Added Dynamic Cert Generation and resolved other comments

amol-verma-allen · amol-verma-allen · commit 893922a4220f · 2025-06-18T01:21:21.000+05:30
diff --git a/docker-compose/kafka/v3/docker-compose.yml b/docker-compose/kafka/v3/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "3"
 services:
   kafka:
-    image: bitnami/kafka:3.9.0
+    image: bitnami/kafka:3.9.0@sha256:55df55bfc7ed5980447387620afa3498eab3985a4d8c731013d82b3fa8b43bff
     user: "0:0" # Run as root to avoid permission issues
     ports:
       - "9092:9092"
diff --git a/internal/config/tlscfg/testdata/kafka.keystore.jks b/internal/config/tlscfg/testdata/kafka.keystore.jks
diff --git a/internal/config/tlscfg/testdata/kafka.truststore.jks b/internal/config/tlscfg/testdata/kafka.truststore.jks
diff --git a/internal/storage/integration/kafka_test.go b/internal/storage/integration/kafka_test.go
@@ -338,4 +338,4 @@ func TestKafkaStorageWithSASLPlaintext(t *testing.T) {
 	s := &KafkaIntegrationTestSuite{}
 	s.initializeWithSASLPlaintext(t)
 	t.Run("GetTrace", s.testGetTrace)
-}
+}
diff --git a/internal/storage/kafka/auth/config.go b/internal/storage/kafka/auth/config.go
@@ -84,25 +84,22 @@ func (config *AuthenticationConfig) InitFromViper(configPrefix string, v *viper.
 	config.Kerberos.KeyTabPath = v.GetString(configPrefix + kerberosPrefix + suffixKerberosKeyTab)
 	config.Kerberos.DisablePAFXFast = v.GetBool(configPrefix + kerberosPrefix + suffixKerberosDisablePAFXFAST)
 
-	// Initialize TLS config with default values
-	var tlsCfg configtls.ClientConfig
-
 	// For TLS authentication or when TLS is enabled, process TLS options
 	if config.Authentication == tls || v.GetBool(configPrefix+".tls.enabled") {
 		tlsClientConfig := tlscfg.ClientFlagsConfig{
 			Prefix: configPrefix,
 		}
 		var err error
-		tlsCfg, err = tlsClientConfig.InitFromViper(v)
+		tlsCfg, err := tlsClientConfig.InitFromViper(v)
 		if err != nil {
 			return fmt.Errorf("failed to process Kafka TLS options: %w", err)
 		}
 		// Set IncludeSystemCACertsPool to true for TLS authentication
 		tlsCfg.IncludeSystemCACertsPool = (config.Authentication == tls)
 		tlsCfg.Insecure = false
-	}
 
-	config.TLS = tlsCfg
+		config.TLS = tlsCfg
+	}
 
 	config.PlainText.Username = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextUsername)
 	config.PlainText.Password = v.GetString(configPrefix + plainTextPrefix + suffixPlainTextPassword)
diff --git a/internal/storage/kafka/auth/tls.go b/internal/storage/kafka/auth/tls.go
@@ -24,4 +24,3 @@ func setTLSConfiguration(config *configtls.ClientConfig, saramaConfig *sarama.Co
 	}
 	return nil
 }
-
diff --git a/scripts/e2e/kafka.sh b/scripts/e2e/kafka.sh
@@ -6,7 +6,7 @@
 set -euf -o pipefail
 
 compose_file=""
-jaeger_version="v2"
+jaeger_version="v1"
 kafka_version="v3"
 manage_kafka="true"
 success="false"
@@ -54,6 +54,62 @@ parse_args() {
   compose_file="docker-compose/kafka/${kafka_version}/docker-compose.yml"
 }
 
+generate_jks_files() {
+  local cert_dir="internal/config/tlscfg/testdata"
+  local password="kafkapass123"
+  
+  echo "Generating Kafka JKS files..."
+  
+  # Check if PEM files exist
+  if [[ ! -f "${cert_dir}/example-CA-cert.pem" || ! -f "${cert_dir}/example-server-cert.pem" || ! -f "${cert_dir}/example-server-key.pem" ]]; then
+    echo "PEM certificate files not found. Generating certificates first..."
+    cd "${cert_dir}"
+    ./gen-certs.sh
+    cd - > /dev/null
+  fi
+  
+  # Remove existing JKS files if they exist
+  rm -f "${cert_dir}/kafka.keystore.jks"
+  rm -f "${cert_dir}/kafka.truststore.jks"
+  
+  # Create temporary PKCS12 file from server certificate and key
+  local temp_p12="${cert_dir}/temp-server.p12"
+  
+  # Generate PKCS12 keystore from server certificate and private key
+  openssl pkcs12 -export \
+    -in "${cert_dir}/example-server-cert.pem" \
+    -inkey "${cert_dir}/example-server-key.pem" \
+    -out "${temp_p12}" \
+    -name kafka \
+    -passout pass:${password}
+  
+  # Convert PKCS12 to JKS keystore
+  keytool -importkeystore \
+    -deststorepass ${password} \
+    -destkeypass ${password} \
+    -destkeystore "${cert_dir}/kafka.keystore.jks" \
+    -srckeystore "${temp_p12}" \
+    -srcstoretype PKCS12 \
+    -srcstorepass ${password} \
+    -alias kafka \
+    -noprompt
+  
+  # Create truststore with CA certificate
+  keytool -import \
+    -alias caroot \
+    -file "${cert_dir}/example-CA-cert.pem" \
+    -keystore "${cert_dir}/kafka.truststore.jks" \
+    -storepass ${password} \
+    -noprompt
+  
+  # Clean up temporary file
+  rm -f "${temp_p12}"
+  
+  echo "JKS files generated successfully:"
+  echo "  - ${cert_dir}/kafka.keystore.jks"
+  echo "  - ${cert_dir}/kafka.truststore.jks"
+}
+
 setup_kafka() {
   echo "Starting Kafka using Docker Compose..."
   docker compose -f "${compose_file}" up -d kafka
@@ -119,6 +175,7 @@ main() {
   set -x
 
   if [[ "$manage_kafka" == "true" ]]; then
+    generate_jks_files
     setup_kafka
     trap 'teardown_kafka' EXIT
   fi
@@ -129,4 +186,4 @@ main() {
   success="true"
 }
 
-main "$@"
+main "$@"

Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,3 @@ func setTLSConfiguration(config configtls.ClientConfig, saramaConfig sarama.Co`
`24`	`24`	`}`
`25`	`25`	`return nil`
`26`	`26`	`}`
`27`		`-`