Merge pull request #26 from superstreamlabs/master

release

Author: idanasulin2706

config-examples/README.md

@@ -448,11 +448,19 @@ npx superstream-kafka-analyzer
 - **Port**: 9092
 - **Best for**: Enterprise Confluent deployments
 
-### 7. **Aiven Kafka** (`config.example.aiven-kafka.json`)
-- **Use case**: Aiven managed Kafka service
-- **Authentication**: SASL_SSL with PLAIN mechanism
+### 7. **Aiven Kafka - SASL Authentication** (`config.example.aiven-kafka-sasl.json`)
+- **Use case**: Aiven managed Kafka service with SASL authentication
+- **Authentication**: SASL_SSL with SCRAM-SHA-256 mechanism
+- **Port**: Custom (e.g., 12345)
+- **Best for**: Cloud-managed Kafka with Aiven using username/password authentication
+- **Requirements**: Username, password, and CA certificate
+
+### 7a. **Aiven Kafka - SSL with Certificates** (`config.example.aiven-kafka-ssl.json`)
+- **Use case**: Aiven managed Kafka service with SSL client certificates
+- **Authentication**: SSL with client certificates
 - **Port**: Custom (e.g., 12345)
-- **Best for**: Cloud-managed Kafka with Aiven
+- **Best for**: Cloud-managed Kafka with Aiven using certificate-based authentication
+- **Requirements**: CA certificate, client certificate, and private key
 
 ### 8. **Redpanda** (`config.example.redpanda.json`)
 - **Use case**: Redpanda streaming platform
@@ -687,8 +695,13 @@ npx superstream-kafka-analyzer
 
 ### Aiven Kafka
 - Uses custom port numbers (not 9092)
-- Default username is `avnadmin`
+- Supports two authentication methods:
+  - **SASL_SSL**: Username/password with SCRAM-SHA-256 (recommended)
+  - **SSL**: Client certificates with CA verification
+- Default username is `avnadmin` for SASL authentication
 - Get connection details from Aiven console
+- CA certificate is required for SASL mode
+- For SSL mode, all three certificates (CA, client cert, private key) are required
 
 ### Redpanda
 - Compatible with Kafka protocol

config-examples/config.example.aiven-kafka-sasl.json

@@ -0,0 +1,22 @@
+{
+  "kafka": {
+    "brokers": ["kafka-xxxxx-aiven-kafka.aivencloud.com:12345"],
+    "clientId": "superstream-analyzer",
+    "vendor": "aiven",
+    "useSasl": true,
+    "sasl": {
+      "mechanism": "scram-sha-256",
+      "username": "avnadmin",
+      "password": "*********"
+    },
+    "ssl": {
+      "ca": "./certs/ca.pem"
+    }
+  },
+  "file": {
+    "outputDir": "./kafka-analysis",
+    "formats": ["json", "csv", "html", "txt"],
+    "includeMetadata": true
+  },
+  "email": "[email protected]"
+}

config-examples/config.example.aiven-kafka.json renamed to config-examples/config.example.aiven-kafka-ssl.json

@@ -5,9 +5,9 @@
     "vendor": "aiven",
     "useSasl": false,
     "ssl": {
-      "ca": "path/to/ca.pem",
-      "cert": "path/to/service.cert",
-      "key": "path/to/service.key"
+      "ca": "./certs/ca.pem",
+      "cert": "./certs/service.cert",
+      "key": "./certs/service.key"
     }
   },
   "file": {
@@ -16,4 +16,4 @@
     "includeMetadata": true
   },
   "email": "[email protected]"
-}
+}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "superstream-kafka-analyzer",
-  "version": "1.0.17",
+  "version": "1.0.18",
   "description": "Interactive utility to analyze Kafka clusters health and configuration",
   "main": "src/cli.js",
   "bin": {

src/cli.js

@@ -188,8 +188,8 @@ class CLI {
       brokerMessage = 'AWS MSK broker URLs (comma-separated):';
       brokerDefault = 'b-1.your-cluster.region.amazonaws.com:9092';
     } else if (vendorAnswer.vendor === 'aiven') {
-      brokerMessage = 'Aiven broker URLs (comma-separated):';
-      brokerDefault = 'kafka-xxxxx.aivencloud.com:12345';
+      brokerMessage = 'kafka-xxxxx.aivencloud.com:12345';
+      brokerDefault = 'superstream-test-superstream-3591.k.aivencloud.com:18848';
     }
 
