Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bump(librdkafka): from v1.9.2 to v2.3.0 #5321

Merged
merged 2 commits into from Feb 20, 2024
Merged

bump(librdkafka): from v1.9.2 to v2.3.0 #5321

merged 2 commits into from Feb 20, 2024

Conversation

lc525
Copy link
Member

@lc525 lc525 commented Feb 15, 2024

Update needed for automatic re-authentication of kafka connections via SASL (used when connecting to Confluent Cloud via OAUTHBEARER)

  • smoke tested using pipeline-tests.sh in local kind cluster (with local Kafka)

@lc525 lc525 requested a review from sakoush as a code owner February 15, 2024 18:00
sakoush
sakoush approved these changes Feb 15, 2024
View reviewed changes
Copy link
Member

@sakoush sakoush left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. assuming jvm side is a follow up PR?

@lc525 lc525 marked this pull request as draft February 16, 2024 10:30
@lc525
Copy link
Member Author

lc525 commented Feb 16, 2024
edited

The jvm side doesn't use librdkafka afaik, but directly uses the jvm kafka-streams implementation.

Converting this to a draft as I have seen model/pipeline gateway start issuing some certificate errors when testing with external kafka (and OAUTHBEARER). I need to evaluate the impact of those.

@lc525
bump(librdkafka): from v1.9.2 to v2.3.0
52afa23 
- update needed for automatic re-authentication of kafka connections via
SASL (used when connecting to Confluent Cloud via OAUTHBEARER)
@lc525
fix(librdkafka): Copy certs bundle to path expected by librdkafka v2.3.0
4f396c8 
librdkafka uses libcurl for fetching OIDC tokens. However, depending on OS, the
location where the certs ca-bundle for validating the tls connection between
librdkafka and the auth provider is searched differs. We now copy the ca cert
bundle to multiple paths to make sure it is found.

While this is a bit hacky, there are limited alternatives we can take because:

- until now (with librdkafka 1.9.2) those certs were searched under
/etc/ssl/certs/ca-certificates.crt but after the update they are searched
under /etc/pki/tls/certs/ca-bundle.crt

- libcurl doesn't get passed/doesn't respect the caCert location
or .pem file set via librdkafka/kafka configs
(see confluentinc/librdkafka#375).

- there is no way clear way to influence the libcurl search path via env vars
(setting the CURL_CA_BUNDLE env var has no effect), with search paths fully
decided at compile-time.

The likely chain of reasons this has popped-up when updating librdkafka to
v2.3.0:
  - we're building {model, pipeline}gateway docker images based on debian
  bullseye image
  - we're copying the build results into redhat ubi9 container
  - libcurl was statically built in previous librdkafka, so was
  using the debian search paths on ubi9
  - libcurl ends up being dynamically linked in the current librdkafka
  (to ubi9 version) or has changed its default ca bundle search path
@lc525 lc525 marked this pull request as ready for review February 20, 2024 11:43
@lc525 lc525 merged commit de26cec into SeldonIO:v2 Feb 20, 2024
2 of 3 checks passed
@lc525 lc525 deleted the bump-librdkafka branch February 20, 2024 13:30
@sakoush sakoush added the v2 label Feb 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sakoush sakoush sakoush approved these changes

Assignees
No one assigned
Labels
v2
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@lc525 @sakoush