
feat: kafka trigger kerberos/gssapi support #7815

Merged: rubenfiszel merged 9 commits into main from alp/kafka_gssapi on Feb 6, 2026

alpetric (Collaborator) commented Feb 5, 2026

No description provided.

cloudflare-workers-and-pages bot commented Feb 5, 2026

Deploying windmill with Cloudflare Pages

Latest commit: 3a70411
Status: ✅ Deploy successful!
Preview URL: https://a91da9b1.windmill.pages.dev
Branch Preview URL: https://alp-kafka-gssapi.windmill.pages.dev

claude bot (Contributor) commented Feb 5, 2026

Claude finished @alpetric's task in 1m 37s


Reviewing PR #7815: Kafka Trigger Kerberos/GSSAPI Support

  • Gather context and analyze changed files
  • Review Dockerfile changes
  • Review Cargo dependency changes
  • Review workflow changes
  • Examine EE repository changes
  • Provide comprehensive feedback

Summary

This PR adds Kerberos/GSSAPI authentication support for Kafka triggers in Windmill Enterprise Edition. The changes are well-structured and follow the existing patterns in the codebase.

Changes Overview

| File | Change |
| --- | --- |
| Dockerfile | Added libkrb5-dev, libsasl2-dev (build), libsasl2-modules-gssapi-mit (runtime) |
| docker/RHEL8/Dockerfile | Added krb5-devel, cyrus-sasl-devel, cyrus-sasl-gssapi |
| docker/RHEL9/Dockerfile | Added krb5-devel, cyrus-sasl-devel, cyrus-sasl-gssapi |
| backend/Cargo.toml | Added kafka-gssapi feature |
| backend/windmill-api/Cargo.toml | Added kafka-gssapi feature enabling rdkafka/gssapi |
| backend/Cargo.lock | Added sasl2-sys and dependencies (duct, shared_child, os_pipe) |
| .github/workflows/backend-check.yml | Added Kerberos dev packages for CI |
| .github/workflows/claude.yml | Added Kerberos dev packages for Claude workflow |
| backend/ee-repo-ref.txt | Updated EE repository reference |

Code Review

✅ Strengths

  1. Clean Feature Separation: The kafka-gssapi feature is properly layered on top of the existing kafka feature, avoiding unnecessary coupling.

  2. Consistent Package Naming: The RHEL Dockerfiles correctly use cyrus-sasl-* packages while Debian uses libsasl2-* packages.

  3. Build vs Runtime Separation: The Dockerfile correctly separates build-time dependencies (libkrb5-dev, libsasl2-dev) from runtime dependencies (libsasl2-modules-gssapi-mit).

  4. CI Consistency: Both backend-check.yml and claude.yml workflows are updated to include the Kerberos development packages.

⚠️ Observations

  1. Missing Runtime Package in RHEL Dockerfiles: The RHEL Dockerfiles include cyrus-sasl-gssapi in the builder stage but I don't see a corresponding runtime stage update. If the RHEL images have a separate runtime stage, it may need cyrus-sasl-gssapi there as well. This may be intentional if the RHEL builds are static, but worth verifying.

  2. EE Repository Reference: The actual GSSAPI implementation logic is in the private EE repository (commit 128c654). This review can only verify the infrastructure changes in this open-source PR.

  3. Feature Flag Not in all_sqlx_features: The new kafka-gssapi feature is not added to all_sqlx_features in backend/Cargo.toml:111-114. This appears intentional since GSSAPI is optional and requires additional system packages, but it means the feature won't be tested in full-feature builds unless explicitly enabled.

✅ Security Considerations

  • Kerberos/GSSAPI is a widely-used, secure authentication mechanism appropriate for enterprise Kafka deployments
  • No hardcoded credentials or sensitive data introduced
  • The implementation properly uses system libraries rather than custom cryptographic code

✅ Performance Considerations

  • The new dependencies (sasl2-sys, duct, shared_child) are lightweight
  • No runtime performance impact when the kafka-gssapi feature is disabled

Verdict

This PR looks good to merge. The changes are minimal, well-organized, and follow established patterns. The infrastructure changes correctly enable GSSAPI support for the rdkafka library.


Testing Instructions

To verify the Kerberos/GSSAPI support for Kafka triggers:

Navigate to the Triggers page in Windmill, create or edit a Kafka trigger, and configure it to connect to a Kerberos-authenticated Kafka cluster. The Kafka resource configuration should now support GSSAPI authentication method (SASL mechanism). You'll need a Kerberos-enabled Kafka broker and valid Kerberos credentials (keytab or kinit) to test the actual connection. The new authentication options should be visible in the Kafka trigger configuration UI when using an Enterprise Edition deployment built with the kafka-gssapi feature enabled.
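
A check for the runtime-package concern raised in the review above, as an added example that is not part of this PR or of the Windmill code base: it looks inside an exported image root filesystem for the Cyrus SASL GSSAPI plugin that libsasl2 loads at run time. The plugin file name (`libgssapiv2.so*`), the library directories searched, and the function names are assumptions of this example; the sample root filesystems are constructed.

```shell
#!/bin/sh
# Added example: confirm a runtime image ships the Cyrus SASL GSSAPI plugin.
# Assumption: the plugin is named libgssapiv2.so* and sits in a "sasl2"
# directory under one of the library paths below (RHEL lib64, Debian multiarch).

# Print the path of the first GSSAPI plugin under rootfs $1; return 1 if none.
find_gssapi_plugin() {
    rootfs="${1%/}"
    for libdir in usr/lib64 usr/lib/x86_64-linux-gnu usr/lib/aarch64-linux-gnu usr/lib; do
        dir="$rootfs/$libdir/sasl2"
        [ -d "$dir" ] || continue
        for f in "$dir"/libgssapiv2.so*; do
            # An unmatched glob stays literal, so confirm the file exists.
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
                return 0
            fi
        done
    done
    return 1
}

# One-line verdict for the image unpacked at rootfs $1.
check_runtime_image() {
    if plugin=$(find_gssapi_plugin "$1"); then
        echo "ok: GSSAPI SASL plugin present at $plugin"
    else
        echo "missing: no libgssapiv2 plugin; install libsasl2-modules-gssapi-mit (Debian) or cyrus-sasl-gssapi (RHEL) in the runtime stage"
        return 1
    fi
}

# Constructed sample: two fake root filesystems, one with the plugin and one
# where only an unrelated SASL plugin was installed.
make_sample_rootfs() {
    base=$(mktemp -d)
    mkdir -p "$base/with/usr/lib64/sasl2" "$base/without/usr/lib64/sasl2"
    : > "$base/with/usr/lib64/sasl2/libgssapiv2.so.3"
    : > "$base/without/usr/lib64/sasl2/libplain.so.3"
    printf '%s\n' "$base"
}
```

Pass `/` as the argument to run the check inside a running container instead of against an unpacked image.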

This commit updates the EE repository reference after PR #405 was merged in windmill-ee-private.

Previous ee-repo-ref: 128c6549d4557895a362fb720f56afa54d6f566b

New ee-repo-ref: bb32d562120dc34bbd8d659d92a0d4b8824b8c4c

Automated by sync-ee-ref workflow.

windmill-internal-app bot (Contributor) commented

🤖 Updated ee-repo-ref.txt to bb32d562120dc34bbd8d659d92a0d4b8824b8c4c after windmill-ee-private PR #405 was merged.

windmill-internal-app bot changed the title from "[ee] feat: kafka trigger kerberos/gssapi support" to "feat: kafka trigger kerberos/gssapi support" on Feb 5, 2026
rubenfiszel merged commit 795e2be into main on Feb 6, 2026
20 checks passed
rubenfiszel deleted the alp/kafka_gssapi branch on February 6, 2026 06:23
github-actions bot locked and limited conversation to collaborators on Feb 6, 2026