From 704309d19fa25944c6b0d33794e89bcef6d5fecd Mon Sep 17 00:00:00 2001 From: Jakob van Santen Date: Fri, 2 Jun 2023 14:05:34 +0200 Subject: [PATCH 1/3] Raise auth errors on topic and group rather than silently failing --- group.go | 4 +++- topic.go | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/group.go b/group.go index 79fba43..fa6c930 100644 --- a/group.go +++ b/group.go @@ -323,7 +323,9 @@ func (cmd *groupCmd) saramaConfig() *sarama.Config { cfg.ClientID = "kt-group-" + sanitizeUsername(usr.Username) cmd.infof("sarama client configuration %#v\n", cfg) - setupAuth(cmd.auth, cfg) + if err = setupAuth(cmd.auth, cfg); err != nil { + failf("failed to setup auth err=%v", err) + } return cfg } diff --git a/topic.go b/topic.go index 26ccfcf..5c87397 100644 --- a/topic.go +++ b/topic.go @@ -147,7 +147,9 @@ func (cmd *topicCmd) connect() { cfg.ClientID = "kt-topic-" + sanitizeUsername(usr.Username) cmd.infof("sarama client configuration %#v\n", cfg) - setupAuth(cmd.auth, cfg) + if err = setupAuth(cmd.auth, cfg); err != nil { + failf("failed to setup auth err=%v", err) + } if cmd.client, err = sarama.NewClient(cmd.brokers, cfg); err != nil { failf("failed to create client err=%v", err) From 125c070e3811b012b1c33c893264fbf22ad8c525 Mon Sep 17 00:00:00 2001 From: Jakob van Santen Date: Fri, 2 Jun 2023 14:10:02 +0200 Subject: [PATCH 2/3] Honor ca-certificate in 1-way TLS This lets you use kt with unauthenticated clusters exposed via a k8s ingress, e.g. as deployed by strimzi --- README.md | 7 ++++++- common.go | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 97a2fb4..e6c66c5 100644 --- a/README.md +++ b/README.md @@ -283,11 +283,16 @@ Required fields: - `mode`: This needs to be set to `TLS-1way` +Optional fields: + + - `ca-certificate`: Path to your CA certificate + + Example: { - "mode": "TLS-1way", + "mode": "TLS-1way" } ### Other modes diff --git a/common.go b/common.go index d8fa054..7a7f5b3 100644 --- a/common.go +++ b/common.go @@ -238,6 +238,26 @@ func setupSASL(auth authConfig, saramaCfg *sarama.Config) error { func setupAuthTLS1Way(auth authConfig, saramaCfg *sarama.Config) error { saramaCfg.Net.TLS.Enable = true saramaCfg.Net.TLS.Config = &tls.Config{} + + if auth.CACert == "" { + return nil + } + + caString, err := ioutil.ReadFile(auth.CACert) + if err != nil { + return fmt.Errorf("failed to read ca-certificate err=%v", err) + } + + caPool := x509.NewCertPool() + ok := caPool.AppendCertsFromPEM(caString) + if !ok { + failf("unable to add ca-certificate at %s to certificate pool", auth.CACert) + } + + tlsCfg := &tls.Config{RootCAs: caPool} + tlsCfg.BuildNameToCertificate() + + saramaCfg.Net.TLS.Config = tlsCfg return nil } From 5ccc515a765651626b5d0731b073e96c2a722087 Mon Sep 17 00:00:00 2001 From: Jakob van Santen Date: Fri, 8 Sep 2023 13:13:36 +0200 Subject: [PATCH 3/3] Allow relative paths in kt-auth.json --- common.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/common.go b/common.go index 7a7f5b3..9767dfa 100644 --- a/common.go +++ b/common.go @@ -9,6 +9,7 @@ import ( "io/ioutil" "math/rand" "os" + "path/filepath" "regexp" "strings" "syscall" @@ -291,6 +292,12 @@ func setupAuthTLS(auth authConfig, saramaCfg *sarama.Config) error { return nil } +func qualifyPath(argFN string, target *string) { + if *target != "" && !filepath.IsAbs(*target) { + *target = filepath.Join(filepath.Dir(argFN), *target) + } +} + func readAuthFile(argFN string, envFN string, target *authConfig) { if argFN == "" && envFN == "" { return @@ -309,4 +316,8 @@ func readAuthFile(argFN string, envFN string, target *authConfig) { if err := json.Unmarshal(byts, target); err != nil { failf("failed to unmarshal auth file err=%v", err) } + + qualifyPath(fn, &target.CACert) + qualifyPath(fn, &target.ClientCert) + qualifyPath(fn, &target.ClientCertKey) }