Howdy! I’m new to Telegraf and have a couple questions around configuring the Kafka output correctly so that data is encrypted over the network.
Our Kafka brokers are configured using a TLS cert from a trusted CA so the broker port that Telegraf will be connecting on should enable secure / encrypted traffic.
Is the main purpose of the SSL section in the Telegraf config Kafka output section for client cert authentication?
```toml
## Optional SSL Config
# ssl_ca = "/etc/telegraf/ca.pem"
# ssl_cert = "/etc/telegraf/cert.pem"
# ssl_key = "/etc/telegraf/key.pem"
## Use SSL but skip chain & host verification
# insecure_skip_verify = true
```
We don’t want to use and manage certs for client auth but we must have SSL enabled for network data encryption.
The only way I can get Telegraf to connect to our secure Kafka port is by setting:
```toml
insecure_skip_verify = true
```
while leaving the rest of the SSL config options commented out. If I set ‘insecure_skip_verify’ to false it again fails to connect with the following errors in the log:
```
2017-12-21T03:07:55Z D! Attempting connection to output: kafka
2017-12-21T03:07:56Z E! Failed to connect to output kafka, retrying in 15s, error was 'kafka: client has run out of available brokers to talk to (Is your cluster reachable?)'
2017-12-21T03:08:12Z E! kafka: client has run out of available brokers to talk to (Is your cluster reachable?)
```
Can someone explain why this is necessary? What exactly does ‘insecure_skip_verify’ option do? I haven’t been able to find an explanation in any docs. If set to true, does that mean that the cert isn’t being verified that it is from a trusted CA? Our cert does match the domain names used for our Kafka brokers.
I do see this in the code:
Thanks for any help and clarification!
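What `insecure_skip_verify` actually switches off, shown as an added example that is not part of the original post and not Telegraf's own code. Telegraf is written in Go, and the option maps onto `InsecureSkipVerify` in a `crypto/tls` client config, which is what the config comment on the page means by "skip chain & host verification". The program below constructs a throwaway self-signed certificate for a hypothetical broker name `kafka.example.internal` (standing in for a real CA-issued broker cert, and doubling as its own CA), starts a loopback TLS listener with it, and dials it four ways: with no usable trust anchor (the `ssl_ca`-unset case when the broker's CA is not in the trust store), with `InsecureSkipVerify` set, with the CA in a root pool (the `ssl_ca` case), and with the CA present but a hostname the cert does not carry. It does not reproduce or diagnose the "run out of available brokers" error from the log, which this page does not explain; it only shows the verification behaviour of the option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical broker name; stands in for the real broker DNS names in the question.
const brokerName = "kafka.example.internal"

// newBrokerCert builds a constructed self-signed cert for brokerName. It is its own
// issuer, so adding it to a root pool is the equivalent of pointing ssl_ca at the CA.
func newBrokerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: brokerName},
		DNSNames:              []string{brokerName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// classify maps a client handshake outcome to a short label.
func classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "untrusted-chain" // no path to a trusted root
	case errors.As(err, &badHost):
		return "hostname-mismatch" // chain fine, name in cert does not match
	default:
		return "other: " + err.Error()
	}
}

// handshake dials the loopback broker with a client config and labels the result.
func handshake(addr string, cfg *tls.Config) string {
	conn, err := tls.Dial("tcp", addr, cfg) // Dial completes the handshake
	if err == nil {
		conn.Close()
	}
	return classify(err)
}

// Results holds the outcome of each Telegraf-style setting.
type Results struct{ NoCA, SkipVerify, WithCA, WrongHost string }

// runScenarios starts the fake broker and exercises the four client configs.
func runScenarios() (Results, error) {
	cert, leaf, err := newBrokerCert()
	if err != nil {
		return Results{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return Results{}, err
	}
	defer ln.Close()
	go func() { // accept loop: finish each handshake, then hang up
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	addr := ln.Addr().String()
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return Results{
		// ssl_ca unset and the broker's CA absent from the trust store (modelled as an empty pool)
		NoCA: handshake(addr, &tls.Config{ServerName: brokerName, RootCAs: x509.NewCertPool()}),
		// insecure_skip_verify = true: encrypted, but any certificate is accepted
		SkipVerify: handshake(addr, &tls.Config{InsecureSkipVerify: true}),
		// ssl_ca set: chain built to the CA and the name in the cert checked
		WithCA: handshake(addr, &tls.Config{ServerName: brokerName, RootCAs: pool}),
		// ssl_ca set, but verifying against the dialled IP (ServerName unset) which the cert lacks
		WrongHost: handshake(addr, &tls.Config{RootCAs: pool}),
	}, nil
}

func main() {
	r, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no CA: %s\nskip verify: %s\nwith CA: %s\nwrong host: %s\n",
		r.NoCA, r.SkipVerify, r.WithCA, r.WrongHost)
}
```

The `SkipVerify` case succeeds against a certificate the client has no reason to trust, which is the point: the session is still encrypted, but nothing checks who is on the other end, so an attacker presenting their own certificate on the broker port would be accepted just the same. The `WithCA` case is the setting that gives encryption plus broker authentication without any client certificate: in a Go `tls.Config`, `RootCAs` (the `ssl_ca` file) is independent of `Certificates` (`ssl_cert`/`ssl_key`), which are only needed when the broker requires mutual TLS. The `WrongHost` case shows the second half of "chain & host verification": the CA can be trusted and the handshake still fails if the name being connected to is not in the certificate.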