logstash-integration-kafka 11.0.0-java → 11.2.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0060f7684d8dd0787c1e106fdcc1b1b9673ec42cf2ffc01141dc5a2d9351967
-  data.tar.gz: a0d878319e3ffde777330f9a15c64c23e898f16f8cde797622a804e9f4cbf89c
+  metadata.gz: 5f4d4eeff4c13ac6151467cb7998742151a2829a18b05d6a74377edd7acab7fc
+  data.tar.gz: 22fc71adaf29c11b9f0090436dc2e330a1a21eefc8fceb3aa4b4063f2adad626
 SHA512:
-  metadata.gz: 721c864dff1a72f31cea49f7e3c674bdd827347b7b7a60c8ab1c2f5e88839205e3e94836cc4b664a55fd16107e0412b6885d15949c2ac1fd20798e82124fa502
-  data.tar.gz: 49823c88d015acbdaf7b91d0fe64a9975ff22c9c8691c79c9270bed33aa174d3ea4f770c841e074c64ed82a1b092814817a63447d62fa17c84f9e3666bf89203
+  metadata.gz: 4ae9306a90795f0d877e896ee79e2c7ecd46b1c7033bca2d3182a5b0b4dbc66b50502d23c39a70451b5a7b83013763232e8e7a8a5dba8958d237831e2808ce6a
+  data.tar.gz: 5e4e48213df61f86cabf5e3535fc4f2c424714b904e12b0076812c832793b243ebbf54376edd90f9490e67f0a8268f290296be9570fa71704b626acd51ee92de

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 11.2.0
+ - Added TLS truststore and keystore settings specifically to access the schema registry [#137](https://github.com/logstash-plugins/logstash-integration-kafka/pull/137)
+
+## 11.1.0
+ - Added config `group_instance_id` to use the Kafka's consumer static membership feature [#135](https://github.com/logstash-plugins/logstash-integration-kafka/pull/135)
+
 ## 11.0.0
   - Changed Kafka client to 3.3.1, requires Logstash >= 8.3.0. 
   - Deprecated `default` value for setting `client_dns_lookup` forcing to `use_all_dns_ips` when explicitly used [#130](https://github.com/logstash-plugins/logstash-integration-kafka/pull/130)

data/docs/input-kafka.asciidoc

@@ -113,6 +113,7 @@ See the https://kafka.apache.org/{kafka_client_doc}/documentation for more detai
 | <<plugins-{type}s-{plugin}-fetch_max_wait_ms>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-fetch_min_bytes>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-group_id>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-group_instance_id>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-heartbeat_interval_ms>> |<<number,number>>|No
 | <<plugins-{type}s-{plugin}-isolation_level>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-jaas_path>> |a valid filesystem path|No
@@ -134,6 +135,12 @@ See the https://kafka.apache.org/{kafka_client_doc}/documentation for more detai
 | <<plugins-{type}s-{plugin}-schema_registry_key>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-schema_registry_proxy>> |<<uri,uri>>|No
 | <<plugins-{type}s-{plugin}-schema_registry_secret>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_keystore_location>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_keystore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_keystore_type>> |<<string,string>>, one of `["jks", "PKCS12"]`|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_truststore_location>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_truststore_password>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-schema_registry_ssl_truststore_type>> |<<string,string>>, one of `["jks", "PKCS12"]`|No
 | <<plugins-{type}s-{plugin}-schema_registry_url>> |<<uri,uri>>|No
 | <<plugins-{type}s-{plugin}-schema_registry_validation>> |<<string,string>>|No
 | <<plugins-{type}s-{plugin}-security_protocol>> |<<string,string>>, one of `["PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL"]`|No
@@ -344,6 +351,28 @@ NOTE: In cases when multiple inputs are being used in a single pipeline, reading
 it's essential to set a different `group_id => ...` for each input. Setting a unique `client_id => ...`
 is also recommended.
 
