AlinsRan commented on code in PR #13607: URL: https://github.com/apache/apisix/pull/13607#discussion_r3568367631
########## docs/en/latest/plugins/kafka-logger.md: ########## @@ -487,3 +489,50 @@ If you have customized the `log_format` in addition to setting `include_req_body ``` ::: + +### Log to TLS-Enabled Kafka Brokers + +The following example demonstrates how to connect to TLS-enabled Kafka brokers, such as AWS MSK. + +Create a Route with `kafka-logger` and configure the `tls` attribute to connect to the TLS-enabled Kafka broker: + +```shell +curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \ + -H "X-API-KEY: ${admin_key}" \ + -d '{ + "id": "kafka-logger-tls-route", + "uri": "/get", + "plugins": { + "kafka-logger": { + "brokers": [ + { + "host": "kafka.example.com", + "port": 9093 + } + ], + "kafka_topic": "test2", + "key": "key1", + "batch_max_size": 1, + "tls": { + "verify": true + } + } + }, + "upstream": { + "nodes": { + "httpbin.org:80": 1 + }, + "type": "roundrobin" + } + }' +``` + +When using self-signed certificates, set `tls.verify` to `false` to skip certificate verification: Review Comment: This steers users toward disabling certificate verification. Better to tell them how to keep it on: point `apisix.ssl.ssl_trusted_certificate` in `config.yaml` at their CA bundle (it defaults to `system`, so publicly-signed brokers like AWS MSK work with `verify: true` out of the box — only a private CA needs this). `verify: false` should be framed as test-environment-only. Same paragraph at the end of `error-log-logger.md`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
