SSL env variables are ignored for controller in KRaft isolated mode
vszyndler opened this issue · 1 comment
Hi!
I'm using confluentinc/cp-kafka image in KRaft isolated mode.
I use SASL_SSL authentication for broker-to-controller and client-to-broker authentication.
I tried to use the following env variables to configure SSL on the KRaft controller side, but they are ignored because there is no listener called SSL or SASL_SSL in the controller advertised listeners.
KAFKA_SSL_KEYSTORE_FILENAME
KAFKA_SSL_KEYSTORE_CREDENTIALS
KAFKA_SSL_KEY_CREDENTIALS
KAFKA_SSL_TRUSTSTORE_FILENAME
KAFKA_SSL_TRUSTSTORE_CREDENTIALS
The issue comes from the following lines:
kafka-images/server/include/etc/confluent/docker/configure
Lines 87 to 90 in d503508
Instead, I have to use the following env variables, which is an issue since it prevents me from using Docker secrets to store the passwords.
KAFKA_SSL_KEYSTORE_LOCATION
KAFKA_SSL_KEYSTORE_PASSWORD
KAFKA_SSL_KEY_PASSWORD
KAFKA_SSL_TRUSTSTORE_LOCATION
KAFKA_SSL_TRUSTSTORE_PASSWORD
On the broker side, I can use KAFKA_SSL_KEYSTORE_FILENAME and KAFKA_SSL_KEYSTORE_CREDENTIALS, but the truststore variables are also ignored because I have configured KAFKA_SSL_CLIENT_AUTH to none (since I use SASL_SSL authentication).
This time, the issue comes from the following line:
I've seen that other similar issues have already been reported : #58 or #89.
When can we expect a fix for these issues?
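A wrapper entrypoint that performs the mapping the image's configure script skips for a controller, added here as an example; it is not from the issue, from the cp-kafka image or from its configure script. It reads each KAFKA_SSL_*_CREDENTIALS file and exports the corresponding KAFKA_SSL_*_PASSWORD, and turns each KAFKA_SSL_*_FILENAME into a KAFKA_SSL_*_LOCATION, regardless of which listeners are advertised, so Docker secrets can still hold the passwords. It assumes the secret files are mounted under the directory in KAFKA_SECRETS_DIR (defaulting to /etc/kafka/secrets, a hypothetical default), one password per file, that the image honours the *_LOCATION / *_PASSWORD variables as the post above describes, and that the image's normal startup script is at KAFKA_RUN (default /etc/confluent/docker/run, also an assumption).

```shell
#!/bin/sh
# Added example, not code from the issue or from the cp-kafka image.
# Wrapper entrypoint for a KRaft controller-only container: it maps the
# file-based SSL variables onto the plain ones unconditionally, reading the
# passwords from files, so no password has to be written into the compose
# file's environment block.
# Assumptions (hypothetical defaults): secrets live under KAFKA_SECRETS_DIR,
# and the image's own startup script is KAFKA_RUN.

KAFKA_SECRETS_DIR="${KAFKA_SECRETS_DIR:-/etc/kafka/secrets}"
KAFKA_RUN="${KAFKA_RUN:-/etc/confluent/docker/run}"

# read_credential FILE: print the first line of FILE without its newline.
# Returns non-zero if the file is missing or empty, so a misconfigured secret
# stops the container instead of starting it with an empty password.
read_credential() {
    f="$1"
    line=""
    [ -r "$f" ] || { echo "credential file not readable: $f" >&2; return 1; }
    IFS= read -r line < "$f" || true   # read fails at EOF if no trailing newline
    [ -n "$line" ] || { echo "credential file is empty: $f" >&2; return 1; }
    printf '%s' "$line"
}

# map_one PREFIX (KEYSTORE or TRUSTSTORE): derive
#   KAFKA_SSL_<PREFIX>_LOCATION from KAFKA_SSL_<PREFIX>_FILENAME and
#   KAFKA_SSL_<PREFIX>_PASSWORD from KAFKA_SSL_<PREFIX>_CREDENTIALS.
# An explicitly set *_LOCATION or *_PASSWORD wins over the derived value.
map_one() {
    p="$1"
    eval "fn=\${KAFKA_SSL_${p}_FILENAME:-}"
    eval "cred=\${KAFKA_SSL_${p}_CREDENTIALS:-}"
    eval "loc=\${KAFKA_SSL_${p}_LOCATION:-}"
    eval "pw=\${KAFKA_SSL_${p}_PASSWORD:-}"
    if [ -n "$fn" ] && [ -z "$loc" ]; then
        loc="$KAFKA_SECRETS_DIR/$fn"
        [ -f "$loc" ] || { echo "store file not found: $loc" >&2; return 1; }
        eval "export KAFKA_SSL_${p}_LOCATION=\"\$loc\""
    fi
    if [ -n "$cred" ] && [ -z "$pw" ]; then
        pw=$(read_credential "$KAFKA_SECRETS_DIR/$cred") || return 1
        eval "export KAFKA_SSL_${p}_PASSWORD=\"\$pw\""
    fi
}

# map_ssl_env: keystore, truststore, and the key password (which has a
# credentials file but no location). The truststore is mapped even when
# KAFKA_SSL_CLIENT_AUTH=none, because a SASL_SSL controller still needs it
# to verify the brokers' certificates.
map_ssl_env() {
    map_one KEYSTORE || return 1
    map_one TRUSTSTORE || return 1
    if [ -n "${KAFKA_SSL_KEY_CREDENTIALS:-}" ] && [ -z "${KAFKA_SSL_KEY_PASSWORD:-}" ]; then
        KAFKA_SSL_KEY_PASSWORD=$(read_credential "$KAFKA_SECRETS_DIR/$KAFKA_SSL_KEY_CREDENTIALS") || return 1
        export KAFKA_SSL_KEY_PASSWORD
    fi
}

# `kraft-ssl-entrypoint.sh run` maps the variables and hands over to the
# image's normal startup; without the argument only the functions are defined,
# so the file can be sourced or tested.
case "${1:-}" in
    run) shift; map_ssl_env || exit 1; exec "$KAFKA_RUN" "$@" ;;
esac
```

In a compose file this is used by mounting the script and the secrets and setting the container's entrypoint to the script with the `run` argument; the password then reaches the controller only through the exported variable inside the container, not through the compose file. Note that the exported value is still visible in the container's process environment, which is the same exposure as the KAFKA_SSL_*_PASSWORD workaround described above, so this only moves the secret out of the compose file, it does not hide it from anyone who can read the container's environment.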
Thanks for adding this issue. I just hit this same thing and came to the same conclusion/workaround.
When running a controller-only KRaft container this line will remove any kafka_advertised_listeners env var
But the part of the configure script that sets the necessary SSL env vars requires kafka_advertised_listeners be present
I think #352 could help, since it would give the script another way of configuring those necessary SSL env vars.
But, honestly, I keep getting tripped up by the magic logic that happens in this configure file. I'm wondering if there's a better approach?