-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for GSSAPI in Kafka scaler #4851
Conversation
Thank you for your contribution! 🙏 We will review your PR as soon as possible.
While you are waiting, make sure to:
Learn more about: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice contribution!
Can we cover this new feature with an e2e tests somehow?
My changes only consider the kafka scaler (based on sarama). The change is to collect relevant information in TriggerAuthentication and pass it along to sarama. Not sure about the e2e test - would require standing up kerberos infra as part of the test. I'd rather trust that sarama will do the right thing with inputs (it does). Unit tests ensure that correct values are passed along. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any way to add an e2e tests which tests this?
FYI As far as I see as of yet strimzi doesn't have support for kerberos: strimzi/strimzi-kafka-operator#3088 |
Also, how do we deal with the token refreshment? I am not Kerberors expert at all, though I think that it needs to be refreshed after some period of time. |
Sarama takes care of it. We just provide the path to key tab |
I moved temp kerberos files into dedicated directory, just in case someone already mounts /tmp into their container. Don't think we are likely to run into any conflicts with /tmp/kerberos, especially since kerberos isn't supported by keda yet |
Once this merges, I will take a dig with |
What are next steps on this? There were couple small commits after approval. Need someone to approve again. Also, how do we make sure this goes hand in hand with docs and charts PR's? |
E2E tests run by one of the core maintainers. Ignore my above approval, that was a misclick. |
They are still on vacation. So progress is slow. |
We check that all the PRs are ready to merge before merging it on any repo. It's a manual action that we do before merging. |
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am still not sure we should add another mount point. If the file needs to be stored, can't we use some in-memory go filesystem implementation?
Not sure what you mean, but open to any suggestions. I can spin up in-mem fs in the code and create a file in there, but I don't see any way to pass that file to sarama. Sarama accepts a parameter that if a file system path to the required files (kyetab and krb5.conf). Any files created in my in-memory filesystem will not be visible to sarama. |
Right. @sansmoraxz how does kafka-go client deal with kerberos auth? Does it need a file in a filesystem as well? |
Strictly speaking it's not something that's there in the official repo. Well there was a PR but not much progress was made. The sasl interface should be loose enough to implement without issues. Have to look more in dept. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@novicr Hi, the PR is looking good. The only concern is the new volume mount to host Kerberos files.
We talked about the issue on our community call today and the suggestion is:
- don't make this feature default (the volume mount part in
config/manager.yaml
- in the documentation add a section with an explanation, that if users want to use GSSAPI in Kafka scaler, they need to update the deployment with the volume mount (a code snippet that can be copy pasted is the way to go)
- the scaler code should reflect this and print an error message in case kerberos files are not available with a suggestion on adding a mount
- the existing Helm Chart supports adding arbitrary volume mounts, so it should be good from this side, CC @JorTurFer to confirm
Thanks!
FYI we plan to do a release on Wednesday
|
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
Removed kerberos mount from config/manager.yaml When /tmp is not writable and no writable /tmp/kerberos is provided, error message now has instructions to follow documentation. |
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
/run-e2e kafka |
Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com> Signed-off-by: novicr <43680008+novicr@users.noreply.github.com>
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com>
/run-e2e kafka |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for the contribution!
Signed-off-by: Roman Novichenok <roman.novichenok@gmail.com> Signed-off-by: novicr <43680008+novicr@users.noreply.github.com> Co-authored-by: Roman Novichenok <roman.novichenok@gmail.com> Co-authored-by: Zbynek Roubalik <zroubalik@gmail.com> Signed-off-by: anton.lysina <alysina@gmail.com>
Added Kerberos authentication to Kafka scaler. TriggerAuthentication can now accept additional parameters that will be passed to Sarama to authenticate scaler via Kerberos.
Checklist
Fixes #4836
Relates to PR: kedacore/keda-docs#1201