Page MenuHomePhabricator
Create Task
Maniphest T386092

Enable custom SSL certificate CA bundle to work with confluent-kafka > 2.6.2
Closed, ResolvedPublic
Actions

Description

confluent-kafka 2.6.2 started using httpx instead of requests for the SchemaRegistryClient (https://docs.confluent.io/platform/current/clients/confluent-kafka-python/html/index.html?#schemaregistryclient), causing the REQUESTS_CA_BUNDLE environment variable to have no effect, ultimately causing SSL certificate validation errors (see https://wikimedia.slack.com/archives/C02291Z9YQY/p1738097562314939).

We create this task to make sure we don't pin confluent-kafka to 2.6.0 indefinitely.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
airflow-analytics: upgrade airflow to get a new confluent-kafka versionoperations/puppetproduction+1 -1
airflow-analytics: fix typo in configoperations/puppetproduction+1 -1
airflow-analytics: specify the path to the SSL CA certificate bundleoperations/puppetproduction+1 -1
Airflow: upgrade to confluent-kafka 2.8.0 and specify path to CA cert bundleoperations/deployment-chartsmaster+5 -1
Customize query in gerrit
Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
Fix typos in changelogrepos/data-engineering/airflow-dags!1069brouberolorigin/T386092-packagemain
Upgrade confluent-kafka to 2.8.0 now that we found how to avoid SSL validation errorsrepos/data-engineering/airflow-dags!1068brouberolT386092-packagemain
test_k8s: define a DAG emitting dataset lineagerepos/data-engineering/airflow-dags!1064brouberolT386092main
Customize query in GitLab

Event Timeline

brouberol created this task.Feb 11 2025, 1:10 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 11 2025, 1:10 PM
brouberol added a comment.Feb 11 2025, 1:13 PM

According to https://docs.confluent.io/platform/current/clients/confluent-kafka-python/html/_modules/confluent_kafka/schema_registry/schema_registry_client.html#SchemaRegistryClient, we should be able to specify ssl.cert.location: /etc/ssl/certs/ca-certificates.crt in the datahub_kafka_jumbo.extra_dejson.connection dict.

CodeReviewBot added a project: Patch-For-Review.Feb 11 2025, 1:13 PM

brouberol opened https://gitlab.wikimedia.org/repos/data-engineering/airflow/-/merge_requests/48

Drop confluent-kafka version constraint

brouberol added a comment.Feb 11 2025, 1:14 PM

Specifically, in the datahub_kafka_jumbo.extra_dejson.connection.schema_registry_config dict: https://github.com/datahub-project/datahub/blob/20409fd702d2d4454de9170f77bffecbfba8b527/metadata-ingestion/src/datahub/configuration/kafka.py#L15C5-L15C27

CodeReviewBot added a comment.Feb 11 2025, 1:21 PM

brouberol merged https://gitlab.wikimedia.org/repos/data-engineering/airflow/-/merge_requests/48

Drop confluent-kafka version constraint

Maintenance_bot removed a project: Patch-For-Review.Feb 11 2025, 1:30 PM
gerritbot added a comment.Feb 11 2025, 1:51 PM

Change #1118812 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/deployment-charts@master] Airflow: upgrade to confluent-kafka 2.8.0 and specify path to CA cert bundle

https://gerrit.wikimedia.org/r/1118812

gerritbot added a project: Patch-For-Review.Feb 11 2025, 1:51 PM
brouberol added a comment.Feb 11 2025, 2:16 PM

I was able to reproduce the issue in airflow-test-k8s.

brouberol added a comment.EditedFeb 11 2025, 2:19 PM

Once I redeployed airflow-test-k8s with the following diff:

    datahub_kafka_jumbo:
      conn_type: datahub_kafka
      host: kafka-jumbo-eqiad.external-services.svc.cluster.local:9092
      extra_dejson:
        connection:
          schema_registry_url: https://datahub-gms.discovery.wmnet:30443/schema-registry/api/
+         schema_registry_config:
+           ssl.ca.location: /etc/ssl/certs/ca-certificates.crt

the dag was able to execute successfully.

