Kafka broker returns "SASL_PLAINTEXT" for security_protocol instead of "SASL_SSL"


Article ID: 441513


Products

VMware Tanzu Platform Core

Issue/Introduction

I'm trying a small sample app to try and map the binding info with Java CFEnv into the Kafka settings for Spring Boot. 

Shouldn't the broker be returning "SASL_SSL" for the security_protocol instead of "SASL_PLAINTEXT"?

Here's what I see from the broker:

VCAP_SERVICES: {
  "kafka": [
    {
      "binding_guid": "########-####-####-####-############",
      "binding_name": null,
      "credentials": {
        "bootstrap_servers": [
          "########-####-####-####-############-0.sys.domain:9092"
        ],
        "sasl": {
          "mechanism": "SCRAM-SHA-512",
          "password": "################",
          "username": "############"
        },
        "security_protocol": "SASL_PLAINTEXT",
        "tls": {
          "enable": true
        }
      },
      "instance_guid": "########-####-####-####-############",
      "instance_name": "kafka-test",
      "label": "kafka",
      "name": "kafka-test",
      "plan": "small",
      "provider": null,
      "syslog_drain_url": null,
      "tags": [
        "strimzi",
        "kafka"
      ],
      "volume_mounts": []
    }
  ]
}


If I take it at face value and try to set spring.kafka.security.protocol to SASL_PLAINTEXT I can't get connected. However, if I ignore that and set SASL_SSL, I connect just fine.

Resolution

We have engaged our engineering team to address this behavior. To resolve this, we are looking into updating the service broker to correctly return SASL_SSL (or accurately reflect the protocol in the VCAP_SERVICES response if the protocol is already in use).

While we work on this update:

  1. Please confirm if your current application is successfully connecting despite the naming discrepancy.
  2. We will provide an update once the broker response has been adjusted to match the expected security standards.

This article will be updated when the issue is resolved. We suggest that you subscribe to this article to stay up to date on this issue.
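
Until the broker response changes, a client can reconcile security_protocol with tls.enable when mapping the binding, rather than copying the advertised value or hard-coding SASL_SSL. The following is an added example, not code from this article or from the product; the class and method names are hypothetical, the credentials map is the parsed "credentials" object of the binding, and it assumes tls.enable is authoritative when the two fields disagree and that the mechanism is SCRAM.

```java
import java.util.*;
import java.util.stream.Collectors;

public class KafkaBindingProtocol {
    // Reconcile the advertised protocol with tls.enable. Only ever upgrades to TLS.
    static String effectiveProtocol(Map<String, Object> credentials) {
        String advertised = String.valueOf(credentials.getOrDefault("security_protocol", "PLAINTEXT"));
        Object tls = credentials.get("tls");
        boolean tlsEnabled = tls instanceof Map && Boolean.TRUE.equals(((Map<?, ?>) tls).get("enable"));
        if (!tlsEnabled || advertised.endsWith("SSL")) {
            return advertised; // fields agree, or TLS is not enabled: keep the value
        }
        // Assumption: tls.enable is authoritative when the two fields disagree.
        String fixed = advertised.startsWith("SASL") ? "SASL_SSL" : "SSL";
        System.err.printf("binding advertises %s but tls.enable=true, using %s%n", advertised, fixed);
        return fixed;
    }

    // Escape a value for use inside a double-quoted JAAS option.
    static String jaasQuote(Object v) {
        return String.valueOf(v).replace("\\", "\\\\").replace("\"", "\\\"");
    }

    // Build spring.kafka.* properties for a SCRAM binding (assumed, as in the sample).
    static Map<String, Object> springKafkaProperties(Map<String, Object> credentials) {
        Map<?, ?> sasl = (Map<?, ?>) credentials.get("sasl");
        List<?> servers = (List<?>) credentials.get("bootstrap_servers");
        Map<String, Object> props = new LinkedHashMap<>();
        props.put("spring.kafka.bootstrap-servers",
                servers.stream().map(String::valueOf).collect(Collectors.joining(",")));
        props.put("spring.kafka.security.protocol", effectiveProtocol(credentials));
        props.put("spring.kafka.properties.sasl.mechanism", sasl.get("mechanism"));
        props.put("spring.kafka.properties.sasl.jaas.config", String.format(
                "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"%s\" password=\"%s\";",
                jaasQuote(sasl.get("username")), jaasQuote(sasl.get("password"))));
        return props;
    }

    public static void main(String[] args) {
        // Constructed credentials (placeholder values), same shape as the binding above.
        Map<String, Object> credentials = Map.of(
                "bootstrap_servers", List.of("broker-0.example.internal:9092"),
                "sasl", Map.of("mechanism", "SCRAM-SHA-512", "username", "demo-user", "password", "demo-pass"),
                "security_protocol", "SASL_PLAINTEXT",
                "tls", Map.of("enable", true));
        springKafkaProperties(credentials).forEach((k, v) ->
                System.out.println(k + "=" + (k.endsWith("jaas.config") ? "<redacted>" : v)));
    }
}
```

Because the reconciliation only moves from a plaintext protocol to its TLS counterpart, it becomes a no-op once the binding reports SASL_SSL, and the warning on stderr records each binding where the two fields still disagree.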