Add support for kafka SSL autentication

Change-Id: Idef066a2e3b4923789a6b081d5442e931aba4507

oslo_messaging/_drivers/impl_kafka.py

@@ -101,6 +101,9 @@ class Connection(object):
         self.security_protocol = self.driver_conf.security_protocol
         self.sasl_mechanism = self.driver_conf.sasl_mechanism
         self.ssl_cafile = self.driver_conf.ssl_cafile
+        self.ssl_client_cert_file = self.driver_conf.ssl_client_cert_file
+        self.ssl_client_key_file = self.driver_conf.ssl_client_key_file
+        self.ssl_client_key_password = self.driver_conf.ssl_client_key_password
         self.url = url
         self.virtual_host = url.virtual_host
         self._parse_url()
@@ -238,6 +241,9 @@ class ConsumerConnection(Connection):
             'sasl.username': self.username,
             'sasl.password': self.password,
             'ssl.ca.location': self.ssl_cafile,
+            'ssl.certificate.location': self.ssl_client_cert_file,
+            'ssl.key.location': self.ssl_client_key_file,
+            'ssl.key.password': self.ssl_client_key_password,
             'enable.partition.eof': False,
             'default.topic.config': {'auto.offset.reset': 'latest'}
         }
@@ -323,7 +329,10 @@ class ProducerConnection(Connection):
                 'sasl.mechanism': self.sasl_mechanism,
                 'sasl.username': self.username,
                 'sasl.password': self.password,
-                'ssl.ca.location': self.ssl_cafile
+                'ssl.ca.location': self.ssl_cafile,
+                'ssl.certificate.location': self.ssl_client_cert_file,
+                'ssl.key.location': self.ssl_client_key_file,
+                'ssl.key.password': self.ssl_client_key_password
             }
             self.producer = confluent_kafka.Producer(conf)
 

oslo_messaging/_drivers/kafka_driver/kafka_options.py

@@ -73,7 +73,19 @@ KAFKA_OPTS = [
     cfg.StrOpt('ssl_cafile',
                default='',
                help='CA certificate PEM file used to verify the server'
-               ' certificate')
+               ' certificate'),
+
+    cfg.StrOpt('ssl_client_cert_file',
+               default='',
+               help='Client certificate PEM file used for authentication.'),
+
+    cfg.StrOpt('ssl_client_key_file',
+               default='',
+               help='Client key PEM file used for authentication.'),
+
+    cfg.StrOpt('ssl_client_key_password',
+               default='',
+               help='Client key password file used for authentication.')
 ]
 
 

oslo_messaging/tests/drivers/test_impl_kafka.py

@@ -113,7 +113,10 @@ class TestKafkaDriver(test_utils.BaseTestCase):
                 'sasl.mechanism': 'PLAIN',
                 'sasl.username': mock.ANY,
                 'sasl.password': mock.ANY,
-                'ssl.ca.location': ''
+                'ssl.ca.location': '',
+                'ssl.certificate.location': '',
+                'ssl.key.location': '',
+                'ssl.key.password': '',
             })
 
     def test_listen(self):
@@ -139,6 +142,9 @@ class TestKafkaDriver(test_utils.BaseTestCase):
                 'sasl.username': mock.ANY,
                 'sasl.password': mock.ANY,
                 'ssl.ca.location': '',
+                'ssl.certificate.location': '',
+                'ssl.key.location': '',
+                'ssl.key.password': '',
                 'default.topic.config': {'auto.offset.reset': 'latest'}
             })
 

releasenotes/notes/add-ssl-support-for-kafka.yaml

@@ -0,0 +1,9 @@
+---
+features:
+  - |
+    | SSL support for oslo_messaging's kafka driver
+    | Next configuration params was added
+
+    * *ssl_client_cert_file* (default='')
+    * *ssl_client_key_file* (default='')
+    * *ssl_client_key_password* (default='')