Skip to main content

Securing connections (TLS, mTLS, SASL)

etl-rs has no framework-wide security layer: transport security is a property of each connector, because every connector talks to its system over that system's own client (librdkafka for Kafka, an HTTP client for ClickHouse) with that client's own TLS/auth knobs. This page is the hub — it covers what is framework-wide (how secrets reach the config, and what happens when auth fails) and points at each connector's own security section for the concrete matrix.

Where each connector documents its security

ConnectorTransportAuth methodsBuild gateDetails
Kafka sourceTLS / mTLS over librdkafkaclient cert, SASL SCRAM/PLAINopt-in kafka-tls featureKafka source → Security
Kafka sinkTLS / mTLS over librdkafkaclient cert, SASL SCRAM/PLAINopt-in kafka-tls featureKafka sink → Security
ClickHouse sinkTLS over https:// (rustls)user / passwordnone (always available)ClickHouse → Security

The Kafka source and sink share one security matrix (the rdkafka: passthrough is identical for both). ClickHouse needs no feature flag — an https:// replica URL is encrypted out of the box; client-certificate (mTLS) auth to ClickHouse is a tracked follow-up. Kerberos/GSSAPI for Kafka is a separate, heavier build and is also a tracked follow-up.

Secrets stay out of the file

Never commit credentials. Every value in the config — including inside connector bodies — is environment-interpolated before parsing, so pass secrets in from the environment (a Kubernetes Secret, a vault sidecar) and reference them with ${VAR}:

sink:
clickhouse:
password: "${CLICKHOUSE_PASSWORD}" # quote the site — see interpolation caveats

Interpolation is textual and pre-parse, so quote the value site when a secret may contain YAML-significant characters. The four ${...} forms and the quoting rules are in Configuring pipelines.

A bad credential stops the pipeline loudly

Authentication and TLS failures are a fatal error class, not a retryable one: a wrong password, an untrusted CA, or a rejected client certificate fails the pipeline fast with an actionable message rather than silently stalling or looping. That is deliberate — a security misconfiguration should surface at startup (or at the first connection), not degrade into a stuck consumer. See Delivery guarantees for how fatal error classes propagate, and Error handling for the Skip/Fail taxonomy they sit outside of.