changefeedccl: support client certificates for kafka sink #39817

@mberhault

We currently support TLS connections with a CA certificate to verify broker identities.

However, we do not support client certificates for mutual auth. This is an alternative to SASL authentication.
Adding the client cert/key to the tls.Config.Certificate field should be sufficient. See example of this used by cockroach clients.

In single listener configurations (something that is not easily changed with some orchestrations), it is not possible to mix TLS client auth and SASL. This means that an existing kafka broker with TLS auth for other clients cannot be used by CHANGEFEED until we support client certificates.

CC: @rolandcrosby

Labels

- A-cdc: Change Data Capture
- C-enhancement: Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
- E-easy: Easy issue to tackle, requires little or no CockroachDB experience