+[id="plugins-{type}s-{plugin}-group_instance_id"]
+===== `group_instance_id`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The static membership identifier for this Logstash Kafka consumer. Static membership feature was introduced in
+https://cwiki.apache.org/confluence/display/KAFKA/KIP-345%3A+Introduce+static+membership+protocol+to+reduce+consumer+rebalances[KIP-345],
+available under Kafka property `group.instance.id`.
+Its purpose is to avoid rebalances in situations in which a lot of data
+has to be forwarded after a consumer goes offline.
+This feature mitigates cases where the service state is heavy and the rebalance of one topic partition from instance
+A to B would cause a huge amount of data to be transferred.
+A client that goes offline/online frequently can avoid frequent and heavy rebalances by using this option.
+
+NOTE: The `group_instance_id` setting must be unique across all the clients belonging to the same <<plugins-{type}s-{plugin}-group_id>>.
+Otherwise, another client connecting with same `group.instance.id` value would cause the oldest instance to be disconnected.
+You can set this value to use information such as a hostname, an IP, or anything that uniquely identifies the client application.
+
+NOTE: In cases when multiple threads are configured and `consumer_threads` is greater than one, a suffix is appended to
+the `group_instance_id` to avoid collisions.
+
 [id="plugins-{type}s-{plugin}-heartbeat_interval_ms"]
 ===== `heartbeat_interval_ms` 
 
@@ -575,6 +604,54 @@ Set the address of a forward HTTP proxy. An empty string is treated as if proxy
 
 Set the password for basic authorization to access remote Schema Registry.
 
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_keystore_location"]
+===== `schema_registry_ssl_keystore_location`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+If schema registry client authentication is required, this setting stores the keystore path.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_keystore_password"]
+===== `schema_registry_ssl_keystore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+If schema registry authentication is required, this setting stores the keystore password.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_keystore_type"]
+===== `schema_registry_ssl_keystore_type`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The format of the keystore file. It must be either `jks` or `PKCS12`.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_truststore_location"]
+===== `schema_registry_ssl_truststore_location`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+The truststore path to validate the schema registry's certificate.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_truststore_password"]
+===== `schema_registry_ssl_truststore_password`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+The schema registry truststore password.
+
+[id="plugins-{type}s-{plugin}-schema_registry_ssl_truststore_type"]
+===== `schema_registry_ssl_truststore_type`
+
+* Value type is <<string,string>>
+* There is no default value for this setting.
+
+The format of the schema registry's truststore file. It must be either `jks` or `PKCS12`.
+
 [id="plugins-{type}s-{plugin}-schema_registry_url"]
 ===== `schema_registry_url`
 

data/lib/logstash/inputs/kafka.rb

@@ -124,6 +124,11 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
   # that happens to be made up of multiple processors. Messages in a topic will be distributed to all
   # Logstash instances with the same `group_id`
   config :group_id, :validate => :string, :default => "logstash"
+  # Set a static group instance id used in static membership feature to avoid rebalancing when a
+  # consumer goes offline. If set and `consumer_threads` is greater than 1 then for each
+  # consumer crated by each thread an artificial suffix is appended to the user provided `group_instance_id`
+  # to avoid clashing.
+  config :group_instance_id, :validate => :string
   # The expected time between heartbeats to the consumer coordinator. Heartbeats are used to ensure 
   # that the consumer's session stays active and to facilitate rebalancing when new
   # consumers join or leave the group. The value must be set lower than
@@ -136,7 +141,7 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
   # been aborted. Non-transactional messages will be returned unconditionally in either mode.
   config :isolation_level, :validate => ["read_uncommitted", "read_committed"], :default => "read_uncommitted" # Kafka default
   # Java Class used to deserialize the record's key
-  config :key_deserializer_class, :validate => :string, :default => "org.apache.kafka.common.serialization.StringDeserializer"
+  config :key_deserializer_class, :validate => :string, :default => DEFAULT_DESERIALIZER_CLASS
   # The maximum delay between invocations of poll() when using consumer group management. This places 
   # an upper bound on the amount of time that the consumer can be idle before fetching more records. 
   # If poll() is not called before expiration of this timeout, then the consumer is considered failed and 
@@ -287,7 +292,10 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
 
