feat(lambda-event-sources): add rootCACertificate to SelfManagedKafkaEventSource#21422
feat(lambda-event-sources): add rootCACertificate to SelfManagedKafkaEventSource#21422mergify[bot] merged 5 commits intoaws:mainfrom WtfJoke:addEncryptionParameterToSelfManagedKafka
rootCACertificate to SelfManagedKafkaEventSource#21422Conversation
|
|
property to SelfManagedKafkaEventSource Co-authored-by: abks90 <alexander.backes@codecentric.de> Co-authored-by: ccoltx <59687842+ccoltx@users.noreply.github.com>
TheRealAmazonKendra
left a comment
There was a problem hiding this comment.
Before we can provide a meaningful review we need the following:
- Please make sure that your PR title confirms to the conventional commit standard (fix, feat, chore) and that it is written in a style that will reflect correctly in the change log (See Contributing Guide, Pull Requests)
- Please make sure that your PR body describes the problem the PR is solving, and the design approach and alternatives considered. Explain why the PR solves the problem. A link to an issue is helpful, but does not replace an explanation of your thought process (See Contributing Guide, Pull Requests)
- Please add integration tests for this change. PRs with changes that are not statically guaranteed by the type system must have tests to make sure that (a) the new behavior works as intended and (b) it is not accidentally undone by future changes (See Contributing Guide, Work Your Magic).
|
Thank you for taking a first look at our PR. Regarding integration tests: I would appreciate if you could guide me here in the right direction. |
|
Thanks for giving this a go @WtfJoke ! We have specific docs for integration tests, but it looks like you've found them already. Regarding the issue of the the failing integration test. With your branch I'm getting the following error. Is that the one you see as well? How come we need a custom Kafka cluster running to deploy this? |
Pull request has been modified.
|
@mrgrain Thanks! I havent seen the error when I did that yesterday 🙈 . So I was assuming that part of the deployment (eg. creation of the trigger) would try to connect to the kafka broker as well. But luckily that isnt the case and it was just that the secrets werent filled. Now that the secrets have the required content the integration test worked :) |
|
I need clarification on a few things because I think our contract here is kind of rough and I'm having trouble understanding some of it. Full disclosure, I've never used Kafka so this is just going from the documentation, not my own user experience.
If the answer to both is yes, I'm think this takes the wrong approach. I would think we should add |
There was a problem hiding this comment.
@TheRealAmazonKendra How I understand it is that the root CA certificate in encryption is used in addition to any of the authentication methods [1]. Furthermore SourceAccessConfigurationType.SERVER_ROOT_CA_CERTIFICATE is coming in as a requirement from the AWS::Lambda::EventSourceMapping SourceAccessConfiguration definition.
If my understanding is correct, I'm basically happy with the current approach. There's a few things I'm not sure about:
- Is
encryptionthe right name for this property if what it represents is aSERVER_ROOT_CA_CERTIFICATE?
It seems likeencryptionis used in the UI andSERVER_ROOT_CA_CERTIFICATEis used in Cfn and the APIs. I'm not decided yet which conveys the meaning better. Currently I lean towards something likerootCaCertificate. But keen to hear other opinions and see prior art in the AWS CDK. - Can we fix the existing fuzzy contract about when
authenticationMethodsecretandencryptionare used or not? At least the docstrings should be improved. - We don't seem to support
CLIENT_CERTIFICATE_TLS_AUTHat the moment at all. This might be better as a follow up PR though.
[1] Technically as per the docs it doesn't apply to all authentication methods, but to the following list: "This setting applies to TLS encryption for SASL/SCRAM or SASL/PLAIN, and to mTLS authentication." That's all of them unless we're in a VPC. I guess we could proactively check if authentication is in the list and throw otherwise. However our existing contract is slightly off at the moment already. We say authenticationMethod is optional and defaults to AuthenticationMethod.SASL_SCRAM_512_AUTH. But in reality it's only used if secret is set.
Exactly this. At least thats also my understanding and suits to my limited testing.
Appreciate the transparency :) I use Kafka, but im not really familiar with all the possible authentication methods.
Yeah I'll agree here. encryption is not really a good name. I've choosen it simply for the fact that its called like that in the UI and it was already confusing enough that the authentication methods secret is simply called secret (which is a bit misleading imho). TLDR: My personal favorite name currently is
Can you please elaborate a bit more on that @mrgrain?
In our company we use exactly this combination. CLIENT_CERTIFICATE_TLS_AUTH + rootCA and it works (using the workaround by using eventsourcemapping instead of selfhostedkafkaprops).
Yes. Also secret is required if you arent in a vpc. |
|
Oof. I kind of hate their contract for this (not your implementation, this does the best it can with a bad contract). I'll leave the rest of the reviewing of this one to @mrgrain since it sounds like he has a much better understanding of this than me. Thanks for all the clarifications on this. What I will say, however, is that if you have an idea for a better overall contract and it's breaking change, put it under a feature flag and we'll gladly take a look at it. Personally, I'd prefer to create a better user experience that requires a feature flag than the kind of wonky contract required for updating this without breaking changes. If you and @mrgrain disagree, however, I'll defer to your judgement. |
|
Let's got with
Yes that's exactly what I meant.
I do as well, but I also like small single purpose PRs. I vote we get this one over the line. If you or anyone else would like to tackle the wonky contract and/or CLIENT_CERTIFICATE_TLS_AUTH in separate PRs, we will definitely look at them though. |
|
@WtfJoke Looks like something messed up the tests. Once that's resolved I think we are good to go. |
Co-authored-by: Momo Kornher <mail@moritzkornher.de>
|
Lets see if the build turns green now. Some rough thoughts about how improve the usability (with breaking change/feature flag).... That might improve the situation/usability. We also can take this up to a new PR. I dont know how you handle breaking changes/feature flags. |
rootCACertificate to SelfManagedKafkaEventSource
Let's take those improvements to a new PR. First please open an issue for it so we can discuss further there. @mrgrain and I both think this is good to go and my gripe is with their contract, not yours. So, let's merge this and then go from there if you're interested in making this a better user experience. We really appreciate all your work on this. Thanks for taking on this issue! |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…ret` Follow up to #21422 Type was missed there.
…ret` (#21555) Follow up to #21422 Type was missed there. ---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Unconventional Dependencies: * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) ### New Features * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: @abks90 alexander.backes@codecentric.de
Co-authored-by: @ccoltx 59687842+ccoltx@users.noreply.github.com
Description
In AWS its possible to configure a self hosted Kafka as an eventsource for a Lambda, described here.
Optional its possible to choose to reference the root certificate (CA) secret in the field encryption (see below screenshot
4.h)).However in CDK in the SelfManagedKafkaEventSourceProps of SelfManagedKafkaEventSource its not possible to specify that encryption secret. Its only possible to specify a secret for the also optional authentication field.
This PR add the possibly to specify the encryption secret to reference a root ca for self signed certificates in SelfManagedKafkaEventSource.
Screenshot of docs explaining how to set secret for root ca (field encryption)
Screenshot of aws console, where the field encryption is visible while adding a self hosted kafka as lambda eventsource trigger
Technical Approach
We started by adding a test (extending the
kafka.test.ts) which allows to pass an optional propertyencryptionof type secret.In case this property is set, we add it to the sourceAccessConfiguration in the AWS::Lambda::EventSourceMapping.
As a small bonus we also added the missing static variable for
SERVER_ROOT_CA_CERTIFICATEin the classSourceAccessConfigurationTypewith the value taken from this documented list of possible valuesAll Submissions:
Adding new Unconventional Dependencies:
New Features
yarn integto deploy the infrastructure and generate the snapshot (i.e.yarn integwithout--dry-run)?By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license