Implement support for TLS config, OAuth credentials and setup CP integration tests

[rohitsanj]

Summary of Changes

• Add cp-demo testcontainers, along with a script to set it up from scratch -- works locally and on CI.
• Added make targets to start/stop cp-demo.
• Added make targets to store/load the Docker images into/from Semaphore cache. (I noticed we weren't caching confluent-local, so I've added that too.)
• Bring @rhauch's implementation of mTLS and OAuth credentials from Add mTLS and OAuth 2.0 support for direct connections to Kafka and SR #211 and tweaked as follows. Mutual TLS is no longer a "credentials" type, but rather a sub-field called ssl under ConnectionSpec.KafkaClusterConfig as well as ConnectionSpec.SchemaRegistryConfig. The ssl config may be set along with any credentials type (basic, apikey/secret, oauth) and can even be set in the absence of creds.
• The field ssl holds all configs related to TLS. (h/t @flippingbits for this section)
  • It can be used to disable the usage of TLS via the boolean field enabled, in which case the sidecar uses an unencrypted but potentially authenticated channel to interact with the Kafka cluster.
  • It accepts a keystore via the field keystore, a truststore via the field truststore, and allows to disable hostname verification via the boolean field verify_hostname.
  • If ssl is set to null, the sidecar uses an encrypted channel to interact with the Kafka cluster, verifies the hostname, and does not take any custom keystore/truststore into account.

Any additional details or context that should be provided?

Follow up items:

• Add a new Credentials type called MutualTLSCredentials starting with a single field such as derived that is always set to true. The SSL configuration for mTLS will still need to be passed in the kafka_cluster.ssl (or schema_registry.ssl) object. -- Add MutualTLSCredentials as a placeholder Credentials type #237
• The OAuth credentials type is untested, we can add integration tests for this in a follow up PR. -- Add integration tests for OAuth credentials against cp-demo #238
• Fix pom.xml configuration to ensure we run integration tests just once, not twice. (Fixed in Fix coverage reporting and push to Sonarqube #224)
• Replace ZK with KRaft, start just one Kafka broker -- Modernize CPDemoTestEnvironment to use KRaft instead of to-be-deprecated ZK #239

Pull request checklist

Please check if your PR fulfills the following (if applicable):

• Tests:
  • Added new
  • Updated existing
  • Deleted existing
• Have you validated this change locally against a running instance of the Quarkus dev server?

  make quarkus-dev

• Have you validated this change against a locally running native executable?

  make mvn-package-native && ./target/ide-sidecar-*-runner

[confluent-cla-assistant]

🎉 All Contributor License Agreements have been signed. Ready to merge.
_{Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.}

[rhauch]

Thanks, @rohitsanj. I took a quick first pass, and wanted to share these questions/suggestions sooner than later.

[rohitsanj]

Some notes

[flippingbits]

Thanks for the updates, @rohitsanj! 🎉 I have a few questions and comments. Otherwise, your PR looks good to me. I feel you're very close to being able to merge it into main.

[flippingbits]

Can't we rely on the built-in/system certs in the absence of the truststore?
AFAIK, that's how you'd use mTLS with, for instance, Confluent Cloud.

[rohitsanj]

Sounds good -- I'd imagine the built-in/system certs will be picked up automatically by the Java runtime without us having to configure anything.

Or would we need to use the stored Preferences to add any tls_pem_paths to the trust store?

[flippingbits]

We should definitely test if that works with the native executable.

[rohitsanj]

Sounds good -- I've already created #235 for supporting mTLS against Confluent Cloud, so testing would be taken care of as well.

[rohitsanj]

For now, I've changed the constraints to allow passing keystore options without truststore.

[rohitsanj]

@flippingbits Thanks so much for the review! I've made some updates based on our offline conversation.

[rohitsanj]

Seems there's quite a few branches in the ConnectionSpec validation logic that have not been covered with tests. Given how large this PR has gotten, we can add tests in a follow up PR -- #241

[rohitsanj]

The two bugs reported by Sonarqube were false positives and I've resolved them with comments.

[flippingbits]

Thanks for the update, @rohitsanj! This looks great. I have two more very minor comments. Otherwise, your PR looks good to me.

[flippingbits]

Thanks for the great work, @rohitsanj! LGTM, pending the results of the CI pipeline.

[rohitsanj]

For those following: @rhauch is fine with us merging this.

[sonarqube-confluent]

• 57.90% Coverage on New Code (is less than 80.00%)

Analysis Details

8 Issues

• 0 Bugs
• 0 Vulnerabilities
• 8 Code Smells

Coverage and Duplications

• 57.90% Coverage (80.10% Estimated after merge)
• No duplication information (0.60% Estimated after merge)

Project ID: ide-sidecar

View in SonarQube