   public
   def run(logstash_queue)
-    @runner_consumers = consumer_threads.times.map { |i| subscribe(create_consumer("#{client_id}-#{i}")) }
+    @runner_consumers = consumer_threads.times.map do |i|
+      thread_group_instance_id = consumer_threads > 1 && group_instance_id ? "#{group_instance_id}-#{i}" : group_instance_id
+      subscribe(create_consumer("#{client_id}-#{i}", thread_group_instance_id))
+    end
     @runner_threads = @runner_consumers.map.with_index { |consumer, i| thread_runner(logstash_queue, consumer,
                                                                                      "kafka-input-worker-#{client_id}-#{i}") }
     @runner_threads.each(&:start)
@@ -335,6 +343,9 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
     rescue org.apache.kafka.common.errors.WakeupException => e
       logger.debug("Wake up from poll", :kafka_error_message => e)
       raise e unless stop?
+    rescue org.apache.kafka.common.errors.FencedInstanceIdException => e
+      logger.error("Another consumer with same group.instance.id has connected", :original_error_message => e.message)
+      raise e unless stop?
     rescue => e
       logger.error("Unable to poll Kafka consumer",
                    :kafka_error_message => e,
@@ -389,7 +400,7 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
   end
 
   private
-  def create_consumer(client_id)
+  def create_consumer(client_id, group_instance_id)
     begin
       props = java.util.Properties.new
       kafka = org.apache.kafka.clients.consumer.ConsumerConfig
@@ -407,6 +418,7 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
       props.put(kafka::FETCH_MAX_WAIT_MS_CONFIG, fetch_max_wait_ms.to_s) unless fetch_max_wait_ms.nil?
       props.put(kafka::FETCH_MIN_BYTES_CONFIG, fetch_min_bytes.to_s) unless fetch_min_bytes.nil?
       props.put(kafka::GROUP_ID_CONFIG, group_id)
+      props.put(kafka::GROUP_INSTANCE_ID_CONFIG, group_instance_id) unless group_instance_id.nil?
       props.put(kafka::HEARTBEAT_INTERVAL_MS_CONFIG, heartbeat_interval_ms.to_s) unless heartbeat_interval_ms.nil?
       props.put(kafka::ISOLATION_LEVEL_CONFIG, isolation_level)
       props.put(kafka::KEY_DESERIALIZER_CLASS_CONFIG, key_deserializer_class)
@@ -448,6 +460,17 @@ class LogStash::Inputs::Kafka < LogStash::Inputs::Base
         set_trustore_keystore_config(props)
         set_sasl_config(props)
       end
+      if schema_registry_ssl_truststore_location
+        props.put('schema.registry.ssl.truststore.location', schema_registry_ssl_truststore_location)
+        props.put('schema.registry.ssl.truststore.password', schema_registry_ssl_truststore_password.value)
+        props.put('schema.registry.ssl.truststore.type', schema_registry_ssl_truststore_type)
+      end
+
+      if schema_registry_ssl_keystore_location
+        props.put('schema.registry.ssl.keystore.location', schema_registry_ssl_keystore_location)
+        props.put('schema.registry.ssl.keystore.password', schema_registry_ssl_keystore_password.value)
+        props.put('schema.registry.ssl.keystore.type', schema_registry_ssl_keystore_type)
+      end
 
       org.apache.kafka.clients.consumer.KafkaConsumer.new(props)
     rescue => e

data/lib/logstash/plugin_mixins/kafka/avro_schema_registry.rb

@@ -24,6 +24,24 @@ module LogStash module PluginMixins module Kafka
       # This option permits to define a proxy to be used to reach the schema registry service instance.
       config :schema_registry_proxy, :validate => :uri
 
