Kafka: Support specifying client certificates #636

Merged
merged 3 commits into from
Feb 25, 2025

Contributor

@marclop marclop commented Feb 25, 2025

Adds support for Kafka to use client certificates based on two new env variables `KAFKA_TLS_CERT_PATH` and `KAFKA_TLS_KEY_PATH`. The current implementation supports hot reloading by checking if the file write time is greater than the last time it was read.

Most of the changes are in the form of unit tests.

Signed-off-by: Marc Lopez Rubio <[email protected]>
@marclop marclop added the enhancement New feature or request label Feb 25, 2025
Signed-off-by: Marc Lopez Rubio <[email protected]>
@marclop marclop marked this pull request as ready for review February 25, 2025 09:27
@marclop marclop requested a review from a team as a code owner February 25, 2025 09:27
Signed-off-by: Marc Lopez Rubio <[email protected]>
dialFn, err := newCertReloadingDialer(caCertPath, cfg.TLS)
// Set a dialer that reloads the CA cert when the file changes.
dialFn, err := newCertReloadingDialer(
caCertPath, certPath, keyPath, 30*time.Second, cfg.TLS,
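Review bot: the comment above the new call still says the dialer reloads "the CA cert", but the call now also passes certPath and keyPath, so the comment should say the client certificate and key are reloaded as well. The bare 30*time.Second argument is unexplained at the call site; a named constant, or a comment stating what the duration controls, would make it reviewable. It is also worth documenting what the dialer does when only one of certPath and keyPath is set.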
Contributor

Question: what happens between the time the certificate changes and the time it is reloaded?
Do we risk losing data because the connection is rejected?

Contributor Author

The old certificate should still be valid and loaded in memory, so no risk of data loss as far as I understand.

@marclop marclop merged commit 07cf390 into main Feb 25, 2025
6 checks passed
@marclop marclop deleted the f/add-support-for-client-certificates branch February 25, 2025 10:18