Neil Buesing created KAFKA-20325:
------------------------------------

             Summary: apache/kafka image - cannot set SSL as protocol for CONTROLLER on dedicated controller
                 Key: KAFKA-20325
                 URL: https://issues.apache.org/jira/browse/KAFKA-20325
             Project: Kafka
          Issue Type: Improvement
          Components: docker
    Affects Versions: 4.2.0, 4.1.0, 4.0.0
            Reporter: Neil Buesing


The logic to enable SSL for the container is via

```bash
# Set if ADVERTISED_LISTENERS has SSL:// or SASL_SSL:// endpoints.
if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
then
  echo "SSL is enabled."
fi
```

However, earlier in the script, startup of a controller is stopped if KAFKA_PROCESS_ROLES=controller:

```bash
if [[ -n "${KAFKA_PROCESS_ROLES-}" ]]
then
  echo "Running in KRaft mode..."
  ensure CLUSTER_ID
  if [[ $KAFKA_PROCESS_ROLES == "controller" ]]
  then
    if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]]
    then
      echo "KAFKA_ADVERTISED_LISTENERS is not supported on a KRaft controller."
      exit 1
    else
      # Unset in case env variable is set with empty value
      unset KAFKA_ADVERTISED_LISTENERS
    fi
  fi
fi
```
Unless I'm missing something, the only way to set SSL for the controller is to fall back to standard property configuration, which exposes the passwords within the configuration of the image deployment.

The logic for enabling SSL (and potentially SASL) needs to be checked so that it does not rely on advertised listeners when it comes to dedicated controllers.

–

Probably for a secondary ticket, but I would like SASL and SSL to be determined by whether SSL is on the right-hand side of the listeners. SSL isn't enabled in a scenario like `EXTERNAL:SSL`; the LHS must be `EXTERNAL_SSL:SSL` (this leads to longer and more error-prone configurations, due to `KAFKA_LISTENER_NAME_EXTERNAL__SSL_SSL`), but the logic really doesn't need to have SSL (or SASL) in the LHS of the advertised listeners, it just needs to check for it on the RHS.

```bash
if [[ -n "${KAFKA_ADVERTISED_LISTENERS-}" ]] && [[ $KAFKA_ADVERTISED_LISTENERS == *"SSL://"* ]]
```
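As an added illustration (not code from the apache/kafka image or this ticket), the following shell functions decide SSL/SASL without reading KAFKA_ADVERTISED_LISTENERS on a dedicated controller and take the protocol from the RHS of the listener map; it assumes KAFKA_LISTENERS and KAFKA_LISTENER_SECURITY_PROTOCOL_MAP are set the way the image maps other KAFKA_* properties, and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not the image's own configure script): decide SSL/SASL from
# the listeners.  A dedicated controller may not set KAFKA_ADVERTISED_LISTENERS,
# so KAFKA_LISTENERS is used for it, and the protocol is read from the RHS of
# KAFKA_LISTENER_SECURITY_PROTOCOL_MAP (e.g. EXTERNAL:SSL), falling back to the
# listener name when unmapped (e.g. SSL://host:9093).  Function names are mine.

# Print the security protocol of every configured listener, space separated.
listener_protocols() {
  map="${KAFKA_LISTENER_SECURITY_PROTOCOL_MAP-}"
  if [ "${KAFKA_PROCESS_ROLES-}" = "controller" ]; then
    listeners="${KAFKA_LISTENERS-}"
  else
    listeners="${KAFKA_ADVERTISED_LISTENERS-}"
  fi
  protos=""
  old_ifs="$IFS"
  IFS=','
  for entry in $listeners; do
    name="${entry%%://*}"      # CONTROLLER://0.0.0.0:9093 -> CONTROLLER
    proto="$name"              # default: listener name is the protocol
    for pair in $map; do       # NAME:PROTOCOL entries of the map
      if [ "${pair%%:*}" = "$name" ]; then
        proto="${pair#*:}"
      fi
    done
    protos="${protos:+$protos }$proto"
  done
  IFS="$old_ifs"
  echo "$protos"
}

# 0 when any listener uses SSL or SASL_SSL, i.e. keystore/truststore settings
# should come from the image's env vars instead of a pasted server.properties.
ssl_enabled() {
  for p in $(listener_protocols); do
    case "$p" in SSL|SASL_SSL) return 0 ;; esac
  done
  return 1
}

# 0 when any listener uses SASL_PLAINTEXT or SASL_SSL.
sasl_enabled() {
  for p in $(listener_protocols); do
    case "$p" in SASL_PLAINTEXT|SASL_SSL) return 0 ;; esac
  done
  return 1
}
```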



--
This message was sent by Atlassian Jira
(v8.20.10#820010)