Securing connections (TLS, mTLS, SASL)
etl-rs has no framework-wide security layer: transport security is a property of each connector, because every connector talks to its system over that system's own client (librdkafka for Kafka, an HTTP client for ClickHouse) with that client's own TLS/auth knobs. This page is the hub — it covers what is framework-wide (how secrets reach the config, and what happens when auth fails) and points at each connector's own security section for the concrete matrix.
Where each connector documents its security
| Connector | Transport | Auth methods | Build gate | Details |
|---|---|---|---|---|
| Kafka source | TLS / mTLS over librdkafka | client cert, SASL SCRAM/PLAIN | opt-in kafka-tls feature | Kafka source → Security |
| Kafka sink | TLS / mTLS over librdkafka | client cert, SASL SCRAM/PLAIN | opt-in kafka-tls feature | Kafka sink → Security |
| ClickHouse sink | TLS over https:// (rustls) | user / password | none (always available) | ClickHouse → Security |
The Kafka source and sink share one security matrix (the rdkafka: passthrough
is identical for both). ClickHouse needs no feature flag — an https:// replica
URL is encrypted out of the box; client-certificate (mTLS) auth to ClickHouse is
a tracked follow-up. Kerberos/GSSAPI for Kafka is a separate, heavier build and
is also a tracked follow-up.
Secrets stay out of the file
Never commit credentials. Every value in the config — including inside connector
bodies — is
environment-interpolated
before parsing, so pass secrets in from the environment (a Kubernetes
Secret, a vault sidecar) and reference them with ${VAR}:
sink:
clickhouse:
password: "${CLICKHOUSE_PASSWORD}" # quote the site — see interpolation caveats
Interpolation is textual and pre-parse, so quote the value site when a secret
may contain YAML-significant characters. The four ${...} forms and the
quoting rules are in
Configuring pipelines.
A bad credential stops the pipeline loudly
Authentication and TLS failures are a fatal error class, not a retryable one: a wrong password, an untrusted CA, or a rejected client certificate fails the pipeline fast with an actionable message rather than silently stalling or looping. That is deliberate — a security misconfiguration should surface at startup (or at the first connection), not degrade into a stuck consumer. See Delivery guarantees for how fatal error classes propagate, and Error handling for the Skip/Fail taxonomy they sit outside of.
Related
- Kafka source ·
Kafka sink — the
rdkafka:passthrough these properties ride through, and the denylist they must avoid. - ClickHouse sink — the
https://replica model anduser/passwordauth. - Configuration reference — every key,
including the
kafka-tlsbuild feature and the interpolation forms.