Create KafkaCredentialStore #530

agustafson · 2021-02-14T21:44:42Z

Fix for #521

Moving the code in https://github.com/ovotech/ciris-aiven-kafka for credential loading.

Example code using ciris would now be:

def loadKafkaSetup[F[_]: Async: ContextShift]: Resource[F, KafkaCredentialStore] = {
  implicit val stringClientPrivateKeyConfigDecoder: ConfigDecoder[String, ClientPrivateKey] =
    ConfigDecoder.identity[String].mapOption("ClientPrivateKey") {
      ClientPrivateKey(_).toOption
    }
  implicit val stringClientCertificateConfigDecoder: ConfigDecoder[String, ClientCertificate] =
    ConfigDecoder.identity[String].mapOption("ClientCertificate") {
      ClientCertificate(_).toOption
    }
  implicit val stringServiceCertificateConfigDecoder: ConfigDecoder[String, ServiceCertificate] =
    ConfigDecoder.identity[String].mapOption("ServiceCertificate") {
      ServiceCertificate(_).toOption
    }

  Blocker[F].evalMap { blocker =>
    (
      env("KAFKA_CLIENT_PRIVATE_KEY").as[ClientPrivateKey],
      env("KAFKA_CLIENT_CERT").as[ClientCertificate],
      env("KAFKA_SERVER_CERT").as[ServiceCertificate]
    ).parTupled.load[F].flatMap {
      case (clientPrivateKey, clientCertificate, serviceCertificate) =>
        KafkaCredentialStore[F](clientPrivateKey, clientCertificate, serviceCertificate, blocker)
    }
  }
}

LMnet · 2021-02-15T03:41:07Z

modules/core/src/main/scala/fs2/kafka/security/package.scala

+import java.security.MessageDigest
+import scala.annotation.tailrec
+
+package object security {


Maybe we could consider moving it to a separate module?

Thanks @LMnet, I did wonder about that. It just seemed like it wasn't that separate from the core. Happy to move it out if that's what people want 👍

Actually, this code is blatantly copied from Secret in ciris. Perhaps it should be its own library, because I'm sure I've seen code very similar to this in a few different places.

I initially agreed with @LMnet, but I think it's better to keep it in the same module so we can have the withCredentials helpers on the settings classes.

bplommer · 2021-02-15T11:32:20Z

Thanks for this! I'll take a look soon

docs/src/main/mdoc/certificates.md

modules/core/src/main/scala/fs2/kafka/security/TrustStoreFile.scala

Co-authored-by: Ben Plommer <ben.plommer@gmail.com>

… *Settings

modules/vulcan/src/main/scala/fs2/kafka/vulcan/AvroSettings.scala

modules/vulcan/src/main/scala/fs2/kafka/vulcan/SchemaRegistryClientSettings.scala

bplommer · 2021-02-22T16:42:23Z

I assume you're happy for this code to be copied over @vlovgr?

vlovgr · 2021-02-25T08:10:25Z

I assume you're happy for this code to be copied over @vlovgr?

Absolutely. 👍

bplommer · 2021-03-01T13:26:30Z

Kafka 2.7.0 adds support for textual SSL credentials, so we may not need this after all: apache/kafka#9345

agustafson · 2021-03-08T10:00:20Z

Kafka 2.7.0 adds support for textual SSL credentials, so we may not need this after all: apache/kafka#9345

Happy to adapt this PR so that it can handle textual SSL creds or the code in this PR, if that would help

…tSettings

bplommer · 2021-03-08T10:56:27Z

Happy to adapt this PR so that it can handle textual SSL creds or the code in this PR, if that would help

Thanks, that would be great! I guess you saw the snippet I posted on Slack, but if not here it is:

consumerSettings
  .withProperties(Map(
  "security.protocol" -> "SSL",
  "ssl.truststore.type" -> "PEM",
  "ssl.truststore.certificates" ->
    """
      -----BEGIN CERTIFICATE-----
      // CA certificate
      -----END CERTIFICATE-----
      |""".replace('\n', ' '),
  "ssl.keystore.type" -> "PEM",
  "ssl.keystore.key" -> 
    """
      -----BEGIN PRIVATE KEY-----
      // access key
      -----END PRIVATE KEY-----""".replace('\n', ' ')
    ,
  "ssl.keystore.certificate.chain" -> 
    """
      -----BEGIN CERTIFICATE-----
      // access certificate
      -----END CERTIFICATE-----
    """.replace('\n', ' ')
))

agustafson · 2021-03-08T11:05:40Z

Happy to adapt this PR so that it can handle textual SSL creds or the code in this PR, if that would help

Thanks, that would be great! I guess you saw the snippet I posted on Slack, but if not here it is:

consumerSettings
  .withProperties(Map(
  "security.protocol" -> "SSL",
  "ssl.truststore.type" -> "PEM",
  "ssl.truststore.certificates" ->
    """
      -----BEGIN CERTIFICATE-----
      // CA certificate
      -----END CERTIFICATE-----
      |""".replace('\n', ' '),
  "ssl.keystore.type" -> "PEM",
  "ssl.keystore.key" -> 
    """
      -----BEGIN PRIVATE KEY-----
      // access key
      -----END PRIVATE KEY-----""".replace('\n', ' ')
    ,
  "ssl.keystore.certificate.chain" -> 
    """
      -----BEGIN CERTIFICATE-----
      // access certificate
      -----END CERTIFICATE-----
    """.replace('\n', ' ')
))

Cool, I'll add a few String-based methods and see how it looks

bplommer · 2021-04-01T10:11:25Z

I haven’t forgotten about this! I’ll get to it this weekend.

bplommer · 2021-04-05T10:44:19Z

I don't think Pkcs12KafkaCredentialStore is needed now that we have PemKafkaCredentialStore - I'm going to edit the PR to remove it assuming that's ok with you.

agustafson added 7 commits February 14, 2021 20:56

Create KafkaCredentialStore

2f7f4f0

Add certificates.md

e206794

certificates.md: add title and id

39e0330

certificates.md: fix docs using fromString methods

8894492

Add headers

ffe9c4b

Merge branch 'master' into certificate-loading

349bf03

scalafmt

ee2a052

LMnet reviewed Feb 15, 2021

View reviewed changes