feat: add TLS #121
feat: add TLS #121
Conversation
Summary of ChangesHello @hugz6, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances Kplay's security posture by integrating robust TLS support for Kafka connections. Users can now define TLS settings directly within their Kplay profiles, enabling encrypted communication with Kafka brokers. This feature includes options for enabling TLS and controlling certificate verification, making Kplay more adaptable to various secure Kafka environments, from production to development setups. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request introduces TLS support, which is a great security enhancement. The implementation is mostly solid, but I've found a critical regression related to AWS MSK IAM authentication where TLS is no longer automatically enabled, which would break existing user configurations. I've provided a code suggestion to fix this. Additionally, I've noted that the documentation in the README regarding this is now incorrect. Finally, I've suggested an improvement to make the TLS configuration more robust by allowing custom CAs and client certificates for production environments. Overall, good work on adding this important feature.
README.md
Outdated
| insecureSkipVerify: false # Skip certificate verification (default: false, use true for self-signed certs in dev) | ||
| ``` | ||
|
|
||
| **Note:** When using AWS MSK IAM authentication, TLS is automatically enabled and configured. |
There was a problem hiding this comment.
This note is currently incorrect. The changes in this pull request have introduced a regression where TLS is no longer automatically enabled for AWS MSK IAM authentication. This will break existing configurations for users relying on this implicit behavior. To align the documentation with the intended (and previous) behavior, the implementation should be fixed to automatically enable TLS when authentication: aws_msk_iam is used.
internal/cmd/config.go
Outdated
| if pr.TLSConfig != nil && pr.TLSConfig.Enabled { | ||
| tlsCfg = &t.TLSConfig{ | ||
| Enabled: true, | ||
| InsecureSkipVerify: pr.TLSConfig.InsecureSkipVerify, | ||
| } | ||
| } |
There was a problem hiding this comment.
There's a regression here that breaks existing functionality. AWS MSK IAM requires TLS, but this logic no longer enables it automatically if tlsConfig isn't explicitly defined in the profile. Previously, TLS was implicitly enabled for MSK IAM. This change will break existing configurations that rely on this behavior.
To fix this, you should ensure TLS is enabled whenever auth == t.AWSMSKIAM, while still respecting any user-provided tlsConfig settings.
if (pr.TLSConfig != nil && pr.TLSConfig.Enabled) || auth == t.AWSMSKIAM {
// TLS is required for AWS MSK IAM and is now being enabled automatically.
tlsCfg = &t.TLSConfig{
Enabled: true,
}
if pr.TLSConfig != nil {
tlsCfg.InsecureSkipVerify = pr.TLSConfig.InsecureSkipVerify
}
}| cfg := &tls.Config{ | ||
| InsecureSkipVerify: tlsConfig.InsecureSkipVerify, | ||
| } |
There was a problem hiding this comment.
The current TLS implementation is a good first step, but it's limited as it only allows configuring InsecureSkipVerify. To make TLS support more robust and production-ready, consider extending tlsConfig and this function to support:
- Custom Root CAs (
RootCAsintls.Config) for verifying server certificates signed by a private CA. - Client certificates (
Certificatesintls.Config) for mutual TLS (mTLS) authentication.
This would greatly increase the security and flexibility of connecting to various Kafka setups.
|
@hugz6 Thanks for your contribution. I'll wait for you to mark the PR as ready for review before taking a look. |
Hi, sorry it took me a bit to come back to this PR, I was very busy. I tried to make it look clean even though I'm not very used to it. I hope it's okay. The goal of this PR is to allow the Kplay tool to work with TLS-secured Kafka clusters, which is very common in production. I'll let you review it, feel free to reach out if you have any questions. |
Thanks @hugz6. I will try to take a look at your changes on the weekend. |
Add TLS support
Adds TLS/SSL configuration for connecting to Kafka clusters.
Changes
enabledandinsecureSkipVerifyoptionsrootCAFilefor private certificate authoritiesclientCertFileandclientKeyFileConfiguration
TLS is automatically enabled when using
authentication: aws_msk_iam.Testing
Tested with:
mTLS implementation is included but not tested.