feat: kafka sasl auth (#1186)

* feat: SASL Auth for Kafka Signed-off-by: Joshua Jorel Lee <[email protected]>
argoproj · Apr 30, 2021 · 41027b5 · 41027b5
1 parent 48c9ac7
commit 41027b5
Show file tree

Hide file tree

Showing 26 changed files with 1,407 additions and 685 deletions.
diff --git a/api/event-source.html b/api/event-source.html
diff --git a/api/event-source.md b/api/event-source.md
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
diff --git a/api/sensor.html b/api/sensor.html
diff --git a/api/sensor.md b/api/sensor.md
diff --git a/eventsources/sources/kafka/start.go b/eventsources/sources/kafka/start.go
@@ -270,6 +270,26 @@ func getSaramaConfig(kafkaEventSource *v1alpha1.KafkaEventSource, log *zap.Sugar
 		config.Version = version
 	}
 
+	if kafkaEventSource.SASL != nil {
+		config.Net.SASL.Enable = true
+
+		config.Net.SASL.Mechanism = sarama.SASLMechanism(kafkaEventSource.SASL.GetMechanism())
+
+		user, err := common.GetSecretFromVolume(kafkaEventSource.SASL.User)
+		if err != nil {
+			log.Errorf("Error getting user value from secret: %v", err)
+			return nil, err
+		}
+		config.Net.SASL.User = user
+
+		password, err := common.GetSecretFromVolume(kafkaEventSource.SASL.Password)
+		if err != nil {
+			log.Errorf("Error getting password value from secret: %v", err)
+			return nil, err
+		}
+		config.Net.SASL.Password = password
+	}
+
 	if kafkaEventSource.TLS != nil {
 		tlsConfig, err := common.GetTLSConfig(kafkaEventSource.TLS)
 		if err != nil {

diff --git a/eventsources/sources/kafka/validate.go b/eventsources/sources/kafka/validate.go
@@ -46,5 +46,8 @@ func validate(eventSource *v1alpha1.KafkaEventSource) error {
 	if eventSource.TLS != nil {
 		return apicommon.ValidateTLSConfig(eventSource.TLS)
 	}
+	if eventSource.SASL != nil {
+		return apicommon.ValidateSASLConfig(eventSource.SASL)
+	}
 	return nil
 }
diff --git a/pkg/apis/common/common.go b/pkg/apis/common/common.go
@@ -128,6 +128,19 @@ type TLSConfig struct {
 	DeprecatedClientKeyPath string `json:"clientKeyPath,omitempty" protobuf:"bytes,6,opt,name=clientKeyPath"`
 }
 
+// SASLConfig refers to SASL configuration for a client
+type SASLConfig struct {
+	// SASLMechanism is the name of the enabled SASL mechanism.
+	// Possible values: OAUTHBEARER, PLAIN (defaults to PLAIN).
+	// +optional
+	Mechanism string `json:"mechanism,omitempty" protobuf:"bytes,1,opt,name=mechanism"`
+	// User is the authentication identity (authcid) to present for
+	// SASL/PLAIN or SASL/SCRAM authentication
+	User *corev1.SecretKeySelector `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
+	// Password for SASL/PLAIN authentication
+	Password *corev1.SecretKeySelector `json:"password,omitempty" protobuf:"bytes,3,opt,name=password"`
+}
+
 // Backoff for an operation
 type Backoff struct {
 	// The initial duration in nanoseconds or strings like "1s", "3m"
@@ -153,3 +166,13 @@ type Metadata struct {
 	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,1,rep,name=annotations"`
 	Labels      map[string]string `json:"labels,omitempty" protobuf:"bytes,2,rep,name=labels"`
 }
+
+func (s SASLConfig) GetMechanism() string {
+	switch s.Mechanism {
+	case "OAUTHBEARER", "SCRAM-SHA-256", "SCRAM-SHA-512", "GSSAPI":
+		return s.Mechanism
+	default:
+		// default to PLAINTEXT mechanism
+		return "PLAIN"
+	}
+}
diff --git a/pkg/apis/common/deepcopy_generated.go b/pkg/apis/common/deepcopy_generated.go