Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check KAFKA_LISTENER_SECURITY_PROTOCOL_MAP for SSL #352

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Check KAFKA_LISTENER_SECURITY_PROTOCOL_MAP for SSL #352

wants to merge 1 commit into from

Conversation

whit0694
Copy link

@whit0694 whit0694 commented Sep 6, 2024

The current approach adds SSL configuration if the advertised listeners includes the string SSL://.

But in a configuration such as

KAFKA_ADVERTISED_LISTENERS: CLIENTS://mykafka.host:9093
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CLIENTS:SSL

The ssl configuration is not added, even though the protocol CLIENTS does map to SSL

Tweaking this configuration script so that it looks in both KAFKA_ADVERTISED_LISTENERS and KAFKA_LISTENER_SECURITY_PROTOCOL_MAP for usage of SSL.

@whit0694
Check KAFKA_LISTENER_SECURITY_PROTOCOL_MAP for SSL
738989d 
The current approach adds SSL configuration if the advertised listeners
includes the string `SSL://`.

But in a configuration such as

```
KAFKA_ADVERTISED_LISTENERS: CLIENTS://mykafka.host:9093
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CLIENTS:SSL
```

The ssl configuration is not added, even though the protocol `CLIENTS`
does map to `SSL`

Tweaking this configuration script so that it looks in both
`KAFKA_ADVERTISED_LISTENERS` and `KAFKA_LISTENER_SECURITY_PROTOCOL_MAP`
for usage of SSL.
@whit0694 whit0694 requested a review from a team as a code owner September 6, 2024 20:08
@cla-assistant CLA Assistant
Copy link

cla-assistant bot commented Sep 6, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@whit0694 whit0694 mentioned this pull request Sep 19, 2024
Open
soondenana
soondenana approved these changes Oct 17, 2024
View reviewed changes
Copy link
Member

@soondenana soondenana left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks for the fix.

trnguyencflt
trnguyencflt reviewed Oct 18, 2024
View reviewed changes
kafka/include/etc/confluent/docker/configure
@@ -84,7 +84,9 @@ then
fi

# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
# Or if the LISTENER_SECURITY_PROTOCOL_MAP includes SSL
if ([[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]) ||
Copy link
Member

@trnguyencflt trnguyencflt Oct 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this work with lower case, for example Sasl_ssl

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. Is that something that people would do? I don't think the current code covers that case either.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trnguyencflt trnguyencflt trnguyencflt left review comments

@soondenana soondenana soondenana approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@whit0694 @soondenana @trnguyencflt