Fix Kafka TLS configuration with plaintext authentication

[amilbcahat]

Which problem is this PR solving?

• Resolves [Bug]: kafka: cannot connect to TLS kafka with TLS + plaintext #6744

Description of the changes

• Fixed TLS configuration to work with plaintext authentication when TLS is enabled
• Modified TLS configuration logic in Kafka authentication to support SASL-SSL with PLAIN
• Restored behavior to enable TLS regardless of authentication method when TLS is configured
• Fixed regression introduced in PR [kafka] OTEL helper instead of tlscfg package #6270

How was this change tested?

• Verified connectivity with TLS-enabled Kafka cluster using plaintext authentication
• Tested both collector and ingester components
• Validated SASL-SSL with PLAIN authentication works as expected

Checklist

• I have read https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md
• I have signed all commits
• [] I have added unit tests for the new functionality
• I have run lint and test steps successfully
  • for jaeger: make lint test

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 96.09%. Comparing base (148d4ef) to head (6197ff6).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6764      +/-   ##
==========================================
- Coverage   96.10%   96.09%   -0.02%     
==========================================
  Files         358      358              
  Lines       21585    21597      +12     
==========================================
+ Hits        20745    20754       +9     
- Misses        633      635       +2     
- Partials      207      208       +1     

Flag	Coverage Δ
badger_v1	9.90% <0.00%> (-0.02%)	⬇️
badger_v2	2.05% <0.00%> (-0.01%)	⬇️
cassandra-4.x-v1-manual	14.89% <0.00%> (-0.02%)	⬇️
cassandra-4.x-v2-auto	2.04% <0.00%> (-0.01%)	⬇️
cassandra-4.x-v2-manual	2.04% <0.00%> (-0.01%)	⬇️
cassandra-5.x-v1-manual	14.89% <0.00%> (-0.02%)	⬇️
cassandra-5.x-v2-auto	2.04% <0.00%> (-0.01%)	⬇️
cassandra-5.x-v2-manual	2.04% <0.00%> (-0.01%)	⬇️
elasticsearch-6.x-v1	20.14% <0.00%> (-0.03%)	⬇️
elasticsearch-7.x-v1	20.22% <0.00%> (-0.03%)	⬇️
elasticsearch-8.x-v1	20.40% <0.00%> (-0.03%)	⬇️
elasticsearch-8.x-v2	2.05% <0.00%> (-0.01%)	⬇️
grpc_v1	11.44% <0.00%> (-0.02%)	⬇️
grpc_v2	2.05% <0.00%> (-0.01%)	⬇️
kafka-3.x-v1	10.84% <100.00%> (+0.65%)	⬆️
kafka-3.x-v2	2.05% <0.00%> (-0.01%)	⬇️
memory_v2	2.05% <0.00%> (-0.01%)	⬇️
opensearch-1.x-v1	20.27% <0.00%> (-0.03%)	⬇️
opensearch-2.x-v1	20.27% <0.00%> (-0.03%)	⬇️
opensearch-2.x-v2	2.05% <0.00%> (-0.01%)	⬇️
query	2.05% <0.00%> (-0.01%)	⬇️
tailsampling-processor	0.55% <0.00%> (-0.01%)	⬇️
unittests	94.90% <100.00%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[yurishkuro]

what are you trying to achieve by merging main? It erases the CI checks which clearly show that your PR does not pass the linter.

[amilbcahat]

what are you trying to achieve by merging main? It erases the CI checks which clearly show that your PR does not pass the linter.

I was updating the branch to latest, just that. I have committed for Lint checks , now. Can you check again ?

[amilbcahat]

I have made the corrections for Unit Tests, can you update the PR label please ? @yurishkuro and run it again, I dont have necessary permissions to add the label I think.

[yurishkuro]

why?

[amilbcahat]

This is needed to maintain the security model difference between TLS authentication and TLS encryption:

• When using TLS authentication (auth="tls"), we need system CA certs to validate client certificates
• When using TLS encryption with SASL PLAIN auth, we don't need system CA certs
  The unit tests specifically verify this distinction.

[yurishkuro]

When using TLS encryption with SASL PLAIN auth, we don't need system CA certs

why? The only time you don't need system certs is if you are providing your own. Am I wrong about that?

[amilbcahat]

Yes, you are right. Both modes need CA certs for TLS validation, but they use different sources:

• TLS auth (authentication="tls"):

  • IncludeSystemCACertsPool=true to validate client/server certificates using system CA pool
  • Uses mutual TLS where both authenticate each other

• SASL PLAIN with TLS:

  • IncludeSystemCACertsPool=false because it validates the server certificate using explicitly provided CA cert
  • Client authentication happens via username/password

The tests expect this specific behavior to enforce these different trust models, without this distinction tests fails. Both approaches provide certificate validation, just from different trust sources.

[yurishkuro]

what is the testing procedure for this change? How do we know it does what's needed?

