
BE: Support PEM trust/key stores and mTLS configuration. (#1437)

Open iamtakingiteasy opened this issue 2 weeks ago • 6 comments

  • [ ] Breaking change? -- Shouldn't be, configuration changes are append-only, unspecified store type is considered as JKS/PKCS12 (both can be handled under either and technically only a preference hint).

What changes did you make? Resolves #1437

Adds support for PEM keystore/truststore and mTLS configuration, replacing manual KeyManagerFactory/TrustManagerFactory calls with Spring Boot SslBundle to parametrize the Kafka client and HTTP/Netty clients.

  • TruststoreConfig/KeystoreConfig extended with truststoreType/keystoreType with possible values of JKS, PKCS12 and PEM
  • KeystoreConfig is extended with keystoreCertificate for [pem] client certificate file.
  • Cluster is extended with securityProtocol and kafkaSsl for mTLS client certificate.

Out-of-scope FE change: ApplicationConfigPropertiesKafkaSchemaRegistrySsl -> KeystoreConfig as a reusable DTO is introduced; the auto-generated one no longer exists.

Is there anything you'd like reviewers to focus on?

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • [ ] No need to
  • [x] Manually Tested on mTLS cluster with PEM, JKS and PKCS12 keystores
  • [x] Unit checks
  • [x] Integration checks
  • [ ] Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES) -- no environment variable changes are necessary in documentation compose files
  • [x] My changes generate no new warnings (e.g. Sonar is happy)
  • [x] I have added tests that prove my fix is effective or that my feature works -- a rather heavy setup would be required
  • [x] New and existing unit tests pass locally with my changes
  • [x] Any dependent changes have been merged -- no dependencies

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

iamtakingiteasy, Nov 15 '25 03:11
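
The store-type dispatch described in the pull request, sketched as an added example that is not the PR's own code: it maps a JKS, PKCS12 or PEM store definition onto a Spring Boot `SslBundle`, including the mixed case of a PEM client key with a JKS truststore. `StoreSettings`, `SslBundleExample` and the method names are hypothetical. It assumes Spring Boot 3.1 or later, and that for PEM the `location` field holds the private key and `certificate` holds the client certificate chain, both as Spring resource locations.

```java
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.boot.ssl.jks.JksSslStoreBundle;
import org.springframework.boot.ssl.jks.JksSslStoreDetails;
import org.springframework.boot.ssl.pem.PemSslStoreBundle;
import org.springframework.boot.ssl.pem.PemSslStoreDetails;

// Hypothetical holder for the fields the PR names; not the project's DTO.
record StoreSettings(String type, String location, String certificate, String password) {
  boolean pem() {
    return "PEM".equalsIgnoreCase(type);
  }
}

final class SslBundleExample {

  // Client identity (mTLS): private key plus certificate chain.
  static SslStoreBundle keySide(StoreSettings ks) {
    if (ks == null) {
      return SslStoreBundle.NONE; // server-auth only, no client certificate
    }
    if (ks.pem()) {
      PemSslStoreDetails details = PemSslStoreDetails.forCertificate(ks.certificate())
          .withPrivateKey(ks.location())
          .withPrivateKeyPassword(ks.password());
      return new PemSslStoreBundle(details, null);
    }
    // A null type falls back to the JVM default keystore type.
    return new JksSslStoreBundle(
        new JksSslStoreDetails(ks.type(), null, ks.location(), ks.password()), null);
  }

  // Trust anchors: CA certificates only, no private key.
  static SslStoreBundle trustSide(StoreSettings ts) {
    if (ts == null) {
      return SslStoreBundle.NONE; // the JVM default trust store is then used
    }
    if (ts.pem()) {
      return new PemSslStoreBundle(null, PemSslStoreDetails.forCertificate(ts.location()));
    }
    return new JksSslStoreBundle(
        null, new JksSslStoreDetails(ts.type(), null, ts.location(), ts.password()));
  }

  // Each side is built independently, so store formats can be mixed.
  static SslBundle toBundle(StoreSettings keystore, StoreSettings truststore) {
    SslStoreBundle key = keySide(keystore);
    SslStoreBundle trust = trustSide(truststore);
    return SslBundle.of(
        SslStoreBundle.of(key.getKeyStore(), key.getKeyStorePassword(), trust.getTrustStore()));
  }
}
```

The resulting bundle yields an `SSLContext` through `createSslContext()`, so one definition can serve every client that needs the same trust and identity material.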