+      # If schema registry client authentication is required, this setting stores the keystore path.
+      config :schema_registry_ssl_keystore_location, :validate => :string
+
+      # The keystore password.
+      config :schema_registry_ssl_keystore_password, :validate => :password
+
+      # The keystore type
+      config :schema_registry_ssl_keystore_type, :validate => ['jks', 'PKCS12'], :default => "jks"
+
+      # The JKS truststore path to validate the Schema Registry's certificate.
+      config :schema_registry_ssl_truststore_location, :validate => :string
+
+      # The truststore password.
+      config :schema_registry_ssl_truststore_password, :validate => :password
+
+      # The truststore type
+      config :schema_registry_ssl_truststore_type, :validate => ['jks', 'PKCS12'], :default => "jks"
+
       # Option to skip validating the schema registry during registration. This can be useful when using
       # certificate based auth
       config :schema_registry_validation, :validate => ['auto', 'skip'], :default => 'auto'
@@ -68,6 +86,19 @@ module LogStash module PluginMixins module Kafka
       if schema_registry_key and !schema_registry_key.empty?
         options[:auth] = {:user => schema_registry_key, :password => schema_registry_secret.value}
       end
+      if schema_registry_ssl_truststore_location and !schema_registry_ssl_truststore_location.empty?
+        options[:ssl] = {} unless options.key?(:ssl)
+        options[:ssl][:truststore] = schema_registry_ssl_truststore_location unless schema_registry_ssl_truststore_location.nil?
+        options[:ssl][:truststore_password] = schema_registry_ssl_truststore_password.value unless schema_registry_ssl_truststore_password.nil?
+        options[:ssl][:truststore_type] = schema_registry_ssl_truststore_type unless schema_registry_ssl_truststore_type.nil?
+      end
+      if schema_registry_ssl_keystore_location and !schema_registry_ssl_keystore_location.empty?
+        options[:ssl] = {} unless options.key? :ssl
+        options[:ssl][:keystore] = schema_registry_ssl_keystore_location unless schema_registry_ssl_keystore_location.nil?
+        options[:ssl][:keystore_password] = schema_registry_ssl_keystore_password.value unless schema_registry_ssl_keystore_password.nil?
+        options[:ssl][:keystore_type] = schema_registry_ssl_keystore_type unless schema_registry_ssl_keystore_type.nil?
+      end
+
       client = Manticore::Client.new(options)
       begin
         response = client.get(@schema_registry_url.uri.to_s + '/subjects').body

data/logstash-integration-kafka.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-integration-kafka'
-  s.version         = '11.0.0'
+  s.version         = '11.2.0'
   s.licenses        = ['Apache-2.0']
   s.summary         = "Integration with Kafka - input and output plugins"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline "+

data/spec/integration/inputs/kafka_spec.rb

@@ -79,6 +79,7 @@ describe "inputs/kafka", :integration => true do
     producer = org.apache.kafka.clients.producer.KafkaProducer.new(props)
 
