rotor: Add support for custom CA certificate in Kafka SSL configuration #1175

Open: dmeremyanin wants to merge 1 commit into base: newjitsu

@dmeremyanin (Contributor) commented Jan 24, 2025

This change introduces support for the KAFKA_SSL_CA and KAFKA_SSL_CA_FILE environment variables to configure a custom CA certificate for verifying the Kafka server certificate. Before this change, server certificate verification was always skipped, and the KAFKA_SSL_SKIP_VERIFY environment variable was ignored.

Key changes:

  1. New behavior: If KAFKA_SSL_CA is set, it is used to verify the server certificate.
  2. New behavior: If KAFKA_SSL_CA_FILE is provided, the file path is read, and it is used to verify the server certificate.
  3. Fix: If KAFKA_SSL_SKIP_VERIFY is set, server certificate verification is skipped. If not set, the server certificate is verified with no extra configuration.

Related PR in the bulker repo: jitsucom/bulker#23.

@dmeremyanin force-pushed the rotor-kafka-ssl-ca branch 2 times, most recently from f3dab7b to e5b5407 (January 24, 2025 22:56)

@vklimontovich (Contributor)

Thanks for the contribution!

Is it possible to set the cert right in the env variable? Or provide two ways to set the cert, as file via KAFKA_SSL_CA_FILE and KAFKA_SSL_CA to embed it?

We're trying to keep Jitsu deployable on all platforms, and some platforms (Beanstalk, Google Containers, etc.) won't allow adding a local file to the container.

@dmeremyanin (Contributor, Author)

I like the idea of offering both options for flexibility and compatibility. So, I'll go ahead and update the PR:

  1. Rename the current KAFKA_SSL_CA env variable to KAFKA_SSL_CA_FILE.
  2. Add a new KAFKA_SSL_CA env variable that allows passing the CA certificate directly as a string in the variable.

Thanks for the quick review!

@dmeremyanin (Contributor, Author)

@vklimontovich I've made the changes and updated the PR description accordingly.
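
As an added example (not code from this PR or from the Jitsu code base), the sketch below resolves the three variables discussed in this thread into Node.js TLS options, verifying by default and skipping verification only on explicit opt-out. Assumptions: the function and type names, the injected `readFile` callback, inline-over-file precedence, the `true`/`1` parsing of KAFKA_SSL_SKIP_VERIFY, and the unescaping of literal `\n` in the inline value.

```typescript
// Added illustration: only the three KAFKA_SSL_* names come from the PR thread.
type KafkaEnv = Record<string, string | undefined>;
type ReadPemFile = (path: string) => string; // hypothetical injected file reader

interface KafkaTlsOptions {
  rejectUnauthorized: boolean; // Node.js TLS option; false disables verification
  ca?: string[];               // Node.js TLS option; trusted CA certificates (PEM)
}

const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Assumption: only "true" or "1" opt out of verification; anything else verifies.
function isTruthy(value: string | undefined): boolean {
  const v = (value || "").trim().toLowerCase();
  return v === "true" || v === "1";
}

function normalizePem(raw: string, source: string): string {
  // Assumption: platforms that flatten env values deliver "\n" as two characters.
  const pem = raw.replace(/\\n/g, "\n").trim();
  if (!PEM_CERT.test(pem)) {
    // Fail closed: a malformed CA must not degrade into unverified TLS.
    throw new Error(source + " does not contain a PEM certificate");
  }
  return pem;
}

function buildKafkaSslOptions(env: KafkaEnv, readFile: ReadPemFile): KafkaTlsOptions {
  if (isTruthy(env["KAFKA_SSL_SKIP_VERIFY"])) {
    return { rejectUnauthorized: false }; // explicit opt-out only
  }
  const inline = env["KAFKA_SSL_CA"];
  const file = env["KAFKA_SSL_CA_FILE"];
  // Assumption: the inline value wins when both variables are set.
  if (inline) {
    return { rejectUnauthorized: true, ca: [normalizePem(inline, "KAFKA_SSL_CA")] };
  }
  if (file) {
    return { rejectUnauthorized: true, ca: [normalizePem(readFile(file), "KAFKA_SSL_CA_FILE")] };
  }
  // No custom CA: verify against the runtime's default trust store.
  return { rejectUnauthorized: true };
}

// Constructed sample value (not a real certificate), used to exercise the function.
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----";
```

In a deployment the reader would be something like `(p) => fs.readFileSync(p, "utf8")` and the environment would be `process.env`.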