Open jonathansp opened 3 years ago
Hello everybody!
I'm trying to set a PEM file as a trust store, as it seems to be supported here https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L311 as long as the password is null.
By checking https://github.com/confluentinc/kafka-images/blob/master/kafka/include/etc/confluent/docker/configure#L91, it looks like KAFKA_SSL_TRUSTSTORE_CREDENTIALS is mandatory if SSL is enabled, meaning the password will never be null.
Shouldn't we test if KAFKA_SSL_TRUSTSTORE_TYPE is PEM before evaluating KAFKA_SSL_TRUSTSTORE_CREDENTIALS?
Thanks
FYI: You could get around the check by using KAFKA_LISTENER_SECURITY_PROTOCOL_MAP to map SSL endpoints, e.g. EXTERNAL:SSL (see: https://github.com/confluentinc/kafka-images/issues/89)
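
The check proposed in the issue, sketched as an added example (not part of the thread and not the image's actual configure script): credentials are skipped only for a PEM trust store, and the PEM file is still verified so the gate fails closed. The function name and KAFKA_SSL_TRUSTSTORE_LOCATION (assumed to hold the trust store path) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helper, not code from confluentinc/kafka-images.
# Assumption: KAFKA_SSL_TRUSTSTORE_LOCATION holds the path of the trust store file.

check_truststore_env() {
  local type="${KAFKA_SSL_TRUSTSTORE_TYPE:-JKS}"   # JKS is Kafka's default store type
  local creds="${KAFKA_SSL_TRUSTSTORE_CREDENTIALS:-}"
  local path="${KAFKA_SSL_TRUSTSTORE_LOCATION:-}"

  if [ "$type" = "PEM" ]; then
    # A PEM trust store is only accepted with a null password, so setting
    # credentials here would be a misconfiguration rather than a requirement.
    if [ -n "$creds" ]; then
      echo "PEM trust store: KAFKA_SSL_TRUSTSTORE_CREDENTIALS must be unset" >&2
      return 1
    fi
    # Skipping the credentials check must not skip validation altogether:
    # refuse to start if the file is unreadable or holds no certificate.
    if [ ! -r "$path" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$path"; then
      echo "PEM trust store: no readable certificate at '$path'" >&2
      return 1
    fi
    return 0
  fi

  # Every other store type keeps the existing rule: credentials are mandatory.
  if [ -z "$creds" ]; then
    echo "KAFKA_SSL_TRUSTSTORE_CREDENTIALS is required for type $type" >&2
    return 1
  fi
  return 0
}
```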