Inquiry about XK6 Support for SASL/SSL Authentication and SSL Integration with Kafka in K6

Grafana k6 Extensions
1

Hello K6 community,

What steps are involved in setting up SSL integration between XK6 and Kafka? Are there any prerequisites or specific certificate/key configurations that should be taken into account?

3

Hey @meghanathote,

Configuring and using SASL with SSL is one of those hard tasks. I tried many different installations using Docker/docker-compose, such as this one, but I couldn’t make it work. If I could, I wouldn’t have ignored the test in the CI. Thus, I relied on cloud-based installations like Confluent, AWS MSK or the like to configure, test and provide SASL auth to the users. I actually tested the SASL/SSL integration manually using a demo account on Confluent Cloud, however it can’t be integrated in the CI, due to costs and other considerations.

Nevertheless, there are two examples in the xk6-kafka repository that shows how to configure SASL and TLS, given you already have a working Kafka instance with SASL and TLS enabled:

  1. test_sasl_auth.js: the complete example of SSL/SASL containing all the details.
  2. test_tls_with_jks.js: this example shows how to convert Java keystore (JKS) files and save the certificates in the same directory, and then referencing them in the TLS/SASL config.

You can find generated JS API docs for xk6-kafka here, and these are the specific configuration objects for TLS and SASL:

Good luck with your testing and feel free to ask specific questions.

1 Like
5

I am slightly confused on the ssl config example here: xk6-kafka/scripts/test_tls_with_jks.js at main · mostafa/xk6-kafka · GitHubI have a separate keystore and truststore for kafka connection with keystore passwords. I do not have ‘ClientKeyPassword‘, ‘clientKeyAlias‘. I am wondering how I would load the jks in this case?So should I load it like this:

const jks = LoadJKS({
path: keystorePath,
password: keyPassword,
clientCertAlias: “myalias”,
//clientKeyAlias: “”,
//clientKeyPassword: “”,
//serverCaAlias: “caroot”,});

const jks = LoadJKS({
path: trustorepath,
password: truststorepassword,
clientCertAlias: “mytruststorealias”,
//clientKeyAlias: “”,
//clientKeyPassword: “”,
//serverCaAlias: “caroot”,});

The comment said to load it twice.

Also not sure on this part in the example(lines 37-39):
clientCertPem: jks[“clientCertsPem”][0], // The first certificate in the chain
clientKeyPem: jks[“clientKeyPem”],
serverCaPem: jks[“serverCaPem”],

I don’t need to change anything here right?

Appreciate your help on this. TIA!