Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bitnami/kafka] Allow setting ssl.client.auth separately for inter-broker, controller, and client listeners #43135

Closed
wants to merge 1 commit into from
Closed

[bitnami/kafka] Allow setting ssl.client.auth separately for inter-broker, controller, and client listeners #43135

wants to merge 1 commit into from

Conversation

Rablet
Copy link
Contributor

@Rablet Rablet commented Aug 1, 2023

Description of the change

The kafka container already has different settings for client auth for client, inter-broker, and controller listeners but it currently uses the same setting for all listeners.

This change allows users to set it separately for inter-broker, controller, and client listeners.

Benefits

This allows ssl client auth for different categories of listeners

Possible drawbacks

An even better change might be to make it configurable per listener (for example, you might have a CLIENT listener which doesn't need it, and an EXTERNAL listener which does need it). This change keeps it simple by retaining the existing settings.

Applicable issues

N/A

Additional information

N/A

@Rablet
Allow ssl.client.auth separately for inter-broker, controller, client…
e83139d 
… listeners

Signed-off-by: Robin <hi@rablet.dev>
@github-actions github-actions bot added the kafka label Aug 1, 2023
@Rablet Rablet mentioned this pull request Aug 1, 2023
Open
@Rablet Rablet changed the title Allow ssl.client.auth separately for inter-broker, controller, client… [bitnami/kafka] Allow setting ssl.client.auth separately for inter-broker, controller, and client listeners Aug 1, 2023
@github-actions github-actions bot added the triage Triage is needed label Aug 1, 2023
@carrodher carrodher added the verify Execute verification workflow for these changes label Aug 1, 2023
@carrodher carrodher removed the request for review from javsalgar August 4, 2023 17:12
jotamartos
jotamartos reviewed Aug 10, 2023
View reviewed changes
Copy link
Contributor

@jotamartos jotamartos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take a look at my comment and I'll take care of updating our systems once these changes are merged.

bitnami/kafka/3.5/debian-11/rootfs/opt/bitnami/scripts/libkafka.sh
kafka_server_conf_set "listener.name.${listener_lower}.ssl.client.auth" "$KAFKA_TLS_INTER_BROKER_AUTH"
if [[ "$listener" = "${KAFKA_CFG_INTER_BROKER_LISTENER_NAME:-INTERNAL}" ]]; then
kafka_server_conf_set "listener.name.${listener_lower}.ssl.client.auth" "$KAFKA_TLS_INTER_BROKER_AUTH"
elif [[ "${KAFKA_CFG_CONTROLLER_LISTENER_NAMES:-CONTROLLER}" =~ $listener ]]; then
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use the same the syntax than in the first if

Suggested change
elif [[ "${KAFKA_CFG_CONTROLLER_LISTENER_NAMES:-CONTROLLER}" =~ $listener ]]; then
elif [[ "$listener" = "${KAFKA_CFG_CONTROLLER_LISTENER_NAMES:-CONTROLLER}" ]]; then

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use the same the syntax than in the first if

I used that format in order to be consistent with how the controller listener is detected on line 995:
elif [[ "${KAFKA_CFG_CONTROLLER_LISTENER_NAMES:-CONTROLLER}" =~ $listener ]]; then
My assumption is it was done that way because the config is a comma separated list rather than just a single name.

In light of that, would you still like me to change it?

@Rablet
Copy link
Contributor Author

Rablet commented Aug 18, 2023

@jotamartos just checking in to see if you're happy with the PR as-is based on my last comment or if you would still like me to change it. Thank you!

@github-actions github-actions bot added in-progress and removed triage Triage is needed labels Aug 18, 2023
@bitnami-bot bitnami-bot assigned CeliaGMqrz and unassigned jotamartos Aug 18, 2023
@carrodher carrodher removed the request for review from CeliaGMqrz August 18, 2023 14:06
@carrodher carrodher assigned jotamartos and unassigned CeliaGMqrz Aug 18, 2023
@Rablet
Copy link
Contributor Author

Rablet commented Aug 22, 2023

Looks like this was implemented in a different way recently:
KAFKA_TLS_<uppercase_controller_listener_name>_CLIENT_AUTH: Configures mTLS authentication method for kafka control plane communications. Allowed values: required, requested, none.
Closing this.

@Rablet Rablet closed this Aug 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jotamartos jotamartos jotamartos left review comments

Assignees

@jotamartos jotamartos

Labels
kafka solved verify Execute verification workflow for these changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Rablet @jotamartos @javsalgar @carrodher @CeliaGMqrz