     producer.send(record)
+    producer.flush
     producer.close
   end
 
@@ -185,10 +186,105 @@ describe "inputs/kafka", :integration => true do
       end
     end
   end
+
+  context "static membership 'group.instance.id' setting" do
+    let(:base_config) do
+      {
+        "topics" => ["logstash_integration_static_membership_topic"],
+        "group_id" => "logstash",
+        "consumer_threads" => 1,
+        # this is needed because the worker thread could be executed little after the producer sent the "up" message
+        "auto_offset_reset" => "earliest",
+        "group_instance_id" => "test_static_group_id"
+      }
+    end
+    let(:consumer_config) { base_config }
+    let(:logger) { double("logger") }
+    let(:queue) { java.util.concurrent.ArrayBlockingQueue.new(10) }
+    let(:kafka_input) { LogStash::Inputs::Kafka.new(consumer_config) }
+    before :each do
+      allow(LogStash::Inputs::Kafka).to receive(:logger).and_return(logger)
+      [:error, :warn, :info, :debug].each do |level|
+        allow(logger).to receive(level)
+      end
+
+      kafka_input.register
+    end
+
+    it "input plugin disconnects from the broker when another client with same static membership connects" do
+      expect(logger).to receive(:error).with("Another consumer with same group.instance.id has connected", anything)
+
+      input_worker = java.lang.Thread.new { kafka_input.run(queue) }
+      begin
+        input_worker.start
+        wait_kafka_input_is_ready("logstash_integration_static_membership_topic", queue)
+        saboteur_kafka_consumer = create_consumer_and_start_consuming("test_static_group_id")
+        saboteur_kafka_consumer.run # ask to be scheduled
+        saboteur_kafka_consumer.join
+
+        expect(saboteur_kafka_consumer.value).to eq("saboteur exited")
+      ensure
+        input_worker.join(30_000)
+      end
+    end
+
+    context "when the plugin is configured with multiple consumer threads" do
+      let(:consumer_config) { base_config.merge({"consumer_threads" => 2}) }
+
+      it "should avoid to connect with same 'group.instance.id'" do
+        expect(logger).to_not receive(:error).with("Another consumer with same group.instance.id has connected", anything)
+
+        input_worker = java.lang.Thread.new { kafka_input.run(queue) }
+        begin
+          input_worker.start
+          wait_kafka_input_is_ready("logstash_integration_static_membership_topic", queue)
+        ensure
+          kafka_input.stop
+          input_worker.join(1_000)
+        end
+      end
+    end
+  end
+end
+
+# return consumer Ruby Thread
+def create_consumer_and_start_consuming(static_group_id)
+  props = java.util.Properties.new
+  kafka = org.apache.kafka.clients.consumer.ConsumerConfig
+  props.put(kafka::BOOTSTRAP_SERVERS_CONFIG, "localhost:9092")
+  props.put(kafka::KEY_DESERIALIZER_CLASS_CONFIG, LogStash::Inputs::Kafka::DEFAULT_DESERIALIZER_CLASS)
+  props.put(kafka::VALUE_DESERIALIZER_CLASS_CONFIG, LogStash::Inputs::Kafka::DEFAULT_DESERIALIZER_CLASS)
+  props.put(kafka::GROUP_ID_CONFIG, "logstash")
+  props.put(kafka::GROUP_INSTANCE_ID_CONFIG, static_group_id)
+  consumer = org.apache.kafka.clients.consumer.KafkaConsumer.new(props)
+
+  Thread.new do
+    LogStash::Util::set_thread_name("integration_test_simple_consumer")
+    begin
+      consumer.subscribe(["logstash_integration_static_membership_topic"])
+      records = consumer.poll(java.time.Duration.ofSeconds(3))
+      "saboteur exited"
+    rescue => e
+      e # return the exception reached in thread.value
+    ensure
+      consumer.close
+    end
+  end
 end
 
 private
 
+def wait_kafka_input_is_ready(topic, queue)
+  # this is needed to give time to the kafka input to be up and running
+  header = org.apache.kafka.common.header.internals.RecordHeader.new("name", "Ping Up".to_java_bytes)
+  record = org.apache.kafka.clients.producer.ProducerRecord.new(topic, 0, "key", "value", [header])
+  send_message(record)
+
+  # Wait the message is processed
+  message = queue.poll(1, java.util.concurrent.TimeUnit::MINUTES)
+  expect(message).to_not eq(nil)
+end
+
 def consume_messages(config, queue: Queue.new, timeout:, event_count:)
   kafka_input = LogStash::Inputs::Kafka.new(config)
   kafka_input.register
@@ -257,10 +353,13 @@ describe "schema registry connection options" do
   end
 end
 
-def save_avro_schema_to_schema_registry(schema_file, subject_name)
+def save_avro_schema_to_schema_registry(schema_file, subject_name, proto = 'http', port = 8081, manticore_options = {})
   raw_schema = File.readlines(schema_file).map(&:chomp).join
   raw_schema_quoted = raw_schema.gsub('"', '\"')
-  response = Manticore.post("http://localhost:8081/subjects/#{subject_name}/versions",
+
+  client = Manticore::Client.new(manticore_options)
+
+  response = client.post("#{proto}://localhost:#{port}/subjects/#{subject_name}/versions",
           body: '{"schema": "' + raw_schema_quoted + '"}',
           headers: {"Content-Type" => "application/vnd.schemaregistry.v1+json"})
   response
@@ -282,8 +381,17 @@ def startup_schema_registry(schema_registry, auth=false)
   end
 end
 
