Support configuring custom CA to validate TLS connection with Kafka #623

inge4pres · 2025-01-24T16:53:19Z

Describe current state

AFAICT there is not a way to set the RootCAs field for the TLS field of CommonConfig

Line 127 in 1822363

TLS *tls.Config

When the CA used to sign the TLS certificate of the Kafka connection is not part of the system pool, it should be possible to add other CAs as part of it.

Describe the desired state

The handling of TLS configurations seems to be happening in

apm-queue/kafka/common.go

Lines 212 to 218 in 1822363

    
           case cfg.TLS == nil && cfg.Dialer == nil && os.Getenv("KAFKA_PLAINTEXT") != "true": 
        
           	// Auto-configure TLS from environment variables. 
        
           	cfg.TLS = &tls.Config{} 
        
           	if os.Getenv("KAFKA_TLS_INSECURE") == "true" { 
        
           		cfg.TLS.InsecureSkipVerify = true 
        
           	} 
        
           }

We should allow configuring (parts of) the TLS field, most notably the CA, since it will be used to validate TLS certificate authenticity when KAFKA_TLS_INSECURE is set to false.

The text was updated successfully, but these errors were encountered:

marclop · 2025-01-28T01:58:19Z

Not that we need to use this library, but https://github.com/twmb/tlscfg/blob/main/tlscfg.go has some samples on how to add certificate key pairs to the tls.Config

inge4pres added the enhancement New feature or request label Jan 24, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support configuring custom CA to validate TLS connection with Kafka #623

Support configuring custom CA to validate TLS connection with Kafka #623

inge4pres commented Jan 24, 2025

marclop commented Jan 28, 2025

Support configuring custom CA to validate TLS connection with Kafka #623

Support configuring custom CA to validate TLS connection with Kafka #623

Comments

inge4pres commented Jan 24, 2025

marclop commented Jan 28, 2025