[Bug]: kafka: cannot connect to TLS kafka with TLS + plaintext #6744

edefaria · 2025-02-17T15:57:08Z

What happened?

Using v1.66.0
The PR 6270, change the way to load TLS on kafka.
Previously with kafka.[producer,consumer].authentication=plaintext if kafka.[producer,consumer].tls.enabled, || config.TLS.Enabled was loading setTLSConfiguration.

The new code only loads TLS when authentication=tls, failing the connection with other authentication (plaintext/kerberos) + TLS (does not upgrade to TLS during authentication).
Basically it has become impossible to configure SASL-SSL with PLAIN.

Steps to reproduce

Run jaeger-collector/jaeger-ingester with kafka + TLS producer/consumer enabled and authentification = plaintext (kerberos is probably also impacted).
Crash to connect to remote kafka.
See Relevant log output

Expected behavior

It should work as before.

Relevant log output

Feb 17 15:47:19 infra-2.local docker-compose[3961324]: jaeger-collector_1  | {"level":"fatal","ts":1739807239.7673259,"caller":"collector/main.go:75","msg":"Failed to init storage factory","error":"kafka: client has run out of available brokers to talk to: 5 errors occurred:\n\t* EOF\n\t* unexpected EOF\n\t* dial tcp: address broker-004.local:9091broker-005.local:9091: too many colons in address\n\t* unexpected EOF\n\t* unexpected EOF\n","stacktrace":"main.main.func1\n\tgithub.com/jaegertracing/jaeger/cmd/collector/main.go:75\ngithub.com/spf13/cobra.(*Command).execute\n\tgithub.com/spf13/[email protected]/command.go:985\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tgithub.com/spf13/[email protected]/command.go:1117\ngithub.com/spf13/cobra.(*Command).Execute\n\tgithub.com/spf13/[email protected]/command.go:1041\nmain.main\n\tgithub.com/jaegertracing/jaeger/cmd/collector/main.go:152\nruntime.main\n\truntime/proc.go:272"}

Feb 17 15:49:08 infra-2.local docker-compose[3964107]: jaeger-ingester_1   | {"level":"fatal","ts":1739807348.9089887,"caller":"ingester/main.go:72","msg":"Unable to create consumer","error":"kafka: client has run out of available brokers to talk to: 5 errors occurred:\n\t* unexpected EOF\n\t* unexpected EOF\n\t* EOF\n\t* dial tcp: address broker-004.local:9091broker-005.local:9091: too many colons in address\n\t* unexpected EOF\n","stacktrace":"main.main.func1\n\tgithub.com/jaegertracing/jaeger/cmd/ingester/main.go:72\ngithub.com/spf13/cobra.(*Command).execute\n\tgithub.com/spf13/[email protected]/command.go:985\ngithub.com/spf13/cobra.(*Command).ExecuteC\n\tgithub.com/spf13/[email protected]/command.go:1117\ngithub.com/spf13/cobra.(*Command).Execute\n\tgithub.com/spf13/[email protected]/command.go:1041\nmain.main\n\tgithub.com/jaegertracing/jaeger/cmd/ingester/main.go:108\nruntime.main\n\truntime/proc.go:272"}

Screenshot

No response

Additional context

No response

Jaeger backend version

v1.66.0

SDK

No response

Pipeline

No response

Stogage backend

No response

Operating system

No response

Deployment model

No response

Deployment configs

The text was updated successfully, but these errors were encountered:

sans-sehgal · 2025-02-17T21:16:42Z

New here - picking this up.

jkowall · 2025-02-18T05:38:49Z

What instrumentation are you using for this setup?

edefaria · 2025-02-18T07:45:28Z

What instrumentation are you using for this setup?

The kafka server is configured to work with SASL_SSL (only SSL/TLS listener are available with a signed certificate) with PLAIN authentication.

My Kafka settings for Jaeger regarding the collector (same for ingester with consumer) are as follows:

--kafka.producer.brokers=broker-001...:9091,....
--kafka.producer.topic=...
--kafka.producer.authentication=plaintext
--kafka.producer.tls.enabled
--kafka.producer.plaintext.username=user
--kafka.producer.plaintext.password=password

foxylion · 2025-02-18T11:59:16Z

We are seeing the same issue after updating to v1.66, v1.63 is working fine.

