feat: Kafka scaler move sasl and tls config to TriggerAuthentication metadata

[dttung2905]

Move sasl and tls config to metadata section of TriggerAuthentication

Checklist

• I have verified that my change is according to the deprecations & breaking changes policy
• Tests have been added
• Changelog has been updated and is aligned with our changelog requirements
• A PR is opened to update the documentation on (repo) Add Doc changes for enableTls and saslAuthType for Kafka Scaler ScaledObject keda-docs#1016
• Commits are signed with Developer Certificate of Origin (DCO - learn more)

Relates to #3611

Relates to #

[dttung2905]

Hi team,
I think this MR introduce breaking changes. Could you guide me on what should I do in this case?
Should we introduce grace period with deprecation messages or its fine to leave the MR like that with notes in the breaking changes section in the next release. The blast radius of this MR is just Kafka Scaler so the latter may be okay?

[dttung2905]

Hi @JorTurFer, thanks for approving my other MR so quickly, even during weekend 🙏 Could you help to guide me on this one as well ?

[zroubalik]

@dttung2905 I think that we should not move this config, but support specifying thsi option in both places. This way we maintain backwards compatibility.

There should be a check when this option is specified in both places (with different values), in this case we should fail.

WDYT @kedacore/keda-contributors ?

[dttung2905]

@dttung2905 I think that we should not move this config, but support specifying thsi option in both places. This way we maintain backwards compatibility.

There should be a check when this option is specified in both places (with different values), in this case we should fail.

WDYT @\kedacore/keda-contributors ?

Thanks for the feedback. Yes I can make it backward compatible too. Am I right to say that we will support having tls and sasl in both places ( but not both at the same time ) in the long run ? This is just for my understanding when updating the doc in the other MR

[dttung2905]

Hi @zroubalik , I have make changes to accommodate backward compatibility. Also a few checks I have implemented

• A check to flag out when the same value of tls or sasl are set in both places
• A check to flag out when tls and sasl are set in different places at the same time
• A few extra sets of unit test to test out the above 2 points

Could you help to review it ?

[zroubalik]

Thanks for the addition, the only nit is the changelog. Let see what other think.

[zroubalik]

Is this really a Brekaing Change? I am not sure, @tomkerkhove @JorTurFer wdyt?

[dttung2905]

Not necessarily though. Before we decided to make it backward compatible, I classified it as breaking changes. I can move it out of this section

[JorTurFer]

I don't think so, because it's backward compatible

[tomkerkhove]

Based on the doc changes it looks like a breaking change as we are removing fields/parameters which we already support

[JorTurFer]

I'd say that docs are outdated because based on the code, the values are read from both places

[tomkerkhove]

So instead of a secret, isn't the real fix that we need a plain text option in a CRD instead of moving this to metadata?

Something like:

  plainText:
  - parameter: tls
    value: true   

Because it feels better to me to keep everything part of the CRD "body" rather than some in metadata and other in the payload/body.

[dttung2905]

@tomkerkhove Thanks so much for the suggestion. I'm really curious to know how does it look like with your suggestion in ScaledObject. 🤔 My guess is below ( pls cmiiw )

apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: pulsar-scaledobject
  namespace: default
spec:
  scaleTargetRef:
    name: pulsar-consumer
  pollingInterval: 30
  plainText:
  - parameter: tls
    value: true 

Hi team,
What do you think about Tom's suggestion?
I'm totally fine with both approaches but I think parking it under metadata would be slightly better in terms of consistency across other scalers ( take pulsar for example )

[tomkerkhove]

My suggestion is not for ScaledObject, but for Trigger Authentication instead where we already have multiple auth providers and this could be another one

[zroubalik]

Sorry for the delay, I understand what @tomkerkhove proposes here, I have been thinking about the same approach, though I am not 100% sure we should provide a plaintext in TriggerAuth. Users might start using this not ideal approach for storing sensitive data. Or am I too sensitive and we should let them do this? :)

[zroubalik]

@kedacore/keda-core-contributors do you have an opinion on the plainText field in TA?

[zroubalik]

/run-e2e kafka*
Update: You can check the progress here

[JorTurFer]

I don't think so, because it's backward compatible

[tomkerkhove]

As agreed on standup, the best location for this should be:

triggers:
- type: kafka
  metadata:
    bootstrapServers: kafka.svc:9092
    consumerGroup: my-group
    topic: test-topic
    lagThreshold: '5'
    activationLagThreshold: '3'
    offsetResetPolicy: latest
    allowIdleConsumers: false
    scaleToZeroOnInvalidOffset: false
    excludePersistentLag: false
    version: 1.0.0
+   saslAuthType: plaintext|scram_sha256|scram_sha512|oauthbearer|none
+   enableTls: true|false

[dttung2905]

Closing this MR in favour of MR #4322