Help with SSL mapping
Since SSL mapping is not provided as part of the KafkaJS config migration, I have a question on how to migrate a KafkaJS SSL configuration.
We have 3rd party SSL-based connections that are configured today in KafkaJS as such:
    brokers:
      - kafka-dev1.some-domain.local:9096
    ssl:
      ca: ${secret.kafka.ca}
      key: ${secret.kafka.key}
      cert: ${secret.kafka.cert}
      passphrase: ${secret.kafka.passphrase}
      checkServerIdentity: false # disables hostname verification
...where ${secret.kafka.ca}, ${secret.kafka.key}, and ${secret.kafka.cert} are the string contents of .pem files (and the .pem files are not accessible at runtime).
I see a very wide range of ssl options in GlobalConfig, some prefixed with ssl_ and others with ssl.
I'm not sure how I should be mapping these to incorporate the passphrase and disable hostname verification.
    ssl_ca: ${secret.kafka.ca}
    ssl_key: ${secret.kafka.key}
    ssl_certificate: ${secret.kafka.cert}
    ???
-or-
    ssl.ca.pem: ${secret.kafka.ca}
    ssl.key.pem: ${secret.kafka.key}
    ssl.key.password: ${secret.kafka.passphrase}
    ssl.certificate.pem: ${secret.kafka.cert}
    ???
-or- other?
Thanks!
The right way would be to use the latter:
    ssl.ca.pem: ${secret.kafka.ca}
    ssl.key.pem: ${secret.kafka.key}
    ssl.key.password: ${secret.kafka.passphrase}
    ssl.certificate.pem: ${secret.kafka.cert}
Additionally, this:
enable.ssl.certificate.verification -> this should be set to false to disable hostname verification; it's true by default.
The entire list of parameters is available here: https://github.com/confluentinc/librdkafka/blob/master/CONFIGURATION.md
Hope that helps!
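
The mapping discussed in this thread, as an added example (not code from the thread or from the Confluent client): a helper that turns a KafkaJS `ssl` block into librdkafka property names and reports which verification steps end up disabled. librdkafka's CONFIGURATION.md also documents `ssl.endpoint.identification.algorithm`, where `none` switches off only the hostname match, while `enable.ssl.certificate.verification=false` switches off broker certificate verification as a whole; the example maps `checkServerIdentity: false` to the narrower setting. Assumptions: `mapKafkaJsSsl` and `requirePem` are hypothetical names, `rejectUnauthorized` is a Node `tls` option that does not appear in the thread, and passing the resulting properties to the client is not shown.

```javascript
// Added example: map a KafkaJS `ssl` block to librdkafka property names.
// mapKafkaJsSsl and requirePem are hypothetical helper names.
const PEM_RE = /-----BEGIN [A-Z0-9 ]+-----[\s\S]+?-----END [A-Z0-9 ]+-----/;

function requirePem(name, value) {
  // The secrets hold PEM text, so a file path or empty string is a config error.
  if (typeof value !== 'string' || !PEM_RE.test(value)) {
    throw new Error(`${name} must contain PEM text`);
  }
  return value;
}

function mapKafkaJsSsl(ssl) {
  const props = { 'security.protocol': 'ssl' };
  const warnings = [];
  if (Boolean(ssl.key) !== Boolean(ssl.cert)) {
    throw new Error('client key and cert must be supplied together');
  }
  if (ssl.ca) props['ssl.ca.pem'] = requirePem('ca', ssl.ca);
  if (ssl.key) {
    props['ssl.key.pem'] = requirePem('key', ssl.key);
    props['ssl.certificate.pem'] = requirePem('cert', ssl.cert);
  }
  if (ssl.passphrase) props['ssl.key.password'] = ssl.passphrase;
  if (ssl.checkServerIdentity === false) {
    // Skips only the hostname match; the chain is still checked against the CA.
    props['ssl.endpoint.identification.algorithm'] = 'none';
    warnings.push('hostname verification disabled');
  }
  if (ssl.rejectUnauthorized === false) {
    // Node tls option (not in the thread): no broker certificate checks at all.
    props['enable.ssl.certificate.verification'] = false;
    warnings.push('broker certificate verification disabled');
  }
  return { props, warnings };
}

// Constructed sample input; the PEM bodies are placeholders, not real keys.
const pem = (label) => `-----BEGIN ${label}-----\nCONSTRUCTED\n-----END ${label}-----`;
const sample = {
  ca: pem('CERTIFICATE'),
  key: pem('ENCRYPTED PRIVATE KEY'),
  cert: pem('CERTIFICATE'),
  passphrase: 'constructed-passphrase',
  checkServerIdentity: false,
};
const result = mapKafkaJsSsl(sample);
// Print property names and warnings only, never the secret values.
console.log(Object.keys(result.props), result.warnings);
```

Logging the returned warnings at startup makes a relaxed TLS setting visible in each environment where it is applied.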