     const kafkaAnswers = await inquirer.prompt([
@@ -328,13 +328,13 @@ class CLI {
           type: 'input',
           name: 'certPath',
           message: 'Client Certificate path (optional, eg. "./certs/service.cert"):',
-          default: './certs/service.cert',
+          default: '',
         },
         {
           type: 'input',
           name: 'keyPath',
           message: 'Client Private Key path (optional, eg. "./certs/service.key"):',
-          default: './certs/service.key',
+          default: '',
         }
       ]);
 

src/kafka-client.js

@@ -39,7 +39,11 @@ class KafkaClient {
       // If SSL keys are provided, disable SASL
       if (this.config.ssl && (this.config.ssl.ca || this.config.ssl.cert || this.config.ssl.key)) {
         this.config.useSasl = false;
-      } 
+      }
+      
+      if (this.config.vendor === 'aiven' && this.config.ssl.ca && !this.config.ssl.cert && !this.config.ssl.key) {
+        this.config.useSasl = true;
+      }
 
       // Handle authentication based on vendor and configuration
       if (this.config.useSasl && this.config.sasl) {
@@ -180,52 +184,25 @@ class KafkaClient {
             return true;
 
           case 'aiven':
-            // Aiven uses SASL_SSL with SCRAM-SHA-256 or OAuth
-            console.log('🔐 Aiven detected - configuring SSL with certificates...');
-            if (this.config.ssl && (this.config.ssl.ca || this.config.ssl.cert || this.config.ssl.key)) {
-              kafkaConfig.ssl = await this.buildSslConfig();
-            }
+            // Aiven supports both SSL with certificates and SASL_SSL with username/password
+            const hasSaslCredentials = this.config.sasl && this.config.sasl.username && this.config.sasl.password;
+            const hasSslCertificates = this.config.ssl && (this.config.ssl.cert || this.config.ssl.key);
 
-            if (mechanism === 'oauthbearer' && useOIDC) {
-              const oidcProvider = await createOIDCProvider('oidc', {
-                ...this.config.sasl,
-                discoveryUrl: this.config.sasl.discoveryUrl,
-                clientId: this.config.sasl.clientId,
-                clientSecret: this.config.sasl.clientSecret,
-                tokenHost: this.config.sasl.host || this.config.sasl.tokenHost,
-                tokenPath: this.config.sasl.path || this.config.sasl.tokenPath,
-                scope: this.config.sasl.scope,
-                audience: this.config.sasl.audience,
-                validateToken: this.config.sasl.validateToken
-              });
-              
-              kafkaConfig.sasl = {
-                mechanism: 'oauthbearer',
-                oauthBearerProvider: async () => {
-                  return await oidcProvider.getToken();
-                }
-              };
-            } else if (mechanism === 'oauthbearer') {
-              // Legacy OAuth support
-              const oauthProvider = createOAuthProvider('generic', {
-                clientId: this.config.sasl.clientId,
-                clientSecret: this.config.sasl.clientSecret,
-                tokenHost: this.config.sasl.host || this.config.sasl.tokenHost,
-                tokenPath: this.config.sasl.path || this.config.sasl.tokenPath
-              });
-              
-              kafkaConfig.sasl = {
-                mechanism: 'oauthbearer',
-                oauthBearerProvider: async () => {
-                  return await oauthProvider.getToken();
-                }
-              };
-            } else {
+            if (hasSaslCredentials) {
+              // SASL_SSL mode with username/password
+              console.log('🔐 Aiven detected - configuring SASL_SSL with username/password...');
+              kafkaConfig.ssl = await this.buildSslConfig();
               kafkaConfig.sasl = {
                 mechanism: 'scram-sha-256', // Aiven typically uses SCRAM-SHA-256
                 username: this.config.sasl.username,
                 password: this.config.sasl.password
               };
+            } else if (hasSslCertificates) {
+              // SSL mode with client certificates
+              console.log('🔐 Aiven detected - configuring SSL with client certificates...');
+              kafkaConfig.ssl = await this.buildSslConfig();
+            } else {
+              throw new Error('Aiven configuration requires either SASL credentials (username/password) or SSL certificates (cert/key)');
             }
             break;