Add SSL service connection support for Kafka

See gh-41137

Author: mhalbritter

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/kafka/KafkaAnnotationDrivenConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,7 +23,6 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnThreading;
 import org.springframework.boot.autoconfigure.thread.Threading;
-import org.springframework.boot.ssl.SslBundles;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.task.SimpleAsyncTaskExecutor;
@@ -152,11 +151,10 @@ private ConcurrentKafkaListenerContainerFactoryConfigurer configurer() {
 	ConcurrentKafkaListenerContainerFactory<?, ?> kafkaListenerContainerFactory(
 			ConcurrentKafkaListenerContainerFactoryConfigurer configurer,
 			ObjectProvider<ConsumerFactory<Object, Object>> kafkaConsumerFactory,
-			ObjectProvider<ContainerCustomizer<Object, Object, ConcurrentMessageListenerContainer<Object, Object>>> kafkaContainerCustomizer,
-			ObjectProvider<SslBundles> sslBundles) {
+			ObjectProvider<ContainerCustomizer<Object, Object, ConcurrentMessageListenerContainer<Object, Object>>> kafkaContainerCustomizer) {
 		ConcurrentKafkaListenerContainerFactory<Object, Object> factory = new ConcurrentKafkaListenerContainerFactory<>();
-		configurer.configure(factory, kafkaConsumerFactory.getIfAvailable(() -> new DefaultKafkaConsumerFactory<>(
-				this.properties.buildConsumerProperties(sslBundles.getIfAvailable()))));
+		configurer.configure(factory, kafkaConsumerFactory
+			.getIfAvailable(() -> new DefaultKafkaConsumerFactory<>(this.properties.buildConsumerProperties())));
 		kafkaContainerCustomizer.ifAvailable(factory::setContainerCustomizer);
 		return factory;
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/kafka/KafkaAutoConfiguration.java

@@ -23,6 +23,7 @@
 import org.apache.kafka.clients.CommonClientConfigs;
 import org.apache.kafka.clients.consumer.ConsumerConfig;
 import org.apache.kafka.clients.producer.ProducerConfig;
+import org.apache.kafka.common.config.SslConfigs;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
@@ -32,10 +33,12 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnSingleCandidate;
+import org.springframework.boot.autoconfigure.kafka.KafkaConnectionDetails.Configuration;
 import org.springframework.boot.autoconfigure.kafka.KafkaProperties.Jaas;
 import org.springframework.boot.autoconfigure.kafka.KafkaProperties.Retry.Topic.Backoff;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundles;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
@@ -54,6 +57,7 @@
 import org.springframework.kafka.transaction.KafkaTransactionManager;
 import org.springframework.retry.backoff.BackOffPolicyBuilder;
 import org.springframework.retry.backoff.SleepingBackOffPolicy;
+import org.springframework.util.StringUtils;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Apache Kafka.
@@ -84,8 +88,9 @@ public class KafkaAutoConfiguration {
 
 	@Bean
 	@ConditionalOnMissingBean(KafkaConnectionDetails.class)
-	PropertiesKafkaConnectionDetails kafkaConnectionDetails(KafkaProperties properties) {
-		return new PropertiesKafkaConnectionDetails(properties);
+	PropertiesKafkaConnectionDetails kafkaConnectionDetails(KafkaProperties properties,
+			ObjectProvider<SslBundles> sslBundles) {
+		return new PropertiesKafkaConnectionDetails(properties, sslBundles.getIfAvailable());
 	}
 
 	@Bean
@@ -111,9 +116,9 @@ public LoggingProducerListener<Object, Object> kafkaProducerListener() {
 
 	@Bean
 	@ConditionalOnMissingBean(ConsumerFactory.class)
-	public DefaultKafkaConsumerFactory<?, ?> kafkaConsumerFactory(KafkaConnectionDetails connectionDetails,
-			ObjectProvider<DefaultKafkaConsumerFactoryCustomizer> customizers, ObjectProvider<SslBundles> sslBundles) {
-		Map<String, Object> properties = this.properties.buildConsumerProperties(sslBundles.getIfAvailable());
+	DefaultKafkaConsumerFactory<?, ?> kafkaConsumerFactory(KafkaConnectionDetails connectionDetails,
+			ObjectProvider<DefaultKafkaConsumerFactoryCustomizer> customizers) {
+		Map<String, Object> properties = this.properties.buildConsumerProperties();
 		applyKafkaConnectionDetailsForConsumer(properties, connectionDetails);
 		DefaultKafkaConsumerFactory<Object, Object> factory = new DefaultKafkaConsumerFactory<>(properties);
 		customizers.orderedStream().forEach((customizer) -> customizer.customize(factory));
@@ -122,9 +127,9 @@ public LoggingProducerListener<Object, Object> kafkaProducerListener() {
 
