From 4149bc47d6a7620fa189d050c0c52ebd7507bba4 Mon Sep 17 00:00:00 2001
From: Julien Clarysse <julien.clarysse@aiven.io>
Date: Wed, 4 Dec 2024 12:03:18 +0100
Subject: [PATCH] (fix): Format of key/cert upon creation of external kafka
 integration endpoint

The documentation mistakenly suggested to pass a path to SSL key/cert
when calling ServiceIntegrationEndpointCreate via API or CLI.
Moreover the format of these values should match RFC-1421.

[EH-1434]
---
 .../flink/howto/ext-kafka-flink-integration.md    | 15 ++++++++++++---
 docs/tools/cli/service/integration.md             |  4 ++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/docs/products/flink/howto/ext-kafka-flink-integration.md b/docs/products/flink/howto/ext-kafka-flink-integration.md
index bd70aaace..50a3e50db 100644
--- a/docs/products/flink/howto/ext-kafka-flink-integration.md
+++ b/docs/products/flink/howto/ext-kafka-flink-integration.md
@@ -117,13 +117,22 @@ Where:
         and ports to connect to.
     -   `security_protocol`: The type of security protocol to use
         for the connection, which is `SASL` in this case.
-    -   `ssl_ca_cert`: The path to the SSL CA certificate.
-    -   `ssl_client_cert`: The path to the SSL client certificate.
-    -   `ssl_client_key`: The path to the SSL client key.
+    -   `ssl_ca_cert`: The content of the SSL CA certificate.
+    -   `ssl_client_cert`: The content of the SSL client certificate.
+    -   `ssl_client_key`: The content of the SSL client key.
     -   `ssl_endpoint_identification_algorithm`: The endpoint
         identification algorithm to use for SSL verification. For
         example, `https`.
 
+:::important
+After downloading your keys/certificates, the cypher should be in its own line
+while the PEM markers delimited by a line feed, as per [RFC 1421](https://www.rfc-editor.org/rfc/rfc1421#section-4.4).
+The following bash command should help producing the expected content:
+```
+cat $downloaded_cert_or_key | tr -d '\n' | sed 's/\([EY]---[-]*\)\([^-]\)/\1\n\2/g;s/\(=\)\(---[-]*\)/\1\n\2/g'
+```
+:::
+
 #### SASL_PLAINTEXT
 
 To create a SASL_PLAINTEXT protocol type endpoint, use the following
diff --git a/docs/tools/cli/service/integration.md b/docs/tools/cli/service/integration.md
index 2cfd0e0be..76e933d4e 100644
--- a/docs/tools/cli/service/integration.md
+++ b/docs/tools/cli/service/integration.md
@@ -86,6 +86,10 @@ avn service integration-endpoint-create --endpoint-name demo-ext-kafka \
     --user-config-json  '{"bootstrap_servers":"servertest:123","security_protocol":"PLAINTEXT"}'
 ```
 
+:::note
+Further examples of external Apache Kafka® endpoint creations are documented [here](/docs/products/flink/howto/ext-kafka-flink-integration#step-4-create-an-external-apache-kafka-endpoint).
+:::
+
 **Example:** Create an external Loggly endpoint named `Loggly-ext`.
 
 ```bash