Set security protocol to SASL_SSL without having to provide TLS certs

[avinashupadhya99]

I am using Strimzi HTTP Bridge to send messages to Confluent Cloud brokers. The security protocol for Confluent Cloud clients is SASL_SSL but Bridge sets the security.protocol to SASL_PLAINTEXT

Here is my CR definition for bridge -

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaBridge
metadata:
  name: org1-bridge
  namespace: kafka
spec:
  bootstrapServers: pkc-*****.**-*****.***.confluent.cloud:9092
  authentication:
    type: plain
    username: ************
    passwordSecret:
      secretName: confluent-kafka-password
      password: cc-password
  producer:
    config:
      acks: all
  consumer:
    config:
      auto.offset.reset: earliest
      enable.auto.commit: true
  http:
    port: 8080

I have the following errors in my logs -

2023-03-19 12:27:54 INFO  AdminMetadataManager:235 - [AdminClient clientId=adminclient-1] Metadata update failed org.apache.kafka.common.errors.TimeoutException: Timed out waiting to send the call. Call: fetchMetadata                                                                                                        
2023-03-19 12:27:54 INFO  NetworkClient:935 - [AdminClient clientId=adminclient-1] Node -1 disconnected.                                                                                                        
2023-03-19 12:27:54 WARN  NetworkClient:768 - [AdminClient clientId=adminclient-1] Connection to node -1 (pkc-*****.**-*****.***.confluent.cloud/**.***.***.***:9092) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic),  (3) Transient network issue.

I see that in the Kafka Bridge Config Generator Script, the security protocol is set to SASL_SSL only if the TLS config is provided

[scholzj]

You have to use the .spec.tls section to enable TLS in the Kafka connection. Please check the docs for more details - for example the API reference.

[avinashupadhya99]

Thank you, my bad. I did not notice that trustedCertificates could be empty.

[ppatierno]

Yeah as Jakub said, you can find more info here for example https://strimzi.io/docs/operators/latest/configuring.html#con-common-configuration-trusted-certificates-reference