Hostname verification on the connection between the Event Gateway and a Kafka cluster requires that the hostname presented in the Kafka certificates matches the URL that the Event Gateway uses to connect to Kafka. By default, hostname verification is not enabled for this connection. However, you can enable it by setting the algorithm that the Event Gateway uses for hostname verification.
To mitigate security risks, enable hostname verification.
Note: If the certificates on your Kafka cluster do not include the hostname, update them so that they do before you enable hostname verification. Without the hostname in the certificate, the connection between Kafka and the Event Gateway fails once verification is enabled, which causes the Kafka clients that connect through the Event Gateway to fail as well.
Setting the hostname verification algorithm
To set a specific hostname verification algorithm, provide the TCP_HOSTNAME_VERIFICATION_ALGORITHM environment variable to the Event Gateway container.
For a stand-alone Event Gateway, add the new environment variable to the container at start up.
For an operator-deployed Event Gateway, you can turn hostname verification on by setting the environment variable in the Event Gateway custom resource. For example, to set the hostname verification algorithm to HTTPS, provide the environment variable as follows:
spec:
  template:
    pod:
      spec:
        containers:
          - name: egw
            env:
              - name: TCP_HOSTNAME_VERIFICATION_ALGORITHM
                value: HTTPS
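A pre-flight check to run before you enable the HTTPS algorithm, added here as an example that is not part of the Event Gateway or its documentation: it applies RFC 2818/6125-style hostname matching to the subjectAltName entries read from a broker certificate and reports which of the configured bootstrap hosts would fail verification. The SAN list and bootstrap string are constructed samples, and the matching rules are an assumption about how the HTTPS algorithm behaves rather than code taken from the Event Gateway.

```python
"""Check whether a broker certificate's SANs cover the hosts the gateway connects to."""
import ipaddress
from urllib.parse import urlsplit


def host_from_bootstrap(entry: str) -> str:
    """Extract the host from 'kafka-0.example.com:9093' or 'SSL://kafka-0.example.com:9093'."""
    if "://" not in entry:
        entry = "//" + entry  # let urlsplit treat the whole string as a netloc
    host = urlsplit(entry).hostname
    if not host:
        raise ValueError(f"no host in bootstrap entry {entry!r}")
    return host


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a host name (case-insensitive).
    A wildcard is honoured only as the whole leftmost label, must be followed by
    at least two labels, and matches exactly one label: '*.kafka.example.com'
    matches 'kafka-0.kafka.example.com' but not 'kafka.example.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_matches(sans: list[tuple[str, str]], host: str) -> bool:
    """sans holds (type, value) pairs from the certificate's subjectAltName
    extension, e.g. ('DNS', 'kafka-0.example.com') or ('IP', '10.0.0.5').
    An IP-literal host is compared only with iPAddress entries, a DNS host
    only with dNSName entries; the subject CN is deliberately not consulted,
    so the hostname must be present in the SAN extension."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_name_matches(value, host):
            return True
    return False


def check_bootstrap(bootstrap: str, sans: list[tuple[str, str]]) -> dict[str, bool]:
    """Map each host in a comma-separated bootstrap list to its verification outcome."""
    hosts = [host_from_bootstrap(e.strip()) for e in bootstrap.split(",") if e.strip()]
    return {h: san_matches(sans, h) for h in hosts}


# Constructed sample values: a wildcard broker certificate and three bootstrap entries.
SAMPLE_SANS = [("DNS", "*.kafka.example.com"), ("IP", "10.0.0.5")]
SAMPLE_BOOTSTRAP = "kafka-0.kafka.example.com:9093,10.0.0.5:9093,kafka.example.com:9093"

if __name__ == "__main__":
    for host, ok in check_bootstrap(SAMPLE_BOOTSTRAP, SAMPLE_SANS).items():
        print(f"{host}: {'OK' if ok else 'would FAIL hostname verification'}")
```

Feed it the SAN entries shown by your certificate tooling and the bootstrap address from the Event Gateway configuration; any host reported as failing needs the certificate fixed before the variable is set.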