-describe "Schema registry API", :integration => true do
-  schema_registry = Manticore::Client.new
+shared_examples 'it has endpoints available to' do |tls|
+  let(:port) { tls ? 8083 : 8081 }
+  let(:proto) { tls ? 'https' : 'http' }
+
+  manticore_options = {
+    :ssl => {
+      :truststore => File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+      :truststore_password => "changeit"
+    }
+  }
+  schema_registry = Manticore::Client.new(manticore_options)
 
   before(:all) do
     startup_schema_registry(schema_registry)
@@ -295,36 +403,53 @@ describe "Schema registry API", :integration => true do
 
   context 'listing subject on clean instance' do
     it "should return an empty set" do
-      subjects = JSON.parse schema_registry.get('http://localhost:8081/subjects').body
+      subjects = JSON.parse schema_registry.get("#{proto}://localhost:#{port}/subjects").body
       expect( subjects ).to be_empty
     end
   end
 
   context 'send a schema definition' do
     it "save the definition" do
-      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1")
+      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1", proto, port, manticore_options)
       expect( response.code ).to be(200)
       delete_remote_schema(schema_registry, "schema_test_1")
     end
 
     it "delete the schema just added" do
-      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1")
+      response = save_avro_schema_to_schema_registry(File.join(Dir.pwd, "spec", "unit", "inputs", "avro_schema_fixture_payment.asvc"), "schema_test_1", proto, port, manticore_options)
       expect( response.code ).to be(200)
 
-      expect( schema_registry.delete('http://localhost:8081/subjects/schema_test_1?permanent=false').code ).to be(200)
+      expect( schema_registry.delete("#{proto}://localhost:#{port}/subjects/schema_test_1?permanent=false").code ).to be(200)
       sleep(1)
-      subjects = JSON.parse schema_registry.get('http://localhost:8081/subjects').body
+      subjects = JSON.parse schema_registry.get("#{proto}://localhost:#{port}/subjects").body
       expect( subjects ).to be_empty
     end
   end
 end
 
+describe "Schema registry API", :integration => true do
+
+  context "when exposed with HTTPS" do
+    it_behaves_like 'it has endpoints available to', true
+  end
+
+  context "when exposed with plain HTTP" do
+    it_behaves_like 'it has endpoints available to', false
+  end
+end
+
 def shutdown_schema_registry
   system('./stop_schema_registry.sh')
 end
 
 describe "Deserializing with the schema registry", :integration => true do
-  schema_registry = Manticore::Client.new
+  manticore_options = {
+    :ssl => {
+      :truststore => File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+      :truststore_password => "changeit"
+    }
+  }
+  schema_registry = Manticore::Client.new(manticore_options)
 
   shared_examples 'it reads from a topic using a schema registry' do |with_auth|
 
@@ -423,28 +548,57 @@ describe "Deserializing with the schema registry", :integration => true do
     end
   end
 
-  context 'with an unauthed schema registry' do
+  shared_examples 'with an unauthed schema registry' do |tls|
+    let(:port) { tls ? 8083 : 8081 }
+    let(:proto) { tls ? 'https' : 'http' }
+
     let(:auth) { false }
     let(:avro_topic_name) { "topic_avro" }
-    let(:subject_url) { "http://localhost:8081/subjects" }
-    let(:plain_config)  { base_config.merge!({'schema_registry_url' => "http://localhost:8081"}) }
+    let(:subject_url) { "#{proto}://localhost:#{port}/subjects" }
+    let(:plain_config)  { base_config.merge!({
+      'schema_registry_url' => "#{proto}://localhost:#{port}",
+      'schema_registry_ssl_truststore_location' => File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+      'schema_registry_ssl_truststore_password' => 'changeit',
+    }) }
 
     it_behaves_like 'it reads from a topic using a schema registry', false
   end
 
-  context 'with an authed schema registry' do
+  context 'with an unauthed schema registry' do
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an unauthed schema registry', true
+    end
+
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an unauthed schema registry', false
+    end
+  end
+
+  shared_examples 'with an authed schema registry' do |tls|
+    let(:port) { tls ? 8083 : 8081 }
+    let(:proto) { tls ? 'https' : 'http' }
     let(:auth) { true }
     let(:user) { "barney" }
     let(:password) { "changeme" }
     let(:avro_topic_name) { "topic_avro_auth" }
-    let(:subject_url) { "http://#{user}:#{password}@localhost:8081/subjects" }
+    let(:subject_url) { "#{proto}://#{user}:#{password}@localhost:#{port}/subjects" }
+    let(:tls_base_config) do
+      if tls
+        base_config.merge({
+          'schema_registry_ssl_truststore_location' => ::File.join(Dir.pwd, "tls_repository/clienttruststore.jks"),
+          'schema_registry_ssl_truststore_password' => 'changeit',
+        })
+      else
+        base_config
+      end
+    end
 
