KAFKA BRIDGE error enhancement

[sreejesh-radhakrishnan-db]

Hi
Might be an enhancement or might be I am looking at wrong place for log. Please correct me.

I use an CN based authorization and my observation is if the KAFKA user is not added , then the curl to BRIDGE just return with an empty arrray [] like below

I cannot see any error in KAKFA bridge pod, Operator or in KAFKA which says access was denied due to AUTHORIZATION and user was not present. ( I usally get this type of error if I try to have a producer with user not present in kafka)

• Connected to my-bridge-bridge-service.gpds-kafka (240.0.250.191) port 8080 (#0)

GET /topics HTTP/1.1
Host: my-bridge-bridge-service.gpds-kafka:8080
User-Agent: curl/7.61.1
Accept: /

< HTTP/1.1 200 OK
< content-type: application/vnd.kafka.v2+json
< content-length: 2
<
{ [2 bytes data]

100 2 100 2 0 0 62 0 --:--:-- --:--:-- --:--:-- 64

• Connection #0 to host my-bridge-bridge-service.gpds-kafka left intact
  []

After the user was provisioned

kafkauser.kafka.strimzi.io/bridgetechuser created

Note: Unnecessary use of -X or --request, GET is already inferred.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 240.0.250.191...

• TCP_NODELAY set
• Connected to my-bridge-bridge-service.gpds-kafka (240.0.250.191) port 8080 (#0)

GET /topics HTTP/1.1
Host: my-bridge-bridge-service.gpds-kafka:8080
User-Agent: curl/7.61.1
Accept: /

< HTTP/1.1 200 OK
< content-type: application/vnd.kafka.v2+json
< content-length: 584
<
{ [584 bytes data]

100 584 100 584 0 0 11230 0 --:--:-- --:--:-- --:--:-- 11230

• Connection #0 to host my-bridge-bridge-service.gpds-kafka left intact
  ["__strimzi_store_topic","inttest.integration-events-proto"]

Please let me know which error log should I look.

[ppatierno]

Sorry but I haven't got what you are asking for.
Have you created a KafkaUser and you want to use such a user for authenticating the bridge to the Kafka cluster? Or the HTTP client to the Kafka cluster ? La former is not possible in the bridge. Can you share the KafkaBridge custom resource you are using and the corresponding configuration which is printed at startup in the log please?

[sreejesh-radhakrishnan-db]

Sorry for late response.. KAFKABRIDGE custom resource here

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
metadata:
  name: my-bridge
  namespace: myapp-kafka
spec:
  replicas: 1
  bootstrapServers: myapp-uat-kafka-bootstrap.myapp-kafka:9092
  tls:
    trustedCertificates:
      - secretName: secrets-myapptechuser
        certificate: ca.crt
  authentication:
    type: tls
    certificateAndKey:
      certificate: tls.crt
      key: tls.key
      secretName: secrets-myapptechuser

  http:
    port: 8080
---

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: bridgetechuser
  labels:
    strimzi.io/cluster: myapp-dev1
  namespace: myapp-kafka
spec:
  authentication:
    type: tls-external
  authorization:
    type: simple
    acls:
      # Acls for topic
      - resource:
          type: topic
          name:  "*"
          patternType: literal
        operation: All
        host: "*"
      - resource:
          type: topic
          name:  "*"
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: topic
          name:  "*"
          patternType: literal
        operation: DescribeConfigs
        host: "*"
      - resource:
          type: topic
          name:  "*"
          patternType: literal
        operation: ClusterAction
        host: "*"
      - resource:
          type: group
          name: "*"
          patternType: literal
        operation: Read
        host: "*"
      - resource:
          type: transactionalId
          name: "*"
          patternType: literal
        operation: All
        host: "*"

---

[sreejesh-radhakrishnan-db]

Sorry for bad formatting, I cannot find easy way to paste it and keep formatting on.

My Q was- if the KAFKAUSER is not created +provisioned on KAFKA using KAFKAUSER manifest and when I do a curl to BRIDGE- My expectation was BRIDGE to show some kind of ACL error . which was not the case from example above

[ppatierno]

can you provide me the Kafka custom resource as well. I see that the bridge is connecting to a bootstrap server on port 9092 which is usually configured as PLAIN without TLS or authentication (unless you changed it).

[ppatierno]

Another point ... if the bootstrap server is the TLS enabled one, then this section is wrong:

tls:
    trustedCertificates:
      - secretName: secrets-myapptechuser
        certificate: ca.crt

That's the TLS certificate to trust for connecting via TLS (no authentication yet), so it has to be the cluster CA certificate. So something like <name of cluster>-cluster-ca-cert

[ppatierno]

Adding one more thing, if the KafkaUser doesn't exist so the corresponding Secret with cert/key doesn't exist, the operator will log a reconcile error when you create the KafkaBridge.
In the end, I see different problems in your configuration.