confluentinc / operator-earlyaccess

Confluent Operator Early Access docs


Mistakes configuring client in host based routing lab

chuck-confluent opened this issue · comments

commented

These are in the host based routing lab, but might also appear elsewhere.

Creating the client secret with base64

This code doesn't do what we think:

echo bootstrap.servers=kafka.$DOMAIN:443 \
  security.protocol=SSL \
  ssl.truststore.location=/mnt/truststore.jks \
  ssl.truststore.password=mystorepassword | base64

If you do this, it will not handle newlines correctly, and the client will complain that the bootstrap server "bootstrap.servers=kafka.$DOMAIN:443 security.protocol=SSL ssl.truststore.location=/mnt/truststore.jks ssl.truststore.password=mystorepassword" is invalid.

Instead, you must do something like this:

base64  -w 0 <<-EOF
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=/mnt/truststore.jks
ssl.truststore.password=mystorepassword
EOF

Client requires a keystore since mTLS is enabled, and the store types are PKCS12, not JKS

This lab has mTLS enabled for the external listener. Therefore, the client needs to have both a keystore and a truststore defined. The keystore and truststore are both in PKCS12 format, so we also need to specify that in the client configuration. Also, the secrets are mounted under /mnt/sslcerts, not /mnt. In the end, this should give the base64-encoded client configuration:

base64  -w 0 <<-EOF
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=/mnt/sslcerts/truststore.p12
ssl.truststore.password=mystorepassword
ssl.truststore.type=PKCS12
ssl.keystore.location=/mnt/sslcerts/keystore.p12
ssl.keystore.password=mystorepassword
ssl.keystore.type=PKCS12
EOF

If we are running the client outside of the Kubernetes cluster (which is preferred, since that's the purpose of this lab), then we can extract the generated keystore and truststore:

kubectl get secret kafka-pkcs12 -o json  | jq -r '.data."keystore.p12"' | base64 -d 2>/dev/null   > certs/keystore.p12
kubectl get secret kafka-pkcs12 -o json  | jq -r '.data."truststore.p12"' | base64 -d 2>/dev/null   > certs/truststore.p12

The proper kafka.properties file should come from this:

cat <<-EOF > $TUTORIAL_HOME/kafka.properties
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=$TUTORIAL_HOME/certs/truststore.p12
ssl.truststore.password=mystorepassword
ssl.truststore.type=PKCS12
ssl.keystore.location=$TUTORIAL_HOME/certs/keystore.p12
ssl.keystore.password=mystorepassword
ssl.keystore.type=PKCS12
EOF

Run a producer from outside the Kubernetes cluster:

kafka-console-producer --bootstrap-server kafka.$DOMAIN:443 \
    --topic test \
    --producer.config $TUTORIAL_HOME/kafka.properties
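
An added example (not code from the issue, the lab, or the Confluent Operator docs) that puts the two points above into a script you can run locally: it encodes the client properties the broken way and the correct way, then decodes both and checks whether one property per line survived the round trip. It assumes DOMAIN and the store password are placeholders, uses `base64 | tr -d '\n'` in place of the GNU-only `base64 -w 0` so it also runs on a non-GNU base64, and takes the /mnt/sslcerts path and the PKCS12 settings from the corrected configuration.

```sh
#!/bin/sh
# Added example, not from the original issue. Placeholders: DOMAIN and
# STORE_PASSWORD. Requires only base64, tr, wc and grep.

DOMAIN="${DOMAIN:-example.com}"
STORE_PASSWORD="${STORE_PASSWORD:-mystorepassword}"

# The wrong form from the issue: backslash continuations make this ONE echo
# with several arguments, so the decoded payload is a single line and the
# client reads everything after "bootstrap.servers=" as the server list.
broken_encoding() {
    echo bootstrap.servers=kafka.$DOMAIN:443 \
      security.protocol=SSL \
      ssl.truststore.location=/mnt/truststore.jks \
      ssl.truststore.password=$STORE_PASSWORD | base64 | tr -d '\n'
}

# The properties as a heredoc: one key=value per line, mTLS stores included.
client_properties() {
    cat <<EOF
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=/mnt/sslcerts/truststore.p12
ssl.truststore.password=$STORE_PASSWORD
ssl.truststore.type=PKCS12
ssl.keystore.location=/mnt/sslcerts/keystore.p12
ssl.keystore.password=$STORE_PASSWORD
ssl.keystore.type=PKCS12
EOF
}

# The correct form: encode the multi-line payload, then strip only the line
# wrapping that base64 adds to its own output (equivalent to base64 -w 0).
encode_properties() {
    client_properties | base64 | tr -d '\n'
}

# Decode a blob as the client would see it after the Secret is mounted.
decode_properties() {
    printf '%s' "$1" | base64 -d
}

# Number of lines in the decoded payload: 1 for the broken form, 8 for the
# correct one (tr strips the padding some wc implementations print).
decoded_line_count() {
    decode_properties "$1" | wc -l | tr -d ' '
}

# Exit 0 only when no decoded line contains whitespace, i.e. every line is a
# single key=value pair as the Java properties parser expects here.
properties_well_formed() {
    if decode_properties "$1" | grep -q '[[:space:]]'; then
        return 1
    fi
    return 0
}
```

`encode_properties` prints the blob for the Secret's data field. You can avoid hand-encoding altogether with `kubectl create secret generic <name> --from-file=kafka.properties=<file>`, which base64-encodes the file contents for you.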

commented

The Kafka client should probably use its own certs and its own keystore and truststore. We can use https://github.com/confluentinc/confluent-operator/tree/master/playbooks/features/directoryPathInContainer/scripts to generate the keystore and truststore. The client keystore will be trusted by the broker because its cert would be signed by the same CA. The client truststore trusts the broker keystore for the same reason.
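
An added example, not code from the issue or from the confluent-operator playbook scripts linked above, of the scheme this comment describes: the client gets its own key pair and a certificate signed by the same CA as the broker, packaged as the PKCS12 keystore and truststore the client configuration expects. It uses openssl only (no keytool), generates a throwaway CA in a scratch directory as a stand-in for the lab's CA, and treats DOMAIN, the CN values and the store password as placeholders. The check functions at the end show why the scheme works and where it fails: a certificate from an unrelated CA does not chain to the lab CA, so the broker would reject it under mTLS.

```sh
#!/bin/sh
# Added example, not from the issue or the operator playbooks. Assumes
# openssl is installed; DOMAIN, the CNs and STORE_PASSWORD are placeholders.

DOMAIN="${DOMAIN:-example.com}"
STORE_PASSWORD="${STORE_PASSWORD:-mystorepassword}"

# Create a self-signed CA in directory $1 with CN $2. In the lab you would
# reuse the CA that already signed the broker certificate instead.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# Issue a leaf certificate for CN=$3 as $1/$2.pem, signed by $1/ca.pem.
# Used once for the broker and once for the client so both share one CA.
issue_cert() {
    dir=$1; name=$2; cn=$3
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/$name.pem" 2>/dev/null
}

# keystore.p12: the client's private key and certificate plus the CA chain.
# truststore.p12: the CA certificate only, no private key at all.
make_client_stores() {
    dir=$1
    openssl pkcs12 -export -name kafka-client \
        -in "$dir/client.pem" -inkey "$dir/client-key.pem" \
        -certfile "$dir/ca.pem" \
        -passout "pass:$STORE_PASSWORD" -out "$dir/keystore.p12"
    openssl pkcs12 -export -nokeys -in "$dir/ca.pem" \
        -passout "pass:$STORE_PASSWORD" -out "$dir/truststore.p12"
}

# Exit 0 when certificate $2 chains to CA $1. This is the check the broker
# performs on the client certificate under mTLS, and the check the client
# performs on the broker certificate against its truststore.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 when PKCS12 file $1 opens with password $2 and holds exactly $3
# private keys (1 expected for the keystore, 0 for the truststore).
store_has_keys() {
    n=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true)
    [ "$n" -eq "$3" ]
}

# Convenience: build CA, broker cert, client cert and stores in a scratch
# directory and print its path.
build_lab_pki() {
    dir=$(mktemp -d)
    make_ca "$dir" "Lab CA"
    issue_cert "$dir" broker "kafka.$DOMAIN"
    issue_cert "$dir" client kafka-client
    make_client_stores "$dir"
    printf '%s\n' "$dir"
}
```

Point ssl.keystore.location and ssl.truststore.location in kafka.properties at the two .p12 files from the scratch directory; the broker-side truststore must contain the same CA for the client certificate to be accepted.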