fix(kafka): improve TLS and plaintext auth configuration

- Fix TLS configuration initialization for Kafka auth
- Add proper handling of system CA certs pool
- Set secure defaults for TLS configuration
- Remove redundant code comments

Signed-off-by: Amol Verma <[email protected]>
Signed-off-by: Amol Verma <[email protected]>

pkg/kafka/auth/config.go

@@ -47,6 +47,10 @@ func (config *AuthenticationConfig) SetConfiguration(saramaConfig *sarama.Config
 		if err := setTLSConfiguration(&config.TLS, saramaConfig, logger); err != nil {
 			return err
 		}
+		// saramaConfig.Net.TLS.Config.InsecureSkipVerify = true
+		// if config.Authentication == tls {
+		//     return nil
+		// }
 	}
 
 	switch authentication {
@@ -84,12 +88,9 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper.
 		if err != nil {
 			return fmt.Errorf("failed to process Kafka TLS options: %w", err)
 		}
+		tlsCfg.IncludeSystemCACertsPool = (config.Authentication == tls)
+		tlsCfg.Insecure = false
 		config.TLS = tlsCfg
-	} else {
-		// Explicitly set TLS to insecure when disabled
-		config.TLS = configtls.ClientConfig{
-			Insecure: true,
-		}
 	}
 
 	config.PlainText.Username = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextUsername)

pkg/kafka/auth/tls.go

@@ -13,12 +13,14 @@ import (
 )
 
 func setTLSConfiguration(config *configtls.ClientConfig, saramaConfig *sarama.Config, _ *zap.Logger) error {
-	tlsConfig, err := config.LoadTLSConfig(context.Background())
-	if err != nil {
-		return fmt.Errorf("error loading tls config: %w", err)
-	}
+	if !config.Insecure {
+		tlsConfig, err := config.LoadTLSConfig(context.Background())
+		if err != nil {
+			return fmt.Errorf("error loading tls config: %w", err)
+		}
 
-	saramaConfig.Net.TLS.Enable = true
-	saramaConfig.Net.TLS.Config = tlsConfig
+		saramaConfig.Net.TLS.Enable = true
+		saramaConfig.Net.TLS.Config = tlsConfig
+	}
 	return nil
 }