[amilbcahat]

what is the testing procedure for this change? How do we know it does what's needed?

To verify this fix works, I've set up a test environment with:

1. Kafka container configured for SASL_SSL:
   • Uses TLS encryption with SASL PLAIN authentication

Docker Image configuration used -

version: "3"
services:
  zookeeper:
    image: bitnami/zookeeper:latest
    ports:
      - "2181:2181"
    environment:
      - ALLOW_ANONYMOUS_LOGIN=yes
  kafka:
    image: bitnami/kafka:3.7.0
    ports:
      - "9092:9092"
      - "29093:29093"
    environment:
      - KAFKA_BROKER_ID=1
      - KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper:2181
      - KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1
      - ALLOW_PLAINTEXT_LISTENER=yes
      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=INTERNAL:PLAINTEXT,EXTERNAL:SASL_SSL
      - KAFKA_CFG_LISTENERS=internal://0.0.0.0:9092,external://0.0.0.0:29093
      - KAFKA_CFG_ADVERTISED_LISTENERS=internal://kafka:9092,external://localhost:29093
      - KAFKA_INTER_BROKER_LISTENER_NAME=INTERNAL
      - KAFKA_TLS_TYPE=JKS
      - KAFKA_CFG_SSL_KEYSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.keystore.jks
      - KAFKA_CFG_SSL_KEYSTORE_PASSWORD=kafkapass123
      - KAFKA_CFG_SSL_KEY_PASSWORD=kafkapass123
      - KAFKA_CFG_SSL_TRUSTSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.truststore.jks
      - KAFKA_CFG_SSL_TRUSTSTORE_PASSWORD=kafkapass123
      - KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM=
      - KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
      - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
      - KAFKA_CLIENT_USERS=admin
      - KAFKA_CLIENT_PASSWORDS=admin-secret
    volumes:
      - ./certs:/opt/bitnami/kafka/config/certs
    depends_on:
      - zookeeper

• Exposes port 29093 for SASL_SSL connections
• Configured with admin/admin-secret credentials locally

2. Test with ingester accessing Kafka:

   ./ingester \
     --kafka.consumer.brokers=localhost:29093 \
     --kafka.consumer.topic=jaeger-spans \
     --kafka.consumer.authentication=plaintext \
     --kafka.consumer.plaintext.username=admin \
     --kafka.consumer.plaintext.password=admin-secret \
     --kafka.consumer.plaintext.mechanism=PLAIN \
     --kafka.consumer.group-id=jaeger-ingester \
     --kafka.consumer.tls.enabled=true \
     --kafka.consumer.tls.ca=./certs/ca.crt \
     --kafka.consumer.tls.skip-host-verify=true

Verified with standard Kafka clients (producer/consumer) that the connection works with the same settings

Without the fix in PR #6764, the ingester command would fail because TLS settings weren't properly applied when using SASL PLAIN authentication. With the fix, the connection succeeds. Do you need any more configuration related information used for testing here ?

[yurishkuro]

To verify this fix works, I've set up a test environment with:

Is this something we can add to internal/storage/integration/kafka_test.go?

[amilbcahat]

To verify this fix works, I've set up a test environment with:

Is this something we can add to internal/storage/integration/kafka_test.go?

Yes, we can add an integration test in internal/storage/integration/kafka_test.go to verify this scenario works properly. The test would:

1. Set up a Kafka client with:

   • SASL PLAIN authentication
   • TLS enabled for encryption
   • Connected to a Kafka broker with SASL_SSL listener

2. Verify the client can successfully connect and produce/consume messages

This would formalize the manual test case I've been using to verify the fix. Would you like me to implement this as part of the PR?

[yurishkuro]

Yes, I prefer the tests to be part of the PR. However, is it possible to configure a single instance of Kafka to work with different auth-n methods, or do we need to spin different Kafka container for each auth flavor? The latter is much more expensive to run in the CI.

[amilbcahat]

Yes, I prefer the tests to be part of the PR. However, is it possible to configure a single instance of Kafka to work with different auth-n methods, or do we need to spin different Kafka container for each auth flavor? The latter is much more expensive to run in the CI.

Yes, this is possible. We can open different listeners in the same Kafka instance to work with different types of Authentication/security protocols. Should I go ahead with implementation ?

ref: https://developer.confluent.io/courses/security/authentication-basics/#:~:text=Configuring%20Authentication%3A%20Listeners%20and%20Security%20Protocols&text=Essentially%2C%20when%20configuring%20the%20broker,authenticate%2C%20whether%20SSL%20or%20SASL_SSL.

[yurishkuro]

yes, sounds good. One broker/container, multiple listeners, multiple tests using different ports.

I would recommend not running a full test suite against each listener, only some basic write/read tests.

[amilbcahat]

yes, sounds good. One broker/container, multiple listeners, multiple tests using different ports.

I would recommend not running a full test suite against each listener, only some basic write/read tests.

