Merge pull request #14539 from Security-Onion-Solutions/reyesj2-patch-1

reyesj2 · web-flow · commit e3d5829b89f5 · 2025-04-14T13:06:20.000-05:00
fix kafka delayed initial connection with remote clients on multi-broker deployments
diff --git a/salt/kafka/config.map.jinja b/salt/kafka/config.map.jinja
@@ -34,7 +34,7 @@
 {%     do KAFKAMERGED.config.broker.update({'listeners': KAFKAMERGED.config.broker.listeners + ',' + KAFKAMERGED.config.external_access.listeners }) %}
 {%     do KAFKAMERGED.config.broker.update({'listener_x_security_x_protocol_x_map': KAFKAMERGED.config.broker.listener_x_security_x_protocol_x_map + ',' + KAFKAMERGED.config.external_access.listener_x_security_x_protocol_x_map }) %}
 {%     do KAFKAMERGED.config.broker.update({'sasl_x_enabled_x_mechanisms': KAFKAMERGED.config.external_access.sasl_x_enabled_x_mechanisms }) %}
-{%     do KAFKAMERGED.config.broker.update({'sasl_x_mechanism_x_broker_x_protocol': KAFKAMERGED.config.external_access.sasl_x_mechanism_x_broker_x_protocol }) %}
+{%     do KAFKAMERGED.config.broker.update({'sasl_x_mechanism_x_inter_x_broker_x_protocol': KAFKAMERGED.config.external_access.sasl_x_mechanism_x_inter_x_broker_x_protocol }) %}
 {%   else %}
 {%     do KAFKAMERGED.config.broker.update({'advertised_x_listeners': 'BROKER://'+ GLOBALS.node_ip +':9092' }) %}
 {%   endif %}
@@ -65,7 +65,7 @@
 {%     do KAFKAMERGED.config.broker.update({'listeners': KAFKAMERGED.config.broker.listeners + ',' + KAFKAMERGED.config.external_access.listeners }) %}
 {%     do KAFKAMERGED.config.broker.update({'listener_x_security_x_protocol_x_map': KAFKAMERGED.config.broker.listener_x_security_x_protocol_x_map + ',' + KAFKAMERGED.config.external_access.listener_x_security_x_protocol_x_map }) %}
 {%     do KAFKAMERGED.config.broker.update({'sasl_x_enabled_x_mechanisms': KAFKAMERGED.config.external_access.sasl_x_enabled_x_mechanisms }) %}
-{%     do KAFKAMERGED.config.broker.update({'sasl_x_mechanism_x_broker_x_protocol': KAFKAMERGED.config.external_access.sasl_x_mechanism_x_broker_x_protocol }) %}
+{%     do KAFKAMERGED.config.broker.update({'sasl_x_mechanism_x_inter_x_broker_x_protocol': KAFKAMERGED.config.external_access.sasl_x_mechanism_x_inter_x_broker_x_protocol }) %}
 {%   else %}
 {%     do KAFKAMERGED.config.broker.update({'advertised_x_listeners': 'BROKER://'+ GLOBALS.node_ip +':9092' + ',' + 'CONTROLLER://'+ GLOBALS.node_ip +':9093' }) %}
 {%   endif %}
diff --git a/salt/kafka/defaults.yaml b/salt/kafka/defaults.yaml
@@ -68,4 +68,4 @@ kafka:
       listeners: EXTERNAL_ACCESS://0.0.0.0:29092
       listener_x_security_x_protocol_x_map: EXTERNAL_ACCESS:SASL_SSL
       sasl_x_enabled_x_mechanisms: PLAIN
-      sasl_x_mechanism_x_broker_x_protocol: SSL
+      sasl_x_mechanism_x_inter_x_broker_x_protocol: SSL
diff --git a/salt/kafka/soc_kafka.yaml b/salt/kafka/soc_kafka.yaml
@@ -228,14 +228,40 @@ kafka:
         description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client.
         forcedType: bool
         helpLink: kafka.html
+      listeners:
+        description: Set of URIs that is listened on and the listener names in a comma-seperated list.
+        title: listeners
+        readonly: True
+        advanced: True
+        helpLink: kafka.html
+      listener_x_security_x_protocol_x_map:
+        description: External listener name and mapped security protocol.
+        title: listener.security.protocol.map
+        readonly: True
+        advanced: True
+        helpLink: kafka.html
+      sasl_x_enabled_x_mechanisms:
+        description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication.
+        title: sasl.enabled.mechanisms
+        readonly: True
+        advanced: True
+        helpLink: kafka.html
+      sasl_x_mechanism_x_inter_x_broker_x_protocol:
+        description: SASL mechanism used for inter-broker communication
+        title: sasl.mechanism.inter.broker.protocol
+        readonly: True
+        advanced: True
+        helpLink: kafka.html
       remote_users:
         user01: &remote_user
           username:
             description: Username to be used for custom account
             forcedType: string
+            global: True
           password:
             description: Password to be used for custom account
             forcedType: string
+            global: True
             sensitive: True
         user02: *remote_user
         user03: *remote_user
