Internal Kafka clients should do TLS hostname verification except Nodeports

[see-quick]

Signed-off-by: see-quick [email protected]

Type of change

• Bugfix

Description

Currently, our internal Kafka clients do not perform TLS hostname verification on all possible Kubernetes listeners. This PR solves #7518 and enables TLS hostname verification and also disables it in situations where we do not want to execute it (e.g., when we use Nodeport listener, because it does not support TLS hostname verification on ports).

Checklist

• Make sure all tests pass

[see-quick]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[scholzj]

Same here ... Why does this use Node port listener here?

[see-quick]

The producer fails on this error:

eadyOps=0] SSL Handshake failed
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.168.0.226 found
	at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:291) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]

[scholzj]

I'm not wondering about the disabling of it. I'm wondering why does this use node-ports in the first place as it seems unnecessary.

[see-quick]

I am not sure...you mean we should rather produce messages to the internal listener instead of producing them via external NodePort?

Because these test cases currently do the following:

1. Create a bridge consumer to receive messages from the external listener (NodePort)
2. Create a producer to produce messages via the same listener (NodePort)

So should we modify the second point to use an internal listener instead of an external one?

[scholzj]

Yeah, I think we should think about what the purpose of the test is. i mean I can approve this and we can merge it. But we should look into that in some separate PR - what exactly does this bring us.

[im-konge]

IIRC reason why we are using external producer etc. was because at the time I was writing those "weird username tests", there were no possibilities to use internal clients - as they didn't allow any username to be longer than some number of characters and it shouldn't contain any special characters.

External clients are allowing it.

TBH I don't remember the exact reason why we went this way - maybe there was a different reason, but I guess we can rewrite those test to use our test-clients.

But the rewriting itself should be for a different PR.

[see-quick]

Yeah, I think we should think about what the purpose of the test is.

I agree, we definitely could do an investigation into such test cases and find out if they are necessary. :) I can create an issue for that.

[see-quick]

btw it seems that a few test cases are failing in ListenersST due to the TLS hostname verification...with following errror:

Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching my-cluster-82bc9931-kafka-bootstrap found.
	at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:353) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:296) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:291) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
	at java.security.AccessC

I am surprised about that because the client (producer) is configured to use an internal TLS listener and not Nodeport...

[see-quick]

Update: I have managed to solve issue with the latest commit :)

[see-quick]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[see-quick]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[see-quick]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[see-quick]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[see-quick]

I noticed that the test case testCaRenewalBreakInMiddle is failing for some reason. (but it is not related to my PR). I can create issue for fixing that test case :).

[see-quick]

/azp run regression

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).