karafka-rdkafka 0.21.0.rc2-x86_64-linux-musl → 0.22.0.rc1-x86_64-linux-musl
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -1
- data/README.md +2 -1
- data/ext/librdkafka.so +0 -0
- data/karafka-rdkafka.gemspec +33 -6
- data/lib/rdkafka/version.rb +3 -3
- data/renovate.json +5 -17
- metadata +2 -67
- data/.github/CODEOWNERS +0 -3
- data/.github/FUNDING.yml +0 -1
- data/.github/workflows/ci_linux_alpine_x86_64_musl.yml +0 -197
- data/.github/workflows/ci_linux_alpine_x86_64_musl_complementary.yml +0 -264
- data/.github/workflows/ci_linux_debian_x86_64_gnu.yml +0 -271
- data/.github/workflows/ci_linux_debian_x86_64_gnu_complementary.yml +0 -334
- data/.github/workflows/ci_linux_ubuntu_aarch64_gnu.yml +0 -271
- data/.github/workflows/ci_linux_ubuntu_aarch64_gnu_complementary.yml +0 -295
- data/.github/workflows/ci_linux_ubuntu_x86_64_gnu.yml +0 -281
- data/.github/workflows/ci_linux_ubuntu_x86_64_gnu_complementary.yml +0 -294
- data/.github/workflows/ci_macos_arm64.yml +0 -284
- data/.github/workflows/push_linux_aarch64_gnu.yml +0 -65
- data/.github/workflows/push_linux_x86_64_gnu.yml +0 -65
- data/.github/workflows/push_linux_x86_64_musl.yml +0 -79
- data/.github/workflows/push_macos_arm64.yml +0 -54
- data/.github/workflows/push_ruby.yml +0 -37
- data/.github/workflows/trigger-wiki-refresh.yml +0 -30
- data/.github/workflows/verify-action-pins.yml +0 -16
- data/.gitignore +0 -16
- data/.rspec +0 -3
- data/.ruby-gemset +0 -1
- data/.ruby-version +0 -1
- data/.yardopts +0 -2
- data/dist/cyrus-sasl-2.1.28.tar.gz +0 -0
- data/dist/krb5-1.21.3.tar.gz +0 -0
- data/dist/openssl-3.0.16.tar.gz +0 -0
- data/dist/zlib-1.3.1.tar.gz +0 -0
- data/dist/zstd-1.5.7.tar.gz +0 -0
- data/ext/README.md +0 -19
- data/ext/Rakefile +0 -131
- data/ext/build_common.sh +0 -376
- data/ext/build_linux_aarch64_gnu.sh +0 -326
- data/ext/build_linux_x86_64_gnu.sh +0 -317
- data/ext/build_linux_x86_64_musl.sh +0 -773
- data/ext/build_macos_arm64.sh +0 -557
- data/ext/generate-ssl-certs.sh +0 -109
- data/spec/integrations/ssl_stress_spec.rb +0 -121
- data/spec/lib/rdkafka/abstract_handle_spec.rb +0 -117
- data/spec/lib/rdkafka/admin/create_acl_handle_spec.rb +0 -56
- data/spec/lib/rdkafka/admin/create_acl_report_spec.rb +0 -18
- data/spec/lib/rdkafka/admin/create_topic_handle_spec.rb +0 -54
- data/spec/lib/rdkafka/admin/create_topic_report_spec.rb +0 -16
- data/spec/lib/rdkafka/admin/delete_acl_handle_spec.rb +0 -85
- data/spec/lib/rdkafka/admin/delete_acl_report_spec.rb +0 -72
- data/spec/lib/rdkafka/admin/delete_topic_handle_spec.rb +0 -54
- data/spec/lib/rdkafka/admin/delete_topic_report_spec.rb +0 -16
- data/spec/lib/rdkafka/admin/describe_acl_handle_spec.rb +0 -85
- data/spec/lib/rdkafka/admin/describe_acl_report_spec.rb +0 -73
- data/spec/lib/rdkafka/admin_spec.rb +0 -982
- data/spec/lib/rdkafka/bindings_spec.rb +0 -198
- data/spec/lib/rdkafka/callbacks_spec.rb +0 -20
- data/spec/lib/rdkafka/config_spec.rb +0 -258
- data/spec/lib/rdkafka/consumer/headers_spec.rb +0 -73
- data/spec/lib/rdkafka/consumer/message_spec.rb +0 -139
- data/spec/lib/rdkafka/consumer/partition_spec.rb +0 -57
- data/spec/lib/rdkafka/consumer/topic_partition_list_spec.rb +0 -248
- data/spec/lib/rdkafka/consumer_spec.rb +0 -1343
- data/spec/lib/rdkafka/error_spec.rb +0 -95
- data/spec/lib/rdkafka/metadata_spec.rb +0 -79
- data/spec/lib/rdkafka/native_kafka_spec.rb +0 -130
- data/spec/lib/rdkafka/producer/delivery_handle_spec.rb +0 -60
- data/spec/lib/rdkafka/producer/delivery_report_spec.rb +0 -25
- data/spec/lib/rdkafka/producer/partitions_count_cache_spec.rb +0 -359
- data/spec/lib/rdkafka/producer_spec.rb +0 -1527
- data/spec/spec_helper.rb +0 -230
    
        data/ext/build_macos_arm64.sh
    DELETED
    
    | @@ -1,557 +0,0 @@ | |
| 1 | 
            -
            #!/usr/bin/env bash
         | 
| 2 | 
            -
            #
         | 
| 3 | 
            -
            # Simple librdkafka build script for macOS with Kerberos support
         | 
| 4 | 
            -
            # Usage: ./build-librdkafka-macos.sh
         | 
| 5 | 
            -
            #
         | 
| 6 | 
            -
            # Expected directory structure:
         | 
| 7 | 
            -
            #   ext/build_macos.sh                    (this script)
         | 
| 8 | 
            -
            #   ext/build-common.sh                   (shared functions)
         | 
| 9 | 
            -
            #   dist/librdkafka-*.tar.gz              (librdkafka source tarball)
         | 
| 10 | 
            -
            #   dist/patches/*.patch                  (optional Ruby-specific patches)
         | 
| 11 | 
            -
            #
         | 
| 12 | 
            -
            set -euo pipefail
         | 
| 13 | 
            -
             | 
| 14 | 
            -
            # Source common functions and constants
         | 
| 15 | 
            -
            SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
         | 
| 16 | 
            -
            source "$SCRIPT_DIR/build_common.sh"
         | 
| 17 | 
            -
             | 
| 18 | 
            -
            # Platform-specific paths
         | 
| 19 | 
            -
            DIST_DIR="$SCRIPT_DIR/../dist"
         | 
| 20 | 
            -
            PATCHES_DIR="$DIST_DIR/patches"
         | 
| 21 | 
            -
            BUILD_DIR="$(pwd)/build-tmp-macos"
         | 
| 22 | 
            -
            DEPS_PREFIX="/tmp/macos-deps"
         | 
| 23 | 
            -
             | 
| 24 | 
            -
            # macOS-specific dependency check
         | 
| 25 | 
            -
            check_macos_dependencies() {
         | 
| 26 | 
            -
                log "Checking macOS build dependencies..."
         | 
| 27 | 
            -
             | 
| 28 | 
            -
                # Check for Xcode Command Line Tools
         | 
| 29 | 
            -
                if ! xcode-select -p &> /dev/null; then
         | 
| 30 | 
            -
                    error "Xcode Command Line Tools not found. Install with: xcode-select --install"
         | 
| 31 | 
            -
                fi
         | 
| 32 | 
            -
             | 
| 33 | 
            -
                # Check for required tools (in addition to common ones)
         | 
| 34 | 
            -
                local missing_tools=()
         | 
| 35 | 
            -
             | 
| 36 | 
            -
                command -v gcc &> /dev/null || missing_tools+=("gcc")
         | 
| 37 | 
            -
                command -v clang &> /dev/null || missing_tools+=("clang")
         | 
| 38 | 
            -
             | 
| 39 | 
            -
                if [ ${#missing_tools[@]} -gt 0 ]; then
         | 
| 40 | 
            -
                    error "Missing required tools: ${missing_tools[*]}"
         | 
| 41 | 
            -
                fi
         | 
| 42 | 
            -
             | 
| 43 | 
            -
                log "✅ All required tools found"
         | 
| 44 | 
            -
             | 
| 45 | 
            -
                # Show system info
         | 
| 46 | 
            -
                log "Build environment:"
         | 
| 47 | 
            -
                log "  - macOS version: $(sw_vers -productVersion)"
         | 
| 48 | 
            -
                log "  - Architecture: $(uname -m)"
         | 
| 49 | 
            -
                log "  - Xcode tools: $(xcode-select -p)"
         | 
| 50 | 
            -
            }
         | 
| 51 | 
            -
             | 
| 52 | 
            -
            # macOS-specific compiler setup
         | 
| 53 | 
            -
            setup_macos_compiler() {
         | 
| 54 | 
            -
                local arch="$1"
         | 
| 55 | 
            -
             | 
| 56 | 
            -
                # Get the proper macOS SDK path
         | 
| 57 | 
            -
                MACOS_SDK_PATH=$(xcrun --show-sdk-path)
         | 
| 58 | 
            -
                log "Using macOS SDK: $MACOS_SDK_PATH"
         | 
| 59 | 
            -
             | 
| 60 | 
            -
                # Set macOS-specific flags
         | 
| 61 | 
            -
                export CC="$(xcrun -find clang)"
         | 
| 62 | 
            -
                export CFLAGS="-fPIC -O2 -arch $arch -isysroot $MACOS_SDK_PATH"
         | 
| 63 | 
            -
                export CXXFLAGS="-fPIC -O2 -arch $arch -isysroot $MACOS_SDK_PATH"
         | 
| 64 | 
            -
                export CPPFLAGS="-isysroot $MACOS_SDK_PATH"
         | 
| 65 | 
            -
             | 
| 66 | 
            -
                log "Applied $arch specific flags"
         | 
| 67 | 
            -
            }
         | 
| 68 | 
            -
             | 
| 69 | 
            -
            # Build static OpenSSL for macOS
         | 
| 70 | 
            -
            build_openssl_macos() {
         | 
| 71 | 
            -
                local arch="$1"
         | 
| 72 | 
            -
                local openssl_prefix="$2"
         | 
| 73 | 
            -
                local openssl_dir="$3"
         | 
| 74 | 
            -
             | 
| 75 | 
            -
                cd "$openssl_dir"
         | 
| 76 | 
            -
             | 
| 77 | 
            -
                if [ ! -f "$openssl_prefix/lib/libssl.a" ]; then
         | 
| 78 | 
            -
                    log "Configuring and building static OpenSSL..."
         | 
| 79 | 
            -
                    make clean 2>/dev/null || true
         | 
| 80 | 
            -
             | 
| 81 | 
            -
                    setup_macos_compiler "$arch"
         | 
| 82 | 
            -
             | 
| 83 | 
            -
                    # Configure OpenSSL for macOS
         | 
| 84 | 
            -
                    if [ "$arch" = "arm64" ]; then
         | 
| 85 | 
            -
                        ./Configure darwin64-arm64-cc \
         | 
| 86 | 
            -
                            no-shared \
         | 
| 87 | 
            -
                            no-dso \
         | 
| 88 | 
            -
                            --prefix="$openssl_prefix" \
         | 
| 89 | 
            -
                            --openssldir="$openssl_prefix/ssl"
         | 
| 90 | 
            -
                    else
         | 
| 91 | 
            -
                        ./Configure darwin64-x86_64-cc \
         | 
| 92 | 
            -
                            no-shared \
         | 
| 93 | 
            -
                            no-dso \
         | 
| 94 | 
            -
                            --prefix="$openssl_prefix" \
         | 
| 95 | 
            -
                            --openssldir="$openssl_prefix/ssl"
         | 
| 96 | 
            -
                    fi
         | 
| 97 | 
            -
             | 
| 98 | 
            -
                    make -j$(get_cpu_count)
         | 
| 99 | 
            -
                    make install
         | 
| 100 | 
            -
             | 
| 101 | 
            -
                    # Verify the build
         | 
| 102 | 
            -
                    if [ ! -f "$openssl_prefix/lib/libssl.a" ] || [ ! -f "$openssl_prefix/lib/libcrypto.a" ]; then
         | 
| 103 | 
            -
                        error "Failed to build static OpenSSL"
         | 
| 104 | 
            -
                    fi
         | 
| 105 | 
            -
             | 
| 106 | 
            -
                    log "✅ Static OpenSSL built successfully at $openssl_prefix"
         | 
| 107 | 
            -
                else
         | 
| 108 | 
            -
                    log "Static OpenSSL already built, skipping..."
         | 
| 109 | 
            -
                fi
         | 
| 110 | 
            -
            }
         | 
| 111 | 
            -
             | 
| 112 | 
            -
            # Build static MIT Kerberos for macOS
         | 
| 113 | 
            -
            build_krb5_macos() {
         | 
| 114 | 
            -
                local arch="$1"
         | 
| 115 | 
            -
                local krb5_prefix="$2"
         | 
| 116 | 
            -
                local krb5_dir="$3"
         | 
| 117 | 
            -
             | 
| 118 | 
            -
                cd "$krb5_dir/src"
         | 
| 119 | 
            -
             | 
| 120 | 
            -
                if [ ! -f "$krb5_prefix/lib/libgssapi_krb5.a" ]; then
         | 
| 121 | 
            -
                    log "Configuring and building static MIT Kerberos..."
         | 
| 122 | 
            -
                    make clean 2>/dev/null || true
         | 
| 123 | 
            -
             | 
| 124 | 
            -
                    setup_macos_compiler "$arch"
         | 
| 125 | 
            -
             | 
| 126 | 
            -
                    # Configure MIT Kerberos for macOS
         | 
| 127 | 
            -
                    ./configure \
         | 
| 128 | 
            -
                        --disable-shared \
         | 
| 129 | 
            -
                        --enable-static \
         | 
| 130 | 
            -
                        --prefix="$krb5_prefix" \
         | 
| 131 | 
            -
                        --without-ldap \
         | 
| 132 | 
            -
                        --without-tcl \
         | 
| 133 | 
            -
                        --without-keyutils \
         | 
| 134 | 
            -
                        --disable-rpath \
         | 
| 135 | 
            -
                        --without-system-verto \
         | 
| 136 | 
            -
                        --disable-thread-support \
         | 
| 137 | 
            -
                        --disable-aesni
         | 
| 138 | 
            -
             | 
| 139 | 
            -
                    # Build everything except the problematic kadmin tools (same as Linux)
         | 
| 140 | 
            -
                    log "Building Kerberos (will ignore kadmin build failures)..."
         | 
| 141 | 
            -
                    make -j$(get_cpu_count) || {
         | 
| 142 | 
            -
                        log "Full build failed (expected due to kadmin), continuing with libraries..."
         | 
| 143 | 
            -
                        # The libraries should be built even if kadmin fails
         | 
| 144 | 
            -
                        true
         | 
| 145 | 
            -
                    }
         | 
| 146 | 
            -
             | 
| 147 | 
            -
                    # Install what was successfully built
         | 
| 148 | 
            -
                    make install || {
         | 
| 149 | 
            -
                        log "Full install failed, installing individual components..."
         | 
| 150 | 
            -
                        # Try to install the core libraries manually
         | 
| 151 | 
            -
                        make install-mkdirs 2>/dev/null || true
         | 
| 152 | 
            -
                        make -C util install 2>/dev/null || true
         | 
| 153 | 
            -
                        make -C lib install 2>/dev/null || true
         | 
| 154 | 
            -
                        make -C plugins/kdb/db2 install 2>/dev/null || true
         | 
| 155 | 
            -
                    }
         | 
| 156 | 
            -
             | 
| 157 | 
            -
                    # Verify we got the essential libraries
         | 
| 158 | 
            -
                    if [ ! -f "$krb5_prefix/lib/libgssapi_krb5.a" ]; then
         | 
| 159 | 
            -
                        error "Failed to build essential Kerberos libraries"
         | 
| 160 | 
            -
                    fi
         | 
| 161 | 
            -
             | 
| 162 | 
            -
                    log "✅ Static MIT Kerberos built successfully at $krb5_prefix"
         | 
| 163 | 
            -
                else
         | 
| 164 | 
            -
                    log "Static MIT Kerberos already built, skipping..."
         | 
| 165 | 
            -
                fi
         | 
| 166 | 
            -
            }
         | 
| 167 | 
            -
             | 
| 168 | 
            -
            # Build static Cyrus SASL for macOS with Kerberos support
         | 
| 169 | 
            -
            build_sasl_macos() {
         | 
| 170 | 
            -
                local arch="$1"
         | 
| 171 | 
            -
                local sasl_prefix="$2"
         | 
| 172 | 
            -
                local sasl_dir="$3"
         | 
| 173 | 
            -
                local openssl_prefix="$4"
         | 
| 174 | 
            -
                local krb5_prefix="$5"
         | 
| 175 | 
            -
             | 
| 176 | 
            -
                cd "$sasl_dir"
         | 
| 177 | 
            -
             | 
| 178 | 
            -
                if [ ! -f "$sasl_prefix/lib/libsasl2.a" ]; then
         | 
| 179 | 
            -
                    log "Configuring and building static Cyrus SASL with Kerberos support..."
         | 
| 180 | 
            -
                    make clean 2>/dev/null || true
         | 
| 181 | 
            -
             | 
| 182 | 
            -
                    setup_macos_compiler "$arch"
         | 
| 183 | 
            -
                    export CPPFLAGS="$CPPFLAGS -I$openssl_prefix/include -I$krb5_prefix/include"
         | 
| 184 | 
            -
                    export LDFLAGS="-L$openssl_prefix/lib -L$krb5_prefix/lib"
         | 
| 185 | 
            -
             | 
| 186 | 
            -
                    # Configure SASL with Kerberos/GSSAPI support (now ENABLED)
         | 
| 187 | 
            -
                    ./configure \
         | 
| 188 | 
            -
                        --disable-shared \
         | 
| 189 | 
            -
                        --enable-static \
         | 
| 190 | 
            -
                        --prefix="$sasl_prefix" \
         | 
| 191 | 
            -
                        --without-dblib \
         | 
| 192 | 
            -
                        --disable-gdbm \
         | 
| 193 | 
            -
                        --disable-macos-framework \
         | 
| 194 | 
            -
                        --disable-sample \
         | 
| 195 | 
            -
                        --disable-obsolete_cram_attr \
         | 
| 196 | 
            -
                        --disable-obsolete_digest_attr \
         | 
| 197 | 
            -
                        --enable-gssapi="$krb5_prefix" \
         | 
| 198 | 
            -
                        --disable-krb4 \
         | 
| 199 | 
            -
                        --with-openssl="$openssl_prefix"
         | 
| 200 | 
            -
             | 
| 201 | 
            -
                    make -j$(get_cpu_count)
         | 
| 202 | 
            -
                    make install
         | 
| 203 | 
            -
             | 
| 204 | 
            -
                    # Verify the build
         | 
| 205 | 
            -
                    if [ ! -f "$sasl_prefix/lib/libsasl2.a" ]; then
         | 
| 206 | 
            -
                        error "Failed to build static Cyrus SASL"
         | 
| 207 | 
            -
                    fi
         | 
| 208 | 
            -
             | 
| 209 | 
            -
                    log "✅ Static Cyrus SASL with Kerberos support built successfully at $sasl_prefix"
         | 
| 210 | 
            -
                else
         | 
| 211 | 
            -
                    log "Static Cyrus SASL already built, skipping..."
         | 
| 212 | 
            -
                fi
         | 
| 213 | 
            -
            }
         | 
| 214 | 
            -
             | 
| 215 | 
            -
            # Build generic static library for macOS
         | 
| 216 | 
            -
            build_static_lib_macos() {
         | 
| 217 | 
            -
                local lib_name="$1"
         | 
| 218 | 
            -
                local arch="$2"
         | 
| 219 | 
            -
                local prefix="$3"
         | 
| 220 | 
            -
                local source_dir="$4"
         | 
| 221 | 
            -
                local configure_args="$5"
         | 
| 222 | 
            -
             | 
| 223 | 
            -
                cd "$source_dir"
         | 
| 224 | 
            -
             | 
| 225 | 
            -
                local lib_file="$prefix/lib/lib${lib_name}.a"
         | 
| 226 | 
            -
                if [ ! -f "$lib_file" ]; then
         | 
| 227 | 
            -
                    log "Configuring and building static $lib_name..."
         | 
| 228 | 
            -
                    make clean 2>/dev/null || true
         | 
| 229 | 
            -
             | 
| 230 | 
            -
                    setup_macos_compiler "$arch"
         | 
| 231 | 
            -
             | 
| 232 | 
            -
                    # Run configure with provided arguments
         | 
| 233 | 
            -
                    eval "./configure --prefix=\"$prefix\" $configure_args"
         | 
| 234 | 
            -
             | 
| 235 | 
            -
                    make -j$(get_cpu_count)
         | 
| 236 | 
            -
                    make install
         | 
| 237 | 
            -
             | 
| 238 | 
            -
                    # Verify the build
         | 
| 239 | 
            -
                    if [ ! -f "$lib_file" ]; then
         | 
| 240 | 
            -
                        error "Failed to build static $lib_name"
         | 
| 241 | 
            -
                    fi
         | 
| 242 | 
            -
             | 
| 243 | 
            -
                    log "✅ Static $lib_name built successfully at $prefix"
         | 
| 244 | 
            -
                else
         | 
| 245 | 
            -
                    log "Static $lib_name already built, skipping..."
         | 
| 246 | 
            -
                fi
         | 
| 247 | 
            -
            }
         | 
| 248 | 
            -
             | 
| 249 | 
            -
            # Check common and macOS-specific dependencies
         | 
| 250 | 
            -
            check_common_dependencies
         | 
| 251 | 
            -
            check_macos_dependencies
         | 
| 252 | 
            -
             | 
| 253 | 
            -
            # Auto-detect librdkafka tarball
         | 
| 254 | 
            -
            log "Looking for librdkafka tarball in $DIST_DIR..."
         | 
| 255 | 
            -
            LIBRDKAFKA_TARBALL=$(find_librdkafka_tarball "$DIST_DIR")
         | 
| 256 | 
            -
            log "Found librdkafka tarball: $LIBRDKAFKA_TARBALL"
         | 
| 257 | 
            -
             | 
| 258 | 
            -
            # Verify librdkafka tarball checksum if available
         | 
| 259 | 
            -
            verify_librdkafka_checksum "$LIBRDKAFKA_TARBALL"
         | 
| 260 | 
            -
             | 
| 261 | 
            -
            # Find patches
         | 
| 262 | 
            -
            PATCHES_FOUND=()
         | 
| 263 | 
            -
            find_patches "$PATCHES_DIR" PATCHES_FOUND
         | 
| 264 | 
            -
             | 
| 265 | 
            -
            # Detect architecture early since we need it for dependency building
         | 
| 266 | 
            -
            ARCH=$(uname -m)
         | 
| 267 | 
            -
            log "Detected architecture: $ARCH"
         | 
| 268 | 
            -
             | 
| 269 | 
            -
            security_log "Starting secure build with checksum verification enabled"
         | 
| 270 | 
            -
            log "Building self-contained librdkafka for macOS with Kerberos support"
         | 
| 271 | 
            -
            log "Dependencies to build:"
         | 
| 272 | 
            -
            log "  - OpenSSL: $OPENSSL_VERSION"
         | 
| 273 | 
            -
            log "  - Cyrus SASL: $CYRUS_SASL_VERSION (with Kerberos support)"
         | 
| 274 | 
            -
            log "  - MIT Kerberos: $KRB5_VERSION"
         | 
| 275 | 
            -
            log "  - zlib: $ZLIB_VERSION"
         | 
| 276 | 
            -
            log "  - ZStd: $ZSTD_VERSION"
         | 
| 277 | 
            -
            log "librdkafka source: $LIBRDKAFKA_TARBALL"
         | 
| 278 | 
            -
            log "Build directory: $BUILD_DIR"
         | 
| 279 | 
            -
             | 
| 280 | 
            -
            # Create build directory
         | 
| 281 | 
            -
            mkdir -p "$BUILD_DIR"
         | 
| 282 | 
            -
            cd "$BUILD_DIR"
         | 
| 283 | 
            -
             | 
| 284 | 
            -
            # Build static OpenSSL first (other deps might need it)
         | 
| 285 | 
            -
            log "Building static OpenSSL $OPENSSL_VERSION..."
         | 
| 286 | 
            -
            OPENSSL_PREFIX="$DEPS_PREFIX/static-openssl-$OPENSSL_VERSION"
         | 
| 287 | 
            -
            OPENSSL_TARBALL="openssl-$OPENSSL_VERSION.tar.gz"
         | 
| 288 | 
            -
            OPENSSL_DIR="openssl-$OPENSSL_VERSION"
         | 
| 289 | 
            -
             | 
| 290 | 
            -
            secure_download "$(get_openssl_url)" "$OPENSSL_TARBALL"
         | 
| 291 | 
            -
            extract_if_needed "$OPENSSL_TARBALL" "$OPENSSL_DIR"
         | 
| 292 | 
            -
            build_openssl_macos "$ARCH" "$OPENSSL_PREFIX" "$OPENSSL_DIR"
         | 
| 293 | 
            -
             | 
| 294 | 
            -
            cd "$BUILD_DIR"
         | 
| 295 | 
            -
             | 
| 296 | 
            -
            # Build static MIT Kerberos (before SASL since SASL needs it)
         | 
| 297 | 
            -
            log "Building static MIT Kerberos $KRB5_VERSION..."
         | 
| 298 | 
            -
            KRB5_PREFIX="$DEPS_PREFIX/static-krb5-$KRB5_VERSION"
         | 
| 299 | 
            -
            KRB5_TARBALL="krb5-$KRB5_VERSION.tar.gz"
         | 
| 300 | 
            -
            KRB5_DIR="krb5-$KRB5_VERSION"
         | 
| 301 | 
            -
             | 
| 302 | 
            -
            secure_download "$(get_krb5_url)" "$KRB5_TARBALL"
         | 
| 303 | 
            -
            extract_if_needed "$KRB5_TARBALL" "$KRB5_DIR"
         | 
| 304 | 
            -
            build_krb5_macos "$ARCH" "$KRB5_PREFIX" "$KRB5_DIR"
         | 
| 305 | 
            -
             | 
| 306 | 
            -
            cd "$BUILD_DIR"
         | 
| 307 | 
            -
             | 
| 308 | 
            -
            # Build static Cyrus SASL (after OpenSSL and Kerberos since it needs both)
         | 
| 309 | 
            -
            log "Building static Cyrus SASL $CYRUS_SASL_VERSION with Kerberos support..."
         | 
| 310 | 
            -
            SASL_PREFIX="$DEPS_PREFIX/static-sasl-$CYRUS_SASL_VERSION"
         | 
| 311 | 
            -
            SASL_TARBALL="cyrus-sasl-$CYRUS_SASL_VERSION.tar.gz"
         | 
| 312 | 
            -
            SASL_DIR="cyrus-sasl-$CYRUS_SASL_VERSION"
         | 
| 313 | 
            -
             | 
| 314 | 
            -
            secure_download "$(get_sasl_url)" "$SASL_TARBALL"
         | 
| 315 | 
            -
            extract_if_needed "$SASL_TARBALL" "$SASL_DIR"
         | 
| 316 | 
            -
            build_sasl_macos "$ARCH" "$SASL_PREFIX" "$SASL_DIR" "$OPENSSL_PREFIX" "$KRB5_PREFIX"
         | 
| 317 | 
            -
             | 
| 318 | 
            -
            cd "$BUILD_DIR"
         | 
| 319 | 
            -
             | 
| 320 | 
            -
            # Build static ZStd
         | 
| 321 | 
            -
            log "Building static ZStd $ZSTD_VERSION..."
         | 
| 322 | 
            -
            ZSTD_PREFIX="$DEPS_PREFIX/static-zstd-$ZSTD_VERSION"
         | 
| 323 | 
            -
            ZSTD_TARBALL="zstd-$ZSTD_VERSION.tar.gz"
         | 
| 324 | 
            -
            ZSTD_DIR="zstd-$ZSTD_VERSION"
         | 
| 325 | 
            -
             | 
| 326 | 
            -
            secure_download "$(get_zstd_url)" "$ZSTD_TARBALL"
         | 
| 327 | 
            -
            extract_if_needed "$ZSTD_TARBALL" "$ZSTD_DIR"
         | 
| 328 | 
            -
            cd "$ZSTD_DIR"
         | 
| 329 | 
            -
             | 
| 330 | 
            -
            if [ ! -f "$ZSTD_PREFIX/lib/libzstd.a" ]; then
         | 
| 331 | 
            -
                log "Configuring and building static ZStd..."
         | 
| 332 | 
            -
                make clean 2>/dev/null || true
         | 
| 333 | 
            -
             | 
| 334 | 
            -
                setup_macos_compiler "$ARCH"
         | 
| 335 | 
            -
             | 
| 336 | 
            -
                # Build static library using ZStd's Makefile
         | 
| 337 | 
            -
                make lib-mt CFLAGS="$CFLAGS" PREFIX="$ZSTD_PREFIX" -j$(get_cpu_count)
         | 
| 338 | 
            -
                make install PREFIX="$ZSTD_PREFIX"
         | 
| 339 | 
            -
             | 
| 340 | 
            -
                # Verify the build
         | 
| 341 | 
            -
                if [ ! -f "$ZSTD_PREFIX/lib/libzstd.a" ]; then
         | 
| 342 | 
            -
                    error "Failed to build static ZStd"
         | 
| 343 | 
            -
                fi
         | 
| 344 | 
            -
             | 
| 345 | 
            -
                log "✅ Static ZStd built successfully at $ZSTD_PREFIX"
         | 
| 346 | 
            -
            else
         | 
| 347 | 
            -
                log "Static ZStd already built, skipping..."
         | 
| 348 | 
            -
            fi
         | 
| 349 | 
            -
             | 
| 350 | 
            -
            cd "$BUILD_DIR"
         | 
| 351 | 
            -
             | 
| 352 | 
            -
            # Build static zlib
         | 
| 353 | 
            -
            log "Building static zlib $ZLIB_VERSION..."
         | 
| 354 | 
            -
            ZLIB_PREFIX="$DEPS_PREFIX/static-zlib-$ZLIB_VERSION"
         | 
| 355 | 
            -
            ZLIB_TARBALL="zlib-$ZLIB_VERSION.tar.gz"
         | 
| 356 | 
            -
            ZLIB_DIR="zlib-$ZLIB_VERSION"
         | 
| 357 | 
            -
             | 
| 358 | 
            -
            secure_download "$(get_zlib_url)" "$ZLIB_TARBALL"
         | 
| 359 | 
            -
            extract_if_needed "$ZLIB_TARBALL" "$ZLIB_DIR"
         | 
| 360 | 
            -
            build_static_lib_macos "z" "$ARCH" "$ZLIB_PREFIX" "$ZLIB_DIR" "--static"
         | 
| 361 | 
            -
             | 
| 362 | 
            -
            cd "$BUILD_DIR"
         | 
| 363 | 
            -
             | 
| 364 | 
            -
            # Completely disable pkg-config to prevent Homebrew library detection
         | 
| 365 | 
            -
            log "Disabling pkg-config to prevent Homebrew interference..."
         | 
| 366 | 
            -
            export PKG_CONFIG=""
         | 
| 367 | 
            -
            export PKG_CONFIG_PATH=""
         | 
| 368 | 
            -
            export PKG_CONFIG_LIBDIR=""
         | 
| 369 | 
            -
             | 
| 370 | 
            -
            # Create a dummy pkg-config that always fails
         | 
| 371 | 
            -
            mkdir -p "$BUILD_DIR/no-pkg-config"
         | 
| 372 | 
            -
            cat > "$BUILD_DIR/no-pkg-config/pkg-config" << 'EOF'
         | 
| 373 | 
            -
            #!/bin/sh
         | 
| 374 | 
            -
            # Dummy pkg-config that always fails to prevent Homebrew detection
         | 
| 375 | 
            -
            exit 1
         | 
| 376 | 
            -
            EOF
         | 
| 377 | 
            -
            chmod +x "$BUILD_DIR/no-pkg-config/pkg-config"
         | 
| 378 | 
            -
             | 
| 379 | 
            -
            # Put our dummy pkg-config first in PATH
         | 
| 380 | 
            -
            export PATH="$BUILD_DIR/no-pkg-config:$PATH"
         | 
| 381 | 
            -
             | 
| 382 | 
            -
            log "pkg-config disabled - configure will use manual library detection only"
         | 
| 383 | 
            -
             | 
| 384 | 
            -
            # Extract librdkafka
         | 
| 385 | 
            -
            log "Extracting librdkafka..."
         | 
| 386 | 
            -
            tar xzf "$LIBRDKAFKA_TARBALL"
         | 
| 387 | 
            -
            cd "librdkafka-$LIBRDKAFKA_VERSION"
         | 
| 388 | 
            -
             | 
| 389 | 
            -
            # Fix permissions and apply patches
         | 
| 390 | 
            -
            fix_configure_permissions
         | 
| 391 | 
            -
            apply_patches PATCHES_FOUND
         | 
| 392 | 
            -
             | 
| 393 | 
            -
            # Set compiler flags for librdkafka
         | 
| 394 | 
            -
            setup_macos_compiler "$ARCH"
         | 
| 395 | 
            -
             | 
| 396 | 
            -
            # Configure librdkafka with static dependencies INCLUDING Kerberos
         | 
| 397 | 
            -
            log "Configuring librdkafka with static dependencies including Kerberos..."
         | 
| 398 | 
            -
             | 
| 399 | 
            -
            # Tell configure that math functions don't need -lm on macOS
         | 
| 400 | 
            -
            export ac_cv_lib_m_floor=yes
         | 
| 401 | 
            -
            export ac_cv_lib_m_ceil=yes
         | 
| 402 | 
            -
            export ac_cv_lib_m_sqrt=yes
         | 
| 403 | 
            -
            export ac_cv_lib_m_pow=yes
         | 
| 404 | 
            -
            export LIBS=""  # Clear any LIBS that might include -lm
         | 
| 405 | 
            -
             | 
| 406 | 
            -
            # Use our static libraries instead of system versions (now including Kerberos)
         | 
| 407 | 
            -
            export CPPFLAGS="$CPPFLAGS -I$OPENSSL_PREFIX/include -I$SASL_PREFIX/include -I$KRB5_PREFIX/include -I$ZLIB_PREFIX/include -I$ZSTD_PREFIX/include"
         | 
| 408 | 
            -
            export LDFLAGS="-L$OPENSSL_PREFIX/lib -L$SASL_PREFIX/lib -L$KRB5_PREFIX/lib -L$ZLIB_PREFIX/lib -L$ZSTD_PREFIX/lib"
         | 
| 409 | 
            -
             | 
| 410 | 
            -
            if [ -f configure ]; then
         | 
| 411 | 
            -
                log "Using mklove configure script"
         | 
| 412 | 
            -
                ./configure \
         | 
| 413 | 
            -
                    --enable-static \
         | 
| 414 | 
            -
                    --disable-shared \
         | 
| 415 | 
            -
                    --disable-curl \
         | 
| 416 | 
            -
                    --enable-gssapi
         | 
| 417 | 
            -
            else
         | 
| 418 | 
            -
                error "No configure script found"
         | 
| 419 | 
            -
            fi
         | 
| 420 | 
            -
             | 
| 421 | 
            -
            # Fix system library path for linking
         | 
| 422 | 
            -
            MACOS_SDK_PATH=$(xcrun --show-sdk-path)
         | 
| 423 | 
            -
            export LDFLAGS="$LDFLAGS -L$MACOS_SDK_PATH/usr/lib"
         | 
| 424 | 
            -
             | 
| 425 | 
            -
            # Build librdkafka
         | 
| 426 | 
            -
            log "Compiling librdkafka..."
         | 
| 427 | 
            -
            make clean || true
         | 
| 428 | 
            -
             | 
| 429 | 
            -
            # Build with LIBS override, but ignore dylib build failures
         | 
| 430 | 
            -
            make -j$(get_cpu_count) LIBS="" || {
         | 
| 431 | 
            -
                log "Build failed (expected - dylib linking issue), checking if static library was created..."
         | 
| 432 | 
            -
            }
         | 
| 433 | 
            -
             | 
| 434 | 
            -
            # Verify static library exists (this is what we actually need)
         | 
| 435 | 
            -
            if [ ! -f src/librdkafka.a ]; then
         | 
| 436 | 
            -
                error "librdkafka.a not found after build"
         | 
| 437 | 
            -
            fi
         | 
| 438 | 
            -
             | 
| 439 | 
            -
            log "✅ Static librdkafka.a built successfully"
         | 
| 440 | 
            -
             | 
| 441 | 
            -
            # Remove the dylib check since we're building our own
         | 
| 442 | 
            -
            # Don't check for src/librdkafka.1.dylib
         | 
| 443 | 
            -
             | 
| 444 | 
            -
            log "librdkafka built successfully - proceeding to create custom self-contained dylib"
         | 
| 445 | 
            -
             | 
| 446 | 
            -
            # Create self-contained dylib with Kerberos libraries included
         | 
| 447 | 
            -
            log "Creating self-contained librdkafka.dylib with Kerberos support..."
         | 
| 448 | 
            -
             | 
| 449 | 
            -
            # Create self-contained shared library by linking all static dependencies (NOW INCLUDING KERBEROS)
         | 
| 450 | 
            -
            # This is the macOS equivalent of your Linux gcc -shared command
         | 
| 451 | 
            -
             | 
| 452 | 
            -
            # Write symbol export file (macOS equivalent of export.map)
         | 
| 453 | 
            -
            cat > export_symbols.txt <<'EOF'
         | 
| 454 | 
            -
            _rd_kafka_*
         | 
| 455 | 
            -
            EOF
         | 
| 456 | 
            -
             | 
| 457 | 
            -
            clang -dynamiclib -fPIC \
         | 
| 458 | 
            -
                -Wl,-force_load,src/librdkafka.a \
         | 
| 459 | 
            -
                -Wl,-force_load,"$SASL_PREFIX/lib/libsasl2.a" \
         | 
| 460 | 
            -
                -Wl,-force_load,"$KRB5_PREFIX/lib/libgssapi_krb5.a" \
         | 
| 461 | 
            -
                -Wl,-force_load,"$KRB5_PREFIX/lib/libkrb5.a" \
         | 
| 462 | 
            -
                -Wl,-force_load,"$KRB5_PREFIX/lib/libk5crypto.a" \
         | 
| 463 | 
            -
                -Wl,-force_load,"$KRB5_PREFIX/lib/libcom_err.a" \
         | 
| 464 | 
            -
                -Wl,-force_load,"$KRB5_PREFIX/lib/libkrb5support.a" \
         | 
| 465 | 
            -
                -Wl,-force_load,"$OPENSSL_PREFIX/lib/libssl.a" \
         | 
| 466 | 
            -
                -Wl,-force_load,"$OPENSSL_PREFIX/lib/libcrypto.a" \
         | 
| 467 | 
            -
                -Wl,-force_load,"$ZLIB_PREFIX/lib/libz.a" \
         | 
| 468 | 
            -
                -Wl,-force_load,"$ZSTD_PREFIX/lib/libzstd.a" \
         | 
| 469 | 
            -
                -o librdkafka.dylib \
         | 
| 470 | 
            -
                -lpthread -lc -arch $ARCH -lresolv \
         | 
| 471 | 
            -
                -framework GSS -framework Kerberos \
         | 
| 472 | 
            -
                -install_name @rpath/librdkafka.dylib \
         | 
| 473 | 
            -
                -Wl,-undefined,dynamic_lookup
         | 
| 474 | 
            -
             | 
| 475 | 
            -
            if [ ! -f librdkafka.dylib ]; then
         | 
| 476 | 
            -
                error "Failed to create self-contained librdkafka.dylib"
         | 
| 477 | 
            -
            fi
         | 
| 478 | 
            -
             | 
| 479 | 
            -
            log "✅ Self-contained librdkafka.dylib with Kerberos support created successfully"
         | 
| 480 | 
            -
             | 
| 481 | 
            -
            # Verify the self-contained build
         | 
| 482 | 
            -
            log "Verifying self-contained build..."
         | 
| 483 | 
            -
            file librdkafka.dylib
         | 
| 484 | 
            -
             | 
| 485 | 
            -
            log "Checking dependencies with otool (should only show system libraries):"
         | 
| 486 | 
            -
            otool -L librdkafka.dylib
         | 
| 487 | 
            -
             | 
| 488 | 
            -
            # Check for external dependencies that shouldn't be there (strict like Linux version)
         | 
| 489 | 
            -
            log "Checking for external dependencies (should only show system libraries):"
         | 
| 490 | 
            -
            EXTERNAL_DEPS=$(otool -L librdkafka.dylib | grep -v "librdkafka.dylib" | grep -v "/usr/lib/" | grep -v "/System/Library/" | grep -v "@rpath" || true)
         | 
| 491 | 
            -
            if [ -n "$EXTERNAL_DEPS" ]; then
         | 
| 492 | 
            -
                error "Found external dependencies - library is not self-contained: $EXTERNAL_DEPS"
         | 
| 493 | 
            -
            else
         | 
| 494 | 
            -
                log "✅ No external dependencies found - library is self-contained!"
         | 
| 495 | 
            -
            fi
         | 
| 496 | 
            -
             | 
| 497 | 
            -
            log "Checking exported symbols:"
         | 
| 498 | 
            -
            # Avoid SIGPIPE by not using head in a pipe
         | 
| 499 | 
            -
            nm -gU librdkafka.dylib > /tmp/symbols.txt 2>/dev/null || true
         | 
| 500 | 
            -
            if [ -f /tmp/symbols.txt ]; then
         | 
| 501 | 
            -
                head -10 /tmp/symbols.txt
         | 
| 502 | 
            -
                rm -f /tmp/symbols.txt
         | 
| 503 | 
            -
            else
         | 
| 504 | 
            -
                log "Could not extract symbols (this is normal)"
         | 
| 505 | 
            -
            fi
         | 
| 506 | 
            -
             | 
| 507 | 
            -
            # Force output flush and add small delay
         | 
| 508 | 
            -
            sync
         | 
| 509 | 
            -
            sleep 1
         | 
| 510 | 
            -
             | 
| 511 | 
            -
            # Copy to output directory
         | 
| 512 | 
            -
            OUTPUT_DIR="$SCRIPT_DIR"
         | 
| 513 | 
            -
            cp librdkafka.dylib "$OUTPUT_DIR/"
         | 
| 514 | 
            -
            cp src/librdkafka.a "$OUTPUT_DIR/"
         | 
| 515 | 
            -
             | 
| 516 | 
            -
            log "Build artifacts copied to: $OUTPUT_DIR/"
         | 
| 517 | 
            -
            log "  - librdkafka.dylib (shared library)"
         | 
| 518 | 
            -
            log "  - librdkafka.a (static library)"
         | 
| 519 | 
            -
             | 
| 520 | 
            -
            # Force another flush
         | 
| 521 | 
            -
            sync
         | 
| 522 | 
            -
            sleep 1
         | 
| 523 | 
            -
             | 
| 524 | 
            -
            # Print summaries
         | 
| 525 | 
            -
            print_security_summary
         | 
| 526 | 
            -
             | 
| 527 | 
            -
            # Enhanced summary for macOS with Kerberos
         | 
| 528 | 
            -
            sync
         | 
| 529 | 
            -
            echo ""
         | 
| 530 | 
            -
            echo "🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉"
         | 
| 531 | 
            -
            log "Build completed successfully!"
         | 
| 532 | 
            -
            log "📦 Self-contained librdkafka built for macOS $ARCH with Kerberos support:"
         | 
| 533 | 
            -
            log "   ✅ Static library: librdkafka.a"
         | 
| 534 | 
            -
            log "   ✅ Self-contained dylib: librdkafka.dylib (with bundled dependencies)"
         | 
| 535 | 
            -
            log "   ✅ Static OpenSSL: $OPENSSL_VERSION (SSL/TLS support) - bundled"
         | 
| 536 | 
            -
            log "   ✅ Static Cyrus SASL: $CYRUS_SASL_VERSION (authentication for AWS MSK) - bundled"
         | 
| 537 | 
            -
            log "   ✅ Static MIT Kerberos: $KRB5_VERSION (GSSAPI/Kerberos authentication) - bundled"
         | 
| 538 | 
            -
            log "   ✅ Static zlib: $ZLIB_VERSION (compression) - bundled"
         | 
| 539 | 
            -
            log "   ✅ Static ZStd: $ZSTD_VERSION (high-performance compression) - bundled"
         | 
| 540 | 
            -
            log ""
         | 
| 541 | 
            -
            log "🎯 Ready for deployment on macOS systems"
         | 
| 542 | 
            -
            log "☁️  Compatible with AWS MSK and other secured Kafka clusters"
         | 
| 543 | 
            -
            log "🔐 Supply chain security: All dependencies cryptographically verified"
         | 
| 544 | 
            -
            log "📦 Self-contained: Ready for Ruby FFI distribution"
         | 
| 545 | 
            -
            log "🔑 Kerberos/GSSAPI support: Full feature parity with Linux build"
         | 
| 546 | 
            -
            log ""
         | 
| 547 | 
            -
            log "Location: $OUTPUT_DIR/librdkafka.dylib"
         | 
| 548 | 
            -
            echo "🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉🎉"
         | 
| 549 | 
            -
             | 
| 550 | 
            -
            # Force final flush
         | 
| 551 | 
            -
            sync
         | 
| 552 | 
            -
             | 
| 553 | 
            -
            # Cleanup
         | 
| 554 | 
            -
            cleanup_build_dir "$BUILD_DIR"
         | 
| 555 | 
            -
             | 
| 556 | 
            -
            # Reset environment variables
         | 
| 557 | 
            -
            unset CFLAGS CXXFLAGS CPPFLAGS LDFLAGS
         | 
    
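--- a/data/ext/generate-ssl-certs.sh
+++ b/data/ext/generate-ssl-certs.sh
@@ -1,109 +0,0 @@
-#!/bin/bash
-
-#==============================================================================
-# Kafka SSL Certificate Generator
-#==============================================================================
-#
-# DESCRIPTION:
-#   Generates SSL certificates for testing Kafka with SSL/TLS encryption.
-#   Creates both Java KeyStore (JKS) files for Kafka server and PEM files
-#   for client applications like rdkafka.
-#
-# PURPOSE:
-#   - Test SSL connectivity between Kafka clients and brokers
-#   - Validate rdkafka SSL integration
-#   - Enable encrypted communication for development/testing environments
-#
-# USAGE:
-#   ./ext/generate-ssl-certs.sh
-#   docker compose -f docker-compose-ssl.yml up
-#
-# REQUIREMENTS:
-#   - OpenSSL (for certificate generation)
-#   - Java keytool (usually included with JDK/JRE)
-#   - Write permissions in current directory
-#
-# OUTPUT FILES (created in ./ssl/ directory):
-#   ├── kafka.server.keystore.jks    # Kafka server's private key and certificate
-#   ├── kafka.server.truststore.jks  # Trusted CA certificates for Kafka
-#   ├── kafka_keystore_creds         # Password file for keystore
-#   ├── kafka_truststore_creds       # Password file for truststore
-#   ├── kafka_ssl_key_creds          # Password file for SSL keys
-#   ├── ca-cert                      # CA certificate (for rdkafka clients)
-#   └── ca-cert.pem                  # CA certificate in PEM format
-#
-# CONFIGURATION:
-#   - Certificate validity: 365 days
-#   - Password: "confluent" (all certificates use same password for simplicity)
-#   - Subject: CN=localhost (suitable for local testing)
-#   - CA Subject: CN=localhost-ca
-#
-# DOCKER COMPOSE INTEGRATION:
-#   Use with docker-compose-ssl.yml that mounts ./ssl directory to
-#   /etc/kafka/secrets inside the Kafka container.
-#
-# RDKAFKA CLIENT CONFIGURATION:
-#   security.protocol=SSL
-#   ssl.ca.location=./ssl/ca-cert
-#   ssl.endpoint.identification.algorithm=none  # For localhost testing
-#
-# NOTES:
-#   - Safe to run multiple times (cleans up existing files)
-#   - Certificates are self-signed and suitable for testing only
-#   - For production, use certificates signed by a trusted CA
-#   - All passwords are set to "confluent" for simplicity
-#
-#==============================================================================
-
-# Create ssl directory and clean up any existing files
-mkdir -p ssl
-cd ssl
-
-# Clean up existing files
-rm -f kafka.server.keystore.jks kafka.server.truststore.jks
-rm -f kafka_keystore_creds kafka_truststore_creds kafka_ssl_key_creds
-rm -f ca-key ca-cert cert-file cert-signed ca-cert.srl ca-cert.pem
-
-echo "Cleaned up existing SSL files..."
-
-# Set variables
-VALIDITY_DAYS=365
-PASSWORD="confluent"  # Use a simpler, well-known password
-DNAME="CN=localhost,OU=Test,O=Test,L=Test,ST=Test,C=US"
-
-# Create password files (all same password for simplicity)
-echo "$PASSWORD" > kafka_keystore_creds
-echo "$PASSWORD" > kafka_truststore_creds
-echo "$PASSWORD" > kafka_ssl_key_creds
-
-# Step 1: Generate CA key and certificate
-openssl req -new -x509 -keyout ca-key -out ca-cert -days $VALIDITY_DAYS -subj "/CN=localhost-ca/OU=Test/O=Test/L=Test/S=Test/C=US" -passin pass:$PASSWORD -passout pass:$PASSWORD
-
-# Step 2: Create truststore and import the CA certificate
-keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -keypass $PASSWORD -noprompt
-
-# Step 3: Create keystore
-keytool -keystore kafka.server.keystore.jks -alias localhost -validity $VALIDITY_DAYS -genkey -keyalg RSA -dname "$DNAME" -storepass $PASSWORD -keypass $PASSWORD
-
-# Step 4: Create certificate signing request
-keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file -storepass $PASSWORD -keypass $PASSWORD
-
-# Step 5: Sign the certificate with the CA
-openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days $VALIDITY_DAYS -CAcreateserial -passin pass:$PASSWORD
-
-# Step 6: Import CA certificate into keystore
-keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass $PASSWORD -keypass $PASSWORD -noprompt
-
-# Step 7: Import signed certificate into keystore
-keytool -keystore kafka.server.keystore.jks -alias localhost -import -file cert-signed -storepass $PASSWORD -keypass $PASSWORD -noprompt
-
-# Export CA certificate to PEM format for rdkafka
-cp ca-cert ca-cert.pem
-
-# Clean up intermediate files (but keep ca-cert.pem for rdkafka)
-rm ca-key cert-file cert-signed
-
-echo "SSL certificates generated successfully!"
-echo "Password: $PASSWORD"
-echo ""
-echo "For rdkafka, use ca-cert.pem or ca-cert files"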