fix

Signed-off-by: Yuri Shkuro <[email protected]>
jaegertracing · Dec 10, 2024 · 325caa8 · 325caa8
1 parent 5bb6018
commit 325caa8
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 12 deletions.
diff --git a/pkg/config/tlscfg/options.go b/pkg/config/tlscfg/options.go
@@ -142,7 +142,7 @@ func (o *Options) ToOtelClientConfig() configtls.ClientConfig {
 
 			// when no truststore given, use SystemCertPool
 			// https://github.com/jaegertracing/jaeger/issues/6334
-			IncludeSystemCACertsPool: len(o.CAPath) == 0,
+			IncludeSystemCACertsPool: o.Enabled && (len(o.CAPath) == 0),
 		},
 	}
 }

diff --git a/pkg/kafka/auth/config_test.go b/pkg/kafka/auth/config_test.go
@@ -37,20 +37,18 @@ func Test_InitFromViper(t *testing.T) {
 		"--kafka.auth.kerberos.keytab-file=/path/to/keytab",
 		"--kafka.auth.kerberos.disable-fast-negotiation=true",
 		"--kafka.auth.tls.enabled=false",
+		"--kafka.auth.tls.ca=/not/allowed/if/tls/is/disabled",
 		"--kafka.auth.plaintext.username=user",
 		"--kafka.auth.plaintext.password=password",
 		"--kafka.auth.plaintext.mechanism=SCRAM-SHA-256",
-		"--kafka.auth.tls.ca=failing",
 	})
 
 	authConfig := &AuthenticationConfig{}
 	err := authConfig.InitFromViper(configPrefix, v)
-	require.EqualError(t, err, "failed to process Kafka TLS options: kafka.auth.tls.* options cannot be used when kafka.auth.tls.enabled is false")
+	require.ErrorContains(t, err, "kafka.auth.tls.* options cannot be used when kafka.auth.tls.enabled is false")
 
-	command.ParseFlags([]string{"--kafka.auth.tls.ca="})
-	v.BindPFlags(command.Flags())
-	err = authConfig.InitFromViper(configPrefix, v)
-	require.NoError(t, err)
+	command.ParseFlags([]string{"--kafka.auth.tls.ca="}) // incrementally update authConfig
+	require.NoError(t, authConfig.InitFromViper(configPrefix, v))
 
 	expectedConfig := &AuthenticationConfig{
 		Authentication: "tls",
@@ -64,7 +62,11 @@ func Test_InitFromViper(t *testing.T) {
 			KeyTabPath:      "/path/to/keytab",
 			DisablePAFXFast: true,
 		},
-		TLS: configtls.ClientConfig{},
+		TLS: configtls.ClientConfig{
+			Config: configtls.Config{
+				IncludeSystemCACertsPool: true,
+			},
+		},
 		PlainText: PlainTextConfig{
 			Username:  "user",
 			Password:  "password",

diff --git a/plugin/storage/kafka/options_test.go b/plugin/storage/kafka/options_test.go
@@ -184,12 +184,31 @@ func TestTLSFlags(t *testing.T) {
 			expected: auth.AuthenticationConfig{Authentication: "kerberos", Kerberos: kerb, TLS: configtls.ClientConfig{}, PlainText: plain},
 		},
 		{
-			flags:    []string{"--kafka.producer.authentication=tls"},
-			expected: auth.AuthenticationConfig{Authentication: "tls", Kerberos: kerb, TLS: configtls.ClientConfig{}, PlainText: plain},
+			flags: []string{"--kafka.producer.authentication=tls"},
+			expected: auth.AuthenticationConfig{
+				Authentication: "tls",
+				Kerberos:       kerb,
+				TLS: configtls.ClientConfig{
+					Config: configtls.Config{
+						IncludeSystemCACertsPool: true,
+					},
+				},
+				PlainText: plain,
+			},
 		},
 		{
-			flags:    []string{"--kafka.producer.authentication=tls", "--kafka.producer.tls.enabled=false"},
-			expected: auth.AuthenticationConfig{Authentication: "tls", Kerberos: kerb, TLS: configtls.ClientConfig{}, PlainText: plain},
+			flags: []string{"--kafka.producer.authentication=tls", "--kafka.producer.tls.enabled=false"},
+			expected: auth.AuthenticationConfig{
+				Authentication: "tls",
+				Kerberos:       kerb,
+				// TODO this test is unclear - if tls.enabled=false, why is it not tls.Insecure=true?
+				TLS: configtls.ClientConfig{
+					Config: configtls.Config{
+						IncludeSystemCACertsPool: true,
+					},
+				},
+				PlainText: plain,
+			},
 		},
 	}