 	@Bean
 	@ConditionalOnMissingBean(ProducerFactory.class)
-	public DefaultKafkaProducerFactory<?, ?> kafkaProducerFactory(KafkaConnectionDetails connectionDetails,
-			ObjectProvider<DefaultKafkaProducerFactoryCustomizer> customizers, ObjectProvider<SslBundles> sslBundles) {
-		Map<String, Object> properties = this.properties.buildProducerProperties(sslBundles.getIfAvailable());
+	DefaultKafkaProducerFactory<?, ?> kafkaProducerFactory(KafkaConnectionDetails connectionDetails,
+			ObjectProvider<DefaultKafkaProducerFactoryCustomizer> customizers) {
+		Map<String, Object> properties = this.properties.buildProducerProperties();
 		applyKafkaConnectionDetailsForProducer(properties, connectionDetails);
 		DefaultKafkaProducerFactory<?, ?> factory = new DefaultKafkaProducerFactory<>(properties);
 		String transactionIdPrefix = this.properties.getProducer().getTransactionIdPrefix();
@@ -160,8 +165,8 @@ public KafkaJaasLoginModuleInitializer kafkaJaasInitializer() throws IOException
 
 	@Bean
 	@ConditionalOnMissingBean
-	public KafkaAdmin kafkaAdmin(KafkaConnectionDetails connectionDetails, ObjectProvider<SslBundles> sslBundles) {
-		Map<String, Object> properties = this.properties.buildAdminProperties(sslBundles.getIfAvailable());
+	KafkaAdmin kafkaAdmin(KafkaConnectionDetails connectionDetails) {
+		Map<String, Object> properties = this.properties.buildAdminProperties(null);
 		applyKafkaConnectionDetailsForAdmin(properties, connectionDetails);
 		KafkaAdmin kafkaAdmin = new KafkaAdmin(properties);
 		KafkaProperties.Admin admin = this.properties.getAdmin();
@@ -193,26 +198,26 @@ public RetryTopicConfiguration kafkaRetryTopicConfiguration(KafkaTemplate<?, ?>
 
 	private void applyKafkaConnectionDetailsForConsumer(Map<String, Object> properties,
 			KafkaConnectionDetails connectionDetails) {
-		properties.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, connectionDetails.getConsumerBootstrapServers());
-		if (!(connectionDetails instanceof PropertiesKafkaConnectionDetails)) {
-			properties.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "PLAINTEXT");
-		}
+		Configuration consumer = connectionDetails.getConsumer();
+		properties.put(ConsumerConfig.BOOTSTRAP_SERVERS_CONFIG, consumer.getBootstrapServers());
+		applySecurityProtocol(properties, connectionDetails.getSecurityProtocol());
+		applySslBundle(properties, consumer.getSslBundle());
 	}
 
 	private void applyKafkaConnectionDetailsForProducer(Map<String, Object> properties,
 			KafkaConnectionDetails connectionDetails) {
-		properties.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, connectionDetails.getProducerBootstrapServers());
-		if (!(connectionDetails instanceof PropertiesKafkaConnectionDetails)) {
-			properties.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "PLAINTEXT");
-		}
+		Configuration producer = connectionDetails.getProducer();
+		properties.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, producer.getBootstrapServers());
+		applySecurityProtocol(properties, producer.getSecurityProtocol());
+		applySslBundle(properties, producer.getSslBundle());
 	}
 
 	private void applyKafkaConnectionDetailsForAdmin(Map<String, Object> properties,
 			KafkaConnectionDetails connectionDetails) {
-		properties.put(CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG, connectionDetails.getAdminBootstrapServers());
-		if (!(connectionDetails instanceof PropertiesKafkaConnectionDetails)) {
-			properties.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "PLAINTEXT");
-		}
+		Configuration admin = connectionDetails.getAdmin();
+		properties.put(CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG, admin.getBootstrapServers());
+		applySecurityProtocol(properties, admin.getSecurityProtocol());
+		applySslBundle(properties, admin.getSslBundle());
 	}
 
 	private static void setBackOffPolicy(RetryTopicConfigurationBuilder builder, Backoff retryTopicBackoff) {
@@ -231,4 +236,17 @@ private static void setBackOffPolicy(RetryTopicConfigurationBuilder builder, Bac
 		}
 	}
 
