AlinsRan commented on code in PR #13607:
URL: https://github.com/apache/apisix/pull/13607#discussion_r3568367621


##########
apisix/plugins/kafka-logger.lua:
##########
@@ -89,6 +89,16 @@ local schema = {
             },
             uniqueItems = true,
         },
+        tls = {
+            type = "object",
+            description = "tls config for connecting to kafka brokers",
+            properties = {
+                verify = {
+                    type = "boolean",
+                    default = false,
+                },
+            },
+        },

Review Comment:
   Convention: plugins warn when certificate verification is off, via 
`core.utils.check_tls_bool` in `check_schema` (see http-logger.lua:99, 
clickhouse-logger.lua:106). Worth adding here:
   
   ```lua
   local ok, err = core.schema.check(schema, conf)
   if not ok then
       return nil, err
   end
   
   core.utils.check_tls_bool({"tls.verify"}, conf, plugin_name)
   ```
   
   `get_root_conf` handles dotted paths, and when `tls` is absent it returns 
nil so nothing is logged — no noise for the non-TLS case.



##########
apisix/plugins/error-log-logger.lua:
##########
@@ -108,6 +108,16 @@ local metadata_schema = {
                     },
                     uniqueItems = true,
                 },
+                tls = {
+                    type = "object",
+                    description = "tls config for connecting to kafka brokers",
+                    properties = {
+                        verify = {
+                            type = "boolean",
+                            default = false,
+                        },
+                    },
+                },

Review Comment:
   Same `check_tls_bool` suggestion as in kafka-logger, but note it has to go 
in the **metadata branch** here:
   
   ```lua
   if schema_type == core.schema.TYPE_METADATA then
       core.utils.check_tls_bool({"kafka.tls.verify"}, conf, plugin_name)
       return core.schema.check(metadata_schema, conf)
   end
   ```
   
   Reason: `kafka` only exists in `metadata_schema`, and `check_schema` returns 
early for `TYPE_METADATA` before reaching the existing 
`check_https`/`check_tls_bool` calls at L191-193. Those calls sit in the 
non-metadata branch and operate on the plugin conf, which never contains 
`tcp`/`skywalking`/`clickhouse` — so `check_tls_bool({"tcp.tls"})` there never 
fires today. That's a pre-existing bug, not yours; just don't copy the 
placement.



##########
docs/en/latest/plugins/kafka-logger.md:
##########
@@ -487,3 +489,50 @@ If you have customized the `log_format` in addition to 
setting `include_req_body
 ```
 
 :::
+
+### Log to TLS-Enabled Kafka Brokers
+
+The following example demonstrates how to connect to TLS-enabled Kafka 
brokers, such as AWS MSK.
+
+Create a Route with `kafka-logger` and configure the `tls` attribute to 
connect to the TLS-enabled Kafka broker:
+
+```shell
+curl "http://127.0.0.1:9180/apisix/admin/routes"; -X PUT \
+  -H "X-API-KEY: ${admin_key}" \
+  -d '{
+    "id": "kafka-logger-tls-route",
+    "uri": "/get",
+    "plugins": {
+      "kafka-logger": {
+        "brokers": [
+          {
+            "host": "kafka.example.com",
+            "port": 9093
+          }
+        ],
+        "kafka_topic": "test2",
+        "key": "key1",
+        "batch_max_size": 1,
+        "tls": {
+          "verify": true
+        }
+      }
+    },
+    "upstream": {
+      "nodes": {
+        "httpbin.org:80": 1
+      },
+      "type": "roundrobin"
+    }
+  }'
+```
+
+When using self-signed certificates, set `tls.verify` to `false` to skip 
certificate verification:

Review Comment:
   This steers users toward disabling certificate verification. Better to tell 
them how to keep it on: point `apisix.ssl.ssl_trusted_certificate` in 
`config.yaml` at their CA bundle (it defaults to `system`, so publicly-signed 
brokers like AWS MSK work with `verify: true` out of the box — only a private 
CA needs this). `verify: false` should be framed as test-environment-only.
   
   Same paragraph at the end of `error-log-logger.md`.



##########
t/plugin/kafka-logger-tls.t:
##########
@@ -0,0 +1,127 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+});
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    my $extra_init_by_lua = <<_EOC_;
+    local bp_manager = require("apisix.utils.batch-processor-manager")
+    local core = require("apisix.core")
+    local function log_send_data(entry)
+        local data = type(entry) == "table" and core.json.encode(entry) or 
entry
+        core.log.info("send data to kafka: ", data)
+    end
+    local old_add = bp_manager.add_entry
+    bp_manager.add_entry = function(self, conf, entry, max_pending_entries)
+        local ok = old_add(self, conf, entry, max_pending_entries)
+        if ok then
+            log_send_data(entry)
+        end
+        return ok
+    end
+    local old_new = bp_manager.add_entry_to_new_processor
+    bp_manager.add_entry_to_new_processor = function(self, conf, entry, ctx, 
func, max_pending_entries)
+        local ok = old_new(self, conf, entry, ctx, func, max_pending_entries)
+        if ok then
+            log_send_data(entry)
+        end
+        return ok
+    end
+_EOC_
+
+    if (!defined $block->extra_init_by_lua) {
+        $block->set_value("extra_init_by_lua", $extra_init_by_lua);
+    }
+});

Review Comment:
   Dead code — this preprocessor monkey-patches `bp_manager.add_entry` / 
`add_entry_to_new_processor` to log entries, but all three tests in this file 
are `check_schema` calls that never reach the batch processor. Leftover from 
the integration tests that were removed. Please drop it (and the `GET /t` 
default-request preprocessor above can go too if the tests set `--- request` 
explicitly).



##########
t/plugin/kafka-logger-tls.t:
##########
@@ -0,0 +1,127 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';

Review Comment:
   Three pure schema-validation tests don't justify a new test file — it spins 
up another nginx instance, and it's inconsistent with the error-log-logger side 
of this PR, where the equivalent tests were appended to the existing 
`error-log-logger-kafka.t`. Suggest moving these into 
`t/plugin/kafka-logger2.t`. If/when real TLS integration tests land, a 
dedicated file makes sense.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to