feat: Add Kafka SASL/SSL authentication support with ClickHouse integration (#45)

* add kafka auth

* fix README

* fix clickhouse -> kafka auth

---------

Co-authored-by: anton.voskresensky <anton.voskresensky@flant.com>

Author: perhamm

.gitignore

@@ -119,3 +119,5 @@ ios/Pods
 !.yarn/plugins
 
 .turbo
+
+certs

README.md

@@ -171,6 +171,28 @@ If you have questions or need assistance, you can join our [Slack group](https:/
    }
    ```
 
+### Kafka authentication
+
+Trench supports connecting to Kafka clusters that require SASL and/or SSL. Configure via the following environment variables (all optional):
+
+- `KAFKA_SSL_ENABLED`: Enable SSL/TLS when connecting to brokers. Values: `true`/`false` (default: `false`).
+- `KAFKA_SSL_REJECT_UNAUTHORIZED`: Whether to verify broker certificates. Values: `true`/`false` (default: `true`). Set to `false` when using self-signed certs in development.
+- `KAFKA_SSL_CA`: CA certificate contents (PEM). Use when brokers use a custom CA.
+- `KAFKA_SSL_CERT`: Client certificate contents (PEM) if mutual TLS is required.
+- `KAFKA_SSL_KEY`: Client private key (PEM) if mutual TLS is required.
+- `KAFKA_SASL_MECHANISM`: One of `plain`, `scram-sha-256`, or `scram-sha-512`.
+- `KAFKA_SASL_USERNAME`: SASL username (required when `KAFKA_SASL_MECHANISM` is set).
+- `KAFKA_SASL_PASSWORD`: SASL password (required when `KAFKA_SASL_MECHANISM` is set).
+
+Notes:
+- For SSL cert variables, provide the PEM content directly (including header/footer) or mount files and load into env before starting.
+- When using Bitnami Kafka images locally, the default `docker-compose.yml` uses PLAINTEXT; set the appropriate broker listeners and advertise SSL/SASL endpoints in your Kafka deployment if required.
+- Kafka authentication for ClickHouse should be configured in ClickHouse server configuration files, not in SQL migrations.
+
+### ClickHouse Kafka Authentication
+
+For ClickHouse to connect to authenticated Kafka clusters, you need to configure authentication in ClickHouse server configuration files.
+
 ### 2. Trench Cloud ☁️
 
 If you don't want to selfhost, you can get started with Trench in a few minutes via:
@@ -188,6 +210,44 @@ If you don't want to selfhost, you can get started with Trench in a few minutes
 - [Documentation](https://docs.trench.dev/)
 - [Slack community](https://join.slack.com/t/trench-community/shared_invite/zt-2sjet5kh2-v31As3yC_zRIadk_AGn~3A)
 
+### Kafka Authentication Examples
+
+Trench supports Kafka authentication with SASL and SSL. Here are examples of how to configure both Node.js KafkaJS client and ClickHouse for authenticated Kafka connections.
+
+**Quick Start:**
+- **SASL-only**: `docker compose -f docker-compose.sasl.yml up -d --build`
+- **SSL+SASL**: Generate certs first with `./scripts/generate-kafka-certs.sh`, then run the compose file
+
+#### SASL-Only Authentication
+```bash
+# Run with SASL authentication (no SSL)
+docker compose -f docker-compose.sasl.yml up -d --build
+```
+
+This setup uses:
+- **Node.js KafkaJS**: `KAFKA_SASL_MECHANISM=PLAIN`, `KAFKA_SASL_USERNAME=kafka_user`, `KAFKA_SASL_PASSWORD=kafka_password`
+- **ClickHouse**: Pre-configured with `clickhouse-kafka-auth-config-example/clickhouse-sasl.xml` for Kafka authentication
+- **Kafka**: SASL_PLAINTEXT listener on port 9095
+
+#### SSL+SASL Authentication
+```bash
+# Step 1: Generate SSL certificates
+./scripts/generate-kafka-certs.sh
+
+# Step 2: Set environment variables for SSL certificates
+export KAFKA_SSL_CA=$(cat ./certs/ca.pem)
+export KAFKA_SSL_CERT=$(cat ./certs/client.pem)
+export KAFKA_SSL_KEY=$(cat ./certs/client-key.pem)
+
+# Step 3: Run with both SSL and SASL authentication
+docker compose -f docker-compose.ssl-sasl.yml up -d --build
+```
+
+This setup uses:
+- **Node.js KafkaJS**: SSL+SASL authentication via environment variables
+- **ClickHouse**: Pre-configured with `clickhouse-kafka-auth-config-example/clickhouse-ssl-sasl.xml` for Kafka authentication
+- **Kafka**: SASL_SSL listener on port 9095 with SSL certificates
+
 ## 📚 Authors
 
 Trench is a project built by [Frigade](https://frigade.com).

