6744 - Fix Kafka TLS configuration with plaintext authentication #6764
Conversation
This change fixes the Kafka TLS configuration to work correctly when tls.enabled flag is not provided but authentication=tls is set. Previously, TLS would not be enabled in this case. Changes: - TLS is now properly configured when authentication=tls, regardless of tls.enabled - Maintains backward compatibility with existing tls.enabled flag - Sets explicit insecure mode only when TLS is intentionally disabled Testing: - Added unit tests for TLS configuration scenarios - Verified with local Kafka cluster using TLS authentication - Tested with HotROD example application Resolves jaegertracing#6744 Signed-off-by: Amol Verma <[email protected]>
This change fixes the Kafka TLS configuration to work correctly when using plaintext authentication with TLS enabled. Previously, TLS would only be configured when authentication=tls, breaking SASL-SSL with PLAIN authentication. Changes: - Modified TLS configuration logic to support TLS with other authentication methods - Fixed SASL-SSL with PLAIN authentication scenario - Maintained backward compatibility with existing authentication methods - Restored pre-PR-6270 behavior for TLS configuration Resolves jaegertracing#6744 Signed-off-by: Amol Verma <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #6764 +/- ##
===========================================
- Coverage 96.04% 49.05% -47.00%
===========================================
Files 364 177 -187
Lines 20692 10697 -9995
===========================================
- Hits 19874 5247 -14627
- Misses 624 5056 +4432
- Partials 194 394 +200
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
what are you trying to achieve by merging main? It erases the CI checks which clearly show that your PR does not pass the linter. |
Signed-off-by: Amol Verma <[email protected]>
amilbcahat
force-pushed
the
fix-kafka-tls-plaintext-6744
branch
from
c2267d2 to
2b355d0
Compare
I was updating the branch to latest, just that. I have committed for Lint checks , now. Can you check again ? |
This change fixes the Kafka TLS configuration to work correctly when using plaintext authentication with TLS enabled. Previously, TLS would only be configured when authentication=tls, breaking SASL-SSL with PLAIN authentication. Resolves jaegertracing#6744 Signed-off-by: Amol Verma <[email protected]>
- Fix TLS configuration initialization for Kafka auth - Add proper handling of system CA certs pool - Set secure defaults for TLS configuration - Remove redundant code comments Signed-off-by: Amol Verma <[email protected]> Signed-off-by: Amol Verma <[email protected]>
- Fix TLS configuration initialization for Kafka auth - Add proper handling of system CA certs pool - Set secure defaults for TLS configuration - Remove redundant code comments Signed-off-by: Amol Verma <[email protected]> Signed-off-by: Amol Verma <[email protected]>
|
I have made the corrections for Unit Tests, can you update the PR label please ? @yurishkuro and run it again, I dont have necessary permissions to add the label I think. |
| tlsClientConfig := tlscfg.ClientFlagsConfig{ | ||
| Prefix: configPrefix, | ||
| } | ||
| tlsCfg, err := tlsClientConfig.InitFromViper(v) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to process Kafka TLS options: %w", err) | ||
| } | ||
| tlsCfg.IncludeSystemCACertsPool = (config.Authentication == tls) |
There was a problem hiding this comment.
This is needed to maintain the security model difference between TLS authentication and TLS encryption:
- When using TLS authentication (auth="tls"), we need system CA certs to validate client certificates
- When using TLS encryption with SASL PLAIN auth, we don't need system CA certs
The unit tests specifically verify this distinction.
There was a problem hiding this comment.
When using TLS encryption with SASL PLAIN auth, we don't need system CA certs
why? The only time you don't need system certs is if you are providing your own. Am I wrong about that?
There was a problem hiding this comment.
Yes, you are right. Both modes need CA certs for TLS validation, but they use different sources:
-
TLS auth (authentication="tls"):
- IncludeSystemCACertsPool=true to validate client/server certificates using system CA pool
- Uses mutual TLS where both authenticate each other
-
SASL PLAIN with TLS:
- IncludeSystemCACertsPool=false because it validates the server certificate using explicitly provided CA cert
- Client authentication happens via username/password
The tests expect this specific behavior to enforce these different trust models, without this distinction tests fails. Both approaches provide certificate validation, just from different trust sources.
| tlsClientConfig := tlscfg.ClientFlagsConfig{ | ||
| Prefix: configPrefix, | ||
| } | ||
| tlsCfg, err := tlsClientConfig.InitFromViper(v) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to process Kafka TLS options: %w", err) | ||
| } | ||
| tlsCfg.IncludeSystemCACertsPool = (config.Authentication == tls) | ||
| tlsCfg.Insecure = false |
There was a problem hiding this comment.
isn't this already being set via .tls.enabled?
There was a problem hiding this comment.
While .tls.enabled sets up TLS configuration, we still need to explicitly ensure Insecure=false for all TLS usage. Without this line, the tests fail because they expect Insecure to be false when TLS auth is used.
|
what is the testing procedure for this change? How do we know it does what's needed? |
To verify this fix works, I've set up a test environment with:
Docker Image configuration used -
Verified with standard Kafka clients (producer/consumer) that the connection works with the same settings Without the fix in PR #6764, the ingester command would fail because TLS settings weren't properly applied when using SASL PLAIN authentication. With the fix, the connection succeeds. Do you need any more configuration related information used for testing here ? |
Is this something we can add to |
Yes, we can add an integration test in
This would formalize the manual test case I've been using to verify the fix. Would you like me to implement this as part of the PR? |
|
Yes, I prefer the tests to be part of the PR. However, is it possible to configure a single instance of Kafka to work with different auth-n methods, or do we need to spin different Kafka container for each auth flavor? The latter is much more expensive to run in the CI. |
Yes, this is possible. We can open different listeners in the same Kafka instance to work with different types of Authentication/security protocols. Should I go ahead with implementation ? |
|
yes, sounds good. One broker/container, multiple listeners, multiple tests using different ports. I would recommend not running a full test suite against each listener, only some basic write/read tests. |
Sure, I will keep in mind |
Which problem is this PR solving?
Description of the changes
How was this change tested?
Checklist
jaeger:make lint test