chore: improve kafka startup logging #696
Conversation
| @@ -98,7 +106,6 @@ func NewKafkaBroker(ctx context.Context) (Broker, error) { | |||
|
|
|||
| //nolint:gosec | |||
| tlsConfig = &tls.Config{ | |||
| MinVersion: tls.VersionTLS12, | |||
There was a problem hiding this comment.
Unrelated, TLS 1.2 is the default value when this field is nil so useless.
internal/kafka/kafka.go
Outdated
| @@ -81,7 +81,15 @@ func NewKafkaBroker(ctx context.Context) (Broker, error) { | |||
| var saslMechanism sasl.Mechanism | |||
|
|
|||
| logger := zerolog.Ctx(ctx) | |||
| logger.Debug().Msgf("Setting up Kafka transport: %v", config.Kafka.Brokers) | |||
| logger.Info().Msgf("Setting up Kafka transport: %v TLS:%b Skip:%b CA:%b Auth:%s SASLMech:%s SASLProto:%s", | |||
There was a problem hiding this comment.
I guess %b should have been %t?
| logger.Info().Msgf("Setting up Kafka transport: %v TLS:%b Skip:%b CA:%b Auth:%s SASLMech:%s SASLProto:%s", | |
| logger.Info().Msgf("Setting up Kafka transport: %v TLS:%t Skip:%t CA:%t Auth:%s SASLMech:%s SASLProto:%s", |
lzap
force-pushed
the
kafka-better-logging
branch
from
4190439 to
ebd8275
Compare
|
Rebased. |
internal/kafka/kafka.go
Outdated
| config.Kafka.Brokers, | ||
| config.Kafka.TlsEnabled, | ||
| config.Kafka.TlsSkipVerify, | ||
| config.Kafka.CACert != "", | ||
| config.Kafka.AuthType, | ||
| config.Kafka.SASL.SaslMechanism, | ||
| config.Kafka.SASL.SecurityProtocol, |
There was a problem hiding this comment.
aren't we more interested in what's in the clowder config directly?
|
/retest |
|
Do not merge, I have some new info about clowder. |
lzap
force-pushed
the
kafka-better-logging
branch
3 times, most recently
from
ae9df73 to
bd2617c
Compare
|
After chat with Derek Horton, he suggest to provide an empty TLS config value as the library is supposed to automatically detect if TLS is present on a cluster or not and use the safest transport. He mentioned that he uses this on their project and it works even after Kafka migration from this weekend. Therefore this patch drops the newly introduced setting completely, I don’t have a TLS Kafka setup in my home lab so we need to test this. Ephemeral is plaintext and stage is TLS so if both works prod should be fine. Then I will remove these flags. |
lzap
force-pushed
the
kafka-better-logging
branch
from
bd2617c to
883efe0
Compare
|
DO NOT MERGE. Looks like Derek was not right, might not work as he described. |
lzap
force-pushed
the
kafka-better-logging
branch
2 times, most recently
from
7dbb463 to
e2aca9c
Compare
|
I am reverting the commit back to the initial one - only improves logging and drops a line that has no effect. Looks like our solution is the best for now. I asked via email if we can use one of clowder's fields to detect TLS, let’s wait until I get some reply. |
|
_Regarding how apps should know whether SSL is on or off moving forward... I think a good example we have is the one Dan Kuc just pushed for malware-detection[1]. You are correct that the only values Clowder sets on this field is either "SSL"[2] or "SASL_SSL"[3,4]. In short, I think you can use this logic to determine if your Kafka client should use SSL or not:
Your client should be able to use SSL with or without the 'cacert' field present. If the field is present, then use that as your client's trust store. If not, then ideally your client falls back to using the "system default trust store" -- which should already trust well-known root CA's like Digicert, Verisign, LetsEncrypt, and so on._ So I will go ahead and drop our own field and rely on this field instead. |
lzap
force-pushed
the
kafka-better-logging
branch
2 times, most recently
from
8a61f31 to
4d7316b
Compare
|
So the latest version drops the KAFKA_TLS_ENABLED flag and uses SecurityProtocol flag to check if it contains "SSL" string. If it does, it configures TLS. The same way it also checks for SASL in the AuthType which should contain this string if SASL should be used. I am keeping the verification skip flag tho, can be useful for local TLS testing. Once this is confirmed to work on both stage and ephemeral we can remove flags from app-interface. I believe this is the final version. |
lzap
force-pushed
the
kafka-better-logging
branch
from
4d7316b to
095e981
Compare
| Password string `env:"PASSWORD" env-default:"" env-description:"kafka SASL password"` | ||
| SaslMechanism string `env:"MECHANISM" env-default:"" env-description:"kafka SASL mechanism (scram-sha-512, scram-sha-256 or plain)"` | ||
| SecurityProtocol string `env:"PROTOCOL" env-default:"" env-description:"kafka SASL security protocol"` | ||
| Enabled bool `env:"ENABLED" env-default:"false" env-description:"kafka service enabled"` |
There was a problem hiding this comment.
should we delete it right away, given we are now quite sure it's probably not gonna be used? :)
There was a problem hiding this comment.
Delete what, enabled flag? How are you going to test Kafka in dev environment (without clowder)?
There was a problem hiding this comment.
Still not sure what you mean here, rebasing anyeway.
| @@ -93,18 +100,17 @@ func NewKafkaBroker(ctx context.Context) (Broker, error) { | |||
| } | |||
| } | |||
|
|
|||
| if config.Kafka.TlsEnabled && !config.InEphemeralClowder() { | |||
| if strings.Contains(strings.ToUpper(config.Kafka.SecurityProtocol), "SSL") { | |||
There was a problem hiding this comment.
I'd love to have the values in constants, but I guess we can contribute that to https://github.com/RedHatInsights/app-common-go and then use it.
So good for now 👍
|
So we got the following info for the field: PLAINTEXT, SSL, SASL_PLAINTEXT, or SASL_SSL I can incorporate this in the help text if necessary. |
Signed-off-by: Lukáš Zapletal <[email protected]>
lzap
force-pushed
the
kafka-better-logging
branch
from
095e981 to
4cccdb5
Compare
|
Rebased the docs-only change. |
|
/retest |
|
Fails on |
|
The error here is - image builder couldn't find the image. Becuase it expired. Will have to update the images for the stub. This is not related to the error sources we were talking about :) |
|
/retest |
|
Thanks! 🧡 |
It looks like we use TLS on stage but not on prod and ephemeral.
This is small logging improvement that should confirm it as we do not dump configuration on prod.