feat: add kafka integration support

[erenaslandev]

Summary by CodeRabbit

Release Notes

• New Features
  • Added Kafka SASL authentication support (plain and SCRAM mechanisms)
  • Added Kafka TLS and mTLS support
  • Added Kerberos/GSSAPI authentication support, including a Kerberos KDC container for the harness
  • Enabled broker certificate rotation correctness testing
• Bug Fixes
  • Improved Kafka TLS certificate generation to include the appropriate broker SANs
  • Tightened TLS private key file permissions for safer rotation
• Tests
  • Expanded automated coverage for Kafka authentication rendering and validation
• Chores
  • Extended local container build/publish workflows to include the Kerberos KDC image

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dc7d8873-a633-4aed-9b72-5f32581a37f6

📥 Commits

Reviewing files that changed from the base of the PR and between 4def960 and af57475.

📒 Files selected for processing (5)

• Makefile
• internal/config/case.go
• internal/config/kafka_auth_test.go
• internal/config/subject.go
• internal/orchestrator/docker.go

🚧 Files skipped from review as they are similar to previous changes (4)

• internal/config/kafka_auth_test.go
• internal/config/case.go
• internal/config/subject.go
• internal/orchestrator/docker.go

---

Walkthrough

Adds Kafka broker authentication support (SASL plain/SCRAM, mTLS, and Kerberos/GSSAPI) across the config model, a new KDC container with Kerberos provisioning, Docker Compose generation for all auth modes, generator container SASL/TLS wiring, and a new kafka_cert_rotation_correctness test built on a refactored shared mid-delivery flow abstraction.

Changes

Kafka Auth, Kerberos KDC, Cert Rotation, and Orchestration

Layer / File(s)	Summary
KafkaAuth config model, accessors, and validation internal/config/case.go, internal/config/cloud.go, internal/config/subject.go, internal/config/kafka_auth_test.go	KafkaAuth struct and Auth *KafkaAuth field added to KafkaConfig. Nine accessor methods normalize SASL/TLS mode, detect Kerberos, and provide realm/service defaults. validateKafkaAuth is wired into TestCase.Validate and enforces allowed mechanisms, rejects no-op auth, and applies Kerberos incompatibility rules. KafkaSASLUser/KafkaSASLPassword emulator constants added. Subject.CertDir field added with vmetric registry entry and HasCapability simplified via slices.Contains. Table-driven tests cover validation and accessor behavior.
KDC container and Kerberos provisioner containers/kdc/Dockerfile, Makefile, internal/orchestrator/kerberos.go, internal/orchestrator/tls.go	New Debian-based KDC Dockerfile installs krb5 packages with an sh -c entrypoint. Makefile adds build-kdc and push-kdc targets, KDC_IMAGE variable, and updates build-containers/push-containers/clean. PrepareKerberos creates per-run krb5 directory, writes krb5.conf/kdc.conf, computes broker SPN and client principal, and assembles a bootstrap shell command that initializes the KDC, exports keytabs, signals readiness via /krb5/.ready, and starts krb5kdc. writePEMKey is parameterized with os.FileMode; ca.key uses 0600, server/client keys use 0644.
Docker Compose Kafka auth orchestration internal/orchestrator/docker.go, internal/orchestrator/kafka_auth_render_test.go	writeCompose branches on KafkaGSSAPIEnabled (KDC service + Apache Kafka KRaft broker + GSSAPI JAAS) vs KafkaAuthEnabled (Redpanda with SASL/mTLS listener config and conditional redpanda-init bootstrap). RunConfig gains KrbHostDir and KerberosInitCmd fields. Adds SubjectCertDir volume mounts, conditionally injects generator SASL/TLS env vars, and extends compose template vars with Kafka auth toggles, SASL mechanism/credentials, client-auth, and Kerberos parameters (realm/service, KDC image, krb5 dir, init command, fixed cluster id). NewComposeRunner calls PrepareKerberos for GSSAPI cases. Manual map loops replaced with maps.Copy, timeout and batch normalization simplified with max/min. Render tests validate all five auth modes (SASL-plain, SASL+TLS, mTLS, GSSAPI, no-auth).
Generator container SASL/TLS support containers/generator/main.go, containers/generator/kafka.go, containers/generator/go.mod	config struct gains KafkaSASL, KafkaUser, KafkaPassword, KafkaTLS fields populated from GENERATOR_KAFKA_* env vars with SASL normalization via lowercasing/trimming and TLS as boolean. newKafkaClient configures PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512 SASL with franz-go plain/scram imports, optional TLS dialing via buildTLSConfig/kgo.DialTLSConfig, and rejects unknown SASL mechanisms early. golang.org/x/crypto v0.51.0 added as indirect dependency.
Cert rotation correctness and mid-delivery flow refactor internal/runner/runner.go, internal/runner/multi.go, cmd/harness/main.go, internal/results/report.go	kafka_cert_rotation_correctness wired into Runner.Run. midDeliveryFlow struct and runKafkaMidDeliveryAction driver unify crash and cert-rotation flows: validates total_lines, polls receiver to mid-point, fires action, drains, reports bounded Kafka over-delivery with percentage and flow-specific notes. rotateAndReload helper and runKafkaCertRotation added alongside refactored runKafkaInflightCrash. TLS cert SANs extended with redpanda when Kafka TLS is active. Standardizes generator timeout clamping with min(..., r.opts.Timeout), quietPolls bounds with max(..., 1), ExpectedMultiplier with max(..., 1), and uses maps.Copy/SplitSeq for slice/map operations. FailReason is persisted from shared error slice.

