Merge pull request #706 from Kilowhisky/SSL_NO_AUTH

Add support for 'none' authentication for kafka while still allowing SSL
2023-11-20 11:25:54 -07:00 · 2023-11-20 11:25:54 -07:00 · 4c34a534d1
parent 06cf6ebd67 c113180d0b
commit 4c34a534d1
1 changed files with 18 additions and 0 deletions
--- a/internal/endpoint/kafka.go
+++ b/internal/endpoint/kafka.go
@ -140,6 +140,24 @@ func (conn *KafkaConn) Send(msg string) error {
 			}

 			cfg.Net.TLS.Config = &tlsConfig
+		case "none":
+			// This path allows to either provide a custom ca certificate
+			// or, because RootCAs is nil, is using the hosts ca set
+			// to verify the server certificate
+			if conn.ep.Kafka.SSL {
+				tlsConfig := tls.Config{}
+
+				if conn.ep.Kafka.CACertFile != "" {
+					caCertPool, err := loadRootTLSCert(conn.ep.Kafka.CACertFile)
+					if err != nil {
+						return err
+					}
+					tlsConfig.RootCAs = &caCertPool
+				}
+
+				cfg.Net.TLS.Enable = true
+				cfg.Net.TLS.Config = &tlsConfig
+			}
 		}

 		c, err := sarama.NewSyncProducer([]string{uri}, cfg)