git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commit
feat(rgw/kafka): add mTLS client certificate authentication for Kafka notifications 68771/head
author Jan Radon <jan.fabian.radon@sap.com>
Fri, 15 May 2026 13:42:08 +0000 (15:42 +0200)
committer Jan Radon <jan.fabian.radon@sap.com>
Sat, 23 May 2026 07:05:37 +0000 (09:05 +0200)
commit 591d8ac37480f75aafe8895d6ee6a588886172ad
tree 5cf4b6ad6497859bf4aa62a2521a7f3f9f18f71b
parent 3e1eef4a33cc974690e2d4966735c49c886aaec9
feat(rgw/kafka): add mTLS client certificate authentication for Kafka notifications

Add support for mutual TLS (mTLS) client certificate authentication
when publishing bucket notifications to Kafka brokers. RGW can now
present a client certificate and private key to authenticate with
brokers that require ssl.client.auth=required.

Changes:
- Add ssl-certificate-location, ssl-key-location, and ssl-key-password
  topic attributes for configuring client certificates
- Validate that ssl_certificate and ssl_key are provided together
- Include ssl_key_password in connection identity (hash/equality)
- Add kafka-security.sh script for generating broker and client TLS certs
- Add mTLS test (test_notification_kafka_security_ssl_mtls) using
  use_mtls=True flag on the existing SSL security path
- Update RGW notifications documentation with mTLS parameters

Fixes: http://tracker.ceph.com/issues/67427
Signed-off-by: Jan Radon <jan.fabian.radon@sap.com>
doc/radosgw/notifications.rst
qa/tasks/kafka.py
src/rgw/driver/rados/rgw_pubsub_push.cc
src/rgw/rgw_kafka.cc
src/rgw/rgw_kafka.h
src/rgw/rgw_rest_pubsub.cc
src/test/rgw/bucket_notification/README.rst
src/test/rgw/bucket_notification/kafka-security.sh
src/test/rgw/bucket_notification/test_bn.py