-
Notifications
You must be signed in to change notification settings - Fork 5.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mTLS authentication for Amazon MSK/self-managed kafka event source #10260
Comments
Also, not documented anywhere obvious, but creating the trigger through the AWS console I found out that if you add an encryption "Required if your Kafka brokers use certificates signed by a private CA." then AWS adds a
|
Hello @mishabruml - thanks a lot for proposing this enhancement. I believe it makes sense to add such settings - here's the corresponding CloudFormation doc that suggest there shouldn't be any problem in implementing it in the Framework: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-eventsourcemapping-sourceaccessconfiguration.html Before moving forward, I will sync up with the team internally and if all sounds good, we'll be more than happy to accept a PR for this one. |
@pgrzesik that's great news, I would love to work on this! let me know 😄 following up on my above comment, it seems that if a
similar to how the
|
Thanks for sharing the details @mishabruml - we'd be more than happy to accept a PR if you're interested 🙌 |
Hey @pgrzesik, got a draft PR up, the changes were much simpler than I expected! I stuck with the path of least resistance and the programming style already present. I was wondering whether it might make sense to validate the settings a little more? Or just let errors fall through to cloudformation, I suppose. It depends on the design philosophy I guess. Another thing I noticed was the lack of integration tests for self-managed kafka event source. Is this something you'd like me to look at, or is it out of scope for this PR? |
Thanks a lot for that @mishabruml 🙇 What would you like to validate further? It's always worth considering failing as soon as possible to shorten feedback cycle. As for the integration tests for Self-managed Kafka - we've decided against them because it's a bit challenging to manage Kafka cluster just for them, we have integration tests for MSK though and even that was quite time-consuming. I also have another question - the PR addresses changes for |
Hey @pgrzesik so I was thinking validation along the lines of: If the event source is self managed, then there must be at least one bootstrap endpoint, and there must be at least one access configuration of type VPC/sasl/mtls I was thinking also if the strings provided for the source access configuration types could be validated as either ARNs or security group/subnet identifiers (regex?) That's fair enough about the self managed cluster integration tests. I deal with Kafka daily at work and we write integration tests against clusters we spin up in docker containers, so feel confident I could make an attempt at writing a test suite, if you think it would be valuable, but also I understand if you don't want to have to maintain this in the future. Re: MSK I completely forgot about that! 😂Yes, happy to make those changes too 😎 |
Hey @mishabruml 👋
I believe at the moment we have that -
This is also handled on schema validation level - is there something missing about that?
This is much appreciated, but I believe maintenance on our side might be a bit challenging in the long run, also I believe the setup might be a bit time consuming and we want to keep our integration tests (relatively) fast.
Awesome 🙌 Thanks a lot for your work on this @mishabruml 🙇 |
OK yeah cool, I now understand this better, I can see that the validation is being applied by AJV Schema. The lack of testing around this made it a little hard to spot 😛 - I've put some in No probs about the integration tests. You are right, setup is costly (time+effort) both in terms of initial design and build time in CI. And maintenance too.... I've pushed up some changes tonight, I think the PR for self-managed kafka is reaching completion 🙌 |
Thanks a lot @mishabruml, I'll check that out today 👍 |
Thanks @mishabruml for providing this feature!
According to https://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#smaa-authentication you can also pass a client certificate without a server root ca in case the server uses a cert which is "signed by a certificate authority (CA) that's in the Lambda trust store". So client and server cert do not depend on each other from what I can see. I currently work around this with an post install script to remove the test. |
Hey @fdesoye thanks for noticing this. That check is only due to my limited knowledge of mTLS and networking- I assumed that both client and server certificate were required. If @pgrzesik agrees that the validation could be relaxed then I can make a PR, or feel free yourself? @fdesoye could you prove/explain your scenario further by providing a cloudformation template(s)? |
ahh i see that SERVER_ROOT_CA_CERTIFICATE is not used for mTLS only, that makes sense. I was thinking that if it was for mTLS only then of course it wouldn't make sense to provide one without the other. Could you follow up on the case or providing CLIENT_CERTIFICATE_TLS_AUTH without SERVER_ROOT_CA_CERTIFICATE ? thanks 😄 |
Hello 👋 So it seems like we might need to relax the restriction that we have in place currently if I'm understanding the above correctly, right? |
Indeed, that would be my conclusion given it "works for me". I'd be happy to raise a PR for this. Would be my first one so might take a bit to find which unit tests have to be adjusted and what else I have to look at. |
@fdesoye happy to help you out if you need 😌 |
Small change only so I will probably manage. Will push something later this week (will mainly have to figure out the formalities of raising a proper MR). Do we need integration tests for this? |
Thanks @fdesoye - unit test will be just fine 👍 |
Not sure if this belongs in this thread, but I ran into a slightly annoying issue: the Kafka trigger takes rather long to deploy (probably due to whatever AWS spins up for this under the hood). |
Agreed, that sounds like a whole topic on its own, not sure if it would make sense here too. |
My question is, if there is some functionality already available in the framework, that could do this kind of validation prior to kicking off a deployment. |
We don't really have a good way to handle it right now - it can also cause issues where .e.g |
Agreed. Sounds like too much effort and risk for too little gain. |
Is there an existing issue for this?
Use case description
Support a further
accessConfigurations: CLIENT_CERTIFICATE_TLS_AUTH
) to allow configuring mTLS-authenticated lambda event sourceshttps://docs.aws.amazon.com/lambda/latest/dg/with-kafka.html#services-smaa-topic-add
https://aws.amazon.com/about-aws/whats-new/2021/11/aws-lambda-supports-mtls-authentication-amazon-msk-event-source/
https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-msk-as-an-event-source/
I'm happy to have a look at a PR for this?
The text was updated successfully, but these errors were encountered: