From a977fad63559bf1d5aafeafa27298bdb87c680e6 Mon Sep 17 00:00:00 2001 
From: conorbros Date: Wed, 14 Feb 2024 15:51:26 +1100 Subject: [PATCH 1/4] kafka sasl tests --- shotover-proxy/config/config.yaml | 8 +- shotover-proxy/tests/kafka_int_tests/mod.rs | 28 +++ .../tests/kafka_int_tests/test_cases.rs | 16 ++ .../kafka/cluster-sasl/docker-compose.yaml | 46 ++++ .../cluster-sasl/tls/docker-compose.yaml | 16 ++ .../cluster-sasl/tls/topology-with-key.yaml | 17 ++ .../kafka/cluster-sasl/tls/topology.yaml | 15 ++ .../kafka/cluster-sasl/topology-single.yaml | 10 + .../kafka/cluster-sasl/topology1.yaml | 13 ++ .../kafka/cluster-sasl/topology2.yaml | 13 ++ .../kafka/cluster-sasl/topology3.yaml | 13 ++ .../certs/kafka-generate-ssl.sh | 207 ++++++++++++++++++ .../passthrough-sasl/certs/kafka.keystore.jks | Bin 0 -> 4814 bytes .../certs/kafka.truststore.jks | Bin 0 -> 1286 bytes .../passthrough-sasl/docker-compose.yaml | 32 +++ .../kafka/passthrough-sasl/save.yaml | 24 ++ .../passthrough-sasl/topology-encode.yaml | 12 + .../kafka/passthrough-sasl/topology.yaml | 9 + test-helpers/src/docker_compose.rs | 7 +- 19 files changed, 481 insertions(+), 5 deletions(-) create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml create mode 100755 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh create mode 100644 
shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.keystore.jks create mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.truststore.jks create mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology-encode.yaml create mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology.yaml diff --git a/shotover-proxy/config/config.yaml b/shotover-proxy/config/config.yaml index 85830d979..72664ac38 100644 --- a/shotover-proxy/config/config.yaml +++ b/shotover-proxy/config/config.yaml @@ -1,5 +1,5 @@ -# configure the first `info` to set the log level for dependencies -# configure `shotover=info` to set the log level for shotover itself -# set `shotover::connection_span=info` to `shotover::connection_span=debug` to attach connection info to most log events, this is disabled by default due to a minor performance hit. -main_log_level: "info, shotover=info, shotover::connection_span=info" +# configure the first `debug` to set the log level for dependencies +# configure `shotover=debug` to set the log level for shotover itself +# set `shotover::connection_span=debug` to `shotover::connection_span=debug` to attach connection info to most log events, this is disabled by default due to a minor performance hit. +main_log_level: "debug, shotover=debug, shotover::connection_span=debug" observability_interface: "0.0.0.0:9001" diff --git a/shotover-proxy/tests/kafka_int_tests/mod.rs b/shotover-proxy/tests/kafka_int_tests/mod.rs index 0195e449e..740692543 100644 --- a/shotover-proxy/tests/kafka_int_tests/mod.rs +++ b/shotover-proxy/tests/kafka_int_tests/mod.rs 
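Review bot: The `config/config.yaml` hunk switches the shipped default `main_log_level` from `info` to `debug` for dependencies, shotover and `shotover::connection_span`, which looks like a local debugging aid committed along with the SASL tests. The original comment already warns that connection-span debug has a performance cost, and debug output from a proxy that now relays SASL/PLAIN traffic is more likely to put connection and authentication detail into logs (inferred; the logging call sites are not in this diff). The comment was also search-replaced, so it now reads "set `shotover::connection_span=debug` to `shotover::connection_span=debug`" while still saying the setting is disabled by default. I would revert this hunk to `main_log_level: "info, shotover=info, shotover::connection_span=info"` and raise the level only for the test run that needs it.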
@@ -62,6 +62,34 @@ async fn passthrough_encode() { shotover.shutdown_and_then_consume_events(&[]).await; } +#[cfg(feature = "rdkafka-driver-tests")] +#[tokio::test] +async fn passthrough_sasl() { + let _docker_compose = + docker_compose("tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml"); + let shotover = shotover_process("tests/test-configs/kafka/passthrough-sasl/topology.yaml") + .start() + .await; + + test_cases::basic_sasl("127.0.0.1:9192").await; + + shotover.shutdown_and_then_consume_events(&[]).await; +} + +#[cfg(feature = "rdkafka-driver-tests")] +#[tokio::test] +async fn passthrough_sasl_encode() { + let _docker_compose = + docker_compose("tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml"); + let shotover = shotover_process("tests/test-configs/kafka/passthrough-sasl/topology.yaml") + .start() + .await; + + test_cases::basic_sasl("127.0.0.1:9192").await; + + shotover.shutdown_and_then_consume_events(&[]).await; +} + #[cfg(feature = "rdkafka-driver-tests")] #[tokio::test] async fn cluster_single_shotover() { diff --git a/shotover-proxy/tests/kafka_int_tests/test_cases.rs b/shotover-proxy/tests/kafka_int_tests/test_cases.rs index 77a428455..e91d5561f 100644 --- a/shotover-proxy/tests/kafka_int_tests/test_cases.rs +++ b/shotover-proxy/tests/kafka_int_tests/test_cases.rs 
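Review bot: `passthrough_sasl_encode` is a line-for-line copy of `passthrough_sasl`: it starts shotover with `tests/test-configs/kafka/passthrough-sasl/topology.yaml`, so the `DebugForceEncode` chain in the `topology-encode.yaml` added by this patch is never loaded and the SASL encode path is not tested. Change the call to `shotover_process("tests/test-configs/kafka/passthrough-sasl/topology-encode.yaml")`. A one-line `///` comment on each test naming the topology it covers would make the difference between the two visible.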
@@ -308,3 +308,19 @@ pub async fn basic(address: &str) { } admin_cleanup(client.clone()).await; } + +pub async fn basic_sasl(address: &str) { + let mut client = ClientConfig::new(); + client + .set("bootstrap.servers", address) + .set("sasl.mechanisms", "PLAIN") + .set("sasl.username", "user") + .set("sasl.password", "password") + .set("security.protocol", "SASL_PLAINTEXT") + // internal driver debug logs are emitted to tokio tracing, assuming the appropriate filter is used by the tracing subscriber + .set("debug", "all"); + admin(client.clone()).await; + produce_consume(client.clone()).await; + produce_consume_acks0(client.clone()).await; + admin_cleanup(client.clone()).await; +} diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml new file mode 100644 index 000000000..b7a3fe4a7 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml 
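Review bot: `basic_sasl` covers only a successful login, so the suite shows that valid SASL/PLAIN credentials pass through shotover but not that invalid ones are refused. A second case that builds the same `ClientConfig` with `.set("sasl.password", "wrong_password")` (constructed value) and asserts that the first admin or produce call fails would pin the rejection path. Separately, `.set("debug", "all")` is left on unconditionally; in a test that carries credentials I would drop it or narrow it to the contexts being debugged, since the comment says the driver logs are forwarded to tracing. The `user`/`password` pair has to match `KAFKA_CLIENT_USERS`/`KAFKA_CLIENT_PASSWORDS` in `passthrough-sasl/docker-compose.yaml`, which is worth stating in a doc comment on the function.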
@@ -0,0 +1,46 @@ +version: "3" +networks: + cluster_subnet: + name: cluster_subnet + driver: bridge + ipam: + driver: default + config: + - subnet: 172.16.1.0/24 + gateway: 172.16.1.1 +services: + kafka0: + image: &image 'bitnami/kafka:3.4.0-debian-11-r22' + networks: + cluster_subnet: + ipv4_address: 172.16.1.2 + environment: &environment + KAFKA_CFG_LISTENERS: "PLAINTEXT://:9092,CONTROLLER://:9093" + KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://172.16.1.2:9092" + ALLOW_PLAINTEXT_LISTENER: "yes" + KAFKA_KRAFT_CLUSTER_ID: "abcdefghijklmnopqrstuv" + KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: "0@kafka0:9093,1@kafka1:9093,2@kafka2:9093" + KAFKA_CFG_NODE_ID: 0 + volumes: &volumes + - type: tmpfs + target: /bitnami/kafka + kafka1: + image: *image + networks: + cluster_subnet: + ipv4_address: 172.16.1.3 + environment: + <<: *environment + KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://172.16.1.3:9092" + KAFKA_CFG_NODE_ID: 1 + volumes: *volumes + kafka2: + image: *image + networks: + cluster_subnet: + ipv4_address: 172.16.1.4 + environment: + <<: *environment + KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://172.16.1.4:9092" + KAFKA_CFG_NODE_ID: 2 + volumes: *volumes diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml new file mode 100644 index 000000000..22a18a91f --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml @@ -0,0 +1,16 @@ +version: "3.3" +services: + cassandra-one: + image: shotover/cassandra-test:4.0.6-r1 + ports: + - "9042:9042" + environment: + MAX_HEAP_SIZE: "400M" + MIN_HEAP_SIZE: "400M" + HEAP_NEWSIZE: "48M" + volumes: + - type: tmpfs + target: /var/lib/cassandra + - type: bind + source: "./certs/keystore.p12" + target: "/etc/cassandra/certs/keystore.p12" 
diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml new file mode 100644 index 000000000..4ccf1acc7 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml @@ -0,0 +1,17 @@ +--- +sources: + - Cassandra: + name: "cassandra" + listen_addr: "127.0.0.1:9043" + tls: + certificate_path: "tests/test-configs/cassandra/tls/certs/localhost.crt" + private_key_path: "tests/test-configs/cassandra/tls/certs/localhost.key" + chain: + - CassandraSinkSingle: + remote_address: "localhost:9042" + connect_timeout_ms: 3000 + tls: + certificate_authority_path: "tests/test-configs/cassandra/tls/certs/localhost_CA.crt" + certificate_path: "tests/test-configs/cassandra/tls/certs/localhost.crt" + private_key_path: "tests/test-configs/cassandra/tls/certs/localhost.key" + verify_hostname: true diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml new file mode 100644 index 000000000..92ada6cf6 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml @@ -0,0 +1,15 @@ +--- +sources: + - Cassandra: + name: "cassandra" + listen_addr: "127.0.0.1:9043" + tls: + certificate_path: "tests/test-configs/cassandra/tls/certs/localhost.crt" + private_key_path: "tests/test-configs/cassandra/tls/certs/localhost.key" + chain: + - CassandraSinkSingle: + remote_address: "localhost:9042" + connect_timeout_ms: 3000 + tls: + certificate_authority_path: "tests/test-configs/cassandra/tls/certs/localhost_CA.crt" + verify_hostname: true diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml new file mode 100644 index 000000000..d38206e7f --- /dev/null 
+++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml @@ -0,0 +1,10 @@ +--- +sources: + - Kafka: + name: "kafka" + listen_addr: "127.0.0.1:9192" + chain: + - KafkaSinkCluster: + shotover_nodes: ["127.0.0.1:9192"] + first_contact_points: ["172.16.1.2:9092"] + connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml new file mode 100644 index 000000000..11edd3e78 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml @@ -0,0 +1,13 @@ +--- +sources: + - Kafka: + name: "kafka" + listen_addr: "127.0.0.1:9191" + chain: + - KafkaSinkCluster: + shotover_nodes: + - "127.0.0.1:9191" + - "127.0.0.1:9192" + - "127.0.0.1:9193" + first_contact_points: ["172.16.1.2:9092"] + connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml new file mode 100644 index 000000000..2269f83dc --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml @@ -0,0 +1,13 @@ +--- +sources: + - Kafka: + name: "kafka" + listen_addr: "127.0.0.1:9192" + chain: + - KafkaSinkCluster: + shotover_nodes: + - "127.0.0.1:9191" + - "127.0.0.1:9192" + - "127.0.0.1:9193" + first_contact_points: ["172.16.1.2:9092"] + connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml new file mode 100644 index 000000000..528030e24 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml @@ -0,0 +1,13 @@ +--- +sources: + - Kafka: + name: "kafka" + listen_addr: "127.0.0.1:9193" + chain: + - KafkaSinkCluster: + shotover_nodes: + - "127.0.0.1:9191" + - "127.0.0.1:9192" + - "127.0.0.1:9193" + first_contact_points: ["172.16.1.2:9092"] + connect_timeout_ms: 3000 
diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh new file mode 100755 index 000000000..39ff3f984 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh 
@@ -0,0 +1,207 @@ +#!/usr/bin/env bash + +set -e + +KEYSTORE_FILENAME="kafka.keystore.jks" +VALIDITY_IN_DAYS=3650 +DEFAULT_TRUSTSTORE_FILENAME="kafka.truststore.jks" +TRUSTSTORE_WORKING_DIRECTORY="truststore" +KEYSTORE_WORKING_DIRECTORY="keystore" +CA_CERT_FILE="ca-cert" +KEYSTORE_SIGN_REQUEST="cert-file" +KEYSTORE_SIGN_REQUEST_SRL="ca-cert.srl" +KEYSTORE_SIGNED_CERT="cert-signed" + +function file_exists_and_exit() { + echo "'$1' cannot exist. Move or delete it before" + echo "re-running this script." + exit 1 +} + +if [ -e "$KEYSTORE_WORKING_DIRECTORY" ]; then + file_exists_and_exit $KEYSTORE_WORKING_DIRECTORY +fi + +if [ -e "$CA_CERT_FILE" ]; then + file_exists_and_exit $CA_CERT_FILE +fi + +if [ -e "$KEYSTORE_SIGN_REQUEST" ]; then + file_exists_and_exit $KEYSTORE_SIGN_REQUEST +fi + +if [ -e "$KEYSTORE_SIGN_REQUEST_SRL" ]; then + file_exists_and_exit $KEYSTORE_SIGN_REQUEST_SRL +fi + +if [ -e "$KEYSTORE_SIGNED_CERT" ]; then + file_exists_and_exit $KEYSTORE_SIGNED_CERT +fi + +echo +echo "Welcome to the Kafka SSL keystore and truststore generator script." + +echo +echo "First, do you need to generate a trust store and associated private key," +echo "or do you already have a trust store file and private key?" +echo +echo -n "Do you need to generate a trust store and associated private key? [yn] " +read generate_trust_store + +trust_store_file="" +trust_store_private_key_file="" + +if [ "$generate_trust_store" == "y" ]; then + if [ -e "$TRUSTSTORE_WORKING_DIRECTORY" ]; then + file_exists_and_exit $TRUSTSTORE_WORKING_DIRECTORY + fi + + mkdir $TRUSTSTORE_WORKING_DIRECTORY + echo + echo "OK, we'll generate a trust store and associated private key." + echo + echo "First, the private key." + echo + echo "You will be prompted for:" + echo " - A password for the private key. Remember this." + echo " - Information about you and your company." + echo " - NOTE that the Common Name (CN) is currently not important." 
+ + openssl req -new -x509 -keyout $TRUSTSTORE_WORKING_DIRECTORY/ca-key \ + -out $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -days $VALIDITY_IN_DAYS + + trust_store_private_key_file="$TRUSTSTORE_WORKING_DIRECTORY/ca-key" + + echo + echo "Two files were created:" + echo " - $TRUSTSTORE_WORKING_DIRECTORY/ca-key -- the private key used later to" + echo " sign certificates" + echo " - $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -- the certificate that will be" + echo " stored in the trust store in a moment and serve as the certificate" + echo " authority (CA). Once this certificate has been stored in the trust" + echo " store, it will be deleted. It can be retrieved from the trust store via:" + echo " $ keytool -keystore -export -alias CARoot -rfc" + + echo + echo "Now the trust store will be generated from the certificate." + echo + echo "You will be prompted for:" + echo " - the trust store's password (labeled 'keystore'). Remember this" + echo " - a confirmation that you want to import the certificate" + + keytool -keystore $TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME \ + -alias CARoot -import -file $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE + + trust_store_file="$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME" + + echo + echo "$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME was created." + + # don't need the cert because it's in the trust store. + rm $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE +else + echo + echo -n "Enter the path of the trust store file. " + read -e trust_store_file + + if ! [ -f $trust_store_file ]; then + echo "$trust_store_file isn't a file. Exiting." + exit 1 + fi + + echo -n "Enter the path of the trust store's private key. " + read -e trust_store_private_key_file + + if ! [ -f $trust_store_private_key_file ]; then + echo "$trust_store_private_key_file isn't a file. Exiting." 
+ exit 1 + fi +fi + +echo +echo "Continuing with:" +echo " - trust store file: $trust_store_file" +echo " - trust store private key: $trust_store_private_key_file" + +mkdir $KEYSTORE_WORKING_DIRECTORY + +echo +echo "Now, a keystore will be generated. Each broker and logical client needs its own" +echo "keystore. This script will create only one keystore. Run this script multiple" +echo "times for multiple keystores." +echo +echo "You will be prompted for the following:" +echo " - A keystore password. Remember it." +echo " - Personal information, such as your name." +echo " NOTE: currently in Kafka, the Common Name (CN) does not need to be the FQDN of" +echo " this host. However, at some point, this may change. As such, make the CN" +echo " the FQDN. Some operating systems call the CN prompt 'first / last name'" +echo " - A key password, for the key being generated within the keystore. Remember this." + +# To learn more about CNs and FQDNs, read: +# https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html + +keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME \ + -alias localhost -validity $VALIDITY_IN_DAYS -genkey -keyalg RSA + +echo +echo "'$KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME' now contains a key pair and a" +echo "self-signed certificate. Again, this keystore can only be used for one broker or" +echo "one logical client. Other brokers or clients need to generate their own keystores." + +echo +echo "Fetching the certificate from the trust store and storing in $CA_CERT_FILE." +echo +echo "You will be prompted for the trust store's password (labeled 'keystore')" + +keytool -keystore $trust_store_file -export -alias CARoot -rfc -file $CA_CERT_FILE + +echo +echo "Now a certificate signing request will be made to the keystore." +echo +echo "You will be prompted for the keystore's password." 
+keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost \ + -certreq -file $KEYSTORE_SIGN_REQUEST + +echo +echo "Now the trust store's private key (CA) will sign the keystore's certificate." +echo +echo "You will be prompted for the trust store's private key password." +openssl x509 -req -CA $CA_CERT_FILE -CAkey $trust_store_private_key_file \ + -in $KEYSTORE_SIGN_REQUEST -out $KEYSTORE_SIGNED_CERT \ + -days $VALIDITY_IN_DAYS -CAcreateserial +# creates $KEYSTORE_SIGN_REQUEST_SRL which is never used or needed. + +echo +echo "Now the CA will be imported into the keystore." +echo +echo "You will be prompted for the keystore's password and a confirmation that you want to" +echo "import the certificate." +keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias CARoot \ + -import -file $CA_CERT_FILE +rm $CA_CERT_FILE # delete the trust store cert because it's stored in the trust store. + +echo +echo "Now the keystore's signed certificate will be imported back into the keystore." +echo +echo "You will be prompted for the keystore's password." +keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost -import \ + -file $KEYSTORE_SIGNED_CERT + +echo +echo "All done!" +echo +echo "Delete intermediate files? They are:" +echo " - '$KEYSTORE_SIGN_REQUEST_SRL': CA serial number" +echo " - '$KEYSTORE_SIGN_REQUEST': the keystore's certificate signing request" +echo " (that was fulfilled)" +echo " - '$KEYSTORE_SIGNED_CERT': the keystore's certificate, signed by the CA, and stored back" +echo " into the keystore" +echo -n "Delete? [yn] " +read delete_intermediate_files + +if [ "$delete_intermediate_files" == "y" ]; then + rm $KEYSTORE_SIGN_REQUEST_SRL + rm $KEYSTORE_SIGN_REQUEST + rm $KEYSTORE_SIGNED_CERT +fi 
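Review bot: The paths typed at the `read -e trust_store_file` and `read -e trust_store_private_key_file` prompts are used unquoted in `[ -f $trust_store_file ]`, `keytool -keystore $trust_store_file ...` and `openssl x509 ... -CAkey $trust_store_private_key_file`, so a path containing spaces or glob characters is word-split and either fails the check or reaches `keytool`/`openssl` as extra arguments. Read with `read -r -e trust_store_file` and quote every expansion, e.g. `if ! [ -f "$trust_store_file" ]; then`; the same applies to the `rm $...` and `mkdir $...` lines and to the argument passed to `file_exists_and_exit`. The `keytool ... -genkey -keyalg RSA` call also leaves the key size to the JDK default, and adding `-keysize 2048` (or larger) makes the generated key independent of the JDK in use. A header comment should say that the script is interactive and, if that is the case, that it produced the committed `kafka.keystore.jks` and `kafka.truststore.jks`.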
diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.keystore.jks b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..7fa25e52d36632828c176d0392f617d082117627 GIT binary patch literal 4814 zcma)AWmFUlvtD4?r4|q=i3OC7Wl0I8JEcLuMOr|YE-x=fQf+xN0B&#aM^>fO{(mLxTp$WN^DmtC*OEZ^|H~r4!@&HC!j||8zJOc)!@!2X4d6omN(tZ`K+*)7 zP_YV7Omd(hoD@HLDtG1M`C1MjSkCrMC$jg|{C|qp8u{4wT9u;}F$>A?~-=cxJ z%b#jzIF+d#G`W~as>p8Hcq%#RG%QdNjeDTcSGo62*JOt$lCtZ@k>*8leS(SGJWP)c}d2osmyo5@`&+R3n1s7ETtrgS%Y&+?_D#cNFAe9 z0Y~gh=EY~dV&N+1fa?WX@Qj1XEAGftSybZ!g)C!kWR@B4VvM3OV3?Q5Q#LyG;gi|V znblk!txLvEr4=`o3mBc;k6%|}H|-*yx3}6)QX+~s_U1(g`lmH{DC&~bI7kij*&Ug+ zqY0m)zhX|=tn1c&Yw#&3%}(;lILGqydP6GOrx274ps6C)jE*`;p?WC){NAV{A7{#+ z8Gz63sH!KpH%#9fKI?)H2H8)==!=4)reeQm?(gea{yy_V(a49!9s9F-7&N41?$Yw@ zrutg0w7zROFwJ|}t+EGqk0*XL>*~feB^k4*=TXM^Xf1=WY6U1z8t-<^h~tPbXP#aOl&;!Zv%P!mMe+TZSu(W+22<_dPGk~1PMn*1mffwVqASs+ z;#WEBm?`zsaMv!V=l7%*qvAz||5(k()8sSM^$1z161muD&6PYPq4d5U+CjiQ)F&Ff@d&Lo%k9P7vk zMSYc||5#E|uXa>!GPdoo2rr2t(H!5~fi3DgJr%e`JNO{7_k86`AC^gb`IpQRv%Q1& z)va(`gR*m&>GHaugI<;X6^nu1iSletNJC^i*?djVgAtuo*Uq*d9h-LidZz4CYd#m} zXTFf!U3pR)7?#|oCQ>K>`gaOvna)Xa{^(i4TlZm7 zwdcV%AO}#ffQs)?`?_!uUh>;Lz%$Axo#j8aI})p9zsZBo6Cf4%U zMx@Hpa}2apbbMkN9Xnn1HtnnZUivlhx9apG2b~`qF0GF#T4KZ5JrF)b)8b8ZL9=X#1$v#>W5+G7;i6CI>lv{6kUa)#r~3}+_7J07{*rh!6zqL9$WR;l zL5oKY&hU?1;*#=^LP-F203^T+@b<5_{u?;~od0hN84oFtMEl))3woaCa3T0}K4D&d zK4C#PiXii!IbhIN6hZV~C;}4$@Ye)}i`xB1oCdpW&1wADCY<~SFPg3JCl|8l2bH6__6zFT;P@(~7ys^O81s-Ct4kuv^X z(J>M+o_Bg5Vk>03D}H${s$({khc(&b zZ&d$6b@r`Wwm_}<+gXnm{*^;MZ${hHYoO0-;idTvBq125udJpWj48+9?yOX;!qJYn?KT6%~eccWR1no3qRmLKYOuTyovg%-Dmm}S~@?1`&TN0Z=E z7VkHd;+4pKm(0B~2MWn|%8qOm6>n^S3>_5Jr5O4ftmZZgcHJ(iOfsgwD?Tf(Y*Am? 
z1{5N25)>;^g;i6!pPNuU{B%mPCu8nV=Jc5wu(~$%Mw*ps-_vCM*p?s*=!ANdT!9oyM=s<&f?Xjo4mHnl>S4>?r}Rsc z6=X^;u8+25g%<8{ZA@oqTE<9k35%>sQe>BwVlDGB7!g@#${39_8+!*-Y_t_c5H>f` z+t=)ZpCq#{n0B2lzv?I;f8u%ag~hSr|LlA=sgFX^Fb-OGhf4V>zCA%jr#oBVeiI3? zbsKX;&hS!l$+#eS4ZC_aJHZSIoQ}GzAJZbtsiC?2h=Qn)^C2z~Ie~H&MHg@OV}6tK z(hZMxaA+Y3aJ>P%`Jy{6m5^IkmR}FN^VQt=$6-$;fxb|T_vafIMWxK{=POpROTD3= z{=fpSaw|HOD)4?~Sqx$Q&;LRzEB~FXanW9M$`QD-vS0M;1 zvNe4s1gf5yKSWklc!RATJQslUm)l9biME%YB`@qe_+V0@vYao|gkU>&lg5BRL!@^M z4xQ(#!wHUys&8mpxr{Y>e(*TGcuiiNtj0KZu``z2`KIobG2c`)9w;#?saCa z)sn3W+l9E%-8J{3T`EhyO|DN{lbhp^t7Ka(VBbOSqHHf))u&Jo?Vdb*osv&F-fz?X zZYOVll~JBf(BbCnBuC9n8b;_ltMDDwZKnMGAF$KxWr4*dqKEs4@ZlwL|&vd{T++!>)9+79?>Cj4N%rQ&-Yg2Do^>p zOIp+APQKt8SPUrFzeaF~=cQ=!^Hr+gC3N;B=8C9(pex-6;u&?l43Cb-K$&`FN zAsPyfUyG9XI>~87Cdw%!uF;cHRZAO)K_&Xw`GytNXXo0wg7(JaZsZ8Vg(bF7(2$+R zO^n6}etH6RE_D97?9LsFYi>gql7g_dbIFpsqkxb0{%?9Pvka8YrQLmy(bKkbEsU7QzY{f2bE`U1dF%Q z`$Lciga#08=SJ-D=K`tZR#w5pHVkZCU;(ccRUMjAlOaL8$^my8Z4ASyO^v?BtgES1|ukkRcv zg19%wtfo? zfx0JNO>x+u1$22e=_7}^w1J!e)W{TTxQ4X{aUpl4^`w=h&Zlpt0QpVtegoRRR*fzf zWJIhcn3_?v-IltDpUdCXVfpK2yNG`pot;`S*O%$v;|EE(fAa606q6hYM6h#uWtST8 zOvpUjO1KN!yuNh$PtGIHlUpI+(8Cl!iqUO?Tsa5s);@UhCo(}yVkhou>%#A7%A(3U zPihaLopb5r=RefB`KvQD*KhI#t?=AAxVW4&T-zoK0Au~Fm*SRlEuizQc88v$PQN## zJxSU7aS1bU4fxJ{(NoOZHd(Fj(1S=l9Eo_kd~ymEk8Ni+pzyQ1 zvTnuKa}_R{$bb~6nZdD;EPmY64_GX0w$ruKL&gOO;q()~W>hq)4j7#gm7B6ZHE-h9 z`Y$SdCmJI>fsm&9L-_H9MD?2y8EQ720tLSzWu_h)v~nU}h;H{*)2tjbxBGmtjN~%{ z_FZ;y-mV5=n2ABc=S4-R!adJ%&kjn9_+dxV{e9^xY^f)77)%BW#~@bei`cnWZKpEZ z4P)`A724eCnkE4wM!ANub^U7$(|2kG*wIAK! z<*+RxH`Q4MLd`u{X|ETKf^(ci@1iLMUp^5j_mUvkpbMUqr{LAZ467^7VOM*fsEA1> zL)tekMR=2BCSBIuLPXYCd>-u_)6dca3&ogThXN^|s-NOTQ6!Rdee z8nhO+JI;utQhUbL(}?79L_H2rZYDM9ENfJK;ztG0$Tfzf!$J){Zp3*s*{r@v`lKo-7BbR#X>!QU z0*dM)%yS7!r0?uvoeg-Qt|7o->$Cb^eG6@(akx~hMG~*OtntD-*8np4;=E(j|US2 z8vvwt(pRJ@ltO0+RV5k@X!oA%5Xaw0)7JBbNxTx06<_cLl2*6^-jgg@|1o;Nncx<% On$UO|)%V{g$$tSbUh_Tx literal 0 HcmV?d00001 
diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.truststore.jks b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.truststore.jks new file mode 100644 index 0000000000000000000000000000000000000000..71b6c435a370ab58bb251b54985dfccf6340c4bb GIT binary patch literal 1286 zcmV+h1^N0gf&~Hs0Ru3C1gr)LDuzgg_YDCD0ic2eodkjenJ|I`l`w(?kp>AWhDe6@ z4FLxRpn?Q~FoFbr0s#Opf&_O42`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1Q2vNWIS6j9XS^8$0q0uenEhO1OVvACk)g0!6xd*EOEefOx4!1 zg(gqjNCT@utWfE4i!}a9!`;a`Y!U-9{(lZLqwL# z#vG!+at_d6^wv6>@wK^&8Bbnh0rOcKNn*PiwT?p+=Qf-T$nSHHUM~@=-8(WQD0Ebz#>naaXCp0G= z3A*xqh?ZnJ(X2GaT_x}@)o_y^dWPUNi_-iBg(hk&@jL$!VauxO4i?G*S$DqB?7+(C zF{bTfFsA+_vQLssGZqRJw2=!05I!*pL3YDuN8j$=g+ixtOSW9H|qZ7nR=2u>m-KzAg_=>_Q#dbUF0VMER;n=U0mk$1-Yd z43*G=YQVd`F{-9s?x8*Z32+LFO!as3h2g+|?mLUX`-Q(D*-#HRAbW&6zXtLlwI0?$ z%xv5@4|dfhLV<`Kq(@fQfeqo7==Yx#E?8l8LgU+Qu0CE)1i9?)mJot|We7O60+j2b zCjMC3D0?ak0WG|(#QHgux_O4JQuonPC_44io~J@xIoHw}J+$G~LqmGZ^+DT$4Q!pP zj^Bw%)W#W8y@k;+L$J=UZYh(VdTdHGx3FdZ?fI6ejxi5VAh1ZlwvI6zz82M^8L_FDnrZ~vk~^=T-=QgOZUbArkmjYN9Hgx zRyEu9dg;ejg1?f_+Ov;&P-uz${wlr^$K~_WZTMI7H&d^r90_BDXm)%tYp;OvC3B~N zH`^=uUrfe^8iW?V_%SvT*h?@?FflL<1_@w>NC9O71OfpC00bZg?qli;f=~8$6ElMh wBz~Vu!49>^hDG#A?`@$5&DP)q6g2C(_Kq+>wQDyuRDdF?+9LyglmY@L5NGR1E&u=k literal 0 HcmV?d00001 diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml new file mode 100644 index 000000000..798741697 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml 
@@ -0,0 +1,32 @@ +version: '2' + +services: + kafka: + image: 'bitnami/kafka:latest' + ports: + - '9092:9092' + - '9093:9093' + environment: + - KAFKA_CFG_NODE_ID=0 + - KAFKA_CFG_PROCESS_ROLES=controller,broker + - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093 + - KAFKA_CFG_LISTENERS=SASL_PLAINTEXT://:9092,CONTROLLER://:9093 + - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:SASL_PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT + - KAFKA_CFG_ADVERTISED_LISTENERS=SASL_PLAINTEXT://127.0.0.1:9092 + - KAFKA_CLIENT_USERS=user + - KAFKA_CLIENT_PASSWORDS=password + - KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER + - KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL=PLAIN + - KAFKA_CONTROLLER_USER=controller_user + - KAFKA_CONTROLLER_PASSWORD=controller_password + - KAFKA_CFG_INTER_BROKER_LISTENER_NAME=SASL_PLAINTEXT + - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN + - KAFKA_INTER_BROKER_USER=controller_user + - KAFKA_INTER_BROKER_PASSWORD=controller_password + - KAFKA_CERTIFICATE_PASSWORD=123456 + - KAFKA_TLS_TYPE=JKS # or PEM + - KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM="" + - BITNAMI_DEBUG=true + volumes: + - './certs/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro' + - './certs/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro' diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml new file mode 100644 index 000000000..9e02564a5 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml 
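Review bot: `image: 'bitnami/kafka:latest'` makes this test depend on whatever the tag points to on the day it runs, so an upstream image change can break or silently alter the SASL test and the image under test is not reproducible. The other Kafka compose files in this patch pin `bitnami/kafka:3.4.0-debian-11-r22`; pin a specific tag here too (ideally with a digest; whether that exact version accepts these `KAFKA_CFG_*` SASL variables needs checking) and update the `bitnami/kafka:latest` entry added to `IMAGE_WAITERS` in `test-helpers/src/docker_compose.rs` to match. Both listeners are `SASL_PLAINTEXT`, so the keystore/truststore mounts, `KAFKA_CERTIFICATE_PASSWORD`, `KAFKA_TLS_TYPE` and `KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM` appear unused and could be removed together with the committed `.jks` files. Publishing `9093:9093` exposes the controller listener on the host, which the test does not seem to need. PATCH 2/4 changes 12 lines of this file but that hunk is not visible here, so some of this may already be addressed.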
@@ -0,0 +1,24 @@ +version: "3" +services: + kafka: + image: 'bitnami/kafka:3.4.0-debian-11-r22' + ports: + - '9092:9092' + environment: + - KAFKA_CFG_LISTENERS=SASL_SSL://:9092,CONTROLLER://:9093 + - KAFKA_CFG_ADVERTISED_LISTENERS=SASL_SSL://localhost:9092 + - KAFKA_CLIENT_USERS=user + - KAFKA_CLIENT_PASSWORDS=password + - KAFKA_CLIENT_LISTENER_NAME=SASL_SSL + - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:SASL_PLAINTEXT,SASL_SSL:SASL_SSL + - KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL=PLAIN + - KAFKA_CONTROLLER_USER=controller_user + - KAFKA_CONTROLLER_PASSWORD=controller_password + - KAFKA_KRAFT_CLUSTER_ID=abcdefghijklmnopqrstuv + - BITNAMI_DEBUG=true + volumes: + - type: tmpfs + target: /bitnami/kafka + - type: bind + source: "./certs/jks" + target: "/bitnami/kafka/config/certs" diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology-encode.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology-encode.yaml new file mode 100644 index 000000000..d2a16eefc --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology-encode.yaml @@ -0,0 +1,12 @@ +--- +sources: + - Kafka: + name: "kafka" + listen_addr: "127.0.0.1:9192" + chain: + - DebugForceEncode: + encode_requests: true + encode_responses: true + - KafkaSinkSingle: + destination_port: 9092 + connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology.yaml new file mode 100644 index 000000000..3d6131156 --- /dev/null +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/topology.yaml @@ -0,0 +1,9 @@ +--- +sources: + - Kafka: + name: "kafka" + listen_addr: "127.0.0.1:9192" + chain: + - KafkaSinkSingle: + destination_port: 9092 + connect_timeout_ms: 3000 diff --git a/test-helpers/src/docker_compose.rs b/test-helpers/src/docker_compose.rs index f512fe7e8..7eab582a9 100644 --- a/test-helpers/src/docker_compose.rs 
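Review bot: `passthrough-sasl/save.yaml` looks like a scratch copy of a compose file rather than a test fixture: no test in this patch loads it, and its bind mount `source: "./certs/jks"` points at a directory this patch does not create (the keystores are added as `certs/kafka.keystore.jks` and `certs/kafka.truststore.jks`). It also repeats the `user`/`password` and `controller_user`/`controller_password` test credentials. I would remove the file, or, if the `SASL_SSL` variant is planned, rename it for its purpose and add a top comment such as `# SASL_SSL variant, not yet used by any test`. The `topology-encode.yaml` hunk on the same line is also unreferenced for now, because `passthrough_sasl_encode` loads `topology.yaml`.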
+++ b/test-helpers/src/docker_compose.rs @@ -20,7 +20,7 @@ pub fn new_moto() -> DockerCompose { docker_compose("tests/transforms/docker-compose-moto.yaml") } -pub static IMAGE_WAITERS: [Image; 11] = [ +pub static IMAGE_WAITERS: [Image; 12] = [ Image { name: "motoserver/moto", log_regex_to_wait_for: r"Press CTRL\+C to quit", @@ -68,6 +68,11 @@ pub static IMAGE_WAITERS: [Image; 11] = [ log_regex_to_wait_for: r"Kafka Server started", timeout: Duration::from_secs(120), }, + Image { + name: "bitnami/kafka:latest", + log_regex_to_wait_for: r"Kafka Server started", + timeout: Duration::from_secs(120), + }, Image { name: "opensearchproject/opensearch:2.9.0", log_regex_to_wait_for: r"Node started", From c570f40b260a09627560948431de9a43e419c32e Mon Sep 17 00:00:00 2001 
From: conorbros Date: Tue, 20 Feb 2024 11:16:06 +1100 Subject: [PATCH 2/4] cleanup --- .../kafka/cluster-sasl/docker-compose.yaml | 46 ------------------- .../cluster-sasl/tls/docker-compose.yaml | 16 ------- .../cluster-sasl/tls/topology-with-key.yaml | 17 ------- .../kafka/cluster-sasl/tls/topology.yaml | 15 ------ .../kafka/cluster-sasl/topology-single.yaml | 10 ---- .../kafka/cluster-sasl/topology1.yaml | 13 ------ .../kafka/cluster-sasl/topology2.yaml | 13 ------ .../kafka/cluster-sasl/topology3.yaml | 13 ------ .../passthrough-sasl/docker-compose.yaml | 12 ++--- 9 files changed, 6 insertions(+), 149 deletions(-) delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml delete mode 100644 shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml deleted file mode 100644 index b7a3fe4a7..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/docker-compose.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -version: "3" -networks: - cluster_subnet: - name: cluster_subnet - driver: bridge - ipam: - driver: default - config: - - subnet: 172.16.1.0/24 - gateway: 172.16.1.1 -services: - kafka0: - image: &image 'bitnami/kafka:3.4.0-debian-11-r22' - networks: - cluster_subnet: - ipv4_address: 172.16.1.2 - environment: &environment - KAFKA_CFG_LISTENERS: "PLAINTEXT://:9092,CONTROLLER://:9093" - KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://172.16.1.2:9092" - ALLOW_PLAINTEXT_LISTENER: "yes" - KAFKA_KRAFT_CLUSTER_ID: "abcdefghijklmnopqrstuv" - KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: "0@kafka0:9093,1@kafka1:9093,2@kafka2:9093" - KAFKA_CFG_NODE_ID: 0 - volumes: &volumes - - type: tmpfs - target: /bitnami/kafka - kafka1: - image: *image - networks: - cluster_subnet: - ipv4_address: 172.16.1.3 - environment: - <<: *environment - KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://172.16.1.3:9092" - KAFKA_CFG_NODE_ID: 1 - volumes: *volumes - kafka2: - image: *image - networks: - cluster_subnet: - ipv4_address: 172.16.1.4 - environment: - <<: *environment - KAFKA_CFG_ADVERTISED_LISTENERS: "PLAINTEXT://172.16.1.4:9092" - KAFKA_CFG_NODE_ID: 2 - volumes: *volumes diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml deleted file mode 100644 index 22a18a91f..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/docker-compose.yaml +++ /dev/null @@ -1,16 +0,0 @@ -version: "3.3" -services: - cassandra-one: - image: shotover/cassandra-test:4.0.6-r1 - ports: - - "9042:9042" - environment: - MAX_HEAP_SIZE: "400M" - MIN_HEAP_SIZE: "400M" - HEAP_NEWSIZE: "48M" - volumes: - - type: tmpfs - target: /var/lib/cassandra - - type: bind - source: "./certs/keystore.p12" - target: "/etc/cassandra/certs/keystore.p12" 
diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml deleted file mode 100644 index 4ccf1acc7..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology-with-key.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -sources: - - Cassandra: - name: "cassandra" - listen_addr: "127.0.0.1:9043" - tls: - certificate_path: "tests/test-configs/cassandra/tls/certs/localhost.crt" - private_key_path: "tests/test-configs/cassandra/tls/certs/localhost.key" - chain: - - CassandraSinkSingle: - remote_address: "localhost:9042" - connect_timeout_ms: 3000 - tls: - certificate_authority_path: "tests/test-configs/cassandra/tls/certs/localhost_CA.crt" - certificate_path: "tests/test-configs/cassandra/tls/certs/localhost.crt" - private_key_path: "tests/test-configs/cassandra/tls/certs/localhost.key" - verify_hostname: true diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml deleted file mode 100644 index 92ada6cf6..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/tls/topology.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -sources: - - Cassandra: - name: "cassandra" - listen_addr: "127.0.0.1:9043" - tls: - certificate_path: "tests/test-configs/cassandra/tls/certs/localhost.crt" - private_key_path: "tests/test-configs/cassandra/tls/certs/localhost.key" - chain: - - CassandraSinkSingle: - remote_address: "localhost:9042" - connect_timeout_ms: 3000 - tls: - certificate_authority_path: "tests/test-configs/cassandra/tls/certs/localhost_CA.crt" - verify_hostname: true diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml deleted file mode 100644 index d38206e7f..000000000 
--- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology-single.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -sources: - - Kafka: - name: "kafka" - listen_addr: "127.0.0.1:9192" - chain: - - KafkaSinkCluster: - shotover_nodes: ["127.0.0.1:9192"] - first_contact_points: ["172.16.1.2:9092"] - connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml deleted file mode 100644 index 11edd3e78..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology1.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -sources: - - Kafka: - name: "kafka" - listen_addr: "127.0.0.1:9191" - chain: - - KafkaSinkCluster: - shotover_nodes: - - "127.0.0.1:9191" - - "127.0.0.1:9192" - - "127.0.0.1:9193" - first_contact_points: ["172.16.1.2:9092"] - connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml deleted file mode 100644 index 2269f83dc..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology2.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -sources: - - Kafka: - name: "kafka" - listen_addr: "127.0.0.1:9192" - chain: - - KafkaSinkCluster: - shotover_nodes: - - "127.0.0.1:9191" - - "127.0.0.1:9192" - - "127.0.0.1:9193" - first_contact_points: ["172.16.1.2:9092"] - connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml b/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml deleted file mode 100644 index 528030e24..000000000 --- a/shotover-proxy/tests/test-configs/kafka/cluster-sasl/topology3.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -sources: - - Kafka: - name: "kafka" - listen_addr: "127.0.0.1:9193" - chain: - - KafkaSinkCluster: - shotover_nodes: - - "127.0.0.1:9191" - - "127.0.0.1:9192" - - "127.0.0.1:9193" - first_contact_points: ["172.16.1.2:9092"] - connect_timeout_ms: 3000 diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml index 798741697..26892466b 100644 --- a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml @@ -23,10 +23,10 @@ services: - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN - KAFKA_INTER_BROKER_USER=controller_user - KAFKA_INTER_BROKER_PASSWORD=controller_password - - KAFKA_CERTIFICATE_PASSWORD=123456 - - KAFKA_TLS_TYPE=JKS # or PEM - - KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM="" + # - KAFKA_CERTIFICATE_PASSWORD=123456 + # - KAFKA_TLS_TYPE=JKS # or PEM + # - KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM="" - BITNAMI_DEBUG=true - volumes: - - './certs/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro' - - './certs/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro' + # volumes: + # - './certs/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro' + # - './certs/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro' From 867e28d1c7e3164aca0d18d2e2990a15fd4ed188 Mon Sep 17 00:00:00 2001 From: conorbros Date: Tue, 20 Feb 2024 11:58:19 +1100 Subject: [PATCH 3/4] cleanup --- .../passthrough-sasl/docker-compose.yaml | 8 +------ .../kafka/passthrough-sasl/save.yaml | 24 ------------------- 2 files changed, 1 insertion(+), 31 deletions(-) delete mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml 
diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml index 26892466b..f0d36dbbf 100644 --- a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml @@ -23,10 +23,4 @@ services: - KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL=PLAIN - KAFKA_INTER_BROKER_USER=controller_user - KAFKA_INTER_BROKER_PASSWORD=controller_password - # - KAFKA_CERTIFICATE_PASSWORD=123456 - # - KAFKA_TLS_TYPE=JKS # or PEM - # - KAFKA_CFG_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM="" - - BITNAMI_DEBUG=true - # volumes: - # - './certs/kafka.keystore.jks:/opt/bitnami/kafka/config/certs/kafka.keystore.jks:ro' - # - './certs/kafka.truststore.jks:/opt/bitnami/kafka/config/certs/kafka.truststore.jks:ro' + diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml deleted file mode 100644 index 9e02564a5..000000000 --- a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/save.yaml +++ /dev/null @@ -1,24 +0,0 @@ -version: "3" -services: - kafka: - image: 'bitnami/kafka:3.4.0-debian-11-r22' - ports: - - '9092:9092' - environment: - - KAFKA_CFG_LISTENERS=SASL_SSL://:9092,CONTROLLER://:9093 - - KAFKA_CFG_ADVERTISED_LISTENERS=SASL_SSL://localhost:9092 - - KAFKA_CLIENT_USERS=user - - KAFKA_CLIENT_PASSWORDS=password - - KAFKA_CLIENT_LISTENER_NAME=SASL_SSL - - KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:SASL_PLAINTEXT,SASL_SSL:SASL_SSL - - KAFKA_CFG_SASL_MECHANISM_CONTROLLER_PROTOCOL=PLAIN - - KAFKA_CONTROLLER_USER=controller_user - - KAFKA_CONTROLLER_PASSWORD=controller_password - - KAFKA_KRAFT_CLUSTER_ID=abcdefghijklmnopqrstuv - - BITNAMI_DEBUG=true - volumes: - - type: tmpfs - target: /bitnami/kafka - - type: bind - source: "./certs/jks" - target: "/bitnami/kafka/config/certs" 
From ede164c7c04e24cefd0441f5f0983f7b44c3c218 Mon Sep 17 00:00:00 2001 From: conorbros Date: Thu, 22 Feb 2024 10:47:54 +1100 Subject: [PATCH 4/4] review feedback --- shotover-proxy/config/config.yaml | 8 +- shotover-proxy/tests/kafka_int_tests/mod.rs | 7 +- .../tests/kafka_int_tests/test_cases.rs | 7 +- .../certs/kafka-generate-ssl.sh | 207 ------------------ .../passthrough-sasl/certs/kafka.keystore.jks | Bin 4814 -> 0 bytes .../certs/kafka.truststore.jks | Bin 1286 -> 0 bytes .../passthrough-sasl/docker-compose.yaml | 2 +- test-helpers/src/docker_compose.rs | 7 +- 8 files changed, 15 insertions(+), 223 deletions(-) delete mode 100755 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh delete mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.keystore.jks delete mode 100644 shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.truststore.jks diff --git a/shotover-proxy/config/config.yaml b/shotover-proxy/config/config.yaml index 72664ac38..85830d979 100644 --- a/shotover-proxy/config/config.yaml +++ b/shotover-proxy/config/config.yaml @@ -1,5 +1,5 @@ -# configure the first `debug` to set the log level for dependencies -# configure `shotover=debug` to set the log level for shotover itself -# set `shotover::connection_span=debug` to `shotover::connection_span=debug` to attach connection info to most log events, this is disabled by default due to a minor performance hit. -main_log_level: "debug, shotover=debug, shotover::connection_span=debug" +# configure the first `info` to set the log level for dependencies +# configure `shotover=info` to set the log level for shotover itself +# set `shotover::connection_span=info` to `shotover::connection_span=debug` to attach connection info to most log events, this is disabled by default due to a minor performance hit. +main_log_level: "info, shotover=info, shotover::connection_span=info" observability_interface: "0.0.0.0:9001" 
diff --git a/shotover-proxy/tests/kafka_int_tests/mod.rs b/shotover-proxy/tests/kafka_int_tests/mod.rs index 740692543..75e19c997 100644 --- a/shotover-proxy/tests/kafka_int_tests/mod.rs +++ b/shotover-proxy/tests/kafka_int_tests/mod.rs @@ -81,9 +81,10 @@ async fn passthrough_sasl() { async fn passthrough_sasl_encode() { let _docker_compose = docker_compose("tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml"); - let shotover = shotover_process("tests/test-configs/kafka/passthrough-sasl/topology.yaml") - .start() - .await; + let shotover = + shotover_process("tests/test-configs/kafka/passthrough-sasl/topology-encode.yaml") + .start() + .await; test_cases::basic_sasl("127.0.0.1:9192").await; diff --git a/shotover-proxy/tests/kafka_int_tests/test_cases.rs b/shotover-proxy/tests/kafka_int_tests/test_cases.rs index e91d5561f..a7d6be1cf 100644 --- a/shotover-proxy/tests/kafka_int_tests/test_cases.rs +++ b/shotover-proxy/tests/kafka_int_tests/test_cases.rs @@ -320,7 +320,10 @@ pub async fn basic_sasl(address: &str) { // internal driver debug logs are emitted to tokio tracing, assuming the appropriate filter is used by the tracing subscriber .set("debug", "all"); admin(client.clone()).await; - produce_consume(client.clone()).await; - produce_consume_acks0(client.clone()).await; + for i in 0..2 { + produce_consume(client.clone(), "partitions1", i).await; + produce_consume(client.clone(), "partitions3", i).await; + produce_consume_acks0(client.clone()).await; + } admin_cleanup(client.clone()).await; } diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh deleted file mode 100755 index 39ff3f984..000000000 --- a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka-generate-ssl.sh +++ /dev/null 
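Review bot: As far as the `test_cases.rs` hunk shows, `basic_sasl` only drives the success path (`admin`, `produce_consume`, `produce_consume_acks0`, `admin_cleanup`), so it would still pass if authentication were not actually enforced on the path through the proxy. A companion case that connects to the same address with a wrong password and asserts that the first request fails would pin that behaviour. The client setup of `basic_sasl` starts above the hunk, so whether such a case already exists elsewhere cannot be seen from here. The new `for i in 0..2` loop would also benefit from a one-line comment saying why the sequence runs twice and what `i` means to `produce_consume`, for example `// second pass reuses the topics created by the first` if that is the intent.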
@@ -1,207 +0,0 @@ -#!/usr/bin/env bash - -set -e - -KEYSTORE_FILENAME="kafka.keystore.jks" -VALIDITY_IN_DAYS=3650 -DEFAULT_TRUSTSTORE_FILENAME="kafka.truststore.jks" -TRUSTSTORE_WORKING_DIRECTORY="truststore" -KEYSTORE_WORKING_DIRECTORY="keystore" -CA_CERT_FILE="ca-cert" -KEYSTORE_SIGN_REQUEST="cert-file" -KEYSTORE_SIGN_REQUEST_SRL="ca-cert.srl" -KEYSTORE_SIGNED_CERT="cert-signed" - -function file_exists_and_exit() { - echo "'$1' cannot exist. Move or delete it before" - echo "re-running this script." - exit 1 -} - -if [ -e "$KEYSTORE_WORKING_DIRECTORY" ]; then - file_exists_and_exit $KEYSTORE_WORKING_DIRECTORY -fi - -if [ -e "$CA_CERT_FILE" ]; then - file_exists_and_exit $CA_CERT_FILE -fi - -if [ -e "$KEYSTORE_SIGN_REQUEST" ]; then - file_exists_and_exit $KEYSTORE_SIGN_REQUEST -fi - -if [ -e "$KEYSTORE_SIGN_REQUEST_SRL" ]; then - file_exists_and_exit $KEYSTORE_SIGN_REQUEST_SRL -fi - -if [ -e "$KEYSTORE_SIGNED_CERT" ]; then - file_exists_and_exit $KEYSTORE_SIGNED_CERT -fi - -echo -echo "Welcome to the Kafka SSL keystore and truststore generator script." - -echo -echo "First, do you need to generate a trust store and associated private key," -echo "or do you already have a trust store file and private key?" -echo -echo -n "Do you need to generate a trust store and associated private key? [yn] " -read generate_trust_store - -trust_store_file="" -trust_store_private_key_file="" - -if [ "$generate_trust_store" == "y" ]; then - if [ -e "$TRUSTSTORE_WORKING_DIRECTORY" ]; then - file_exists_and_exit $TRUSTSTORE_WORKING_DIRECTORY - fi - - mkdir $TRUSTSTORE_WORKING_DIRECTORY - echo - echo "OK, we'll generate a trust store and associated private key." - echo - echo "First, the private key." - echo - echo "You will be prompted for:" - echo " - A password for the private key. Remember this." - echo " - Information about you and your company." - echo " - NOTE that the Common Name (CN) is currently not important." 
- - openssl req -new -x509 -keyout $TRUSTSTORE_WORKING_DIRECTORY/ca-key \ - -out $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -days $VALIDITY_IN_DAYS - - trust_store_private_key_file="$TRUSTSTORE_WORKING_DIRECTORY/ca-key" - - echo - echo "Two files were created:" - echo " - $TRUSTSTORE_WORKING_DIRECTORY/ca-key -- the private key used later to" - echo " sign certificates" - echo " - $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -- the certificate that will be" - echo " stored in the trust store in a moment and serve as the certificate" - echo " authority (CA). Once this certificate has been stored in the trust" - echo " store, it will be deleted. It can be retrieved from the trust store via:" - echo " $ keytool -keystore -export -alias CARoot -rfc" - - echo - echo "Now the trust store will be generated from the certificate." - echo - echo "You will be prompted for:" - echo " - the trust store's password (labeled 'keystore'). Remember this" - echo " - a confirmation that you want to import the certificate" - - keytool -keystore $TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME \ - -alias CARoot -import -file $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE - - trust_store_file="$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME" - - echo - echo "$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME was created." - - # don't need the cert because it's in the trust store. - rm $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE -else - echo - echo -n "Enter the path of the trust store file. " - read -e trust_store_file - - if ! [ -f $trust_store_file ]; then - echo "$trust_store_file isn't a file. Exiting." - exit 1 - fi - - echo -n "Enter the path of the trust store's private key. " - read -e trust_store_private_key_file - - if ! [ -f $trust_store_private_key_file ]; then - echo "$trust_store_private_key_file isn't a file. Exiting." 
- exit 1 - fi -fi - -echo -echo "Continuing with:" -echo " - trust store file: $trust_store_file" -echo " - trust store private key: $trust_store_private_key_file" - -mkdir $KEYSTORE_WORKING_DIRECTORY - -echo -echo "Now, a keystore will be generated. Each broker and logical client needs its own" -echo "keystore. This script will create only one keystore. Run this script multiple" -echo "times for multiple keystores." -echo -echo "You will be prompted for the following:" -echo " - A keystore password. Remember it." -echo " - Personal information, such as your name." -echo " NOTE: currently in Kafka, the Common Name (CN) does not need to be the FQDN of" -echo " this host. However, at some point, this may change. As such, make the CN" -echo " the FQDN. Some operating systems call the CN prompt 'first / last name'" -echo " - A key password, for the key being generated within the keystore. Remember this." - -# To learn more about CNs and FQDNs, read: -# https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html - -keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME \ - -alias localhost -validity $VALIDITY_IN_DAYS -genkey -keyalg RSA - -echo -echo "'$KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME' now contains a key pair and a" -echo "self-signed certificate. Again, this keystore can only be used for one broker or" -echo "one logical client. Other brokers or clients need to generate their own keystores." - -echo -echo "Fetching the certificate from the trust store and storing in $CA_CERT_FILE." -echo -echo "You will be prompted for the trust store's password (labeled 'keystore')" - -keytool -keystore $trust_store_file -export -alias CARoot -rfc -file $CA_CERT_FILE - -echo -echo "Now a certificate signing request will be made to the keystore." -echo -echo "You will be prompted for the keystore's password." 
-keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost \ - -certreq -file $KEYSTORE_SIGN_REQUEST - -echo -echo "Now the trust store's private key (CA) will sign the keystore's certificate." -echo -echo "You will be prompted for the trust store's private key password." -openssl x509 -req -CA $CA_CERT_FILE -CAkey $trust_store_private_key_file \ - -in $KEYSTORE_SIGN_REQUEST -out $KEYSTORE_SIGNED_CERT \ - -days $VALIDITY_IN_DAYS -CAcreateserial -# creates $KEYSTORE_SIGN_REQUEST_SRL which is never used or needed. - -echo -echo "Now the CA will be imported into the keystore." -echo -echo "You will be prompted for the keystore's password and a confirmation that you want to" -echo "import the certificate." -keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias CARoot \ - -import -file $CA_CERT_FILE -rm $CA_CERT_FILE # delete the trust store cert because it's stored in the trust store. - -echo -echo "Now the keystore's signed certificate will be imported back into the keystore." -echo -echo "You will be prompted for the keystore's password." -keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost -import \ - -file $KEYSTORE_SIGNED_CERT - -echo -echo "All done!" -echo -echo "Delete intermediate files? They are:" -echo " - '$KEYSTORE_SIGN_REQUEST_SRL': CA serial number" -echo " - '$KEYSTORE_SIGN_REQUEST': the keystore's certificate signing request" -echo " (that was fulfilled)" -echo " - '$KEYSTORE_SIGNED_CERT': the keystore's certificate, signed by the CA, and stored back" -echo " into the keystore" -echo -n "Delete? [yn] " -read delete_intermediate_files - -if [ "$delete_intermediate_files" == "y" ]; then - rm $KEYSTORE_SIGN_REQUEST_SRL - rm $KEYSTORE_SIGN_REQUEST - rm $KEYSTORE_SIGNED_CERT -fi 
diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.keystore.jks b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.keystore.jks deleted file mode 100644 index 7fa25e52d36632828c176d0392f617d082117627..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4814 zcma)AWmFUlvtD4?r4|q=i3OC7Wl0I8JEcLuMOr|YE-x=fQf+xN0B&#aM^>fO{(mLxTp$WN^DmtC*OEZ^|H~r4!@&HC!j||8zJOc)!@!2X4d6omN(tZ`K+*)7 zP_YV7Omd(hoD@HLDtG1M`C1MjSkCrMC$jg|{C|qp8u{4wT9u;}F$>A?~-=cxJ z%b#jzIF+d#G`W~as>p8Hcq%#RG%QdNjeDTcSGo62*JOt$lCtZ@k>*8leS(SGJWP)c}d2osmyo5@`&+R3n1s7ETtrgS%Y&+?_D#cNFAe9 z0Y~gh=EY~dV&N+1fa?WX@Qj1XEAGftSybZ!g)C!kWR@B4VvM3OV3?Q5Q#LyG;gi|V znblk!txLvEr4=`o3mBc;k6%|}H|-*yx3}6)QX+~s_U1(g`lmH{DC&~bI7kij*&Ug+ zqY0m)zhX|=tn1c&Yw#&3%}(;lILGqydP6GOrx274ps6C)jE*`;p?WC){NAV{A7{#+ z8Gz63sH!KpH%#9fKI?)H2H8)==!=4)reeQm?(gea{yy_V(a49!9s9F-7&N41?$Yw@ zrutg0w7zROFwJ|}t+EGqk0*XL>*~feB^k4*=TXM^Xf1=WY6U1z8t-<^h~tPbXP#aOl&;!Zv%P!mMe+TZSu(W+22<_dPGk~1PMn*1mffwVqASs+ z;#WEBm?`zsaMv!V=l7%*qvAz||5(k()8sSM^$1z161muD&6PYPq4d5U+CjiQ)F&Ff@d&Lo%k9P7vk zMSYc||5#E|uXa>!GPdoo2rr2t(H!5~fi3DgJr%e`JNO{7_k86`AC^gb`IpQRv%Q1& z)va(`gR*m&>GHaugI<;X6^nu1iSletNJC^i*?djVgAtuo*Uq*d9h-LidZz4CYd#m} zXTFf!U3pR)7?#|oCQ>K>`gaOvna)Xa{^(i4TlZm7 zwdcV%AO}#ffQs)?`?_!uUh>;Lz%$Axo#j8aI})p9zsZBo6Cf4%U zMx@Hpa}2apbbMkN9Xnn1HtnnZUivlhx9apG2b~`qF0GF#T4KZ5JrF)b)8b8ZL9=X#1$v#>W5+G7;i6CI>lv{6kUa)#r~3}+_7J07{*rh!6zqL9$WR;l zL5oKY&hU?1;*#=^LP-F203^T+@b<5_{u?;~od0hN84oFtMEl))3woaCa3T0}K4D&d zK4C#PiXii!IbhIN6hZV~C;}4$@Ye)}i`xB1oCdpW&1wADCY<~SFPg3JCl|8l2bH6__6zFT;P@(~7ys^O81s-Ct4kuv^X z(J>M+o_Bg5Vk>03D}H${s$({khc(&b zZ&d$6b@r`Wwm_}<+gXnm{*^;MZ${hHYoO0-;idTvBq125udJpWj48+9?yOX;!qJYn?KT6%~eccWR1no3qRmLKYOuTyovg%-Dmm}S~@?1`&TN0Z=E z7VkHd;+4pKm(0B~2MWn|%8qOm6>n^S3>_5Jr5O4ftmZZgcHJ(iOfsgwD?Tf(Y*Am? 
z1{5N25)>;^g;i6!pPNuU{B%mPCu8nV=Jc5wu(~$%Mw*ps-_vCM*p?s*=!ANdT!9oyM=s<&f?Xjo4mHnl>S4>?r}Rsc z6=X^;u8+25g%<8{ZA@oqTE<9k35%>sQe>BwVlDGB7!g@#${39_8+!*-Y_t_c5H>f` z+t=)ZpCq#{n0B2lzv?I;f8u%ag~hSr|LlA=sgFX^Fb-OGhf4V>zCA%jr#oBVeiI3? zbsKX;&hS!l$+#eS4ZC_aJHZSIoQ}GzAJZbtsiC?2h=Qn)^C2z~Ie~H&MHg@OV}6tK z(hZMxaA+Y3aJ>P%`Jy{6m5^IkmR}FN^VQt=$6-$;fxb|T_vafIMWxK{=POpROTD3= z{=fpSaw|HOD)4?~Sqx$Q&;LRzEB~FXanW9M$`QD-vS0M;1 zvNe4s1gf5yKSWklc!RATJQslUm)l9biME%YB`@qe_+V0@vYao|gkU>&lg5BRL!@^M z4xQ(#!wHUys&8mpxr{Y>e(*TGcuiiNtj0KZu``z2`KIobG2c`)9w;#?saCa z)sn3W+l9E%-8J{3T`EhyO|DN{lbhp^t7Ka(VBbOSqHHf))u&Jo?Vdb*osv&F-fz?X zZYOVll~JBf(BbCnBuC9n8b;_ltMDDwZKnMGAF$KxWr4*dqKEs4@ZlwL|&vd{T++!>)9+79?>Cj4N%rQ&-Yg2Do^>p zOIp+APQKt8SPUrFzeaF~=cQ=!^Hr+gC3N;B=8C9(pex-6;u&?l43Cb-K$&`FN zAsPyfUyG9XI>~87Cdw%!uF;cHRZAO)K_&Xw`GytNXXo0wg7(JaZsZ8Vg(bF7(2$+R zO^n6}etH6RE_D97?9LsFYi>gql7g_dbIFpsqkxb0{%?9Pvka8YrQLmy(bKkbEsU7QzY{f2bE`U1dF%Q z`$Lciga#08=SJ-D=K`tZR#w5pHVkZCU;(ccRUMjAlOaL8$^my8Z4ASyO^v?BtgES1|ukkRcv zg19%wtfo? zfx0JNO>x+u1$22e=_7}^w1J!e)W{TTxQ4X{aUpl4^`w=h&Zlpt0QpVtegoRRR*fzf zWJIhcn3_?v-IltDpUdCXVfpK2yNG`pot;`S*O%$v;|EE(fAa606q6hYM6h#uWtST8 zOvpUjO1KN!yuNh$PtGIHlUpI+(8Cl!iqUO?Tsa5s);@UhCo(}yVkhou>%#A7%A(3U zPihaLopb5r=RefB`KvQD*KhI#t?=AAxVW4&T-zoK0Au~Fm*SRlEuizQc88v$PQN## zJxSU7aS1bU4fxJ{(NoOZHd(Fj(1S=l9Eo_kd~ymEk8Ni+pzyQ1 zvTnuKa}_R{$bb~6nZdD;EPmY64_GX0w$ruKL&gOO;q()~W>hq)4j7#gm7B6ZHE-h9 z`Y$SdCmJI>fsm&9L-_H9MD?2y8EQ720tLSzWu_h)v~nU}h;H{*)2tjbxBGmtjN~%{ z_FZ;y-mV5=n2ABc=S4-R!adJ%&kjn9_+dxV{e9^xY^f)77)%BW#~@bei`cnWZKpEZ z4P)`A724eCnkE4wM!ANub^U7$(|2kG*wIAK! z<*+RxH`Q4MLd`u{X|ETKf^(ci@1iLMUp^5j_mUvkpbMUqr{LAZ467^7VOM*fsEA1> zL)tekMR=2BCSBIuLPXYCd>-u_)6dca3&ogThXN^|s-NOTQ6!Rdee z8nhO+JI;utQhUbL(}?79L_H2rZYDM9ENfJK;ztG0$Tfzf!$J){Zp3*s*{r@v`lKo-7BbR#X>!QU z0*dM)%yS7!r0?uvoeg-Qt|7o->$Cb^eG6@(akx~hMG~*OtntD-*8np4;=E(j|US2 z8vvwt(pRJ@ltO0+RV5k@X!oA%5Xaw0)7JBbNxTx06<_cLl2*6^-jgg@|1o;Nncx<% On$UO|)%V{g$$tSbUh_Tx 
diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.truststore.jks b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/certs/kafka.truststore.jks deleted file mode 100644 index 71b6c435a370ab58bb251b54985dfccf6340c4bb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1286 zcmV+h1^N0gf&~Hs0Ru3C1gr)LDuzgg_YDCD0ic2eodkjenJ|I`l`w(?kp>AWhDe6@ z4FLxRpn?Q~FoFbr0s#Opf&_O42`Yw2hW8Bt2LUi<1_>&LNQU+thDZTr0|Wso1Q2vNWIS6j9XS^8$0q0uenEhO1OVvACk)g0!6xd*EOEefOx4!1 zg(gqjNCT@utWfE4i!}a9!`;a`Y!U-9{(lZLqwL# z#vG!+at_d6^wv6>@wK^&8Bbnh0rOcKNn*PiwT?p+=Qf-T$nSHHUM~@=-8(WQD0Ebz#>naaXCp0G= z3A*xqh?ZnJ(X2GaT_x}@)o_y^dWPUNi_-iBg(hk&@jL$!VauxO4i?G*S$DqB?7+(C zF{bTfFsA+_vQLssGZqRJw2=!05I!*pL3YDuN8j$=g+ixtOSW9H|qZ7nR=2u>m-KzAg_=>_Q#dbUF0VMER;n=U0mk$1-Yd z43*G=YQVd`F{-9s?x8*Z32+LFO!as3h2g+|?mLUX`-Q(D*-#HRAbW&6zXtLlwI0?$ z%xv5@4|dfhLV<`Kq(@fQfeqo7==Yx#E?8l8LgU+Qu0CE)1i9?)mJot|We7O60+j2b zCjMC3D0?ak0WG|(#QHgux_O4JQuonPC_44io~J@xIoHw}J+$G~LqmGZ^+DT$4Q!pP zj^Bw%)W#W8y@k;+L$J=UZYh(VdTdHGx3FdZ?fI6ejxi5VAh1ZlwvI6zz82M^8L_FDnrZ~vk~^=T-=QgOZUbArkmjYN9Hgx zRyEu9dg;ejg1?f_+Ov;&P-uz${wlr^$K~_WZTMI7H&d^r90_BDXm)%tYp;OvC3B~N zH`^=uUrfe^8iW?V_%SvT*h?@?FflL<1_@w>NC9O71OfpC00bZg?qli;f=~8$6ElMh wBz~Vu!49>^hDG#A?`@$5&DP)q6g2C(_Kq+>wQDyuRDdF?+9LyglmY@L5NGR1E&u=k diff --git a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml index f0d36dbbf..63c802715 100644 --- a/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml +++ b/shotover-proxy/tests/test-configs/kafka/passthrough-sasl/docker-compose.yaml @@ -2,7 +2,7 @@ version: '2' services: kafka: - image: 'bitnami/kafka:latest' + image: 'bitnami/kafka:3.6.1-debian-11-r24' ports: - '9092:9092' - '9093:9093' diff --git a/test-helpers/src/docker_compose.rs b/test-helpers/src/docker_compose.rs index 7eab582a9..f512fe7e8 100644 --- a/test-helpers/src/docker_compose.rs 
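Review bot: The new `image: 'bitnami/kafka:3.6.1-debian-11-r24'` line pins a tag, and a tag can be re-pushed upstream, so two test runs can still pull different image contents. Appending the digest keeps the readable tag and fixes the content: `image: 'bitnami/kafka:3.6.1-debian-11-r24@sha256:<digest-of-the-image-you-verified>'` (placeholder; the digest is not on this page). The same patch removes the `bitnami/kafka:latest` entry from `IMAGE_WAITERS` in `test-helpers/src/docker_compose.rs`, and the name of the Kafka entry that remains is outside the visible hunk. If the harness looks images up by exact name, it is worth confirming that the remaining entry carries exactly the string used here.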
+++ b/test-helpers/src/docker_compose.rs @@ -20,7 +20,7 @@ pub fn new_moto() -> DockerCompose { docker_compose("tests/transforms/docker-compose-moto.yaml") } -pub static IMAGE_WAITERS: [Image; 12] = [ +pub static IMAGE_WAITERS: [Image; 11] = [ Image { name: "motoserver/moto", log_regex_to_wait_for: r"Press CTRL\+C to quit", @@ -68,11 +68,6 @@ pub static IMAGE_WAITERS: [Image; 12] = [ log_regex_to_wait_for: r"Kafka Server started", timeout: Duration::from_secs(120), }, - Image { - name: "bitnami/kafka:latest", - log_regex_to_wait_for: r"Kafka Server started", - timeout: Duration::from_secs(120), - }, Image { name: "opensearchproject/opensearch:2.9.0", log_regex_to_wait_for: r"Node started",