Using the Kafka scaler + Kerberos against a KDC that doesn't support FAST currently fails with this unfortunate error, and a user can't do anything about it without re-configuring their KDC:
"error creating kafka client: kafka: client has run out of available brokers to talk to: [Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect < KRBMessage_Handling_Error: KDC did not respond appropriately to FAST negotiation"}
Hi, is there news about this issue?
I expected it to be a cosmetic change, since the FAST negotiation flag is already supported by the sarama client.
Many thanks
Proposal
The sarama Kafka client we are using in the Kafka scaler actually does have a setting GSSAPIConfig.DisablePAFXFAST that can be used to disable kerberos/GSSAPI FAST negotiation and "fix" this, but the Kafka scaler doesn't currently have any plumbing to read that setting out of the auth config to configure it -- so a user can't use it because it's not exposed.
As such, the current state of affairs prevents users from using the Kafka scaler against some configurations of KDCs -- like Active Directory -- that don't use FAST.
I'm proposing we add plumbing at least for the AuthConfig so we can expose this piece of client config as an authentication parameter so users can shut off FAST for their connections if they need to.
Use-Case
This would let us successfully use the Kafka scaler against KDCs that don't support FAST.
In a lot of cases the kerberos infrastructure was set up for other purposes and not just to auth our keda scaler, so modifying the KDC configuration itself is often out of reach of our users -- right now they just don't get to use kerberos with the kafka scaler. :sad
Is this a feature you are interested in implementing yourself?
Yes
Anything else?
( sarama uses gokrb5 under the hood, i.e. https://github.com/jcmturner/gokrb5/blob/master/v8/USAGE.md#active-directory-kdc-and-fast-negotiation. I was hoping for a "try and fallback" method but it doesn't look like there is one, it looks like all we get is "turn it off before you login plzkthx" )
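One way the proposed plumbing could look, as an added example that is not KEDA's or sarama's own code: FAST stays on unless the user explicitly turns it off, and a malformed value is an error instead of a silent default. The parameter names `sasl` and `kerberosDisableFAST` and the local `gssapiConfig` struct are assumptions; in the scaler the parsed value would be assigned to sarama's `GSSAPIConfig.DisablePAFXFAST`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// gssapiConfig is a local stand-in for the one sarama GSSAPIConfig field this
// example sets, so the block builds without the sarama module.
type gssapiConfig struct {
	DisablePAFXFAST bool
}

// Hypothetical auth parameter names; the issue does not name them.
const (
	paramSASL        = "sasl"
	paramDisableFAST = "kerberosDisableFAST"
)

// gssapiFromAuthParams maps trigger auth params to GSSAPI settings.
// It returns (nil, nil) when the SASL mode is not GSSAPI.
func gssapiFromAuthParams(params map[string]string) (*gssapiConfig, error) {
	raw, set := params[paramDisableFAST]
	if !strings.EqualFold(strings.TrimSpace(params[paramSASL]), "gssapi") {
		if set {
			// A Kerberos-only knob on a non-Kerberos connection is a config mistake.
			return nil, fmt.Errorf("%s is only valid with %s=gssapi", paramDisableFAST, paramSASL)
		}
		return nil, nil
	}
	cfg := &gssapiConfig{}
	if !set || strings.TrimSpace(raw) == "" {
		return cfg, nil // default: FAST negotiation left enabled
	}
	disable, err := strconv.ParseBool(strings.TrimSpace(raw))
	if err != nil {
		// Fail closed: never guess what "yes" or a typo was meant to be.
		return nil, fmt.Errorf("invalid %s value %q: %w", paramDisableFAST, raw, err)
	}
	cfg.DisablePAFXFAST = disable
	return cfg, nil
}

func main() {
	// Constructed sample: a connection to a KDC that does not support FAST.
	cfg, err := gssapiFromAuthParams(map[string]string{"sasl": "gssapi", "kerberosDisableFAST": "true"})
	if err != nil {
		panic(err)
	}
	fmt.Println("DisablePAFXFAST:", cfg.DisablePAFXFAST)
}
```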