Azure / azure-functions-kafka-extension

Kafka extension for Azure Functions
MIT License

Allow retrieving custom certificates from certificate store #280

Open a99cl208 opened 2 years ago

a99cl208 commented 2 years ago

Hello,

For now, in order to use a custom CA certificate, it needs to be referenced using SslCaLocation in the KafkaTrigger, and the certificate needs to be deployed along with the function. In order to better split infrastructure topics from application topics, and also to make it easier to manage multi-environment deployments, it would be great to find a way to retrieve the certificates from the App Service certificate store. Unfortunately, it seems that the certificates are stored in the CurrentUserMy location, and by default the kafka library only looks into the Root location. However, the confluent .NET library allows changing this by setting the SslCaCertificateStores property from the ClientOptions. Therefore it would be great to expose this option in the webjobs extension, I would say preferably in the KafkaOptions since it makes more sense that it impacts all the functions.

Not sure I haven't missed something in the use case, but if not it seems an easy-to-implement feature with a great benefit.
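An added example, not code from the extension or from the issue author, showing the two library-side options the post above refers to, using the Confluent.Kafka ClientConfig directly rather than the KafkaTrigger attribute: on Windows, SslCaCertificateStores points librdkafka at the MY store in addition to the default Root store; on any OS, the CA can be read from the X509 store (App Service loads it there when its thumbprint is listed in WEBSITE_LOAD_CERTIFICATES) and handed over in memory via SslCaPem, so no certificate file ships inside the function package. The broker address, group id and thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Confluent.Kafka;

static class KafkaCaFromStore
{
    // Option A (Windows only): let librdkafka load CA certificates from the
    // current user's MY store as well as the default Root store.
    public static ConsumerConfig ConfigUsingStores(string bootstrap, string groupId) =>
        new ConsumerConfig
        {
            BootstrapServers = bootstrap,
            GroupId = groupId,
            SecurityProtocol = SecurityProtocol.Ssl,
            SslCaCertificateStores = "MY,Root", // librdkafka ssl.ca.certificate.stores
        };

    // Option B (any OS): find the CA in CurrentUser\My by thumbprint and pass it
    // as PEM text, so nothing is written to disk or packaged with the function.
    public static ConsumerConfig ConfigUsingPem(string bootstrap, string groupId, string caThumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, caThumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"CA certificate {caThumbprint} not found in CurrentUser\\My; " +
                "check WEBSITE_LOAD_CERTIFICATES on the Function App.");

        return new ConsumerConfig
        {
            BootstrapServers = bootstrap,
            GroupId = groupId,
            SecurityProtocol = SecurityProtocol.Ssl,
            SslCaPem = ToPem(matches[0]), // librdkafka ssl.ca.pem
        };
    }

    // DER -> PEM; only the public certificate is exported, never a private key.
    private static string ToPem(X509Certificate2 cert)
    {
        var b64 = Convert.ToBase64String(cert.Export(X509ContentType.Cert),
                                         Base64FormattingOptions.InsertLineBreaks);
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }
}
```

Either config is then passed to `new ConsumerBuilder<Ignore, string>(cfg).Build()`; the check in option B fails closed if the certificate was not loaded into the store, instead of silently falling back to the system CA bundle.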

m001z commented 1 year ago

I want to endorse this or another more secure solution, because I'm also using custom certificates and would like to be able to reference them in a secure way without the need to place the files on disk along with the function. Is that currently the only way of using certificates with this trigger?

sapinderpalsingh commented 1 year ago

It would be nice if we can reference the certificates directly from the Keyvault itself.

spilo-apex commented 1 year ago

Old-ish issue, but same case here: fetching from the cert store is the usual method for mTLS, and it should be allowed for Kafka as well.

Marty-Me commented 9 months ago

As my team is using the Python Function Trigger, we don't have any way to "pre-download" the key pair needed to connect to our Kafka Cluster, resulting in us having to store both the key and the certificate inside of our Function zip.

spilo-apex commented 9 months ago

> I want to endorse this or another more secure solution, because I'm also using custom certificates and would like to be able to reference them in a secure way without the need to place the files on disk along with the function. Is that currently the only way of using certificates with this trigger?

Our workaround was to store the cert and private key in Azure File Storage (not really all that secure), and add a file share to a Linux-based function. It works, and is slightly better than having it in source, but not by much.