  1. OpenShift Autoscaling
  2. AUTOSCALE-285

Verify Kafka scaler Kerberos functionality and test it

    • Quality / Stability / Reliability

      The Kerberos functionality in CMA has never been properly tested/vetted, and we have multiple valuable customers that really want to use it, at least one of which has encountered bugs (that we are currently unable to reproduce).

      So we support it but I'm not sure we've ever proven it works, and the extent of upstream's testing was "just trust me bro" https://github.com/kedacore/keda/pull/4851#issuecomment-1668640228 There was at least one person who said it worked, and I've tested parts of it myself for customers, but we don't have a working end-to-end example or any e2e tests or anything like that that we can point at.

      We also don't have any documentation to speak of on how to set it up or use it. Upstream lists the option but that's about it. The extent of upstream's documentation is https://keda.sh/docs/2.17/scalers/apache-kafka/#your-kafka-cluster-turns-on-saslgssapi-auth-without-tls which is pretty much just "here is the list of options, good luck". 

      Why this is so unpleasant

      In order to test this, you have to: 

      • Set up a Kerberos KDC
      • Generate client keytabs + distribute them 
      • A Kafka deployment that is configured using JAAS or whatever to talk Kerberos using the generated server keytab
      • A CMA deployment with scaledObject + triggerAuthentication configured to use the generated client keytab 

      Things we know so far: 

      Kafka Images: 

      • Strimzi doesn't support Kerberos https://github.com/strimzi/strimzi-kafka-operator/issues/2570 (you might think "well maybe it works even though it's not supported", but nope, it seems to just ignore all those JAAS Kerberos config options.)
      • Bitnami's image also ignores the config options even if you supply them 
      • Confluent's image seems to work properly 

      Kerberos KDC images: 

      • Not a lot to choose from here, probably just have to
        apt-get install -y krb5-kdc krb5-admin-server krb5-config

      Done when: 

      • Kafka has been tested with Kerberos 
      • Kafka scaler has a Kerberos e2e test
      • We probably need a test to verify that kerberosDisableFAST works also
      • We at least have something to document for folks that want to try using CMA with Kerberos

              jkyros@redhat.com John Kyros
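
The client-side half of the setup listed above (a scaledObject plus triggerAuthentication using the generated client keytab), sketched as an added example that is not part of the original issue or of the KEDA project's own manifests. It assumes the parameter names from the upstream Kafka scaler page linked above; every resource name, hostname, principal and realm is a constructed placeholder.

```yaml
# Constructed example: every name, host, principal and realm is a placeholder.
apiVersion: v1
kind: Secret
metadata: {name: kafka-krb5-client, namespace: kafka-test}
stringData:
  sasl: gssapi
  tls: disable
  username: keda-client
  realm: EXAMPLE.TEST
  kerberosServiceName: kafka       # service part of the broker's principal
  kerberosDisableFAST: "true"      # run the e2e case once with this, once without
  kerberosConfig: |
    [libdefaults]
      default_realm = EXAMPLE.TEST
    [realms]
      EXAMPLE.TEST = {
        kdc = kdc.kafka-test.svc:88
      }
data:
  keytab: <base64 of the generated client keytab>
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata: {name: kafka-krb5-auth, namespace: kafka-test}
spec:
  secretTargetRef:
    - {parameter: sasl, name: kafka-krb5-client, key: sasl}
    - {parameter: tls, name: kafka-krb5-client, key: tls}
    - {parameter: username, name: kafka-krb5-client, key: username}
    - {parameter: realm, name: kafka-krb5-client, key: realm}
    - {parameter: keytab, name: kafka-krb5-client, key: keytab}
    - {parameter: kerberosConfig, name: kafka-krb5-client, key: kerberosConfig}
    - {parameter: kerberosServiceName, name: kafka-krb5-client, key: kerberosServiceName}
    - {parameter: kerberosDisableFAST, name: kafka-krb5-client, key: kerberosDisableFAST}
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata: {name: kafka-krb5-scaler, namespace: kafka-test}
spec:
  scaleTargetRef:
    name: kafka-consumer           # hypothetical consumer Deployment
  triggers:
    - type: kafka
      metadata:
        bootstrapServers: kafka.kafka-test.svc:9092
        consumerGroup: krb5-e2e-group
        topic: krb5-e2e-topic
        lagThreshold: "5"
      authenticationRef:
        name: kafka-krb5-auth
```

The keytab is the only secret value here that must stay base64-encoded under `data`, since it is binary; restrict read access to this Secret to the CMA operator's service account.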