Our configuration is via env variables:

KAFKA_CONSUMER_BROKERS=....kafka.eu-central-1.amazonaws.com:9096,....kafka.eu-central-1.amazonaws.com:9096,....kafka.eu-central-1.amazonaws.com:9096
KAFKA_CONSUMER_TOPIC=jaeger-spans
KAFKA_CONSUMER_PLAINTEXT_USERNAME=jaeger
KAFKA_CONSUMER_AUTHENTICATION=none
KAFKA_CONSUMER_PLAINTEXT_PASSWORD=...

amilbcahat · 2025-02-20T15:17:34Z

hey @foxylion , @edefaria , I am taking this up , can you guys share me the exact command and setup you are trying for, it will help me out . Thanks !

This change fixes the Kafka TLS configuration to work correctly when tls.enabled flag is not provided but authentication=tls is set. Previously, TLS would not be enabled in this case. Changes: - TLS is now properly configured when authentication=tls, regardless of tls.enabled - Maintains backward compatibility with existing tls.enabled flag - Sets explicit insecure mode only when TLS is intentionally disabled Testing: - Added unit tests for TLS configuration scenarios - Verified with local Kafka cluster using TLS authentication - Tested with HotROD example application Resolves jaegertracing#6744 Signed-off-by: Amol Verma <[email protected]>

This change fixes the Kafka TLS configuration to work correctly when using plaintext authentication with TLS enabled. Previously, TLS would only be configured when authentication=tls, breaking SASL-SSL with PLAIN authentication. Changes: - Modified TLS configuration logic to support TLS with other authentication methods - Fixed SASL-SSL with PLAIN authentication scenario - Maintained backward compatibility with existing authentication methods - Restored pre-PR-6270 behavior for TLS configuration Resolves jaegertracing#6744 Signed-off-by: Amol Verma <[email protected]>

This change fixes the Kafka TLS configuration to work correctly when using plaintext authentication with TLS enabled. Previously, TLS would only be configured when authentication=tls, breaking SASL-SSL with PLAIN authentication. Resolves jaegertracing#6744 Signed-off-by: Amol Verma <[email protected]>

edefaria added the bug label Feb 17, 2025

dosubot bot added the storage/kafka label Feb 17, 2025

yurishkuro added help wanted Features that maintainers are willing to accept but do not have cycles to implement good first issue Good for beginners labels Feb 17, 2025

amilbcahat linked a pull request Feb 21, 2025 that will close this issue

6744 - Fix Kafka TLS configuration with plaintext authentication #6764

Open

2 tasks

sans-sehgal linked a pull request Feb 23, 2025 that will close this issue

feat: allow load for plaintex/kuberos when TLS conditions set #6768

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug]: kafka: cannot connect to TLS kafka with TLS + plaintext #6744

[Bug]: kafka: cannot connect to TLS kafka with TLS + plaintext #6744

edefaria commented Feb 17, 2025 •

edited

Loading

sans-sehgal commented Feb 17, 2025

jkowall commented Feb 18, 2025

edefaria commented Feb 18, 2025 •

edited

Loading

foxylion commented Feb 18, 2025 •

edited

Loading

amilbcahat commented Feb 20, 2025 •

edited

Loading

[Bug]: kafka: cannot connect to TLS kafka with TLS + plaintext #6744

[Bug]: kafka: cannot connect to TLS kafka with TLS + plaintext #6744

Comments

edefaria commented Feb 17, 2025 • edited Loading

What happened?

Steps to reproduce

Expected behavior

Relevant log output

Screenshot

Additional context

Jaeger backend version

SDK

Pipeline

Stogage backend

Operating system

Deployment model

Deployment configs

sans-sehgal commented Feb 17, 2025

jkowall commented Feb 18, 2025

edefaria commented Feb 18, 2025 • edited Loading

foxylion commented Feb 18, 2025 • edited Loading

amilbcahat commented Feb 20, 2025 • edited Loading

edefaria commented Feb 17, 2025 •

edited

Loading

edefaria commented Feb 18, 2025 •

edited

Loading

foxylion commented Feb 18, 2025 •

edited

Loading

amilbcahat commented Feb 20, 2025 •

edited

Loading