Zookeeper definitely has the information about endpoints and protocol. The /brokers/ids/<broker_id> paths in zookeeper contain the endpoints that are open on the broker.
I have doubts that you'll be able to make this change without any downtime though. To my knowledge, clients are only capable of using one security protocol at a time. If half your brokers are only using plaintext and the other half are only using ssl, the clients will be unable to talk to half of your brokers. Any partitions whose leader is on one of the brokers with the wrong protocol will be offline as far as the client is concerned. The same would apply to the replication protocol. Any followers that aren't using the same protocol as the leader will be unable to retrieve data from the leader and will eventually drop from the ISR.

On Wed, Aug 15, 2018 at 10:18 AM John Calcote <john.calc...@gmail.com> wrote:

> I have a situation where I have to upgrade a distributed system in a
> piecemeal from plaintext to ssl between kafka clients and broker.
>
> Is there a simple way to detect from the client if it should be trying to
> use plaintext or ssl - from a kafka API perspective? I can do a low-level
> trick like open a socket and send an ssl client-hello message, but I was
> hoping I could read some zookeeper data to determine if the broker is using
> ssl or plaintext. Also, (for internal political reasons) I can't open both
> ssl and plaintext channels - once the broker changes over, it has to be all
> or nothing.
>
> Thanks in advance,
> John
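
An added example, not part of the original thread: one way to read the security protocol out of the broker registrations under /brokers/ids/<broker_id> and to detect the mixed plaintext/ssl state the reply warns about. The payloads, hostnames, function names and preference order are assumptions made for illustration; fetching the znodes with a ZooKeeper client is left out so the block runs offline.

```python
import json

# Constructed sample payloads in the shape of Kafka's /brokers/ids/<broker_id>
# znodes (hostnames are placeholders, not taken from the thread).
SSL_ONLY = json.dumps({
    "listener_security_protocol_map": {"SSL": "SSL"},
    "endpoints": ["SSL://kafka1.example.internal:9093"], "version": 4}).encode()
PLAINTEXT_ONLY = json.dumps({
    "listener_security_protocol_map": {"PLAINTEXT": "PLAINTEXT"},
    "endpoints": ["PLAINTEXT://kafka2.example.internal:9092"], "version": 4}).encode()
NAMED_LISTENER = json.dumps({
    "listener_security_protocol_map": {"INTERNAL": "SSL"},
    "endpoints": ["INTERNAL://kafka3.example.internal:9094"], "version": 4}).encode()

# Assumed preference order, strongest first; the names are Kafka's security protocols.
PREFERENCE = ("SASL_SSL", "SSL", "SASL_PLAINTEXT", "PLAINTEXT")

def broker_protocols(znode_data):
    """Return {security_protocol: (host, port)} for one broker registration."""
    reg = json.loads(znode_data)
    # Listener names map to protocols; if the map is absent, the listener
    # name in the endpoint is treated as the protocol itself.
    proto_map = reg.get("listener_security_protocol_map") or {}
    found = {}
    for endpoint in reg.get("endpoints", []):
        listener, _, hostport = endpoint.partition("://")
        host, _, port = hostport.rpartition(":")
        found[proto_map.get(listener, listener)] = (host, int(port))
    return found

def choose_protocol(registrations):
    """Pick the one protocol every registered broker offers, or raise."""
    if not registrations:
        raise LookupError("no brokers registered")
    per_broker = {b: set(broker_protocols(d)) for b, d in registrations.items()}
    common = set.intersection(*per_broker.values())
    for proto in PREFERENCE:
        if proto in common:
            return proto
    # Mid-migration state: a client using a single protocol cannot reach
    # every partition leader, so refuse instead of guessing.
    detail = {b: sorted(p) for b, p in per_broker.items()}
    raise RuntimeError(f"no security protocol common to all brokers: {detail}")

if __name__ == "__main__":
    print(choose_protocol({"1": SSL_ONLY, "3": NAMED_LISTENER}))
    try:
        choose_protocol({"1": SSL_ONLY, "2": PLAINTEXT_ONLY})
    except RuntimeError as err:
        print("mixed cluster:", err)
```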