+	static void applySslBundle(Map<String, Object> properties, SslBundle sslBundle) {
+		if (sslBundle != null) {
+			properties.put(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG, SslBundleSslEngineFactory.class.getName());
+			properties.put(SslBundle.class.getName(), sslBundle);
+		}
+	}
+
+	static void applySecurityProtocol(Map<String, Object> properties, String securityProtocol) {
+		if (StringUtils.hasLength(securityProtocol)) {
+			properties.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, securityProtocol);
+		}
+	}
+
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/kafka/KafkaConnectionDetails.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import java.util.List;
 
 import org.springframework.boot.autoconfigure.service.connection.ConnectionDetails;
+import org.springframework.boot.ssl.SslBundle;
 
 /**
  * Details required to establish a connection to a Kafka service.
@@ -36,36 +37,173 @@ public interface KafkaConnectionDetails extends ConnectionDetails {
 	 */
 	List<String> getBootstrapServers();
 
+	/**
+	 * Returns the SSL bundle.
+	 * @return the SSL bundle
+	 * @since 3.5.0
+	 */
+	default SslBundle getSslBundle() {
+		return null;
+	}
+
+	/**
+	 * Returns the security protocol.
+	 * @return the security protocol
+	 * @since 3.5.0
+	 */
+	default String getSecurityProtocol() {
+		return null;
+	}
+
+	/**
+	 * Returns the consumer configuration.
+	 * @return the consumer configuration
+	 * @since 3.5.0
+	 */
+	default Configuration getConsumer() {
+		return Configuration.of(getBootstrapServers(), getSslBundle(), getSecurityProtocol());
+	}
+
+	/**
+	 * Returns the producer configuration.
+	 * @return the producer configuration
+	 * @since 3.5.0
+	 */
+	default Configuration getProducer() {
+		return Configuration.of(getBootstrapServers(), getSslBundle(), getSecurityProtocol());
+	}
+
+	/**
+	 * Returns the admin configuration.
+	 * @return the admin configuration
+	 * @since 3.5.0
+	 */
+	default Configuration getAdmin() {
+		return Configuration.of(getBootstrapServers(), getSslBundle(), getSecurityProtocol());
+	}
+
+	/**
+	 * Returns the Kafka Streams configuration.
+	 * @return the Kafka Streams configuration
+	 * @since 3.5.0
+	 */
+	default Configuration getStreams() {
+		return Configuration.of(getBootstrapServers(), getSslBundle(), getSecurityProtocol());
+	}
+
 	/**
 	 * Returns the list of bootstrap servers used for consumers.
 	 * @return the list of bootstrap servers used for consumers
+	 * @deprecated since 3.5.0 for removal in 3.7.0 in favor of {@link #getConsumer()}
 	 */
+	@Deprecated(since = "3.5.0", forRemoval = true)
 	default List<String> getConsumerBootstrapServers() {
-		return getBootstrapServers();
+		return getConsumer().getBootstrapServers();
 	}
 
 	/**
 	 * Returns the list of bootstrap servers used for producers.
 	 * @return the list of bootstrap servers used for producers
+	 * @deprecated since 3.5.0 for removal in 3.7.0 in favor of {@link #getProducer()}
 	 */
+	@Deprecated(since = "3.5.0", forRemoval = true)
 	default List<String> getProducerBootstrapServers() {
-		return getBootstrapServers();
+		return getProducer().getBootstrapServers();
 	}
 
 	/**
 	 * Returns the list of bootstrap servers used for the admin.
 	 * @return the list of bootstrap servers used for the admin
+	 * @deprecated since 3.5.0 for removal in 3.7.0 in favor of {@link #getAdmin()}
 	 */
+	@Deprecated(since = "3.5.0", forRemoval = true)
 	default List<String> getAdminBootstrapServers() {
-		return getBootstrapServers();
+		return getAdmin().getBootstrapServers();
 	}
 
