[kafka] Ensure TLS is enabled when using MSK IAM auth (#40720)

#### Description

Fixes a defect introduced in #39115 that prevents MSK IAM auth from
working

Signed-off-by: Anthony J Mirabella <[email protected]>

Author: Aneurysm9

.chloggen/fix_kafka_iam_tls.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: kafka
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Fixes a defect introduced in #39115 that prevents MSK IAM auth from working"
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [40720]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: "IAM auth requires TLS, but the config translation was enabling SASL when it intended to enable TLS"
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]

internal/kafka/client.go

@@ -147,7 +147,7 @@ func newSaramaClientConfig(ctx context.Context, config configkafka.ClientConfig)
 		}
 	} else if config.Authentication.SASL != nil && config.Authentication.SASL.Mechanism == "AWS_MSK_IAM_OAUTHBEARER" {
 		saramaConfig.Net.TLS.Config = &tls.Config{}
-		saramaConfig.Net.SASL.Enable = true
+		saramaConfig.Net.TLS.Enable = true
 	}
 	configureSaramaAuthentication(ctx, config.Authentication, saramaConfig)
 	return saramaConfig, nil

internal/kafka/client_test.go

@@ -543,3 +543,30 @@ func TestSetSaramaProducerConfig_Compression(t *testing.T) {
 		})
 	}
 }
+
+func TestNewSaramaClientConfigWithAWSMSKIAM(t *testing.T) {
+	// Test case for AWS_MSK_IAM_OAUTHBEARER mechanism
+	clientConfig := configkafka.ClientConfig{
+		Brokers: []string{"localhost:9092"},
+		Authentication: configkafka.AuthenticationConfig{
+			SASL: &configkafka.SASLConfig{
+				Mechanism: "AWS_MSK_IAM_OAUTHBEARER",
+				AWSMSK: configkafka.AWSMSKConfig{
+					Region: "us-west-2",
+				},
+			},
+		},
+	}
+
+	saramaConfig, err := newSaramaClientConfig(context.Background(), clientConfig)
+	assert.NoError(t, err)
+
+	// Verify that TLS is enabled, not just SASL
+	assert.True(t, saramaConfig.Net.TLS.Enable, "TLS should be enabled for AWS_MSK_IAM_OAUTHBEARER")
+	assert.NotNil(t, saramaConfig.Net.TLS.Config, "TLS config should not be nil for AWS_MSK_IAM_OAUTHBEARER")
+
+	// Also verify that SASL is enabled and properly configured
+	assert.True(t, saramaConfig.Net.SASL.Enable, "SASL should be enabled for AWS_MSK_IAM_OAUTHBEARER")
+	assert.Equal(t, sarama.SASLMechanism(sarama.SASLTypeOAuth), saramaConfig.Net.SASL.Mechanism)
+	assert.NotNil(t, saramaConfig.Net.SASL.TokenProvider, "TokenProvider should not be nil for AWS_MSK_IAM_OAUTHBEARER")
+}