Enables SSL_SASL

[abohmeed]

What this PR does / why we need it:
Enables SASL_SSL for Kafka cluster connections
Which issue(s) this PR fixes:
#4415

Fixes #

Special notes for your reviewer:

[seldondev]

Hi @abohmeed. Thanks for your PR.

I'm waiting for a SeldonIO or todo member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the jenkins-x/lighthouse repository.

[abohmeed]

/assign @RafalSkolasinski

[abohmeed]

@RafalSkolasinski I've reopened the PR since the last one was incorrect

[RafalSkolasinski]

@abohmeed thanks for linking the issue - it may be better to re-open the previous PR as @agrski already left some review comments there? There is no need to re-opening as new PR.

[abohmeed]

@RafalSkolasinski Thanks. The old PR had unnecessary files modified (like topics.go) on which @agrski placed comments. So, I had to fix my branch and reopen a new PR where only two files are changed: server.go and utils.go. Sorry for any inconvenience.

[RafalSkolasinski]

@abohmeed Once you fix your branch and push the PR should automatically update itself. If this is not the case it could be because you opened it from your master branch - you could then try to create feature branch in your fork and open a PR from it. Other than changing the source branch of the PR you should not need to open a new one. Unless I am missing something?

[abohmeed]

@RafalSkolasinski Can't we just use this PR instead? I'm afraid I cannot reopen the old one since I re-forked the repo to avoid any issues.

[RafalSkolasinski]

Okay, re-forking probably changes the situation. Let's continue here then 👍

[abohmeed]

@agrski I've addressed your comments from the previous PR (closed) except for this one #4414 (comment). Can we open a new conversation about it in this PR?

[RafalSkolasinski]

/test integration

[RafalSkolasinski]

We have executor tests failing with

vet: api/util/utils.go:195:3: unknown field Password in struct literal

[RafalSkolasinski]

@abohmeed you should be able to run these tests locally with make test inside executor directory.

[abohmeed]

@RafalSkolasinski Thanks for getting back to me.
I made the necessary fixes and ran make test locally and it passed.

[RafalSkolasinski]

/test integration

[agrski]

Thanks again @abohmeed for improving the Kafka support here. Thanks also for tidying up the PR to
These comments aren't blockers, but it'd be good to discuss/implement them to make this PR even more useful.

On the other hand, I think this PR should also update executor/logger/worker.go to add in equivalent config handling there. This is the component that writes inference logs to Kafka (as opposed to a REST endpoint).

[agrski]

Suggested change

	UserName string
	Username string

🙃 Minor point for consistency with Kafka, which treats this as one word rather than two

[agrski]

💭 The SASL config is only relevant when we know we're using SASL_SSL so belongs within that conditional, ideally. This isn't a major change, but would be a little cleaner.

[abohmeed]

/test integration

[seldondev]

@abohmeed: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/test integration

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the jenkins-x/lighthouse repository.

[abohmeed]

@agrski Thanks for your comments. I've addressed both points.

[abohmeed]

@RafalSkolasinski @agrski Any updates? 🙂

[agrski]

@RafalSkolasinski @agrski Any updates? slightly_smiling_face

Hi @abohmeed, just getting back to this now. Thanks for being so responsive and applying the recommendations.

[agrski]

💭 To avoid the potential for duplication here, structuring this block of code like the below pseudo-code would help:

if protocol == "SSL" || protocol == "SASL_SSL" {
    getSslElements()
    // set up SSL
}
if protocol == "PLAIN" || protocol == "SASL_PLAIN" {
    getSaslElements()
    // set up SASL
}

Does that makes sense? The idea is that instead of nesting logic, we do SSL setup if we need to, and independently SASL setup if we need to.

[agrski]

This pattern would then apply to all 3 locations where changes need to happen (currently plaintext is only handled in 2 of them!)

[abohmeed]

Yes, but if the protocol is PLAIN without SASL then why grap SASL username and password at all? afaik PLAIN mean no authentication mechanism.

[abohmeed]

OK after reading your second comment, I will apply the change (if the docs say so 😉)

[abohmeed]

Done

[agrski]

🔧 From checking Kafka docs, I'm pretty sure the security protocol should be SASL_PLAINTEXT (or PLAINTEXT) instead of SASL_PLAIN.
It's the SASL mechanism that might be PLAIN.

[abohmeed]

Done

[abohmeed]

@agrski I've addressed your latest comments

[abohmeed]

@RafalSkolasinski @agrski Any updates yet? 🙂

[agrski]

Let's get this in!

[seldondev]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agrski

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [agrski]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[agrski]

The docs test failing feels like flakiness given nothing in this PR affects it, so I'll merge in spite of that.