Keith Wall

+1 Kroxylicious could be internet facing. in addition to the scenarios listed above, we should guard against a client that opens a connection and never sends any bytes. we should...

Our 'admin' HTTP interface is misnamed. It is just metrics. Plain connections connections are acceptable for that. Of course, if Kroxylicious ever evolves to present a REST API for Admin,...

Work of #1660 is a partial resolution to this issue. Specifically it addresses the issue for Kafka, but the issue for the HTTP transports (the KMS interaction) remains. It should...

Yes, I agree this is a useful optimization. I'd noticed that the Vault API supports this use-case just last week.

I notice Fortanix allows for batches too.

The Client has the ability to load PEMs, so we might be able to lean on it.

Wonder if we did something like this, we could force the issue to surface early? Not a fully thought through. ``` keyStore.aliases().asIterator().forEachRemaining(a -> { try { keyStore.getEntry(a, new java.security.KeyStore.PasswordProtection(password)); }...

It appear to be failing to proxy the authentication. Related to the way old clients used to do frameless SASL perhaps? I think this might be somehow related to kaf....

The problem has two aspects: 1. Kaf is sending the unframed SASL authenticate. There's no way to override that behaviour currently. https://github.com/birdayz/kaf/compare/master...k-wall:kaf:enable-sasl-v1 2. Kroxylicious can't handle an unframed SASL authenticate....

> The problem has two aspects: > > 1. Kaf is sending the unframed SASL authenticate. There's no way to override that behaviour currently. [birdayz/[email protected]:kaf:enable-sasl-v1](https://github.com/birdayz/kaf/compare/master...k-wall:kaf:enable-sasl-v1) (edit: I've opened a PR...