While investigating the Spring Boot Kafka support (for the upcoming release of Spring Boot 3 Recipes) I noticed that the Kafka autoconfiguration also has the possibility to set various SSL settings. I would expect that this would also use the new SSL Bundle support in Spring Boot; this is, however, not the case.
It would be great if we could use SSL Bundles for Kafka as well.
Comment From: wilkinsona
It's intentional that Spring Boot Kafka integration does not support SSL bundles as we believed that it was not possible to configure Kafka with an SSLContext or similar and, instead, everything had to be stringly-typed and property-based. However, this issue prompted me to take another look and it looks like it may be possible after all.
Kafka provides a plug point for its SSL configuration with its SslEngineFactory interface. This has to be provided to Kafka as a Class or as a String class name, preventing us from providing a factory instance that's pre-configured with the necessary state. However, it appears to be possible to pass this state through the Map<String, ?> of config with which the SslEngineFactory implementation is called.
I've prototyped something that seems to show that this approach may be worth some further investigation. The SslEngineFactory is called in such a way that it can access an SslBundle from which it can then create an SSLEngine. I'll discuss it with the rest of the team to see if this approach is worth pursuing.
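An added sketch of the approach described in the comment above (not part of the original thread and not Spring Boot's own code): an SslEngineFactory that picks an SslBundle instance out of the config map Kafka hands to configure. The class name BundleBackedSslEngineFactory and the config key "example.ssl.bundle" are hypothetical; it assumes the application puts the bundle into the client config map under that key and sets Kafka's ssl.engine.factory.class to this class.

```java
import java.security.KeyStore;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.springframework.boot.ssl.SslBundle;

// Hypothetical class; Kafka instantiates it reflectively via "ssl.engine.factory.class".
public class BundleBackedSslEngineFactory implements SslEngineFactory {
    // Hypothetical key under which the application stores the SslBundle object (not a String).
    public static final String BUNDLE_KEY = "example.ssl.bundle";
    private SslBundle bundle;
    private SSLContext context;

    @Override
    public void configure(Map<String, ?> configs) {
        if (!(configs.get(BUNDLE_KEY) instanceof SslBundle sslBundle)) {
            throw new IllegalStateException("No SslBundle under config key " + BUNDLE_KEY);
        }
        this.bundle = sslBundle;
        this.context = sslBundle.createSslContext();
    }

    @Override
    public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) {
        SSLEngine engine = this.context.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        // Carry Kafka's endpoint identification setting over, otherwise the broker hostname is never verified.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm(endpointIdentification);
        engine.setSSLParameters(params);
        return engine;
    }

    @Override
    public SSLEngine createServerSslEngine(String peerHost, int peerPort) {
        SSLEngine engine = this.context.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(false);
        return engine;
    }

    // Rebuild only when a different bundle instance is supplied on reconfiguration.
    @Override public boolean shouldBeRebuilt(Map<String, Object> nextConfigs) { return nextConfigs.get(BUNDLE_KEY) != this.bundle; }
    @Override public Set<String> reconfigurableConfigs() { return Set.of(); }
    @Override public KeyStore keystore() { return this.bundle.getStores().getKeyStore(); }
    @Override public KeyStore truststore() { return this.bundle.getStores().getTrustStore(); }
    @Override public void close() { }
}
```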
Comment From: philwebb
We like the prototype and think we can add support using it.
Comment From: ozozgun
Hi, I have arrived here from a Google search and it seems to be the only official information on the subject. Is there any documentation for this?
Comment From: philwebb
@ozozgun You can read about SSL bundles at https://docs.spring.io/spring-boot/reference/features/ssl.html. Once you've got the concept you can use one of the spring.kafka.*.ssl.bundle properties to apply it (for example spring.kafka.producer.ssl.bundle).
If you have any issues, please ask questions on stackoverflow.com as we prefer to keep this issue tracker for bugs and enhancements.