
Incorrect/misleading Documentation for receiver/kafkametrics TLS Configuration #37776

Closed
@enrico-agile

Component(s)

receiver/kafkametrics

Describe the issue you're reporting

Today I was trying to configure the kafkametrics receiver to monitor a cluster that is using TLS w/ plain_text authentication.
In the end I've managed to make it work but I've admittedly lost a lot of time trying to configure it.

The documentation currently states:

  • auth.tls.ca_file: path to the CA cert. For a client this verifies the server certificate. Should only be used if insecure is set to true
  • auth.tls.insecure: (default = false) Disable verifying the server's certificate chain and host name (InsecureSkipVerify in the tls config)

However, after reviewing the code (here and here), I found discrepancies:

  • insecure: Does not disable certificate verification, it actually disables TLS entirely
  • ca_file: The statement "Should only be used if insecure is set to true" is misleading. In reality, configuring a ca_file implicitly neutralizes an insecure=true, enabling TLS even if insecure is set to false
  • insecure_skip_verify: This is the actual parameter that disables certificate verification, but it is undocumented

Additionally, the way the configuration is structured is a little confusing. There are valid Kafka configurations with plain_text authentication (like my case) or even Kerberos authentication that require TLS encryption. The only way to enable TLS in these scenarios is to pass a non-nil auth.tls configuration, as shown in my example configuration below, even if I'm not actually using mTLS authn.

The following configuration successfully enabled monitoring in my setup:

receivers:
  kafkametrics:
    brokers:
      - broker0:9092
      - broker1:9092
      - broker3:9093
    protocol_version: 2.0.0
    scrapers:
      - brokers
      - topics
      - consumers
    auth:
      plain_text:
        username: username
        password: password
      tls:
        insecure: false
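
The following check is an added example, not part of the original issue and not the collector's own code. It applies the TLS semantics reported above to a parsed `auth` block and flags settings that leave the connection unencrypted or unverified. The helper name `audit_kafka_auth`, the sample dicts and the `ca_file` path are hypothetical, and the rules follow the issue's reading of the code.

```python
# Added example: models the auth.tls semantics as described in the issue above.
# Not the collector's code; audit_kafka_auth is a hypothetical helper.

def audit_kafka_auth(auth):
    """Return (tls_enabled, findings) for a kafkametrics `auth` mapping."""
    auth = auth or {}
    tls = auth.get("tls")  # None means no auth.tls block was configured
    findings = []

    if tls is None:
        tls_enabled = False
        findings.append("no auth.tls block: connection is not encrypted")
    else:
        insecure = bool(tls.get("insecure", False))
        has_ca = bool(tls.get("ca_file"))
        # Per the issue: insecure=true turns TLS off, unless a ca_file is set.
        tls_enabled = (not insecure) or has_ca
        if insecure and not has_ca:
            findings.append("auth.tls.insecure=true: TLS is disabled entirely")
        if insecure and has_ca:
            findings.append("auth.tls.insecure=true is overridden by ca_file: TLS stays on")
        if tls_enabled and tls.get("insecure_skip_verify", False):
            findings.append("auth.tls.insecure_skip_verify=true: server certificate is not verified")

    if not tls_enabled and "plain_text" in auth:
        findings.append("plain_text credentials would be sent without TLS")
    return tls_enabled, findings


# Constructed sample configs (parsed YAML as dicts); the first mirrors the issue's working config.
SAMPLES = {
    "issue_config": {"plain_text": {"username": "username", "password": "password"},
                     "tls": {"insecure": False}},
    "no_tls_block": {"plain_text": {"username": "username", "password": "password"}},
    "insecure_true": {"plain_text": {"username": "u", "password": "p"},
                      "tls": {"insecure": True}},
    "insecure_with_ca": {"tls": {"insecure": True, "ca_file": "/path/to/ca.pem"}},
    "skip_verify": {"tls": {"insecure": False, "insecure_skip_verify": True}},
}

if __name__ == "__main__":
    for name, auth in SAMPLES.items():
        enabled, findings = audit_kafka_auth(auth)
        print(f"{name}: tls_enabled={enabled}")
        for f in findings:
            print(f"  - {f}")
```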
