problem hiding this comment.
@jpkrohling I am not sure if I understand you...
It's perfectly possible to have authentication=none but the traffic be encrypted using TLS.
This is exactly what the PR does.
There was a problem hiding this comment.
Sorry, I misunderstood you, you are absolutely correct :-)
Codecov Report
@@ Coverage Diff @@
## master #2107 +/- ##
==========================================
- Coverage 96.27% 96.11% -0.17%
==========================================
Files 214 217 +3
Lines 10535 10541 +6
==========================================
- Hits 10143 10131 -12
- Misses 333 354 +21
+ Partials 59 56 -3Continue to review full report at Codecov.
|
Signed-off-by: Pavol Loffay <[email protected]>
pkg/kafka/auth/config.go
Outdated
| if config.Authentication == tls { | ||
| config.TLS.Enabled = true | ||
| } | ||
| if config.TLS.Enabled == true { |
There was a problem hiding this comment.
in L83, can we change ShowEnabled to false?
There was a problem hiding this comment.
It will break jaeger-operator and clients which adopted 1.17
There was a problem hiding this comment.
Fair enough, but do we really want to keep this duality? We can extend the config to render tls.enabled as deprecated, and add warnings when used.
There was a problem hiding this comment.
I can try to do that, I don't like the current design either.
There was a problem hiding this comment.
I thought @jpkrohling had mentioned a required use case where TLS could be enabled, but authentication set to none or something other than tls?
There was a problem hiding this comment.
I have created an issue to remove them in the next release #2111
There was a problem hiding this comment.
@objectiser yes, the current flags are misleading for people because there is overlap betwen:
--kafka.consumer.authentication
--kafka.consumer.tls.enabled
The goal is to remove the second one.
Signed-off-by: Pavol Loffay <[email protected]>
pkg/kafka/auth/config.go
Outdated
| @@ -89,3 +90,14 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper. | |||
| config.PlainText.UserName = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextUserName) | |||
| config.PlainText.Password = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextPassword) | |||
| } | |||
|
|
|||
| // Normalize normalizes kafka options | |||
| func (config *AuthenticationConfig) Normalize(logger *zap.Logger) { | |||
There was a problem hiding this comment.
I had to add to split InitFromViper and Normalize. InitFromViper is called via storage factory and it does not have access to the logger when doing the call.
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
|
@jaegertracing/jaeger-maintainers can anybody review this? |
cmd/ingester/app/flags_test.go
Outdated
| }, | ||
| { | ||
| flags: []string{"--kafka.consumer.authentication=kerberos", "--kafka.consumer.tls.enabled=true"}, | ||
| expected: auth.AuthenticationConfig{Authentication: "tls", Kerberos: auth.KerberosConfig{ServiceName: "kafka", ConfigPath: "/etc/krb5.conf", KeyTabPath: "/etc/security/kafka.keytab"}, TLS: tlscfg.Options{Enabled: true}}, |
There was a problem hiding this comment.
why is Authentication: "tls" here?
pkg/kafka/auth/config.go
Outdated
| @@ -85,6 +85,12 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper. | |||
| } | |||
|
|
|||
| config.TLS = tlsClientConfig.InitFromViper(v) | |||
| if config.TLS.Enabled { | |||
| config.Authentication = tls | |||
There was a problem hiding this comment.
I don't think this is correct. Other modes can be compatible with TLS according to @jpkrohling, so just having tls.enabled should not change the auth scheme.
There was a problem hiding this comment.
I have removed this and made change to pkg/kafka/auth/config.go to load TLS when tls.enabled=true
| @@ -164,3 +167,43 @@ func TestRequiredAcksFailures(t *testing.T) { | |||
| _, err := getRequiredAcks("test") | |||
| assert.Error(t, err) | |||
| } | |||
|
|
|||
| func TestTLSFlags(t *testing.T) { | |||
There was a problem hiding this comment.
These tests are duplicated. Don't we have Kafka flags parsed by a packaged shared between ingester and storage?
There was a problem hiding this comment.
Both tests are in different packages, there is no shared test class.
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
* [fix] Enable Kafka TLS when TLS auth is specified Signed-off-by: Pavol Loffay <[email protected]> * Use TLS when tls.enabled=true Signed-off-by: Pavol Loffay <[email protected]> * Log deprecation message Signed-off-by: Pavol Loffay <[email protected]> * Fix fmt and lint Signed-off-by: Pavol Loffay <[email protected]> * Remove deprecated TLS enabled flag Signed-off-by: Pavol Loffay <[email protected]> * Review comments Signed-off-by: Pavol Loffay <[email protected]> * Add tls case back Signed-off-by: Pavol Loffay <[email protected]>
Resolves #2092
Signed-off-by: Pavol Loffay [email protected]