     context 'using schema_registry_key' do
       let(:plain_config) do
-        base_config.merge!({
-          'schema_registry_url' => "http://localhost:8081",
+        tls_base_config.merge!({
+          'schema_registry_url' => "#{proto}://localhost:#{port}",
           'schema_registry_key' => user,
-          'schema_registry_secret' => password
+          'schema_registry_secret' => password,
         })
       end
 
@@ -453,12 +607,22 @@ describe "Deserializing with the schema registry", :integration => true do
 
     context 'using schema_registry_url' do
       let(:plain_config) do
-        base_config.merge!({
-          'schema_registry_url' => "http://#{user}:#{password}@localhost:8081"
+        tls_base_config.merge!({
+          'schema_registry_url' => "#{proto}://#{user}:#{password}@localhost:#{port}",
         })
       end
 
       it_behaves_like 'it reads from a topic using a schema registry', true
     end
   end
+
+  context 'with an authed schema registry' do
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an authed schema registry', true
+    end
+
+    context "accessed through HTTPS" do
+      it_behaves_like 'with an authed schema registry', false
+    end
+  end
 end

data/spec/unit/inputs/kafka_spec.rb

@@ -297,7 +297,7 @@ describe LogStash::Inputs::Kafka do
           to receive(:new).with(hash_including('client.rack' => 'EU-R1')).
               and_return kafka_client = double('kafka-consumer')
 
-      expect( subject.send(:create_consumer, 'sample_client-0') ).to be kafka_client
+      expect( subject.send(:create_consumer, 'sample_client-0', 'group_instance_id') ).to be kafka_client
     end
   end
 
@@ -309,7 +309,7 @@ describe LogStash::Inputs::Kafka do
           to receive(:new).with(hash_including('session.timeout.ms' => '25000', 'max.poll.interval.ms' => '345000')).
               and_return kafka_client = double('kafka-consumer')
 
-      expect( subject.send(:create_consumer, 'sample_client-1') ).to be kafka_client
+      expect( subject.send(:create_consumer, 'sample_client-1', 'group_instance_id') ).to be kafka_client
     end
   end
 
@@ -321,7 +321,7 @@ describe LogStash::Inputs::Kafka do
           to receive(:new).with(hash_including('session.timeout.ms' => '25200', 'max.poll.interval.ms' => '123000')).
               and_return kafka_client = double('kafka-consumer')
 
-      expect( subject.send(:create_consumer, 'sample_client-2') ).to be kafka_client
+      expect( subject.send(:create_consumer, 'sample_client-2', 'group_instance_id') ).to be kafka_client
     end
   end
 
@@ -333,7 +333,7 @@ describe LogStash::Inputs::Kafka do
           to receive(:new).with(hash_including('enable.auto.commit' => 'false', 'check.crcs' => 'true')).
               and_return kafka_client = double('kafka-consumer')
 
-      expect( subject.send(:create_consumer, 'sample_client-3') ).to be kafka_client
+      expect( subject.send(:create_consumer, 'sample_client-3', 'group_instance_id') ).to be kafka_client
       expect( subject.enable_auto_commit ).to be false
     end
   end
@@ -346,7 +346,7 @@ describe LogStash::Inputs::Kafka do
           to receive(:new).with(hash_including('enable.auto.commit' => 'true', 'check.crcs' => 'false')).
               and_return kafka_client = double('kafka-consumer')
 
-      expect( subject.send(:create_consumer, 'sample_client-4') ).to be kafka_client
+      expect( subject.send(:create_consumer, 'sample_client-4', 'group_instance_id') ).to be kafka_client
       expect( subject.enable_auto_commit ).to be true
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-integration-kafka
 version: !ruby/object:Gem::Version
-  version: 11.0.0
+  version: 11.2.0
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-16 00:00:00.000000000 Z
+date: 2023-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement