Skip to content

Deploy a SASL_PLAIN Kafka listener & test notifications against it #2300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
delthas wants to merge 6 commits into
base: development/2.13
Choose a base branch
from
Open

Deploy a SASL_PLAIN Kafka listener & test notifications against it #2300

delthas wants to merge 6 commits into from

Conversation

@delthas
Copy link

@delthas delthas commented Dec 24, 2025

Issue: ZENKO-5106

@bert-e
Copy link
Contributor

bert-e commented Dec 24, 2025

Hello delthas,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@delthas delthas requested a review from Copilot December 24, 2025 10:52
Copilot AI reviewed Dec 24, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for testing SASL_PLAIN authenticated Kafka listeners with bucket notifications. It configures a new Kafka listener with SASL authentication and creates the necessary test infrastructure to verify notifications work with authenticated Kafka endpoints.

  • Adds a third notification destination with SASL_PLAIN authentication support
  • Configures a new Kafka listener on port 9095 with SASL authentication
  • Extends test parameters and environment variables to support authenticated notifications

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tests/ctst/world/Zenko.ts Adds interface properties for authenticated notification destination configuration
tests/ctst/steps/notifications.ts Implements test step for setting up an authenticated notification destination
.github/workflows/end2end.yaml Defines environment variables for authenticated destination credentials and topic
.github/scripts/end2end/run-e2e-ctst.sh Passes authenticated notification parameters to test world configuration
.github/scripts/end2end/configure-e2e.sh Adds Kafka topic creation for authenticated notification destination
.github/scripts/end2end/configure-e2e-ctst.sh Configures SASL_PLAIN Kafka listener and creates authenticated notification topic
.github/scripts/end2end/configs/notification_destinations.yaml Defines ZenkoNotificationTarget with basic authentication credentials

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/scripts/end2end/configs/notification_destinations.yaml
Comment on lines +40 to +41
auth: basic
basic:
Copy link

Copilot AI Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The authentication type is specified as 'basic', but Kafka typically uses SASL authentication mechanisms. The field name 'basic' for the authentication credentials section (lines 41-43) may not align with Kafka's SASL_PLAIN mechanism. Verify that this authentication configuration is compatible with the SASL_PLAIN listener configured in configure-e2e-ctst.sh, or consider using more Kafka-specific terminology like 'sasl' instead of 'basic'.

Suggested change
auth: basic
basic:
auth: sasl
sasl:

Copilot uses AI. Check for mistakes.
Copy link
Contributor

@francoisferrand francoisferrand Jan 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • looking at ZKOP pr, this is currently plain
  • should we call this field sasl instead, as recommended by Copilot? (or sasl-plain)

@delthas delthas force-pushed the improvement/ZENKO-5106/kafka-sasl-plain branch from 47079c0 to 84be537 Compare December 24, 2025 12:24
@scality scality deleted a comment from bert-e Dec 24, 2025
@bert-e
Copy link
Contributor

bert-e commented Dec 24, 2025

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author

  • 2 peers

@delthas delthas force-pushed the improvement/ZENKO-5106/kafka-sasl-plain branch 3 times, most recently from 8c5d50f to de82fb9 Compare December 24, 2025 16:33
Copilot AI reviewed Dec 24, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@delthas delthas force-pushed the improvement/ZENKO-5106/kafka-sasl-plain branch from de82fb9 to f2cb766 Compare December 29, 2025 10:07
@delthas delthas force-pushed the improvement/ZENKO-5106/kafka-sasl-plain branch from f2cb766 to a091dc4 Compare December 29, 2025 14:04
@delthas
Copy link
Author

delthas commented Dec 29, 2025

Test failure appears to be unrelated: https://github.com/scality/Zenko/actions/runs/20574693679/job/59089167866#step:10:57882

2025-12-29T15:46:43.5917709Z Failures:
2025-12-29T15:46:43.5919230Z 
2025-12-29T15:46:43.5932481Z 1) Scenario: Replicate objects created before creating the replication rule # features/crrReplicationS3utils.feature:17
2025-12-29T15:46:43.5934141Z    ✔ Before # hooks/Logger.ts:39
2025-12-29T15:46:43.5934864Z    ✔ Before # hooks/versionTags.ts:5
2025-12-29T15:46:43.5935688Z    ✔ Before # common/hooks.ts:36
2025-12-29T15:46:43.5936910Z    ✔ Given an existing bucket "source-bucket-1" "with" versioning, "without" ObjectLock "without" retention mode # common/common.ts:140
2025-12-29T15:46:43.5938501Z    ✔ And an object "source-object-1" that "exists" # common/common.ts:374
2025-12-29T15:46:43.5939409Z    ✔ And a replication configuration to "awsbackendmismatch" location # common/common.ts:263
2025-12-29T15:46:43.5940262Z    ✔ When the job to replicate existing objects with status "NEW" is executed # steps/replication.ts:16
2025-12-29T15:46:43.5942424Z    ✖ Then the object replication should "succeed" within 300 seconds # steps/replication.ts:66
2025-12-29T15:46:43.5943870Z        AssertionError [ERR_ASSERTION]: Timeout: Object 'source-object-1' is still in pending/processing state after timeout
2025-12-29T15:46:43.5945061Z            at Zenko.<anonymous> (/ctst/steps/replication.ts:115:16)
2025-12-29T15:46:43.5946134Z            at processTicksAndRejections (node:internal/process/task_queues:95:5)
2025-12-29T15:46:43.5947426Z    - And the replicated object should be the same as the source object # steps/replication.ts:118
2025-12-29T15:46:43.5948470Z    ✔ After # common/hooks.ts:63
2025-12-29T15:46:43.5949143Z    ✔ After # hooks/Logger.ts:63
2025-12-29T15:46:43.5949522Z 
2025-12-29T15:46:43.5950166Z 2) Scenario: Re-replicate objects that failed to replicate # features/crrReplicationS3utils.feature:29
2025-12-29T15:46:43.5951256Z    ✔ Before # hooks/Logger.ts:39
2025-12-29T15:46:43.5951954Z    ✔ Before # hooks/versionTags.ts:5
2025-12-29T15:46:43.5952688Z    ✔ Before # common/hooks.ts:36
2025-12-29T15:46:43.5954249Z    ✔ Given an existing bucket "source-bucket2" "with" versioning, "without" ObjectLock "without" retention mode # common/common.ts:140
2025-12-29T15:46:43.5955986Z    ✔ And a replication configuration to "awsbackendreplicationctstfail" location # common/common.ts:263
2025-12-29T15:46:43.5957390Z    ✔ And a deleted destination bucket on that location # steps/replication.ts:176
2025-12-29T15:46:43.5958563Z    ✔ And an object "source-object-2" that "exists" # common/common.ts:374
2025-12-29T15:46:43.5959809Z    ✖ Then the object replication should "fail" within 500 seconds # steps/replication.ts:66
2025-12-29T15:46:43.5961216Z        AssertionError [ERR_ASSERTION]: Timeout: Object 'source-object-2' is still in pending/processing state after timeout
2025-12-29T15:46:43.5962476Z            at Zenko.<anonymous> (/ctst/steps/replication.ts:115:16)
2025-12-29T15:46:43.5963479Z            at processTicksAndRejections (node:internal/process/task_queues:95:5)
2025-12-29T15:46:43.5964828Z    - When the destination bucket on the location is created again # steps/replication.ts:198
2025-12-29T15:46:43.5966141Z    - And the job to replicate existing objects with status "FAILED" is executed # steps/replication.ts:16
2025-12-29T15:46:43.5967146Z    - Then the object replication should "succeed" within 300 seconds # steps/replication.ts:66
2025-12-29T15:46:43.5967876Z    - And the replicated object should be the same as the source object # steps/replication.ts:118
2025-12-29T15:46:43.5968491Z    ✔ After # common/hooks.ts:63
2025-12-29T15:46:43.5968900Z    ✔ After # hooks/Logger.ts:63
2025-12-29T15:46:43.5969116Z

@delthas
Copy link
Author

delthas commented Dec 30, 2025

Finally passed after 3 retries.

francoisferrand
francoisferrand reviewed Jan 6, 2026
View reviewed changes
@scality scality deleted a comment from bert-e Jan 7, 2026
@scality scality deleted a comment from bert-e Jan 7, 2026
@bert-e
Copy link
Contributor

bert-e commented Jan 7, 2026

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

@delthas delthas force-pushed the improvement/ZENKO-5106/kafka-sasl-plain branch from f1789f5 to 3d0d560 Compare January 7, 2026 16:20
SylvainSenechal
SylvainSenechal reviewed Jan 7, 2026
View reviewed changes
SylvainSenechal
SylvainSenechal approved these changes Jan 7, 2026
View reviewed changes
Copy link
Contributor

@SylvainSenechal SylvainSenechal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth to see what happens with the same test that you added, but unauthenticated.
given a non-authenticated notification
then i should not receive a notifciation

but maybe annoying to setup and not worth it, whatever

SylvainSenechal
SylvainSenechal reviewed Jan 7, 2026
View reviewed changes
@francoisferrand
Copy link
Contributor

francoisferrand commented Jan 12, 2026

PR has conflicts (deps.yaml I guess), needs to be rebased...

francoisferrand
francoisferrand reviewed Jan 12, 2026
View reviewed changes
.github/scripts/end2end/configure-e2e-ctst.sh
{"op": "replace", "path": "/spec/readOnlyConfig", "value": $config}
]')
kubectl patch kafkacluster "$KAFKA_CLUSTER" --type='json' -p="$KAFKA_PATCH"
kubectl wait --for=jsonpath='{.status.state}'=ClusterRunning --timeout 10m kafkacluster "$KAFKA_CLUSTER"
Copy link
Contributor

@francoisferrand francoisferrand Jan 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

patching the existing cluster is not safe, as it is "owned" by ZKOP: which should in theory reconcile it back to the expected state... maybe it works due to some "happy" bug in ZKOP which does not notice the discrepency.

should we not just deploy another kafka cluster, to be on the safe side? (and avoid future flakiness...)

francoisferrand
francoisferrand reviewed Jan 12, 2026
View reviewed changes
solution/deps.yaml
# yq eval 'sortKeys(.)' -i deps.yaml
backbeat:
sourceRegistry: ghcr.io/scality
sourceRegistry: ghcr.io/scality/playground/delthas
Copy link
Contributor

@francoisferrand francoisferrand Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be updated before merging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@francoisferrand francoisferrand francoisferrand left review comments

@SylvainSenechal SylvainSenechal SylvainSenechal approved these changes

Copilot code review Copilot Copilot left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@delthas @bert-e @francoisferrand @SylvainSenechal