mTLS

You can use mutual TLS (mTLS) authentication as a fallback for SASL. A Bufstream broker derives the authentication principal from the client certificate if SASL authentication isn't used.To enable mTLS authentication, populate the config below and add it to kafka.authentication in your helm values.

yaml

mtls:
  # Supports [ANONYMOUS, SUBJECT_COMMON_NAME, SAN_DNS, SAN_URI].
  principalSource: ""

If principalSource is ANONYMOUS, the user is considered authenticated as long as the TLS handshake succeeds. If principalSource is one of SUBJECT_COMMON_NAME, SAN_DNS or SAN_URI, the user is authenticated if the client has sent a certificate with the specified principal source.

Breaking changes

Users, orgs, repositories

Private instance

SSO

SCIM

On-prem instance

Subscriptions

AWS

Google Cloud

Azure

Bufstream CLI commands

Admin

Client

Bufstream configuration files

Buf CLI commands

Beta

Registry

Config

Dep

Plugin

Registry

Module

Organization

Plugin

Sdk

v2

v1

v1beta

Standard rules

mTLS ​

mTLS