[jaeger] Add kafka authentication option. #76

Merged
merged 2 commits into from
Mar 16, 2020

naseemkullah
Member

Please see title.

Fixes any breakage related to jaegertracing/jaeger#2092 thus fixes #61

cc @pavelnikolov @jpkrohling @arpitjindal97

Signed-off-by: Naseem <naseem@transit.app>
@naseemkullah naseemkullah force-pushed the auth-kafka branch 3 times, most recently from 5b0fa17 to 494cf21 Compare March 13, 2020 12:19
@@ -64,6 +64,8 @@ spec:
value: {{ include "helm-toolkit.utils.joinListWithComma" .Values.storage.kafka.brokers }}
- name: KAFKA_CONSUMER_TOPIC
value: {{ .Values.storage.kafka.topic }}
- name: KAFKA_CONSUMER_AUTHENTICATION
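Review bot: The new `KAFKA_CONSUMER_AUTHENTICATION` entry should not render an empty value when the chart setting is unset. Its `value:` line is not visible in this excerpt, but the neighbouring `KAFKA_CONSUMER_TOPIC` renders `{{ .Values.storage.kafka.topic }}` with no default and no quoting; if the new variable follows the same pattern, wrap it in an `if` or pipe it through `default "none" | quote` so a missing value falls back to the ingester's documented default of "none" instead of an empty string. It would also help to document in `values.yaml` which authentication types the setting accepts.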
Contributor

Not sure how that works in the Helm chart, but note that the Ingester can also be configured with Kafka as backend storage (ie, as producer):

$ podman run -e SPAN_STORAGE_TYPE=kafka jaegertracing/jaeger-ingester:1.17 --help | grep \\.authentication
      --kafka.consumer.authentication string          Authentication type used to authenticate with kafka cluster. e.g. none, kerberos, tls (default "none")
      --kafka.producer.authentication string          Authentication type used to authenticate with kafka cluster. e.g. none, kerberos, tls (default "none")

Member Author

Oh thanks for bringing that up, the chart currently presumes it will only use ES or Cassandra as a backend.

We will have to add the functionality to use kafka as backend (in a separate issue). Any docs covering such use case?

I believe @arpitjindal97 based the implementation off the diagram here: https://www.jaegertracing.io/docs/1.17/architecture/#components

Contributor

@jpkrohling jpkrohling Mar 13, 2020

Interesting, the documentation for jaeger-ingester skips a storage of type kafka. I'm now not sure we actually support that: https://www.jaegertracing.io/docs/1.17/cli/#jaeger-ingester

@objectiser, @kevinearls do you remember if this is a valid scenario? Have we tested this at all? I don't remember anything in the code that would prevent this from happening, and Kafka Producer is just another storage plugin, but perhaps there's indeed something in the code that prevents the ingester from using a kafka storage mechanism?

Contributor

I don't think it is a configuration we would generally support - what is the purpose of ingesting spans from kafka only to then publish them back on kafka (presumably on a different topic)? Surely there are pure kafka related tools that could do that if necessary (e.g. mirrormaker)?

However I am not sure there is anything that explicitly prevents it - although we could add a warning message (or actively prevent it) if we didn't think it was good to allow?

Contributor

@arpitjindal97 arpitjindal97 Mar 14, 2020

Kafka is put in between only to reduce the load on Database. It should not be used as Database.

I think for the time being, chart should have authentication at consumable side. When documentation for using Kafka as DB will be released, then we can add auth for producer side.

Contributor

One scenario I can think of is when load is way too high and putting Kafka in between also isn't working out. We might want to put another Kafka after ingester and then second ingester would put them in DB.

Collector --> Kafka1 --> Ingester1 --> Kafka2 --> Ingester2 --> DB

This works assuming scaling Kafka1 isn't helping much

Contributor

The case I had in mind was more like what mirror maker would do, and you are absolutely right: there are better tools to handle that than chaining ingester -> Kafka -> ingester.

Member Author

Thanks all for explaining!
@jpkrohling can we merge this then?

Deploying Cassandra is time consuming and test does not always complete within 500s

Signed-off-by: Naseem <naseem@transit.app>
Contributor

@jpkrohling jpkrohling left a comment

LGTM then :)

@naseemkullah naseemkullah merged commit 5772a97 into jaegertracing:master Mar 16, 2020
@naseemkullah naseemkullah deleted the auth-kafka branch March 16, 2020 13:08
Successfully merging this pull request may close these issues.

[jaeger] Ingester: Breaking change in v1.17.0 when using to Kafka + TLS