-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[fix] Enable Kafka TLS when TLS auth is specified #2107
Conversation
Signed-off-by: Pavol Loffay <[email protected]>
expected: auth.AuthenticationConfig{Authentication: "tls", Kerberos: auth.KerberosConfig{ServiceName: "kafka", ConfigPath: "/etc/krb5.conf", KeyTabPath: "/etc/security/kafka.keytab"}, TLS: tlscfg.Options{Enabled: true}}, | ||
}, | ||
{ | ||
flags: []string{"--kafka.consumer.authentication=tls", "--kafka.consumer.tls.enabled=false"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This means that if someone explicitly set tls.enabled
to false, this will be silently changed to
true`. I have nothing against that, but perhaps there's a way to detect whether this value was explicitly provided and keep whatever the user set?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it can be done by changing the enabled
property to a pointer. I am not sure if there is much value in it. Some signatures will have to be also changed to accept the logger.
More controversial is this setting
// --kafka.consumer.authentication=kerberos",
--kafka.consumer.tls.enabled=true"
Somebody omitting the auth type and specifying tls.enabled=true
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yurishkuro any thoughts on this? I don't have a strong opinion whether kafka.consumer.tls.enabled=true
should set kafka.consumer.authentication=tls
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From Gitter, we just saw a case where a user wants TLS encryption between the agent and collector without the auth parts. kafka.producer.tls.enabled=true
+ kafka.producer.authentication=none
is a valid combination.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, it's confusing for people to have both kafka.producer.tls.enabled
and kafka.producer.authentication
they will probably tend to forget the second one.
I have updated the PR to set tls
auth when .tls.enabled
is true
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have updated the PR to set tls auth when .tls.enabled is true.
It's the opposite. tls.enabled
does not imply authentication=tls
. It's perfectly possible to have authentication=none
but the traffic be encrypted using TLS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jpkrohling I am not sure if I understand you...
It's perfectly possible to have authentication=none but the traffic be encrypted using TLS.
This is exactly what the PR does.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I misunderstood you, you are absolutely correct :-)
Codecov Report
@@ Coverage Diff @@
## master #2107 +/- ##
==========================================
- Coverage 96.27% 96.11% -0.17%
==========================================
Files 214 217 +3
Lines 10535 10541 +6
==========================================
- Hits 10143 10131 -12
- Misses 333 354 +21
+ Partials 59 56 -3 Continue to review full report at Codecov.
|
Signed-off-by: Pavol Loffay <[email protected]>
pkg/kafka/auth/config.go
Outdated
if config.Authentication == tls { | ||
config.TLS.Enabled = true | ||
} | ||
if config.TLS.Enabled == true { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in L83, can we change ShowEnabled to false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It will break jaeger-operator and clients which adopted 1.17
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough, but do we really want to keep this duality? We can extend the config to render tls.enabled as deprecated, and add warnings when used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can try to do that, I don't like the current design either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought @jpkrohling had mentioned a required use case where TLS could be enabled, but authentication set to none
or something other than tls
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have created an issue to remove them in the next release #2111
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@objectiser yes, the current flags are misleading for people because there is overlap betwen:
--kafka.consumer.authentication
--kafka.consumer.tls.enabled
The goal is to remove the second one.
Signed-off-by: Pavol Loffay <[email protected]>
pkg/kafka/auth/config.go
Outdated
@@ -89,3 +90,14 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper. | |||
config.PlainText.UserName = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextUserName) | |||
config.PlainText.Password = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextPassword) | |||
} | |||
|
|||
// Normalize normalizes kafka options | |||
func (config *AuthenticationConfig) Normalize(logger *zap.Logger) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had to add to split InitFromViper
and Normalize
. InitFromViper
is called via storage factory and it does not have access to the logger when doing the call.
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
@jaegertracing/jaeger-maintainers can anybody review this? |
cmd/ingester/app/flags_test.go
Outdated
}, | ||
{ | ||
flags: []string{"--kafka.consumer.authentication=kerberos", "--kafka.consumer.tls.enabled=true"}, | ||
expected: auth.AuthenticationConfig{Authentication: "tls", Kerberos: auth.KerberosConfig{ServiceName: "kafka", ConfigPath: "/etc/krb5.conf", KeyTabPath: "/etc/security/kafka.keytab"}, TLS: tlscfg.Options{Enabled: true}}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why is Authentication: "tls"
here?
pkg/kafka/auth/config.go
Outdated
@@ -85,6 +85,12 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper. | |||
} | |||
|
|||
config.TLS = tlsClientConfig.InitFromViper(v) | |||
if config.TLS.Enabled { | |||
config.Authentication = tls |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is correct. Other modes can be compatible with TLS according to @jpkrohling, so just having tls.enabled
should not change the auth scheme.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have removed this and made change to pkg/kafka/auth/config.go
to load TLS when tls.enabled=true
@@ -164,3 +167,43 @@ func TestRequiredAcksFailures(t *testing.T) { | |||
_, err := getRequiredAcks("test") | |||
assert.Error(t, err) | |||
} | |||
|
|||
func TestTLSFlags(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These tests are duplicated. Don't we have Kafka flags parsed by a packaged shared between ingester and storage?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Both tests are in different packages, there is no shared test class.
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
* [fix] Enable Kafka TLS when TLS auth is specified Signed-off-by: Pavol Loffay <[email protected]> * Use TLS when tls.enabled=true Signed-off-by: Pavol Loffay <[email protected]> * Log deprecation message Signed-off-by: Pavol Loffay <[email protected]> * Fix fmt and lint Signed-off-by: Pavol Loffay <[email protected]> * Remove deprecated TLS enabled flag Signed-off-by: Pavol Loffay <[email protected]> * Review comments Signed-off-by: Pavol Loffay <[email protected]> * Add tls case back Signed-off-by: Pavol Loffay <[email protected]>
Resolves #2092
Signed-off-by: Pavol Loffay [email protected]