CodeReviewBot added a comment.Feb 11 2025, 2:21 PM

brouberol opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1064

test_k8s: define a DAG emitting dataset lineage

brouberol moved this task from Backlog - project to In Progress on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.Feb 11 2025, 3:25 PM
brouberol moved this task from In Progress to Needs Review on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.Feb 11 2025, 3:31 PM
gerritbot added a comment.Feb 11 2025, 5:42 PM

Change #1118812 merged by Brouberol:

[operations/deployment-charts@master] Airflow: upgrade to confluent-kafka 2.8.0 and specify path to CA cert bundle

https://gerrit.wikimedia.org/r/1118812

gerritbot added a comment.Feb 12 2025, 8:01 AM

Change #1119043 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] airflow-analytics: specify the path to the SSL CA certificate bundle

https://gerrit.wikimedia.org/r/1119043

CodeReviewBot added a comment.Feb 12 2025, 8:33 AM

brouberol opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1068

Upgrade confluent-kafka to 2.8.0 now that we found how to avoid SSL validation errors

CodeReviewBot added a comment.Feb 12 2025, 1:47 PM

brouberol merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1068

Upgrade confluent-kafka to 2.8.0 now that we found how to avoid SSL validation errors

CodeReviewBot added a comment.Feb 12 2025, 2:11 PM

brouberol opened https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1069

Fix typos in changelog

gerritbot added a comment.Feb 12 2025, 2:21 PM

Change #1119043 merged by Brouberol:

[operations/puppet@production] airflow-analytics: specify the path to the SSL CA certificate bundle

https://gerrit.wikimedia.org/r/1119043

CodeReviewBot added a comment.Feb 12 2025, 2:23 PM

brouberol merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1069

Fix typos in changelog

gerritbot added a comment.Feb 12 2025, 4:59 PM

Change #1119185 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] airflow-analytics: fix typo in config

https://gerrit.wikimedia.org/r/1119185

tchin subscribed.Feb 13 2025, 12:43 AM

I don't know why but it seems like the kafka sink doesn't recognize schema_registry_config and it's currently failing:

Exception:
1 validation error for KafkaSinkConfig
schema_registry_config
extra fields not permitted (type=value_error.extra)
gerritbot added a comment.Feb 13 2025, 8:18 AM

Change #1119185 merged by Brouberol:

[operations/puppet@production] airflow-analytics: fix typo in config

https://gerrit.wikimedia.org/r/1119185

brouberol added a comment.Feb 13 2025, 8:36 AM

@tchin That was fixed in https://gerrit.wikimedia.org/r/c/operations/puppet/+/1119185

brouberol added a comment.Feb 13 2025, 8:45 AM

All failed tasks have been cleared and ran successfully

gerritbot added a comment.Feb 13 2025, 8:50 AM

Change #1119456 had a related patch set uploaded (by Brouberol; author: Brouberol):

[operations/puppet@production] airflow-analytics: upgarde the airflow deb package to get a new confluent-kafka version

https://gerrit.wikimedia.org/r/1119456

gerritbot added a comment.Feb 13 2025, 9:26 AM

Change #1119456 merged by Brouberol:

[operations/puppet@production] airflow-analytics: upgrade airflow to get a new confluent-kafka version

https://gerrit.wikimedia.org/r/1119456

brouberol closed this task as Resolved.Feb 13 2025, 10:38 AM
brouberol moved this task from Needs Review to Done on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.

The datahub emitter operator task ran successfully even with confluent-kafka 2.8.0, with the config change.

Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.02.10 - 2025.02.28) board.Feb 14 2025, 8:22 AM
CodeReviewBot added a comment.Feb 18 2025, 10:31 AM

brouberol merged https://gitlab.wikimedia.org/repos/data-engineering/airflow-dags/-/merge_requests/1064

test_k8s: define a DAG emitting dataset lineage

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits