We're using Heroku's hosted Kafka service which provides client cert, client private key, and the certificate authority that signed those certs as environment variables. With the release of 1.1.0 we can pass the client certificates as strings but the CA still has to be a file (which forces us to pass all certificates as files).
There was a discussion on the PR about this with no one having a good reason to add it. We would like to see it added as it lets us avoid writing the certificates to files.
IMPORTANT: We will close issues where the checklist has not been completed.
Please provide the following information:
1.1.02.1.0ssl_ca=ENV["KAFKA_TRUSTED_CERT"] sslGentoo Linuxdebug=.. as necessary) from librdkafkaYou can set an in-memory CA cert with:
rd_kafka_conf_set_ssl_cert(conf, RD_KAFKA_CERT_CA, RD_KAFKA_CERT_ENC_PEM, your_ca_pem, strlen(your_ca_pem), errstr, sizeof(errstr))
I'm using (or at least experimenting) with the ruby bindings so I don't have access to rd_kafka_conf_set_ssl_cert directly.
If you think it's better handled in the bindings rather than librdkafka we can close this issue and I'll look at adding it there.
Adding a PEM configuration option (ssl.ca.pem) would be beneficial for us as well. We鈥檙e using dynamically provisioned certificates and need to pass the issuing CA to verify the entire chain.
If coming from C++,
auto conf_result = rd_kafka_conf_set_ssl_cert(conf->c_ptr_global(), RD_KAFKA_CERT_CA, RD_KAFKA_CERT_ENC_PEM, ssl_ca_str.c_str(), ssl_ca_str.size(), errstr, sizeof(errstr))
@edenhill can CA PEM be provided in ssl_ca property?
@mxk1235 Yes. We should document it properly, but here's the underlying code:
https://github.com/edenhill/librdkafka/blob/df6bcbf11e1bd9ed53423514de30d59dbe5fac07/src/rdkafka_cert.c#L160
@edenhill , since the confluent_kafka python client is a binding on librdkafka, can you confirm that the "ssl.ca.location" can be set to string data instead of a file? It seems to result in a KafkaError invalid arg, where it is trying to open it as a file.
Edit: After dumping the properties from kafkacat I realised that "ssl_ca" was still an undocumented property, and I learned about "ssl.certificate.pem" and "ssl.key.pem". Unfortunately it looks like at least through the python bindings or kafkacat, "ssl_ca" errors out with "Internal property 'ssl_ca' not settable"
@justinfx Indeed, I've the same issue on my ruby binding through WaterDrop.
Rdkafka::Config::ConfigError: Internal property "ssl_ca" not settable
So the only way we can specify this setting is through a file? Bummer.
@edenhill any plan to add a PEM configuration option (ssl.ca.pem) as @dstelljes suggested?
Adding separate config for CA PEM would be very useful for us as well
Most helpful comment
Adding a PEM configuration option (
ssl.ca.pem) would be beneficial for us as well. We鈥檙e using dynamically provisioned certificates and need to pass the issuing CA to verify the entire chain.