smeeb

Reputation: 29477

Can Kafka talk to ZooKeeper over TCP even if Kafka is serving TLS/SSL?

I have created a 3-node ZK ensemble to use as a consensus cluster for Kafka and (potentially) other services as well.

I have also created a separate 2-node Kafka broker cluster that uses those 3 ZKs for leader election, etc. I have tested this configuration with remote producers & consumers and it seems to be working quite nicely.

I now want to have my Kafka brokers require TLS/SSL, so that Kafka clients have to communicate via SSL certs. But I don't want to configure my 3 ZK nodes to require TLS.

Can I have the following setup?

Kafka Clients <---TLS---> Kafkas <---TCP---> ZK

Or do I need TLS all the way through to the ZK backend?

Upvotes: 0

Views: 922

Answers (2)

Sameer Khan

Reputation: 637

This task can still be achieved by a simple workaround mentioned in the steps below:

  1. Install zookeeper-3.5.1-alpha (to use the .jar files; version 3.5+ can be used)
  2. Replace default zookeeper*.jar with /zookeeper-3.5.1-alpha/zookeeper-3.5.1-alpha.jar in <kafka-installation-folder>\libs
  3. Copy /zookeeper-3.5.1-alpha/lib/netty-3.7.0.Final.jar into <kafka-installation-folder>\libs
  4. Relevant changes to enable SSL on Zookeeper (https://cwiki-test.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide)

Upvotes: 0

Luciano Afranllie

Reputation: 4253

Yes, you can. When you configure SSL in Kafka, that is only for Kafka clients to Kafka servers and optionally between Kafka servers. Indeed, ZooKeeper 3.4 does not support TLS communication between clients and servers yet. That feature is coming in ZooKeeper 3.5.

Upvotes: 2
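
The setup described in the answer above, written out as a broker `server.properties` fragment. This is an added example, not part of the original posts; the host names, port numbers, file paths and passwords are placeholders.

```properties
# Broker server.properties fragment (constructed example; host names,
# ports, paths and passwords are placeholders).

# Client-facing listener: TLS only, no PLAINTEXT listener is defined.
listeners=SSL://:9093
# Broker-to-broker traffic also uses TLS (the optional part in the answer).
security.inter.broker.protocol=SSL

ssl.keystore.location=/path/to/kafka.server.keystore.jks
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
ssl.truststore.location=/path/to/kafka.server.truststore.jks
ssl.truststore.password=<truststore-password>
# Require clients to present a certificate signed by a CA in the truststore.
ssl.client.auth=required

# Broker-to-ZooKeeper link: ordinary unencrypted client connections to the
# three-node ensemble. None of the ssl.* settings above apply to this hop.
zookeeper.connect=zk1.example.internal:2181,zk2.example.internal:2181,zk3.example.internal:2181
```

Because the ZooKeeper hop stays in cleartext, keep the ensemble's client port reachable only from the brokers, for example on a private network segment or behind host firewall rules.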
