[DO NOT MERGE] - feat(iam): Changes to support bigmac IAM auth #65

Draft: wants to merge 11 commits into base: master

jdinh8124
Collaborator

Purpose

This changeset represents what's needed to preserve all project functionality when Bigmac IAM Auth is enabled.

Linked Issues to Close

Closes https://qmacbis.atlassian.net/browse/OY2-23455

Approach

There are three major areas of updates:

  1. The CreateTopics and CleanupKafka resources which rely on KafkaJS to communicate with Bigmac had underlying library updates. KafkaJS was upgraded, along with the installation of an npm package that allows for MSK IAM authentication. The logic and flow of these resources is unchanged; the creation of the KafkaJS admin handler is all that's modified.
  2. The connector ECS task was modified to accommodate IAM. An MSK IAM auth jar is installed as part of the bootstrapping process. The environment variables passed to the container are also expanded and modified, with the appropriate config for IAM auth. In particular, in these env variables is where we say "assume this role".

Assorted Notes/Considerations/Learning

Logic was following Mike's draft PR here
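
The description above puts the IAM settings, including the role to assume, in the connector container's environment variables. As an added example (not code from this pull request), the function below audits such a variable set before deployment. The `CONNECT_*` names assume the Confluent Kafka Connect image convention, and the account id, role name and broker host are constructed placeholders.

```javascript
// Added example: audit Kafka Connect container env vars for MSK IAM auth.
// Assumption: CONNECT_* names follow the Confluent image convention.
const REQUIRED = {
  SECURITY_PROTOCOL: "SASL_SSL",
  SASL_MECHANISM: "AWS_MSK_IAM",
  SASL_CLIENT_CALLBACK_HANDLER_CLASS:
    "software.amazon.msk.auth.iam.IAMClientCallbackHandler",
};
const LOGIN_MODULE = "software.amazon.msk.auth.iam.IAMLoginModule required";
const ROLE_ARN = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;
// The worker, its producers and its consumers each need their own copy.
const PREFIXES = ["CONNECT_", "CONNECT_PRODUCER_", "CONNECT_CONSUMER_"];

function auditMskIamEnv(env) {
  const findings = [];
  for (const prefix of PREFIXES) {
    for (const [key, want] of Object.entries(REQUIRED)) {
      if (env[prefix + key] !== want) findings.push(`${prefix}${key} should be ${want}`);
    }
    const jaas = (env[prefix + "SASL_JAAS_CONFIG"] || "").trim();
    if (!jaas.startsWith(LOGIN_MODULE) || !jaas.endsWith(";")) {
      findings.push(`${prefix}SASL_JAAS_CONFIG must load IAMLoginModule and end with ';'`);
    }
    // awsRoleArn is optional; when present it must be a well-formed role ARN.
    const role = /awsRoleArn="([^"]*)"/.exec(jaas);
    if (role && !ROLE_ARN.test(role[1])) {
      findings.push(`${prefix}SASL_JAAS_CONFIG has a malformed awsRoleArn`);
    }
  }
  // MSK serves IAM auth on 9098 (9198 for public access), not 9092/9094.
  for (const broker of (env.CONNECT_BOOTSTRAP_SERVERS || "").split(",")) {
    if (!/:(9098|9198)$/.test(broker.trim())) {
      findings.push(`bootstrap server '${broker.trim()}' is not on an IAM port`);
    }
  }
  return findings;
}

// Constructed sample values (placeholder account id, role and broker host).
function sampleEnv() {
  const env = { CONNECT_BOOTSTRAP_SERVERS: "b-1.example.internal:9098" };
  for (const prefix of PREFIXES) {
    for (const [key, want] of Object.entries(REQUIRED)) env[prefix + key] = want;
    env[prefix + "SASL_JAAS_CONFIG"] =
      `${LOGIN_MODULE} awsRoleArn="arn:aws:iam::111122223333:role/example-connect-role";`;
  }
  return env;
}
console.log(auditMskIamEnv(sampleEnv()));
```

An empty result means every client in the task carries the IAM settings; a worker that has them while its producers and consumers do not is reported per variable.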

Contributor

@mdial89f mdial89f left a comment


@jdinh8124 I haven't figured out 'why', but the ECS connector task is not stable. It launches, then quickly dies saying it can't connect to the brokers.
awslogs get /aws/fargate/appian-connector-iam-kafka-connect --watch
That shows the error, which looks like:

ERROR Stopping due to error (org.apache.kafka.connect.cli.ConnectDistributed)
org.apache.kafka.connect.errors.ConnectException: Failed to connect to and describe Kafka cluster. Check worker's broker connection and security properties.

The changes look good to me, not sure what's happening.

@mdial89f
Contributor

> @jdinh8124 I haven't figured out 'why', but the ECS connector task is not stable. It launches, then quickly dies saying it can't connect to the brokers.
> awslogs get /aws/fargate/appian-connector-iam-kafka-connect --watch
> That shows the error, which looks like:
>
> ERROR Stopping due to error (org.apache.kafka.connect.cli.ConnectDistributed)
> org.apache.kafka.connect.errors.ConnectException: Failed to connect to and describe Kafka cluster. Check worker's broker connection and security properties.
>
> The changes look good to me, not sure what's happening.

We discussed this a bit in Slack, following up here:
We suspected this was a performance issue with the 'iam' msk cluster. We upgraded it from t3.small's to m5.large's. Problem solved itself.

Code LGTM @jdinh8124
I know we won't be merging this at the moment, but I'd consider this code complete. 🚀

benjaminpaige pushed a commit that referenced this pull request Apr 20, 2023