apps/trench/clickhouse-kafka-auth-config-example/clickhouse-sasl.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <kafka>
+        <security_protocol>sasl_plaintext</security_protocol>
+        <sasl_mechanism>PLAIN</sasl_mechanism>
+        <sasl_username>kafka_user</sasl_username>
+        <sasl_password>kafka_password</sasl_password>
+    </kafka>
+</clickhouse>

apps/trench/clickhouse-kafka-auth-config-example/clickhouse-ssl-sasl.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <kafka>
+        <security_protocol>sasl_ssl</security_protocol>
+        <sasl_mechanism>PLAIN</sasl_mechanism>
+        <sasl_username>kafka_user</sasl_username>
+        <sasl_password>kafka_password</sasl_password>
+        <enable_ssl_certificate_verification>false</enable_ssl_certificate_verification>
+    </kafka>
+</clickhouse>

apps/trench/docker-compose.sasl.yml

@@ -0,0 +1,100 @@
+services:
+  api:
+    build:
+      dockerfile: Dockerfile
+      context: .
+      target: production-build
+      args:
+        API_DOMAIN: ${API_DOMAIN}
+    env_file:
+      - .env
+    volumes:
+      - ./:/app
+      - /app/node_modules
+      - /app/certs
+      - /app/schemas
+      - /app/dist
+    command: node /app/dist/main.js -i -1
+    ports:
+      - '${API_PORT}:${API_PORT}'
+    depends_on:
+      kafka:
+        condition: service_healthy
+      clickhouse:
+        condition: service_healthy
+    networks:
+      - app-network
+    restart: unless-stopped
+    environment:
+      - KAFKA_BROKERS=kafka:9095
+      - KAFKA_SSL_ENABLED=false
+      - KAFKA_SASL_MECHANISM=PLAIN
+      - KAFKA_SASL_USERNAME=kafka_user
+      - KAFKA_SASL_PASSWORD=kafka_password
+  clickhouse:
+    image: clickhouse/clickhouse-server:24.8
+    restart: always
+    healthcheck:
+      test: ["CMD", "bash", "-lc", "wget -qO- http://localhost:8123/ping | grep -q 'Ok'"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+    ports:
+      - '8123:8123'
+      - '9000:9000'
+    volumes:
+      - clickhouse-data:/var/lib/clickhouse
+      - ./clickhouse-kafka-auth-config-example/clickhouse-sasl.xml:/etc/clickhouse-server/config.d/kafka.xml:ro
+    environment:
+      - CLICKHOUSE_USER=${CLICKHOUSE_USER}
+      - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD}
+    ulimits:
+      nofile:
+        soft: 262144
+        hard: 262144
+    networks:
+      - app-network
+  kafka:
+    image: bitnamilegacy/kafka:3.7.0
+    ports:
+      - 9092:9092
+      - 9093:9093
+      - 9094:9094
+      - 9095:9095
+    deploy:
+      resources:
+        limits:
+          cpus: '4'
+          memory: 4096M
+    environment:
+      - KAFKA_CFG_NODE_ID=0
+      - KAFKA_CFG_PROCESS_ROLES=controller,broker
+      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT
+      - KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true
+      - KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR=1
+      - KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR=1
+      - KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR=1
+      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093,SASL_PLAINTEXT://:9095,EXTERNAL://:9094
+      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://kafka:9092,SASL_PLAINTEXT://kafka:9095,EXTERNAL://localhost:9094
+      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT,EXTERNAL:PLAINTEXT
+      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+      - KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
+      - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
+      - KAFKA_CFG_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka_user" password="kafka_password" user_kafka_user="kafka_password" user_admin="admin_password";
+      - KAFKA_CFG_LISTENER_NAME_SASL_PLAINTEXT_SASL_ENABLED_MECHANISMS=PLAIN
+      - KAFKA_CFG_LISTENER_NAME_SASL_PLAINTEXT_PLAIN_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka_user" password="kafka_password" user_kafka_user="kafka_password" user_admin="admin_password";
+    volumes:
+      - kafka-data:/bitnami/kafka
+    healthcheck:
+      test: ["CMD", "bash", "-lc", "/opt/bitnami/kafka/bin/kafka-topics.sh --bootstrap-server localhost:9092 --list || exit 1"]
+      interval: 5s
+      timeout: 3s
+      retries: 60
+    networks:
+      - app-network
+volumes:
+  clickhouse-data:
+  kafka-data:
+networks:
+  app-network:

