diff --git a/base/mqueue/mqueue_impl_gokafka.go b/base/mqueue/mqueue_impl_gokafka.go
index 7c51a3587..7b6f8a768 100644
--- a/base/mqueue/mqueue_impl_gokafka.go
+++ b/base/mqueue/mqueue_impl_gokafka.go
@@ -154,24 +154,23 @@ func getSaslMechanism() sasl.Mechanism {
 panic(err)
 }
 return mechanism
- case "plain", "none":
+ case "plain":
 mechanism := kafkaPlain.Mechanism{Username: kafkaUsername, Password: kafkaPassword}
 return mechanism
 }
- panic(fmt.Sprintf("Unknown sasl type '%s', options: {scram, scram-sha-256, scram-sha-512, plain, none}", saslType))
+ panic(fmt.Sprintf("Unknown sasl type '%s', options: {scram, scram-sha-256, scram-sha-512, plain}", saslType))
 }
 
 func caCertTLSConfigFromEnv() *tls.Config {
- var caCertPool *x509.CertPool
- if len(utils.Cfg.KafkaSslCert) > 0 {
- caCertPool = x509.NewCertPool()
- caCert, err := os.ReadFile(utils.Cfg.KafkaSslCert)
- if err != nil {
- panic(err)
- }
- caCertPool.AppendCertsFromPEM(caCert)
+ caCertPath := utils.FailIfEmpty(utils.Cfg.KafkaSslCert, "KAFKA_SSL_CERT")
+ caCert, err := os.ReadFile(caCertPath)
+ if err != nil {
+ panic(err)
 }
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
 tlsConfig := tls.Config{RootCAs: caCertPool} // nolint:gosec
 return &tlsConfig
 }
diff --git a/base/utils/config.go b/base/utils/config.go
index 356b1c80a..c23a84aae 100644
--- a/base/utils/config.go
+++ b/base/utils/config.go
@@ -117,7 +117,6 @@ func initDBFromEnv() {
 }
 
 func initKafkaFromEnv() {
- Cfg.KafkaSslEnabled = GetBoolEnvOrDefault("KAFKA_SSL_ENABLED", Cfg.KafkaSslEnabled)
 Cfg.KafkaSslCert = Getenv("KAFKA_SSL_CERT", Cfg.KafkaSslCert)
 Cfg.KafkaSslSkipVerify = GetBoolEnvOrDefault("KAFKA_SSL_SKIP_VERIFY", false)
 Cfg.KafkaUsername = Getenv("KAFKA_USERNAME", Cfg.KafkaUsername)
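Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` on the new side of the caCertTLSConfigFromEnv hunk is discarded, so a CA file that exists but contains no parseable PEM certificate produces an empty RootCAs pool and the problem only surfaces later as an "unknown authority" handshake failure, unlike the unset-path and unreadable-file cases that the rewritten function now aborts on at startup. Suggest `if !caCertPool.AppendCertsFromPEM(caCert) { panic(fmt.Sprintf("no CA certificates parsed from %s", caCertPath)) }` in place of the bare call. Since dropping the `"none"` SASL option and routing the path through `utils.FailIfEmpty` (which appears to abort on an empty value) makes a custom CA mandatory, a doc comment such as `// caCertTLSConfigFromEnv returns a tls.Config whose RootCAs is loaded from KAFKA_SSL_CERT; it aborts if the path is unset or the file cannot be read.` would make the new hard requirement visible to callers.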
@@ -191,8 +190,6 @@ func initKafkaFromClowder() {
 } else {
 Cfg.KafkaSslCert = *brokerCfg.Cacert
 }
- }
- if Cfg.KafkaSslEnabled {
 if brokerCfg.Sasl.Username != nil {
 Cfg.KafkaUsername = *brokerCfg.Sasl.Username
 Cfg.KafkaPassword = *brokerCfg.Sasl.Password
diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml
index ac6b692c8..9b8eac9b9 100644
--- a/deploy/clowdapp.yaml
+++ b/deploy/clowdapp.yaml
@@ -34,7 +34,6 @@ objects:
 - {name: GIN_MODE, value: '${GIN_MODE}'}
 - {name: KAFKA_GROUP, value: patchman}
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
- - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
 - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
 - {name: ENABLE_REPO_BASED_RE_EVALUATION, value: '${ENABLE_REPO_BASED_RE_EVALUATION}'}
 - {name: ENABLE_RECALC_MESSAGES_SEND, value: '${ENABLE_RECALC_MESSAGES_SEND}'}
@@ -117,7 +116,6 @@ objects:
 - {name: ENABLE_BASELINE_CHANGE_EVAL, value: '${ENABLE_BASELINE_CHANGE_EVAL}'}
 - {name: KAFKA_GROUP, value: patchman}
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
- - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
 - {name: EVAL_TOPIC, value: '${EVAL_TOPIC_MANAGER}'}
 - {name: ENABLE_PACKAGE_CACHE, value: '${ENABLE_PACKAGE_CACHE_MANAGER}'}
 - {name: RESPONSE_TIMEOUT, value: '${RESPONSE_TIMEOUT}'}
@@ -163,7 +161,6 @@ objects:
 - {name: KAFKA_GROUP, value: patchman}
 - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
- - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
 - {name: EVENTS_TOPIC, value: platform.inventory.events}
 - {name: EVAL_TOPIC, value: patchman.evaluator.upload}
 - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
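Review bot: Removing the `}` together with `if Cfg.KafkaSslEnabled {` does more than drop the flag: the SASL username/password assignment now sits inside the block that the removed brace used to close, and that block's opening condition is above the hunk, so it is not visible here whether applying credentials is meant to depend on it (it looks like the Cacert/SSL branch, but that is inferred). If SASL credentials should be applied whenever Clowder supplies a username regardless of CA handling, keep the `}` and delete only the `if Cfg.KafkaSslEnabled {` line. Either way a one-line comment on the SASL branch, e.g. `// SASL credentials from Clowder are applied whenever a username is provided`, would pin the intended scope for the next reader. initKafkaFromClowder starts and ends outside the hunk.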
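Review bot: Dropping `KAFKA_SSL_ENABLED` from this env list (and likewise in the @@ -117, @@ -163, @@ -211, @@ -280 and @@ -346 hunks, plus the `'true'` default in the @@ -724 parameters hunk) leaves no deployment-level way to run without a custom CA, while the Go change in this same commit makes `KAFKA_SSL_CERT` mandatory at startup through `utils.FailIfEmpty`. None of the env lists shown sets `KAFKA_SSL_CERT`, so each of these containers presumably relies on `initKafkaFromClowder` filling `Cfg.KafkaSslCert` from the broker `Cacert`; worth confirming that every environment this template is deployed to (ephemeral included) supplies a broker CA, because an environment without one would now fail at startup instead of coming up as before. A comment on the parameters block such as `# KAFKA_SSL_CERT is required by every Kafka client; it is provided by Clowder (broker cacert), not by this template` would make the dependency explicit.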
@@ -211,7 +208,6 @@ objects:
 - {name: KAFKA_GROUP, value: patchman}
 - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
- - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
 - {name: EVAL_TOPIC, value: patchman.evaluator.upload}
 - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
 - {name: REMEDIATIONS_UPDATE_TOPIC, value: 'platform.remediation-updates.patch'}
@@ -280,7 +276,6 @@ objects:
 - {name: KAFKA_GROUP, value: patchman}
 - {name: KAFKA_READER_MAX_ATTEMPTS, value: '${KAFKA_READER_MAX_ATTEMPTS}'}
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
- - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
 - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
 - {name: PAYLOAD_TRACKER_TOPIC, value: platform.payload-status}
 - {name: REMEDIATIONS_UPDATE_TOPIC, value: 'platform.remediation-updates.patch'}
@@ -346,7 +341,6 @@ objects:
 key: vmaas-sync-database-password}}}
 - {name: KAFKA_GROUP, value: patchman}
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '${KAFKA_WRITER_MAX_ATTEMPTS}'}
- - {name: KAFKA_SSL_ENABLED, value: '${KAFKA_SSL_ENABLED}'}
 - {name: EVAL_TOPIC, value: patchman.evaluator.recalc}
 - {name: ENABLE_REPO_BASED_RE_EVALUATION, value: '${ENABLE_REPO_BASED_RE_EVALUATION}'}
 - {name: ENABLE_RECALC_MESSAGES_SEND, value: '${ENABLE_RECALC_MESSAGES_SEND}'}
@@ -724,7 +718,6 @@ parameters:
 - {name: GIN_MODE, value: 'release'} # Gin webframework running mode
 - {name: PACKAGE_CACHE_SIZE, value: '1000000'}
 - {name: PACKAGE_NAME_CACHE_SIZE, value: '60000'}
-- {name: KAFKA_SSL_ENABLED, value: 'true'}
 - {name: KAFKA_READER_MAX_ATTEMPTS, value: '3'} # Limit of how many attempts will be made before kafka read error.
 - {name: KAFKA_WRITER_MAX_ATTEMPTS, value: '10'} # Limit of how many attempts will be made before kafka write error.
 - {name: VMAAS_CALL_MAX_RETRIES, value: '8'} # Limit of how many unsuccessful vmaas calls are allowed before panic.