[AUTHN-1982] Implement OAuthBearer mechanism for Kafka client to fetch JWT token by communicating with SPIRE agent

Open chang-you opened this issue 1 year ago • 1 comments

What is the purpose of the change

The goal of these changes is to write a test that integrates the Kafka client with a SPIRE server running on your local machine to fetch a JWT token via the Workload API.

  • Create handleJWTTokenRefreshEvent function to handle token refresh events
  • Create retrieveJWTToken function to fetch JWT from SPIRE agent
  • Import SPIFFE Workload API
  • Integrate OAuthBearer mechanism into Kafka Producer to enable secure communication

References

  • JIRA: https://confluentinc.atlassian.net/browse/AUTHN-1982

What will this work accomplish/help with?

This example test will serve as a guide for integrating Confluent’s Kafka Golang client with SPIRE to mint SPIFFE SVIDs in the form of JWTs. These are the client-side changes needed; we will have a separate ticket to implement the server-side changes, where Kafka will be able to validate these credentials with SPIRE via the SPIRE agent/the SPIFFE Workload API.

Verify the change

The test should run successfully against an actual Kafka cluster, in that the following are verified:

  1. Authentication with a Kafka cluster works successfully.
  2. Token refresh events are handled properly by fetching a new token every time the refresh event is fired.

[Screenshot]

Producer + Consumer: [screenshot]

Documentation

To run the SPIRE server on Kubernetes, either remote or on minikube, follow this guide.

chang-you, Jun 23 '23 18:06
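An added example, not code from this PR: a token refresh handler has to give the Kafka client the token's principal and expiry (the `Principal` and `Expiration` fields of `kafka.OAuthBearerToken`) along with the token, so this standard-library Go code reads them from a JWT-SVID's claims and refuses expired, wrong-audience or non-SPIFFE tokens before they are used. The function name `SVIDClaims`, the trust domain `example.org` and the `kafka` audience are assumptions; the signature is not verified here, which is left to the validating side.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SVIDClaims reads sub and exp from a compact JWT-SVID without verifying its signature.
func SVIDClaims(raw, audience string, now time.Time) (string, time.Time, error) {
	var c struct {
		Sub string
		Exp float64
		Aud json.RawMessage
	}
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return "", time.Time{}, fmt.Errorf("not a compact JWS: %d segments", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return "", time.Time{}, fmt.Errorf("malformed claims segment %q", parts[1])
	}
	auds := []string{""} // RFC 7519: "aud" is one string or an array of strings
	if json.Unmarshal(c.Aud, &auds[0]) != nil {
		_ = json.Unmarshal(c.Aud, &auds)
	}
	audOK := false
	for _, a := range auds {
		audOK = audOK || (audience != "" && a == audience)
	}
	exp := time.Unix(int64(c.Exp), 0)
	switch {
	case !strings.HasPrefix(c.Sub, "spiffe://"):
		return "", time.Time{}, fmt.Errorf("sub %q is not a SPIFFE ID", c.Sub)
	case !exp.After(now):
		return "", time.Time{}, fmt.Errorf("token expired at %s", exp.UTC())
	case !audOK:
		return "", time.Time{}, fmt.Errorf("audience %q not in token", audience)
	}
	return c.Sub, exp, nil
}

func main() { // constructed, unsigned sample token; "sig" stands in for a signature
	enc := base64.RawURLEncoding.EncodeToString
	raw := enc([]byte(`{"alg":"ES256"}`)) + "." + enc([]byte(`{"sub":"spiffe://example.org/producer","aud":["kafka"],"exp":1700000300}`)) + ".sig"
	fmt.Println(SVIDClaims(raw, "kafka", time.Unix(1700000000, 0)))
}
```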

@chang-you what's the status of this PR?

arvindth, Sep 13 '23 18:09