tile38/internal/endpoint/kafka.go

200 lines
4.4 KiB
Go
Raw Permalink Normal View History

package endpoint
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io/ioutil"
2021-07-08 11:20:45 +03:00
"os"
"sync"
"time"
lg "log"
"github.com/Shopify/sarama"
"github.com/tidwall/gjson"
"github.com/tidwall/tile38/internal/log"
)
const kafkaExpiresAfter = time.Second * 30
2018-04-19 19:25:39 +03:00
// KafkaConn is an endpoint connection
type KafkaConn struct {
mu sync.Mutex
ep Endpoint
conn sarama.SyncProducer
cfg *sarama.Config
ex bool
t time.Time
}
2018-04-19 19:25:39 +03:00
// Expired returns true if the connection has expired
func (conn *KafkaConn) Expired() bool {
conn.mu.Lock()
defer conn.mu.Unlock()
if !conn.ex {
if time.Since(conn.t) > kafkaExpiresAfter {
if conn.conn != nil {
conn.close()
}
conn.ex = true
}
}
return conn.ex
}
2018-04-19 19:25:39 +03:00
func (conn *KafkaConn) close() {
if conn.conn != nil {
conn.conn.Close()
conn.conn = nil
conn.cfg.MetricRegistry.UnregisterAll()
conn.cfg = nil
}
}
2018-04-19 19:25:39 +03:00
// Send sends a message
func (conn *KafkaConn) Send(msg string) error {
conn.mu.Lock()
defer conn.mu.Unlock()
if conn.ex {
return errExpired
}
conn.t = time.Now()
if log.Level > 2 {
2021-02-19 01:34:01 +03:00
sarama.Logger = lg.New(log.Output(), "[sarama] ", 0)
}
uri := fmt.Sprintf("%s:%d", conn.ep.Kafka.Host, conn.ep.Kafka.Port)
if conn.conn == nil {
2018-04-17 18:30:49 +03:00
cfg := sarama.NewConfig()
2021-08-03 15:46:40 +03:00
cfg.Net.DialTimeout = time.Second
cfg.Net.ReadTimeout = time.Second * 5
cfg.Net.WriteTimeout = time.Second * 5
// Fix #333 : fix backward incompatibility introduced by sarama library
cfg.Producer.Return.Successes = true
cfg.Version = sarama.V0_10_0_0
switch conn.ep.Kafka.Auth {
case "sasl":
// Other than TLS authentication, SASL does not require SSL
if conn.ep.Kafka.SSL {
tlsConfig := tls.Config{}
log.Debugf("building kafka tls root config")
caCertPool, err := loadRootTLSCert(conn.ep.Kafka.CACertFile)
if err != nil {
return err
}
tlsConfig.RootCAs = &caCertPool
cfg.Net.TLS.Enable = true
cfg.Net.TLS.Config = &tlsConfig
}
2021-07-08 13:05:16 +03:00
2021-07-08 11:20:45 +03:00
log.Debugf("building kafka sasl config")
cfg.Net.SASL.Enable = true
cfg.Net.SASL.User = os.Getenv("KAFKA_USERNAME")
cfg.Net.SASL.Password = os.Getenv("KAFKA_PASSWORD")
cfg.Net.SASL.Handshake = true
2021-07-08 13:52:16 +03:00
if conn.ep.Kafka.SASLSHA256 {
cfg.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA256} }
cfg.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA256
}
if conn.ep.Kafka.SASLSHA512 {
cfg.Net.SASL.SCRAMClientGeneratorFunc = func() sarama.SCRAMClient { return &XDGSCRAMClient{HashGeneratorFcn: SHA512} }
cfg.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512
}
2021-08-03 15:46:40 +03:00
case "tls":
tlsConfig := tls.Config{}
2021-08-03 15:46:40 +03:00
log.Debugf("building kafka tls client config")
certificates, err := loadClientTLSCert(conn.ep.Kafka.KeyFile, conn.ep.Kafka.CertFile)
if err != nil {
cfg.MetricRegistry.UnregisterAll()
return err
}
// TLS authentication requires SSL
// and Tile38 requires certificates to be validated
caCertPool, err := loadRootTLSCert(conn.ep.Kafka.CACertFile)
if err != nil {
return err
}
cfg.Net.TLS.Enable = true
tlsConfig.Certificates = certificates
tlsConfig.RootCAs = &caCertPool
cfg.Net.TLS.Config = &tlsConfig
}
2018-04-17 18:30:49 +03:00
c, err := sarama.NewSyncProducer([]string{uri}, cfg)
if err != nil {
cfg.MetricRegistry.UnregisterAll()
return err
}
conn.conn = c
conn.cfg = cfg
}
// parse json again to get out info for our kafka key
key := gjson.Get(msg, "key")
id := gjson.Get(msg, "id")
keyValue := fmt.Sprintf("%s-%s", key.String(), id.String())
message := &sarama.ProducerMessage{
Topic: conn.ep.Kafka.TopicName,
Key: sarama.StringEncoder(keyValue),
Value: sarama.StringEncoder(msg),
}
_, offset, err := conn.conn.SendMessage(message)
if err != nil {
conn.close()
return err
}
if offset < 0 {
conn.close()
return errors.New("invalid kafka reply")
}
return nil
}
2018-04-19 19:25:39 +03:00
func newKafkaConn(ep Endpoint) *KafkaConn {
return &KafkaConn{
ep: ep,
t: time.Now(),
}
}
2021-08-03 15:46:40 +03:00
func loadClientTLSCert(KeyFile, CertFile string) ([]tls.Certificate, error) {
// load client cert
cert, err := tls.LoadX509KeyPair(CertFile, KeyFile)
2021-08-03 15:46:40 +03:00
if err != nil {
2021-08-03 15:46:40 +03:00
return []tls.Certificate{cert}, err
}
2021-08-03 15:46:40 +03:00
return []tls.Certificate{cert}, err
}
func loadRootTLSCert(CACertFile string) (x509.CertPool, error) {
// Load CA cert
caCert, err := ioutil.ReadFile(CACertFile)
2021-08-03 15:46:40 +03:00
if err != nil {
2021-08-03 15:46:40 +03:00
return x509.CertPool{}, err
}
2021-08-03 15:46:40 +03:00
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
2021-08-03 15:46:40 +03:00
return *caCertPool, err
}