confluentinc / confluent-kafka-javascript

Confluent's Apache Kafka JavaScript client
https://www.npmjs.com/package/@confluentinc/kafka-javascript
MIT License

Help with SSL mapping #46

Open apeloquin-agilysys opened 4 months ago

apeloquin-agilysys commented 4 months ago

Since SSL mapping is not provided as part of the KafkaJS config migration, I have a question on how to migrate a KafkaJS SSL configuration.

We have 3rd party SSL-based connections that are configured today in KafkaJS as such:

brokers:
  - kafka-dev1.some-domain.local:9096
ssl:
  ca: ${secret.kafka.ca}
  key: ${secret.kafka.key}
  cert: ${secret.kafka.cert}
  passphrase: ${secret.kafka.passphrase}
  checkServerIdentity: false  # disables hostname verification

...where ${secret.kafka.ca}, ${secret.kafka.key}, and ${secret.kafka.cert} are the string contents of .pem files (and the .pem files are not accessible at runtime).

I see a very wide range of ssl options in GlobalConfig, some prefixed with ssl_ and others with ssl.

I'm not sure how I should be mapping these to incorporate the passphrase and disable hostname verification.

ssl_ca: ${secret.kafka.ca}
ssl_key: ${secret.kafka.key}
ssl_certificate: ${secret.kafka.cert}
???

-or-

ssl.ca.pem: ${secret.kafka.ca}
ssl.key.pem: ${secret.kafka.key}
ssl.key.password: ${secret.kafka.passphrase}
ssl.certificate.pem: ${secret.kafka.cert}
???

-or- other?

Thanks!

milindl commented 4 months ago

The right way would be to use the latter:

ssl.ca.pem: ${secret.kafka.ca}
ssl.key.pem: ${secret.kafka.key}
ssl.key.password: ${secret.kafka.passphrase}
ssl.certificate.pem: ${secret.kafka.cert}

Additionally, this:

enable.ssl.certificate.verification -> this should be set to false to disable hostname verification; it's true by default.

The entire list of parameters is available here: https://github.com/confluentinc/librdkafka/blob/master/CONFIGURATION.md

Hope that helps!
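
The mapping discussed in this thread, written out as an added example (not code from the thread or from the client project). `mapKafkaJsSsl`, `pemString` and all sample values are hypothetical; for `checkServerIdentity: false` it assumes librdkafka's `ssl.endpoint.identification.algorithm` property, which turns off only the hostname match, whereas `enable.ssl.certificate.verification=false` turns off broker certificate verification altogether.

```javascript
// Added example. mapKafkaJsSsl is a hypothetical helper, not part of the client.
// All PEM bodies and the passphrase below are constructed sample values.
const pem = (label) =>
  `-----BEGIN ${label}-----\nQ09OU1RSVUNURUQ=\n-----END ${label}-----\n`;

// librdkafka's *.pem properties take the PEM text itself, so reject anything
// that is not PEM, such as a secret placeholder that was never resolved.
function pemString(value, field) {
  const text = (Buffer.isBuffer(value) ? value.toString('utf8') : String(value)).trim();
  if (!/^-----BEGIN [A-Z0-9 ]+-----[\s\S]+-----END [A-Z0-9 ]+-----$/.test(text)) {
    throw new Error(`${field} is not PEM content`);
  }
  return text;
}

function mapKafkaJsSsl(ssl) {
  if (Boolean(ssl.key) !== Boolean(ssl.cert)) {
    throw new Error('client key and cert must be supplied together');
  }
  const conf = { 'security.protocol': 'ssl' };
  if (ssl.ca) conf['ssl.ca.pem'] = pemString(ssl.ca, 'ssl.ca');
  if (ssl.key) {
    conf['ssl.key.pem'] = pemString(ssl.key, 'ssl.key');
    conf['ssl.certificate.pem'] = pemString(ssl.cert, 'ssl.cert');
    if (ssl.passphrase) conf['ssl.key.password'] = ssl.passphrase;
  }
  if (ssl.checkServerIdentity === false) {
    // Assumption: skip only the hostname match and keep CA chain validation
    // (enable.ssl.certificate.verification stays at its default of true).
    conf['ssl.endpoint.identification.algorithm'] = 'none';
  } else if (typeof ssl.checkServerIdentity === 'function') {
    throw new Error('checkServerIdentity callbacks are not mapped by this helper');
  }
  return conf;
}

const sampleSsl = {
  ca: pem('CERTIFICATE'),
  key: pem('ENCRYPTED PRIVATE KEY'),
  cert: pem('CERTIFICATE'),
  passphrase: 'constructed-passphrase',
  checkServerIdentity: false,
};
const mapped = mapKafkaJsSsl(sampleSsl);
console.log(Object.keys(mapped));
```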