 	/**
 	 * Returns the list of bootstrap servers used for Kafka Streams.
 	 * @return the list of bootstrap servers used for Kafka Streams
+	 * @deprecated since 3.5.0 for removal in 3.7.0 in favor of {@link #getStreams()}
 	 */
+	@Deprecated(since = "3.5.0", forRemoval = true)
 	default List<String> getStreamsBootstrapServers() {
-		return getBootstrapServers();
+		return getStreams().getBootstrapServers();
+	}
+
+	/**
+	 * Kafka connection details configuration.
+	 */
+	interface Configuration {
+
+		/**
+		 * Creates a new configuration with the given bootstrap servers.
+		 * @param bootstrapServers the bootstrap servers
+		 * @return the configuration
+		 */
+		static Configuration of(List<String> bootstrapServers) {
+			return Configuration.of(bootstrapServers, null, null);
+		}
+
+		/**
+		 * Creates a new configuration with the given bootstrap servers and SSL bundle.
+		 * @param bootstrapServers the bootstrap servers
+		 * @param sslBundle the SSL bundle
+		 * @return the configuration
+		 */
+		static Configuration of(List<String> bootstrapServers, SslBundle sslBundle) {
+			return Configuration.of(bootstrapServers, sslBundle, null);
+		}
+
+		/**
+		 * Creates a new configuration with the given bootstrap servers, SSL bundle and
+		 * security protocol.
+		 * @param bootstrapServers the bootstrap servers
+		 * @param sslBundle the SSL bundle
+		 * @param securityProtocol the security protocol
+		 * @return the configuration
+		 */
+		static Configuration of(List<String> bootstrapServers, SslBundle sslBundle, String securityProtocol) {
+			return new Configuration() {
+				@Override
+				public List<String> getBootstrapServers() {
+					return bootstrapServers;
+				}
+
+				@Override
+				public SslBundle getSslBundle() {
+					return sslBundle;
+				}
+
+				@Override
+				public String getSecurityProtocol() {
+					return securityProtocol;
+				}
+			};
+		}
+
+		/**
+		 * Returns the list of bootstrap servers.
+		 * @return the list of bootstrap servers
+		 */
+		List<String> getBootstrapServers();
+
+		/**
+		 * Returns the SSL bundle.
+		 * @return the SSL bundle
+		 */
+		default SslBundle getSslBundle() {
+			return null;
+		}
+
+		/**
+		 * Returns the security protocol.
+		 * @return the security protocol
+		 */
+		default String getSecurityProtocol() {
+			return null;
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/kafka/KafkaProperties.java

@@ -38,7 +38,6 @@
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.context.properties.source.MutuallyExclusiveConfigurationPropertiesException;
 import org.springframework.boot.convert.DurationUnit;
-import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.SslBundles;
 import org.springframework.core.io.Resource;
 import org.springframework.kafka.listener.ContainerProperties.AckMode;
@@ -1401,10 +1400,10 @@ public Map<String, Object> buildProperties() {
 		public Map<String, Object> buildProperties(SslBundles sslBundles) {
 			validate();
 			String bundleName = getBundle();
+			Properties properties = new Properties();
 			if (StringUtils.hasText(bundleName)) {
-				return buildPropertiesForSslBundle(sslBundles, bundleName);
+				return properties;
 			}
-			Properties properties = new Properties();
 			PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
 			map.from(this::getKeyPassword).to(properties.in(SslConfigs.SSL_KEY_PASSWORD_CONFIG));
 			map.from(this::getKeyStoreCertificateChain)
@@ -1425,13 +1424,6 @@ public Map<String, Object> buildProperties(SslBundles sslBundles) {
 			return properties;
 		}
 
-		private Map<String, Object> buildPropertiesForSslBundle(SslBundles sslBundles, String name) {
-			Properties properties = new Properties();
-			properties.in(SslConfigs.SSL_ENGINE_FACTORY_CLASS_CONFIG).accept(SslBundleSslEngineFactory.class.getName());
-			properties.in(SslBundle.class.getName()).accept(sslBundles.getBundle(name));
-			return properties;
-		}
-
 		private void validate() {
 			MutuallyExclusiveConfigurationPropertiesException.throwIfMultipleMatchingValuesIn((entries) -> {
 				entries.put("spring.kafka.ssl.key-store-key", getKeyStoreKey());