Sequence Diagram(s)

sequenceDiagram
  participant Runner
  participant PrepareKerberos
  participant writeCompose
  participant KDC as KDC Container
  participant Kafka as Kafka KRaft Broker
  participant Generator

  Runner->>PrepareKerberos: tmpDir, KafkaConfig{realm, service}
  PrepareKerberos-->>Runner: KerberosPaths{Dir, InitCmd}
  Runner->>writeCompose: RunConfig{KrbHostDir, KerberosInitCmd, ...}
  writeCompose-->>Runner: docker-compose.yml (kdc + kafka + kafka-init services)

  rect rgba(100, 149, 237, 0.5)
    note over KDC,Kafka: Container startup
    KDC->>KDC: kdb5_util create, kadmin add principals, export keytabs
    KDC->>KDC: touch /krb5/.ready, start krb5kdc
    Kafka->>KDC: health-check /krb5/.ready
    Kafka->>Kafka: start with GSSAPI listener + JAAS config
  end

  Generator->>Kafka: produce via SASL/GSSAPI

Loading

sequenceDiagram
  participant Runner
  participant runKafkaMidDeliveryAction
  participant ReceiverMetrics
  participant Action as rotateAndReload / restartBroker

  Runner->>runKafkaMidDeliveryAction: midDeliveryFlow{action, prepare, verdictLabel}
  runKafkaMidDeliveryAction->>runKafkaMidDeliveryAction: validate total_lines
  runKafkaMidDeliveryAction->>runKafkaMidDeliveryAction: optional prepare (GenerateTLSCerts, set RunConfig)
  loop poll until mid-point
    runKafkaMidDeliveryAction->>ReceiverMetrics: check received count >= total/2
  end
  runKafkaMidDeliveryAction->>Action: fire disruptive action
  Action-->>runKafkaMidDeliveryAction: done
  loop drain until stable
    runKafkaMidDeliveryAction->>ReceiverMetrics: check counts stabilized
  end
  runKafkaMidDeliveryAction-->>Runner: verdict (PASSED/FAILED) with bounded over-delivery

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• VirtualMetric/PipeBench#6: Established the base Kafka/Redpanda Docker Compose orchestration and Kafka correctness runner flows that this PR extends with SASL, mTLS, and GSSAPI authentication modes.

