Revert "RHINENG-2394: allow Kafka TLS withous CA cert"

This reverts commit 92c4131.
RedHatInsights · Oct 16, 2023 · bb4154c · bb4154c
1 parent 599e4eb
commit bb4154c
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 20 deletions.
diff --git a/base/mqueue/mqueue_impl_gokafka.go b/base/mqueue/mqueue_impl_gokafka.go
@@ -154,24 +154,23 @@ func getSaslMechanism() sasl.Mechanism {
 			panic(err)
 		}
 		return mechanism
-	case "plain", "none":
+	case "plain":
 		mechanism := kafkaPlain.Mechanism{Username: kafkaUsername, Password: kafkaPassword}
 		return mechanism
 	}
-	panic(fmt.Sprintf("Unknown sasl type '%s', options: {scram, scram-sha-256, scram-sha-512, plain, none}", saslType))
+	panic(fmt.Sprintf("Unknown sasl type '%s', options: {scram, scram-sha-256, scram-sha-512, plain}", saslType))
 }
 
 func caCertTLSConfigFromEnv() *tls.Config {
-	var caCertPool *x509.CertPool
-	if len(utils.Cfg.KafkaSslCert) > 0 {
-		caCertPool = x509.NewCertPool()
-		caCert, err := os.ReadFile(utils.Cfg.KafkaSslCert)
-		if err != nil {
-			panic(err)
-		}
-		caCertPool.AppendCertsFromPEM(caCert)
+	caCertPath := utils.FailIfEmpty(utils.Cfg.KafkaSslCert, "KAFKA_SSL_CERT")
+	caCert, err := os.ReadFile(caCertPath)
+	if err != nil {
+		panic(err)
 	}
 
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
 	tlsConfig := tls.Config{RootCAs: caCertPool} // nolint:gosec
 	return &tlsConfig
 }
diff --git a/base/utils/config.go b/base/utils/config.go
@@ -117,7 +117,6 @@ func initDBFromEnv() {
 }
 
 func initKafkaFromEnv() {
-	Cfg.KafkaSslEnabled = GetBoolEnvOrDefault("KAFKA_SSL_ENABLED", Cfg.KafkaSslEnabled)
 	Cfg.KafkaSslCert = Getenv("KAFKA_SSL_CERT", Cfg.KafkaSslCert)
 	Cfg.KafkaSslSkipVerify = GetBoolEnvOrDefault("KAFKA_SSL_SKIP_VERIFY", false)
 	Cfg.KafkaUsername = Getenv("KAFKA_USERNAME", Cfg.KafkaUsername)
@@ -191,8 +190,6 @@ func initKafkaFromClowder() {
 			} else {
 				Cfg.KafkaSslCert = *brokerCfg.Cacert
 			}
-		}
-		if Cfg.KafkaSslEnabled {
 			if brokerCfg.Sasl.Username != nil {
 				Cfg.KafkaUsername = *brokerCfg.Sasl.Username
 				Cfg.KafkaPassword = *brokerCfg.Sasl.Password

diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml
@@ -34,7 +34,6 @@ objects:
         - {name: GIN_MODE, value: '${GIN_MODE}'}
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
-        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
         - {name: ENABLE_REPO_BASED_RE_EVALUATION, value: '${ENABLE_REPO_BASED_RE_EVALUATION}'}
         - {name: ENABLE_RECALC_MESSAGES_SEND, value: '${ENABLE_RECALC_MESSAGES_SEND}'}
@@ -117,7 +116,6 @@ objects:
         - {name: ENABLE_BASELINE_CHANGE_EVAL, value: '${ENABLE_BASELINE_CHANGE_EVAL}'}
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
-        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: '${EVAL_TOPIC_MANAGER}'}
         - {name: ENABLE_PACKAGE_CACHE, value: '${ENABLE_PACKAGE_CACHE_MANAGER}'}
         - {name: RESPONSE_TIMEOUT, value: '${RESPONSE_TIMEOUT}'}
@@ -163,7 +161,6 @@ objects:
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
-        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVENTS_TOPIC, value: platform.inventory.events}
         - {name: EVAL_TOPIC, value: patchman.evaluator.upload}
         - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
@@ -211,7 +208,6 @@ objects:
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
-        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.upload}
         - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
         - {name: REMEDIATIONS_UPDATE_TOPIC, value: 'platform.remediation-updates.patch'}
@@ -280,7 +276,6 @@ objects:
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
-        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
         - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
         - {name: REMEDIATIONS_UPDATE_TOPIC, value: 'platform.remediation-updates.patch'}
@@ -346,7 +341,6 @@ objects:
                                                        key: vmaas-sync-database-password}}}
         - {name: KAFKA_GROUP, value: patchman}
         - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
-        - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
         - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
         - {name: ENABLE_REPO_BASED_RE_EVALUATION, value: '${ENABLE_REPO_BASED_RE_EVALUATION}'}
         - {name: ENABLE_RECALC_MESSAGES_SEND, value: '${ENABLE_RECALC_MESSAGES_SEND}'}
@@ -724,7 +718,6 @@ parameters:
 - {name: GIN_MODE, value: 'release'} # Gin webframework running mode
 - {name: PACKAGE_CACHE_SIZE, value: '1000000'}
 - {name: PACKAGE_NAME_CACHE_SIZE, value: '60000'}
-- {name: KAFKA_SSL_ENABLED, value: 'true'}
 - {name: KAFKA_READER_MAX_ATTEMPTS, value: '3'} # Limit of how many attempts will be made before kafka read error.
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '10'} # Limit of how many attempts will be made before kafka write error.
 - {name: VMAAS_CALL_MAX_RETRIES, value: '8'} # Limit of how many unsuccessful vmaas calls are allowed before panic.