Hi Thomas,

We recently fixed a bug, https://issues.apache.org/jira/browse/KAFKA-8191, which allows users to configure their own KeyManager and TrustManager. One can implement these KeyManagers and pass them as configs, and these KeyManagers can make a call to a service to fetch a certificate to enable TLS. JKS stores are for doing it manually. You can check out https://github.com/spiffe/java-spiffe, which talks to the SPIFFE agent to get a certificate and pass it to Kafka's SSL context.

Thanks,
Harsha

On Thu, May 16, 2019, at 3:57 PM, Zhou, Thomas wrote:
> Hi,
>
> I have a question about the TLS config at the Kafka client side. Based on
> the official document, if clients want to enable TLS, they must put
> ssl.truststore.location in the client config, where there is a JKS
> file to hold the trust store. My question is: is this config
> mandatory? Is there a possibility that we get truststore.jks from a
> service and store it in memory so we don’t have to maintain a file on
> the client side?
>
> Thanks,
> Thomas
>