Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enables SSL_SASL #4416

Merged
merged 5 commits into from
Nov 7, 2022
Merged

Enables SSL_SASL #4416

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
42811af
Enables SSL_SASL
abohmeed Oct 31, 2022
35deeab
Addresses reviewer comments
abohmeed Oct 31, 2022
349155e
Fixes errors when testing
abohmeed Oct 31, 2022
8cc2ee3
Adds SASL_PLAIN support, modifies logger/worker.go
abohmeed Nov 2, 2022
4bbef47
Addresses comment discussion_r1013886734
abohmeed Nov 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 26 additions & 3 deletions executor/api/kafka/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ func NewKafkaServer(fullGraph bool, workers int, deploymentName, namespace, prot
"go.delivery.reports": false, // Need this othewise will get memory leak
}
if broker != "" {
if util.GetKafkaSecurityProtocol() == "SSL" {
if util.GetKafkaSecurityProtocol() == "SSL" || util.GetKafkaSecurityProtocol() == "SASL_SSL" {
sslKakfaServer := util.GetSslElements()
producerConfigMap["security.protocol"] = util.GetKafkaSecurityProtocol()
if sslKakfaServer.CACertFile != "" && sslKakfaServer.ClientCertFile != "" {
Expand All @@ -101,7 +101,22 @@ func NewKafkaServer(fullGraph bool, workers int, deploymentName, namespace, prot
producerConfigMap["ssl.certificate.pem"] = sslKakfaServer.ClientCert
}
producerConfigMap["ssl.key.password"] = sslKakfaServer.ClientKeyPass // Key password, if any

if util.GetKafkaSecurityProtocol() == "SASL_SSL" { //if we also have SASL enabled, then we need to provide the necessary settings in addition to SSL
agrski marked this conversation as resolved.
Show resolved Hide resolved
saslKafkaServer := util.GetSaslElements()
producerConfigMap["sasl.mechanisms"] = saslKafkaServer.Mechanism
if saslKafkaServer.UserName != "" && saslKafkaServer.Password != "" {
producerConfigMap["sasl.username"] = saslKafkaServer.UserName
producerConfigMap["sasl.password"] = saslKafkaServer.Password
}
}
}
if util.GetKafkaSecurityProtocol() == "SASL_PLAIN" || util.GetKafkaSecurityProtocol() == "PLAIN" { //if we also have SASL enabled, then we need to provide the necessary (no SSL)
saslKafkaServer := util.GetSaslElements()
producerConfigMap["sasl.mechanisms"] = saslKafkaServer.Mechanism
if saslKafkaServer.UserName != "" && saslKafkaServer.Password != "" {
producerConfigMap["sasl.username"] = saslKafkaServer.UserName
producerConfigMap["sasl.password"] = saslKafkaServer.Password
}
}
}

Expand Down Expand Up @@ -180,7 +195,7 @@ func (ks *SeldonKafkaServer) Serve() error {
"auto.offset.reset": "earliest",
}

if util.GetKafkaSecurityProtocol() == "SSL" {
if util.GetKafkaSecurityProtocol() == "SSL" || util.GetKafkaSecurityProtocol() == "SASL_SSL" {
sslKakfaServer := util.GetSslElements()
consumerConfigMap["security.protocol"] = util.GetKafkaSecurityProtocol()
if sslKakfaServer.CACertFile != "" && sslKakfaServer.ClientCertFile != "" {
Expand All @@ -194,6 +209,14 @@ func (ks *SeldonKafkaServer) Serve() error {
consumerConfigMap["ssl.certificate.pem"] = sslKakfaServer.ClientCert
}
consumerConfigMap["ssl.key.password"] = sslKakfaServer.ClientKeyPass // Key password, if any
if util.GetKafkaSecurityProtocol() == "SASL_SSL" { //if we also have SASL enabled, then we need to provide the necessary settings in addition to SSL
saslKafkaServer := util.GetSaslElements()
consumerConfigMap["sasl.mechanisms"] = saslKafkaServer.Mechanism
if saslKafkaServer.UserName != "" && saslKafkaServer.Password != "" {
consumerConfigMap["sasl.username"] = saslKafkaServer.UserName
consumerConfigMap["sasl.password"] = saslKafkaServer.Password
}
}
}

c, err := kafka.NewConsumer(&consumerConfigMap)
Expand Down
19 changes: 19 additions & 0 deletions executor/api/util/utils.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,16 @@ func (o SslKakfa) String() string {
return "SslKakfa"
}

type SaslKafka struct {
UserName string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
UserName string
Username string

🙃 Minor point for consistency with Kafka, which treats this as one word rather than two

Password string
Mechanism string
}

func (o SaslKafka) String() string {
return "SaslKafka"
}

func GetKafkaSecurityProtocol() string {
return strings.ToUpper(GetEnv("KAFKA_SECURITY_PROTOCOL", ""))
}
Expand All @@ -176,3 +186,12 @@ func GetSslElements() *SslKakfa {
return &sslElements

}

func GetSaslElements() *SaslKafka {
saslElements := SaslKafka{
UserName: GetEnv("KAFKA_SASL_USERNAME", ""),
Password: GetEnv("KAFKA_SASL_PASSWORD", ""),
Mechanism: GetEnv("KAFKA_SASL_MECHANISM", ""),
}
return &saslElements
}
17 changes: 16 additions & 1 deletion executor/logger/worker.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,22 @@ func NewWorker(id int, workQueue chan LogRequest, log logr.Logger, sdepName stri
producerConfigMap["ssl.certificate.pem"] = sslKafka.ClientCert
}
producerConfigMap["ssl.key.password"] = sslKafka.ClientKeyPass // Key password, if any

if util.GetKafkaSecurityProtocol() == "SASL_SSL" { //if we also have SASL enabled, then we need to provide the necessary settings in addition to SSL
saslKafkaServer := util.GetSaslElements()
producerConfigMap["sasl.mechanisms"] = saslKafkaServer.Mechanism
if saslKafkaServer.UserName != "" && saslKafkaServer.Password != "" {
producerConfigMap["sasl.username"] = saslKafkaServer.UserName
producerConfigMap["sasl.password"] = saslKafkaServer.Password
}
}
}
if util.GetKafkaSecurityProtocol() == "SASL_PLAIN" || util.GetKafkaSecurityProtocol() == "PLAIN" { //if we also have SASL enabled, then we need to provide the necessary (no SSL)
saslKafkaServer := util.GetSaslElements()
producerConfigMap["sasl.mechanisms"] = saslKafkaServer.Mechanism
if saslKafkaServer.UserName != "" && saslKafkaServer.Password != "" {
producerConfigMap["sasl.username"] = saslKafkaServer.UserName
producerConfigMap["sasl.password"] = saslKafkaServer.Password
}
}

producer, err = kafka.NewProducer(&producerConfigMap)
Expand Down