apps/trench/docker-compose.ssl-sasl.yml

@@ -0,0 +1,112 @@
+services:
+  api:
+    build:
+      dockerfile: Dockerfile
+      context: .
+      target: production-build
+      args:
+        API_DOMAIN: ${API_DOMAIN}
+    env_file:
+      - .env
+    volumes:
+      - ./:/app
+      - /app/node_modules
+      - /app/certs
+      - /app/schemas
+      - /app/dist
+    command: node /app/dist/main.js -i -1
+    ports:
+      - '${API_PORT}:${API_PORT}'
+    depends_on:
+      kafka:
+        condition: service_healthy
+      clickhouse:
+        condition: service_healthy
+    networks:
+      - app-network
+    restart: unless-stopped
+    environment:
+      - KAFKA_BROKERS=kafka:9095
+      - KAFKA_SSL_ENABLED=true
+      - KAFKA_SSL_REJECT_UNAUTHORIZED=false
+      - KAFKA_SSL_CA=${KAFKA_SSL_CA}
+      - KAFKA_SSL_CERT=${KAFKA_SSL_CERT}
+      - KAFKA_SSL_KEY=${KAFKA_SSL_KEY}
+      - KAFKA_SASL_MECHANISM=PLAIN
+      - KAFKA_SASL_USERNAME=kafka_user
+      - KAFKA_SASL_PASSWORD=kafka_password
+  clickhouse:
+    image: clickhouse/clickhouse-server:24.8
+    restart: always
+    healthcheck:
+      test: ["CMD", "bash", "-lc", "clickhouse-client --query 'SELECT 1'"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+    ports:
+      - '8123:8123'
+      - '9000:9000'
+    volumes:
+      - clickhouse-data:/var/lib/clickhouse
+      - ./clickhouse-kafka-auth-config-example/clickhouse-ssl-sasl.xml:/etc/clickhouse-server/config.d/kafka.xml:ro
+      - ./certs:/opt/bitnami/kafka/config/certs:ro
+    environment:
+      - CLICKHOUSE_USER=${CLICKHOUSE_USER}
+      - CLICKHOUSE_PASSWORD=${CLICKHOUSE_PASSWORD}
+    ulimits:
+      nofile:
+        soft: 262144
+        hard: 262144
+    networks:
+      - app-network
+  kafka:
+    image: bitnamilegacy/kafka:3.7.0
+    ports:
+      - 9092:9092
+      - 9093:9093
+      - 9094:9094
+      - 9095:9095
+    deploy:
+      resources:
+        limits:
+          cpus: '4'
+          memory: 4096M
+    environment:
+      - KAFKA_CFG_NODE_ID=0
+      - KAFKA_CFG_PROCESS_ROLES=controller,broker
+      - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT
+      - KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true
+      - KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR=1
+      - KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR=1
+      - KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR=1
+      - KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093,SASL_SSL://:9095,EXTERNAL://:9094
+      - KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://kafka:9092,SASL_SSL://kafka:9095,EXTERNAL://localhost:9094
+      - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT,SASL_SSL:SASL_SSL,EXTERNAL:PLAINTEXT
+      - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+      - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+      - KAFKA_CFG_SSL_KEYSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.keystore.jks
+      - KAFKA_CFG_SSL_KEYSTORE_PASSWORD=server_keystore_password
+      - KAFKA_CFG_SSL_KEY_PASSWORD=server_keystore_password
+      - KAFKA_CFG_SSL_TRUSTSTORE_LOCATION=/opt/bitnami/kafka/config/certs/kafka.truststore.jks
+      - KAFKA_CFG_SSL_TRUSTSTORE_PASSWORD=server_truststore_password
+      - KAFKA_CFG_SSL_CLIENT_AUTH=required
+      - KAFKA_CFG_SASL_ENABLED_MECHANISMS=PLAIN
+      - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN
+      - KAFKA_CFG_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka_user" password="kafka_password" user_kafka_user="kafka_password" user_admin="admin_password";
+      - KAFKA_CFG_LISTENER_NAME_SASL_SSL_SASL_ENABLED_MECHANISMS=PLAIN
+      - KAFKA_CFG_LISTENER_NAME_SASL_SSL_PLAIN_SASL_JAAS_CONFIG=org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka_user" password="kafka_password" user_kafka_user="kafka_password" user_admin="admin_password";
+    volumes:
+      - kafka-data:/bitnami/kafka
+      - ./certs:/opt/bitnami/kafka/config/certs:ro
+    healthcheck:
+      test: ["CMD", "bash", "-lc", "/opt/bitnami/kafka/bin/kafka-topics.sh --bootstrap-server localhost:9092 --list || exit 1"]
+      interval: 5s
+      timeout: 3s
+      retries: 60
+    networks:
+      - app-network
+volumes:
+  clickhouse-data:
+  kafka-data:
+networks:
+  app-network:

apps/trench/docker-compose.yml

@@ -23,8 +23,10 @@ services:
     networks:
       - app-network
     restart: unless-stopped
+    environment:
+      - KAFKA_BROKERS=kafka:9092
   clickhouse:
-    image: clickhouse/clickhouse-server
+    image: clickhouse/clickhouse-server:24.8
     restart: always
     ports:
       - '8123:8123'
@@ -42,7 +44,7 @@ services:
     networks:
       - app-network
   kafka:
-    image: bitnami/kafka:latest
+    image: bitnamilegacy/kafka:3.7.0
     ports:
       - 9092:9092
       - 9093:9093