RHINENG-2394: allow Kafka TLS withous CA cert

RedHatInsights · Oct 4, 2023 · 92c4131 · 92c4131
1 parent 9bfffe3
commit 92c4131
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/base/mqueue/mqueue_impl_gokafka.go b/base/mqueue/mqueue_impl_gokafka.go
@@ -154,23 +154,24 @@ func getSaslMechanism() sasl.Mechanism {
 			panic(err)
 		}
 		return mechanism
-	case "plain":
+	case "plain", "none":
 		mechanism := kafkaPlain.Mechanism{Username: kafkaUsername, Password: kafkaPassword}
 		return mechanism
 	}
-	panic(fmt.Sprintf("Unknown sasl type '%s', options: {scram, scram-sha-256, scram-sha-512, plain}", saslType))
+	panic(fmt.Sprintf("Unknown sasl type '%s', options: {scram, scram-sha-256, scram-sha-512, plain, none}", saslType))
 }
 
 func caCertTLSConfigFromEnv() *tls.Config {
-	caCertPath := utils.FailIfEmpty(utils.Cfg.KafkaSslCert, "KAFKA_SSL_CERT")
-	caCert, err := os.ReadFile(caCertPath)
-	if err != nil {
-		panic(err)
+	var caCertPool *x509.CertPool
+	if len(utils.Cfg.KafkaSslCert) > 0 {
+		caCertPool = x509.NewCertPool()
+		caCert, err := os.ReadFile(utils.Cfg.KafkaSslCert)
+		if err != nil {
+			panic(err)
+		}
+		caCertPool.AppendCertsFromPEM(caCert)
 	}
 
-	caCertPool := x509.NewCertPool()
-	caCertPool.AppendCertsFromPEM(caCert)
-
 	tlsConfig := tls.Config{RootCAs: caCertPool} // nolint:gosec
 	return &tlsConfig
 }
diff --git a/base/utils/config.go b/base/utils/config.go
@@ -116,6 +116,7 @@ func initDBFromEnv() {
 }
 
 func initKafkaFromEnv() {
+	Cfg.KafkaSslEnabled = GetBoolEnvOrDefault("KAFKA_SSL_ENABLED", Cfg.KafkaSslEnabled)
 	Cfg.KafkaSslCert = Getenv("KAFKA_SSL_CERT", Cfg.KafkaSslCert)
 	Cfg.KafkaSslSkipVerify = GetBoolEnvOrDefault("KAFKA_SSL_SKIP_VERIFY", false)
 	Cfg.KafkaUsername = Getenv("KAFKA_USERNAME", Cfg.KafkaUsername)
@@ -188,6 +189,8 @@ func initKafkaFromClowder() {
 			} else {
 				Cfg.KafkaSslCert = *brokerCfg.Cacert
 			}
+		}
+		if Cfg.KafkaSslEnabled {
 			if brokerCfg.Sasl.Username != nil {
 				Cfg.KafkaUsername = *brokerCfg.Sasl.Username
 				Cfg.KafkaPassword = *brokerCfg.Sasl.Password

diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml
@@ -34,6 +34,7 @@ objects:
         - {name: GIN_MODE, value: '${GIN_MODE}'}
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
+        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
         - {name: ENABLE_REPO_BASED_RE_EVALUATION, value: '${ENABLE_REPO_BASED_RE_EVALUATION}'}
         - {name: ENABLE_RECALC_MESSAGES_SEND, value: '${ENABLE_RECALC_MESSAGES_SEND}'}
@@ -116,6 +117,7 @@ objects:
         - {name: ENABLE_BASELINE_CHANGE_EVAL, value: '${ENABLE_BASELINE_CHANGE_EVAL}'}
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
+        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: '${EVAL_TOPIC_MANAGER}'}
         - {name: ENABLE_PACKAGE_CACHE, value: '${ENABLE_PACKAGE_CACHE_MANAGER}'}
         - {name: RESPONSE_TIMEOUT, value: '${RESPONSE_TIMEOUT}'}
@@ -160,6 +162,7 @@ objects:
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
+        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVENTS_TOPIC, value: platform.inventory.events}
         - {name: EVAL_TOPIC, value: patchman.evaluator.upload}
         - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
@@ -207,6 +210,7 @@ objects:
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
+        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.upload}
         - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
         - {name: REMEDIATIONS_UPDATE_TOPIC, value: 'platform.remediation-updates.patch'}
@@ -275,6 +279,7 @@ objects:
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
+        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
         - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
         - {name: REMEDIATIONS_UPDATE_TOPIC, value: 'platform.remediation-updates.patch'}
@@ -340,6 +345,7 @@ objects:
                                                        key: vmaas-sync-database-password}}}
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
+        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
         - {name: ENABLE_REPO_BASED_RE_EVALUATION, value: '${ENABLE_REPO_BASED_RE_EVALUATION}'}
         - {name: ENABLE_RECALC_MESSAGES_SEND, value: '${ENABLE_RECALC_MESSAGES_SEND}'}
@@ -716,6 +722,7 @@ parameters:
 - {name: GIN_MODE, value: 'release'} # Gin webframework running mode
 - {name: PACKAGE_CACHE_SIZE, value: '1000000'}
 - {name: PACKAGE_NAME_CACHE_SIZE, value: '60000'}
+- {name: KAFKA_SSL_ENABLED, value: 'true'}
 - {name: KAFKA_READER_MAX_ATTEMPTS, value: '3'} # Limit of how many attempts will be made before kafka read error.
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '10'} # Limit of how many attempts will be made before kafka write error.
 - {name: VMAAS_CALL_MAX_RETRIES, value: '8'} # Limit of how many unsuccessful vmaas calls are allowed before panic.