
fix: apply sslTrustStoreLocation to Kafka Connect / Schema Registry REST clients regardless of authMethod#761

Merged: fhussonnois merged 1 commit into streamthoughts:main from Yoni-Weisberg:fix/connect-and-schema-registry-ssl-truststore-not-applied on Apr 16, 2026

Conversation

@Yoni-Weisberg (Contributor)

Summary

The Kafka Connect and Schema Registry REST client factories only wired the configured SSLConfig (truststore, keystore, hostname verification) into the underlying HTTP client when authMethod = SSL (mTLS). For authMethod = basicAuth or none, the sslTrustStoreLocation property was loaded into the config object (visible in jikkou config view) but never applied to the SSL context. Any HTTPS call to a server backed by a private/internal CA failed with:

    javax.net.ssl.SSLHandshakeException: PKIX path building failed:
      unable to find valid certification path to requested target

The only workaround today is to set JAVA_TOOL_OPTIONS=-Djavax.net.ssl.trustStore=... at the JVM level, which bypasses Jikkou's own config.

Changes

  • KafkaConnectApiFactory.create() and SchemaRegistryApiFactory.createForUrl() now call builder.sslConfig(config.sslConfig().get()) before the AuthMethod switch, so the truststore (and keystore, and hostname-verification override) is honored for every auth method, not just SSL.
  • RestClientBuilder.sslConfig() is now null-safe — it no longer NPEs on a sparsely populated SSLConfig:
    • Skips key-manager construction when keyStoreLocation is null (key managers stay null, which SSLContext.init already accepts).
    • Treats a null trustStorePassword / keyStorePassword as null char[] instead of NPEing on .toCharArray(). SSLUtils.createTrustManagers() already handles a null trustStoreLocation by falling back to the JVM's default cacerts.
    • Becomes a no-op when nothing is configured (no truststore, no keystore, no ignoreHostnameVerification).
  • Tests:
    • RestClientBuilderTest — three new cases exercising the empty / hostname-only / truststore-only paths against a plain HTTP MockWebServer, all of which previously NPEd.
    • SchemaRegistryApiFactoryTest — new integration test that starts an HTTPS MockWebServer with a self-signed cert (via okhttp-tls's HeldCertificate + HandshakeCertificates), writes the cert into a JKS truststore in @TempDir, and verifies that listSubjects() succeeds with AuthMethod.BASICAUTH + that truststore. Without this PR's fix, the same test fails with the exact PKIX error from the issue.

The Schema Registry test covers the fix structurally — the Kafka Connect factory takes the identical change. No HTTPS test was added in jikkou-provider-kafka-connect to keep this PR independent of the open #760 (which is what introduces mockwebserver to that pom).

Test plan

  • mvn test -pl extension-rest-client — 16 tests pass (3 new SSL cases + 13 existing)
  • mvn test -pl providers/jikkou-provider-schema-registry — 59 tests pass (1 new HTTPS case + 58 existing)
  • mvn test -pl providers/jikkou-provider-kafka-connect — 37 tests pass (no regressions)
  • Reverting just the SchemaRegistryApiFactory change makes shouldApplyTrustStoreForBasicAuthOverHttps fail with the issue's exact error message — confirms the test catches the bug.

Fixes #757.

🤖 Generated with Claude Code

The Kafka Connect and Schema Registry REST clients only wired the SSL
config (truststore, keystore, hostname verification) into the underlying
HTTP client when authMethod was SSL (mTLS). For basicAuth and none, the
sslTrustStoreLocation property was loaded but never applied, so HTTPS
calls to a server using a private CA always failed with PKIX path
building failed.

Also makes RestClientBuilder.sslConfig() null-safe so it can be called
with a sparsely populated SSLConfig (e.g. truststore only, no keystore;
or no password) without throwing NullPointerException on toCharArray()
or trying to open a null keystore path.

Adds:
- Unit tests in RestClientBuilderTest covering the empty / hostname-only
  / truststore-only paths.
- An HTTPS integration test in SchemaRegistryApiFactoryTest that serves
  a self-signed cert and verifies the configured truststore is honored
  for basicAuth. Without the fix it fails with PKIX path building failed.

Fixes streamthoughts#757.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
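An added illustration, not Jikkou's own code, of the null-safe SSL wiring the description above spells out (skip key managers without a keystore, null password as null char[], JVM default truststore when no location is set, no-op when nothing is configured). SslSettings is a hypothetical stand-in for the project's SSLConfig.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical stand-in for SSLConfig: every field may be null (sparsely populated). */
record SslSettings(String trustStoreLocation, String trustStorePassword,
                   String keyStoreLocation, String keyStorePassword,
                   boolean ignoreHostnameVerification) {
    boolean isEmpty() {
        return trustStoreLocation == null && keyStoreLocation == null && !ignoreHostnameVerification;
    }
}

final class NullSafeSslContextFactory {
    /** Returns null when nothing is configured, so the caller keeps the default client (no-op). */
    static SSLContext build(SslSettings s) throws Exception {
        if (s == null || s.isEmpty()) return null;

        // Null password becomes a null char[] instead of an NPE on toCharArray().
        char[] trustPwd = s.trustStorePassword() == null ? null : s.trustStorePassword().toCharArray();
        char[] keyPwd = s.keyStorePassword() == null ? null : s.keyStorePassword().toCharArray();

        // A null truststore location falls back to the JVM default cacerts: tmf.init(null).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(s.trustStoreLocation(), trustPwd));
        TrustManager[] trustManagers = tmf.getTrustManagers();

        // Key managers stay null without a keystore; SSLContext.init accepts null (server auth only).
        KeyManager[] keyManagers = null;
        if (s.keyStoreLocation() != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(s.keyStoreLocation(), keyPwd), keyPwd);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, trustManagers, null);
        return ctx;
    }

    /** Returns null for a null path so the TrustManagerFactory uses the JVM default truststore. */
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        if (path == null) return null;
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // JKS and PKCS12 both load through the default type on modern JDKs
        }
        return ks;
    }
}
```

The ignoreHostnameVerification flag is deliberately not folded into the SSLContext here: hostname verification is an HTTP-client-level setting and should be applied by the caller separately, as the description notes the builder does.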
@fhussonnois (Member) left a comment


LGTM! Thank you for this new contribution :)

@fhussonnois fhussonnois merged commit e216f02 into streamthoughts:main Apr 16, 2026
1 of 2 checks passed
Development

Successfully merging this pull request may close these issues.

sslTrustStoreLocation not applied to Kafka Connect REST client SSL context