Add support for SASL and SSL

[pierDipi]

Fixes #368

This PR adds support for SASL and SSL.

A KafkaSink or a Broker enables SASL and SSL by adding a reference to a secret, like:

# broker config ConfigMap
auth.secret.ref.name: my-secret

# KafkaSink spec
spec:
  auth:
    secret:
      ref:
        name: my-secret

# Or
spec:
  auth.secret.ref.name: my-secret

The referenced secret format is documented in our proto definition and E2E tests contain all possible formats, see test/e2e/broker_sasl_ssl_test.go

Proposed Changes

• Add support for SASL and SSL

Release Note

Add support for SASL and SSL.

Docs

• TODO User documentation

/kind enhancement

[codecov]

Codecov Report

Merging #534 (03e7068) into master (0a76189) will decrease coverage by 5.07%.
The diff coverage is 80.21%.

@@             Coverage Diff              @@
##             master     #534      +/-   ##
============================================
- Coverage     76.96%   71.88%   -5.08%     
- Complexity      269      362      +93     
============================================
  Files            59       71      +12     
  Lines          1984     2586     +602     
  Branches         82      121      +39     
============================================
+ Hits           1527     1859     +332     
- Misses          342      583     +241     
- Partials        115      144      +29     

Flag	Coverage Δ	Complexity Δ
java-unittests	79.11% <85.77%> (+1.16%)	0.00 <95.00> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ	Complexity Δ
...nting/kafka/broker/core/security/AuthProvider.java	0.00% <0.00%> (ø)	0.00 <0.00> (?)
...knative/eventing/kafka/broker/dispatcher/Main.java	0.00% <0.00%> (ø)	0.00 <0.00> (ø)
...v/knative/eventing/kafka/broker/receiver/Main.java	0.00% <0.00%> (ø)	0.00 <0.00> (ø)
...fka/broker/core/security/PlaintextCredentials.java	25.00% <25.00%> (ø)	2.00 <2.00> (?)
control-plane/pkg/reconciler/base/reconciler.go	5.45% <28.57%> (ø)	0.00 <0.00> (?)
.../eventing/kafka/broker/receiver/RequestMapper.java	92.62% <42.85%> (-3.07%)	17.00 <0.00> (+1.00)	⬇️
control-plane/pkg/reconciler/kafka/admin.go	63.63% <50.00%> (-11.37%)	0.00 <0.00> (ø)
.../core/reconciler/impl/ResourcesReconcilerImpl.java	86.20% <50.00%> (-0.64%)	41.00 <0.00> (+1.00)	⬇️
control-plane/pkg/security/config.go	53.33% <53.33%> (ø)	0.00 <0.00> (?)
control-plane/pkg/security/scram.go	63.63% <63.63%> (ø)	0.00 <0.00> (?)
... and 31 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0a76189...9836bf6. Read the comment docs.

[pierDipi]

The linter complains about the generated code.

[pierDipi]

/kind api-change

[pierDipi]

/retest

[pierDipi]

Unrelated
/test pull-knative-sandbox-eventing-kafka-broker-integration-tests

[pierDipi]

/test pull-knative-sandbox-eventing-kafka-broker-integration-tests

[pierDipi]

/test pull-knative-sandbox-eventing-kafka-broker-integration-tests

[pierDipi]

/test pull-knative-sandbox-eventing-kafka-broker-integration-tests
#537

[matzew]

/assign

I will do a review on Friday

[slinkydeveloper]

This is going in the right direction. I left some style comments and a bunch of questions, but I look forward to the @matzew review, he has better knowledge about sasl/tls than me

[slinkydeveloper]

Why that? Can't you just invoke OnDeleteObserver in the FinalizeKind of the broker reconciler?

[pierDipi]

I started with your proposed approach and then migrated to this one since this is the way used in other places in eventing.
ATM, they should be equivalent.
However, given this issue: knative/pkg#1956, I think it's safer to call it regardless of being the leader or not.

[slinkydeveloper]

Can you add a TODO, in order to remember in future that we need to port this code to FinalizeKind after pkg#1956 is solved? The FinalizeKind approach is still more idiomatic

[pierDipi]

For example:
time 1: p is the leader for x -> reconcile x
time 2: p is not the leader for x anymore
time 3: delete x
time 4: no FinilizeKind called on x in p (this is a leak)

Calling it outside FinalizeKind makes sure that the reconciler doesn't leak.

Example usage in serving: https://github.com/knative/serving/blob/b7a7c18bb5f6c14ae73c9dda1a817ded1ae879b0/pkg/reconciler/route/controller.go#L108-L110

[pierDipi]

ATM, they should be equivalent.

This is not true.

[slinkydeveloper]

Why that? Can't you just invoke OnDeleteObserver in the FinalizeKind of the broker reconciler?

[pierDipi]

Same as the other comment.

[knative-metrics-robot]

The following is the coverage report on the affected files.
Say /test pull-knative-sandbox-eventing-kafka-broker-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
control-plane/pkg/apis/eventing/v1alpha1/kafka_sink_types.go	66.7%	75.0%	8.3
control-plane/pkg/reconciler/base/reconciler.go	Do not exist	3.7%
control-plane/pkg/reconciler/broker/broker.go	89.4%	87.9%	-1.5
control-plane/pkg/reconciler/broker/controller.go	78.6%	81.8%	3.2
control-plane/pkg/reconciler/kafka/admin.go	87.5%	81.8%	-5.7
control-plane/pkg/reconciler/sink/auth_provider.go	Do not exist	100.0%
control-plane/pkg/reconciler/sink/controller.go	75.0%	78.9%	3.9
control-plane/pkg/reconciler/sink/kafka_sink.go	85.3%	83.5%	-1.8
control-plane/pkg/security/config.go	Do not exist	70.0%
control-plane/pkg/security/scram.go	Do not exist	72.7%
control-plane/pkg/security/secret.go	Do not exist	92.4%

[knative-prow-robot]

@pierDipi: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-knative-sandbox-eventing-kafka-broker-go-coverage	9836bf6	link	/test pull-knative-sandbox-eventing-kafka-broker-go-coverage

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[pierDipi]

/test pull-knative-sandbox-eventing-kafka-broker-integration-tests

[slinkydeveloper]

/unhold

/lgtm
/approve

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pierDipi, slinkydeveloper

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pierDipi,slinkydeveloper]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Neustradamus]

@pierDipi: Thanks a lot for all about SCRAM.

Linked to:

• State of Play scram-sasl/info#1