I do not understand the objective of this PR. As mentioned in the README, you can usekafka.properties for configuration information "including key/truststore passwords".

What do you want to add to that?

@Bert-R
As mentioned in the README, I have already tried specifying truststore.password in kafka.properties, but Kafdrop still couldn't connect to our TLS-enabled Kafka brokers. This issue persisted even though the kafka.properties file was correctly mounted as a volume.

Additionally, in the company I work for, security policies prohibit storing passwords in configuration files like properties. (Honestly, I find this requirement quite perplexing myself.) However, storing passwords in objects such as Kubernetes Secrets is allowed.

This is why I created this PR. I believe that passwords required for certificate access should also be managed as separate parameters.

In that case, I suggest a much simpler implementation. We already supportSSL_KEY_STORE_PASSWORD. If yousearch for that string, you'll find two occurrences:

• kafdrop/README.md

  Line 338 in87c6f77

  |`SSL_KEY_STORE_PASSWORD` | Keystore password

• kafdrop/src/main/resources/application.yml

  Line 12 in87c6f77

  key-store-password:${SSL_KEY_STORE_PASSWORD:}

If you copy these lines and adapt them for the trust store, you're all set.

Thank you for your suggestion,@Bert-R

I understand that we already haveSSL_KEY_STORE_PASSWORD for the keystore password.
However, keystore and truststore serve different purposes in TLS communication.
While the keystore is used for server-side authentication, the truststore is necessary for verifying the broker’s certificate in client-side authentication.

Currently, there is no dedicated parameter for truststore.password, which is required for TLS connections with Kafka brokers. Simply duplicatingSSL_KEY_STORE_PASSWORD would not solve the issue, as it only addresses the keystore, not the truststore.

This PR proposes adding new parameters (SSL_TRUST_STORE andSSL_TRUST_STORE_PASSWORD) to handle truststore configuration separately, ensuring proper TLS support.

I hope this clarifies the need for the PR. Please review my PR again.

Your PR addsKAFKA_TRUSTSTORE_PASSWORD andKAFKA_KEYSTORE_PASSWORD, right? The latter one, we already have. It's namedSSL_KEY_STORE_PASSWORD. So there is no need to add that. The only thing that is missing is the trust store password.

We do not have theSSL_TRUST_STORE_PASSWORD yet, but that could be added with this simple change:

diff --git a/README.md b/README.mdindex e8e3b41..e4fc3a5 100644--- a/README.md+++ b/README.md@@ -353,6 +353,7 @@ docker run -d --rm -p 9000:9000 \ | `SSL_KEY_STORE_TYPE`     | Type of SSL keystore. Default is `PKCS12` | `SSL_KEY_STORE`          | Path to keystore file | `SSL_KEY_STORE_PASSWORD` | Keystore password+| `SSL_TRUST_STORE_PASSWORD` | Truststore password | `SSL_KEY_ALIAS`          | Key alias ### Using Helmdiff --git a/src/main/resources/application.yml b/src/main/resources/application.ymlindex d80ad48..d52ec18 100644--- a/src/main/resources/application.yml+++ b/src/main/resources/application.yml@@ -10,6 +10,7 @@ server:     key-store-type: ${SSL_KEY_STORE_TYPE:PKCS12}     key-store: ${SSL_KEY_STORE:}     key-store-password: ${SSL_KEY_STORE_PASSWORD:}+    trust-store-password: ${SSL_TRUST_STORE_PASSWORD:}     key-alias: ${SSL_KEY_ALIAS:}     enabled: ${SSL_ENABLED:false}

That's what I meant with "copy these lines and adapt them for the trust store".
Makes sense?