SSL env variable are ignored for controller in KRaft isolated mode

[vszyndler]

Hi !

I'm using confluentinc/cp-kafka image in KRaft isolated mode.
I use SASL_SSL authentication for broker-to-controller and client-to-broker authentication.

I tried to use the following env variable to configure SSL on the KRaft controller side, but they are ignored because there is no listener called SSL nor SASL_SSL in the controller advertised listeners.
KAFKA_SSL_KEYSTORE_FILENAME
KAFKA_SSL_KEYSTORE_CREDENTIALS
KAFKA_SSL_KEY_CREDENTIALS
KAFKA_SSL_TRUSTSTORE_FILENAME
KAFKA_SSL_TRUSTSTORE_CREDENTIALS

The issue comes from the following lines :

kafka-images/server/include/etc/confluent/docker/configure

Lines 87 to 90 in d503508

	# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
	if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
	then
	echo "SSL is enabled."

Instead, I have to use the following env variable, which is an issue since it prevents me to use docker secrets to store the passwords.
KAFKA_SSL_KEYSTORE_LOCATION
KAFKA_SSL_KEYSTORE_PASSWORD
KAFKA_SSL_KEY_PASSWORD
KAFKA_SSL_TRUSTSTORE_LOCATION
KAFKA_SSL_TRUSTSTORE_PASSWORD

On the broker side, I can use the KAFKA_SSL_KEYSTORE_FILENAME and KAFKA_SSL_KEYSTORE_CREDENTIALS but the truststore variable are also ignored because I have configured KAFKA_SSL_CLIENT_AUTH to none (since I use SASL_SSL authentication).

This time , the issue comes from the following line :

kafka-images/server/include/etc/confluent/docker/configure

Line 108 in d503508

if [[ -n "${KAFKA_SSL_CLIENT_AUTH-}" ]] && ( [[ $KAFKA_SSL_CLIENT_AUTH == *"required"* ]] || [[ $KAFKA_SSL_CLIENT_AUTH == *"requested"* ]] )

I've seen that other similar issues have already been reported : #58 or #89.

When can we expect a fix for these issues?

[whit0694]

Thanks for adding this issue. I just hit this same thing and came to the same conclusion/workaround.

When running a controller-only Kraft container this line will remove any kafka_advertised_listeners env var

https://github.com/confluentinc/kafka-images/blob/master/kafka/include/etc/confluent/docker/configure#L21

But the part of the configure script that sets the necessary SSL env vars requires kafka_advertised_listeners be present

https://github.com/confluentinc/kafka-images/blob/master/kafka/include/etc/confluent/docker/configure#L87

I think #352 could help, since it would give the script another way of configuring those necessary SSL env vars.

But, honestly, I keep getting tripped up by the magic logic that happens in this configure file. I'm wondering if there's a better approach?