Set security protocol to SASL_SSL without having to provide TLS certs
avinashupadhya99 opened this issue · comments
Avinash Upadhyaya K R commented
I am using Strimzi HTTP Bridge to send messages to Confluent Cloud brokers. The security protocol for Confluent Cloud clients is `SASL_SSL`, but Bridge sets the `security.protocol` to `SASL_PLAINTEXT`.
Here is my CR definition for bridge -
```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
metadata:
  name: org1-bridge
  namespace: kafka
spec:
  bootstrapServers: pkc-*****.**-*****.***.confluent.cloud:9092
  authentication:
    type: plain
    username: ************
    passwordSecret:
      secretName: confluent-kafka-password
      password: cc-password
  producer:
    config:
      acks: all
  consumer:
    config:
      auto.offset.reset: earliest
      enable.auto.commit: true
  http:
    port: 8080
```
I have the following errors in my logs -
```
2023-03-19 12:27:54 INFO AdminMetadataManager:235 - [AdminClient clientId=adminclient-1] Metadata update failed org.apache.kafka.common.errors.TimeoutException: Timed out waiting to send the call. Call: fetchMetadata
2023-03-19 12:27:54 INFO NetworkClient:935 - [AdminClient clientId=adminclient-1] Node -1 disconnected.
2023-03-19 12:27:54 WARN NetworkClient:768 - [AdminClient clientId=adminclient-1] Connection to node -1 (pkc-*****.**-*****.***.confluent.cloud/**.***.***.***:9092) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.
```
I see that in the Kafka Bridge Config Generator Script, the security protocol is set to `SASL_SSL` only if the TLS config is provided.
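A check for the mismatch described in this issue, as an added example that is not part of the original post or of Strimzi's code: it reads Kafka client properties and reports when SASL credentials would travel without TLS. The sample properties are constructed, and the `prefix` parameter is a hypothetical convenience for files that namespace their Kafka keys.

```python
# Added example: audit Kafka client properties for SASL used without TLS.
# SAMPLE_PROPERTIES is constructed for illustration, not taken from a real bridge pod.
SAMPLE_PROPERTIES = """\
# constructed sample
bootstrap.servers=broker.example.invalid:9092
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
"""

KNOWN_PROTOCOLS = ("PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL")


def parse_properties(text):
    """Parse simple key=value lines, skipping blank lines and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on the first '=' only: values such as sasl.jaas.config contain '='.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_security_protocol(text, prefix=""):
    """Return findings for the effective security.protocol and SASL mechanism."""
    props = parse_properties(text)
    # Kafka client defaults: security.protocol=PLAINTEXT, sasl.mechanism=GSSAPI.
    protocol = props.get(prefix + "security.protocol", "PLAINTEXT").upper()
    mechanism = props.get(prefix + "sasl.mechanism", "GSSAPI").upper()
    findings = []
    if protocol not in KNOWN_PROTOCOLS:
        findings.append(f"unknown security.protocol value: {protocol}")
    if protocol in ("PLAINTEXT", "SASL_PLAINTEXT"):
        findings.append(f"{protocol}: connection is not encrypted with TLS")
    if protocol == "SASL_PLAINTEXT" and mechanism == "PLAIN":
        findings.append("SASL PLAIN over SASL_PLAINTEXT sends the password in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_security_protocol(SAMPLE_PROPERTIES):
        print("FINDING:", finding)
```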