Suggested reviewers

• namles
• yusufozturk

Poem

🐇 Hop hop, the rabbit encrypts!
SASL and mTLS, no more gaps,
Kerberos tickets, keytabs abound,
A KDC container, freshly found.
Certs rotate mid-flight, no data lost—
Security shipped, worth every cost! 🔐

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check	❓ Inconclusive	The title 'feat: add kafka integration support' is vague and overly broad, failing to convey the specific nature of changes across multiple subsystems including KDC container support, SASL/TLS authentication, Kerberos GSSAPI, and broker certificate rotation.	Consider a more specific title that captures the primary scope, such as 'feat: add Kafka authentication and Kerberos GSSAPI support' or break into multiple commits with more targeted titles.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DT-796

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/config/case.go (1)

474-483: ⚠️ Potential issue | 🟠 Major

Add GSSAPI service names to reserved endpoint validation.

The reserved service-name map (lines 474-483) is missing kdc, kafka, and kafka-init. These services are unconditionally emitted by the compose template when KafkaGSSAPIEnabled is true, and users could inadvertently create endpoint name collisions. Add these three service names to the reserved map alongside the existing redpanda/vault services.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/config/case.go` around lines 474 - 483, The reserved map in the
case.go file is missing three service names that are unconditionally emitted
when KafkaGSSAPIEnabled is true. Add kdc, kafka, and kafka-init as entries to
the reserved map alongside the existing redpanda and vault service names to
prevent users from inadvertently creating endpoint name collisions with these
GSSAPI-related services.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/config/case.go`:
- Around line 570-572: The AuthEnabled() method is incorrectly validating Kafka
authentication configuration by allowing a scenario where the SASL mechanism is
empty but TLS is set to "server". This yields encryption without client
authentication, violating the KafkaAuth contract which specifies that an empty
mechanism is only valid for mTLS scenarios. Modify the AuthEnabled() logic to
reject configurations where there is no SASL mechanism configured (empty
mechanism string) but TLS is set to "server", ensuring that either both a
mechanism and TLS are properly configured for mTLS, or the configuration is
rejected as invalid. This validation should occur in the AuthEnabled() method
itself to catch the error early in configuration validation.

In `@internal/orchestrator/docker.go`:
- Around line 1655-1662: In the if tc.Kafka.UsesGSSAPI() block starting at line
1655, add validation checks before proceeding with GSSAPI configuration to fail
fast when required Kerberos inputs are missing. Check that both cfg.KrbHostDir
and cfg.KerberosInitCmd are non-empty, and if either is empty, return an error
immediately rather than allowing the code to proceed with invalid configuration
that would defer the failure to runtime.

In `@Makefile`:
- Line 97: The Makefile adds build-kdc to the build-containers target but lacks
a corresponding push-kdc target and it is not wired into push-containers,
causing the KDC image to not be pushed to the registry when users run
push-containers. Add a new push-kdc target that pushes the KDC container image
(following the same pattern as the existing push-generator, push-receiver, and
push-collector targets), and then add push-kdc as a dependency to the
push-containers target on line 97 alongside the other push targets.

---

Outside diff comments:
In `@internal/config/case.go`:
- Around line 474-483: The reserved map in the case.go file is missing three
service names that are unconditionally emitted when KafkaGSSAPIEnabled is true.
Add kdc, kafka, and kafka-init as entries to the reserved map alongside the
existing redpanda and vault service names to prevent users from inadvertently
creating endpoint name collisions with these GSSAPI-related services.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e9cfa121-fee5-4ff4-9738-44801d16eb21

📥 Commits

Reviewing files that changed from the base of the PR and between bea48a9 and 4def960.

📒 Files selected for processing (17)

• Makefile
• cmd/harness/main.go
• containers/generator/go.mod
• containers/generator/kafka.go
• containers/generator/main.go
• containers/kdc/Dockerfile
• internal/config/case.go
• internal/config/cloud.go
• internal/config/kafka_auth_test.go
• internal/config/subject.go
• internal/orchestrator/docker.go
• internal/orchestrator/kafka_auth_render_test.go
• internal/orchestrator/kerberos.go
• internal/orchestrator/tls.go
• internal/results/report.go
• internal/runner/multi.go
• internal/runner/runner.go

[cloudflare-workers-and-pages]

Deploying pipebench with    Cloudflare Pages

Latest commit:	af57475
Status:	✅  Deploy successful!
Preview URL:	https://bfb8b4c6.pipebench.pages.dev
Branch Preview URL:	https://dt-796.pipebench.pages.dev

View logs