Sure, I will keep in mind

[amilbcahat]

Hi @yurishkuro, As we discussed, I have added -

1. Two Integration tests, for SASL Plaintext + TLS and SASL Plaintext + no TLS
2. Added the changes to include the flow in CI execution

To test these changes -

1. Go to - ./scripts/e2e/kafka.sh
2. Change jaeger_version to v1
3. Run kafka.sh file

Alternatively you can run specific integration test as well -

go test -v github.com/jaegertracing/jaeger/internal/storage/integration -run TestKafkaStorageWithSASLSSLPlaintext (need to setup the docker container first though and required certs as well)

[amilbcahat]

@yurishkuro Can you review this , please.

[yurishkuro]

why do we need a separate zookeeper, especially for a single-node cluster? it just makes the CI longer to start

[amilbcahat]

Yes, you are right, I have removed zookeeper in my latest commit and used Kraft with Kafka instead

[yurishkuro]

why not 9093?

[amilbcahat]

Changed to 9093

[yurishkuro]

how critical is it to generate cert for the test? We already have working certs used in other parts of unit tests

./pkg/config/tlscfg/testdata/example-server-cert.pem
./pkg/config/tlscfg/testdata/example-CA-cert.pem
./pkg/config/tlscfg/testdata/example-server-key.pem
./pkg/config/tlscfg/testdata/example-client-key.pem
./pkg/config/tlscfg/testdata/wrong-CA-cert.pem
./pkg/config/tlscfg/testdata/example-client-cert.pem

[amilbcahat]

I did try with these certs , but SASL + SSL would require certs generated with IP SANS information specified, these certs dont have it. But you are right, generating certs again and again is unnecessary... So I have generated the certs with IP Sans info and kept all the certs for this integration test at path -
pkg/config/tlscfg/testdata/kafka-certs , and removed the code for generating/cleaning up certs, in kafka.sh

[yurishkuro]

certs generated with IP SANS information specified

Why do we need this, isn't there skipVerify option that ignores the host address? And how can you pre-generate IP SANS if you don't know which IP the server will be running in the CI?

[amilbcahat]

Yes you right, I missed that ... added the flag now. Now it will just use the previous testdata. We need JKS format , so I have generated those through the testdata provided at -
internal/config/tlscfg/testdata, and used the same in kafka's docker compose file.

[amilbcahat]

@yurishkuro Please review the changes made

[yurishkuro]

your change has merge conflicts that need to be resolved

[yurishkuro]

these last two files have no changes. please git checkout main $file to restore them

[amilbcahat]

Done

[yurishkuro]

not necessary, you can assign config.TLS = tlsCfg inside if()

[amilbcahat]

Done

[yurishkuro]

don't you need this?

[amilbcahat]

No, we don't need this. The tests are already passing without this, indicating the current implementation handles this case correctly.

[amilbcahat]

@yurishkuro Have removed the binary files... kafka.sh now has the code to generate it on each run. Please review the PR, and sorry for delay

please do not commit binary files. If there are not available in the source form then it's better to regenerate on each run

[yurishkuro]

I don't understand the need for these changes. Some of them just saying the same thing in reverse

[amilbcahat]

You're right about the PROCESS_ROLES reordering from controller,broker to broker,controller is purely cosmetic. I have reverted that.

However, the other changes are functionally required because we're adding SSL and SASL authentication support to our Kafka integration tests. Here's why:

1. New Test Requirements:
   Our integration test suite now includes TestKafkaStorageWithSASLSSLPlaintext and TestKafkaStorageWithSASLPlaintext
   These tests require different connection types: basic plaintext, SASL with SSL, and SASL without SSL
   Each needs its own listener and port
2. Port Changes Were Mandatory:
   Port 9093 was needed for SASL_SSL connections (test requirement)
   Had to move controller to port 9096 to avoid conflict
   Port 9095 added for SASL_PLAINTEXT connections
3. The 'Redundant' Security Protocol Map:
   SASL_SSL:SASL_SSL,SASL_PLAINTEXT:SASL_PLAINTEXT

This isn't redundant - Kafka requires explicit mapping of each listener to its security protocol
Without these mappings, Kafka doesn't know how to handle the new connection types
4. SSL/SASL Configuration:
All the SSL keystore and SASL authentication settings support the kafka.sh script that generates certificates and runs the secure connection tests
The NODE_ID change from 0→1 was needed because NODE_ID=0 failed to start with our specific multi-listener configuration, while NODE_ID=1 works.

[yurishkuro]

there is a lot of redundancy here, please DRY

[amilbcahat]

Done

[yurishkuro]

where is it?

[amilbcahat]

It was at internal/config/tlscfg/testdata/gen-certs.sh, but have removed that if check now, as the .pem files were already checked in.

[yurishkuro]

these files are checked in, why wouldn't they exist?

[amilbcahat]

Yes you are right. I have removed this if check now.

[yurishkuro]

@mahadzaryab1 can you review?