Kafka Scaler with both SASL and SSL(TLS)

[zroubalik]

First of all I'd like to say, that I am not a Kafka expert.

Currently there's no way, how to set both SSL (cert, key, cacert) and SASL (username, password) for client in Kafka scaler, look at the code below:

keda/pkg/scalers/kafka_scaler.go

Lines 144 to 173 in bf25619

	if meta.authMode != kafkaAuthModeForNone && meta.authMode != kafkaAuthModeForSaslSSL {
	if authParams["username"] == "" {
	return meta, errors.New("no username given")
	}
	meta.username = strings.TrimSpace(authParams["username"])
	if authParams["password"] == "" {
	return meta, errors.New("no password given")
	}
	meta.password = strings.TrimSpace(authParams["password"])
	}
	if meta.authMode == kafkaAuthModeForSaslSSL {
	if authParams["ca"] == "" {
	return meta, errors.New("no ca given")
	}
	meta.ca = authParams["ca"]
	if authParams["cert"] == "" {
	return meta, errors.New("no cert given")
	}
	meta.cert = authParams["cert"]
	if authParams["key"] == "" {
	return meta, errors.New("no key given")
	}
	meta.key = authParams["key"]
	}
	return meta, nil

There are several options for Authentication of Kafka Scaler, but I haven't found a one, that allows me to specify both.

Is this a correct behavior? IMHO it should be possible to specify both.

[zroubalik]

FYI^ @tbickford @iyacontrol @ppatierno @grassiale @rasavant-ms @ahmelsayed @flecno

(sorry for the spam, but wasn't sure whom to ask, so I simply look at the contribution history on the Kafka Scaler 😅)

[ppatierno]

@zroubalik from what I see here

keda/pkg/scalers/kafka_scaler.go

Line 201 in bf25619

func getKafkaClients(metadata kafkaMetadata) (sarama.Client, sarama.ClusterAdmin, error) {

it's supported by mixing SSL with other SASL mechanisms for authentication like PLAINTEXT and SCRAM-SHA with both username and password. It's also possible to use SSL client authentication using the certificates.
Said that ... I really think that both codes need a refactoring because I can understand that it's not clear.
Enabling SSL is a different thing than enabling a specific SASL authentication mechanism.
At scaler level configuration I would differentiate them in two different parameters (encryption/tls and authentication) instead of having these kafkaAuthModeForXXXXX const trying to mix every single way.

[zroubalik]

At scaler level configuration I would differentiate them in two different parameters (encryption/tls and authentication) instead of having these kafkaAuthModeForXXXXX const trying to mix every single way.

+1000 that code is a mess

@ppatierno OK, but while looking at the code, the only authmode where you can specify certificates is in this if block metadata.authMode == kafkaAuthModeForSaslSSL, but for this authmode, you can't specify username and password.

keda/pkg/scalers/kafka_scaler.go

Line 224 in bf25619

if metadata.authMode == kafkaAuthModeForSaslSSL {