feat(kafka-logger): add TLS support for Kafka brokers#13607
Conversation
|
Hi, thank you for your contribution. I looked through the historical APISIX issues related to this topic and agree that this is a reasonable fix. A previous issue, #9353, was closed by the bot as stale. Also, services such as AWS MSK require TLS, which means So I think this is a valid request. |
|
@ecsimsw some CI fails - do you have time to fix it before further reviewing? |
|
@juzhiyuan I've checked the CI failures. The last test environment already has Kafka SSL configured.
Which approach would you prefer? ** |
|
Hi @juzhiyuan, just a friendly follow-up — CI is green now. |
|
Hi @ecsimsw, thanks for your following up! I will request reviews from team next monday. |
|
The current tests only cover |
Follow the check_tls_bool convention used by http-logger and clickhouse-logger so users are warned when tls.verify is set to false.
…abled Call check_tls_bool inside the metadata branch, since the kafka config only exists in metadata_schema and check_schema returns early for TYPE_METADATA before reaching the non-metadata checks.
Drop the dedicated kafka-logger-tls.t file and its leftover batch-processor monkey-patch preprocessor, which was dead code since the integration tests were removed. The three schema-validation tests now live in kafka-logger2.t, consistent with the error-log-logger side of this PR.
Enable a TLS listener on 9093 for kafka-server1 so the TLS integration tests can connect. Generate a self-signed keystore via keytool and mount it as the broker keystore/truststore, mirroring the last test env.
- kafka-logger: produce over TLS (verify=false) and reject self-signed cert (verify=true) - error-log-logger: produce over TLS via plugin metadata - security-warning: assert check_tls_bool warns when tls.verify / kafka.tls.verify is disabled
|
@AlinsRan Following the
I also considered reusing the fixture (
|
check_tls_bool ran before core.schema.check filled schema defaults, so
a metadata config with "tls": {} (verify omitted, defaults to false)
left kafka.tls.verify as nil and the security warning was skipped. Move
the call after the schema check, matching kafka-logger, and add
security-warning tests for the verify-omitted case.
Description
Changes
Which issue(s) this PR fixes:
Verification
luacheck: passed locally (0 warnings / 0 errors)check-test-code-style.sh: passed locallylj-releng: requires LuaJIT 2.1 (not available locally), to be verified by CIChecklist