Mistakes configuring client in host based routing lab
chuck-confluent opened this issue
These are in the host based routing lab, but might also appear elsewhere.
creating client secret with base64
This code doesn't do what we think:
```
echo bootstrap.servers=kafka.$DOMAIN:443 \
security.protocol=SSL \
ssl.truststore.location=/mnt/truststore.jks \
ssl.truststore.password=mystorepassword | base64
```
If you do this, it will not handle newlines correctly and the client will complain that it's invalid to have bootstrap server `bootstrap.servers=kafka.$DOMAIN:443 security.protocol=SSL ssl.truststore.location=/mnt/truststore.jks ssl.truststore.password=mystorepassword`.
Instead, you must do something like this:
```
base64 -w 0 <<-EOF
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=/mnt/truststore.jks
ssl.truststore.password=mystorepassword
EOF
```
Client requires keystore since mtls is enabled, and the store types are PKCS12, not JKS
This lab has mTLS enabled for the external listener. Therefore, the client needs to have both keystore and truststore defined. The keystore and truststore are both in PKCS12 format, so we also need to specify that in the client configuration. Also, the secrets are mounted under `/mnt/sslcerts`, not `/mnt`. In the end, this should give the base64-encoded client configuration:
```
base64 -w 0 <<-EOF
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=/mnt/sslcerts/truststore.p12
ssl.truststore.password=mystorepassword
ssl.truststore.type=PKCS12
ssl.keystore.location=/mnt/sslcerts/keystore.p12
ssl.keystore.password=mystorepassword
ssl.keystore.type=PKCS12
EOF
```
If we are running the client outside of the kubernetes cluster (which is preferred, since that's the purpose of this lab), then we can extract the generated keystore and truststore:
```
kubectl get secret kafka-pkcs12 -o json | jq -r '.data."keystore.p12"' | base64 -d 2>/dev/null > certs/keystore.p12
kubectl get secret kafka-pkcs12 -o json | jq -r '.data."truststore.p12"' | base64 -d 2>/dev/null > certs/truststore.p12
```
The proper kafka.properties file should come from this:
```
cat <<-EOF > $TUTORIAL_HOME/kafka.properties
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=$TUTORIAL_HOME/certs/truststore.p12
ssl.truststore.password=mystorepassword
ssl.truststore.type=PKCS12
ssl.keystore.location=$TUTORIAL_HOME/certs/keystore.p12
ssl.keystore.password=mystorepassword
ssl.keystore.type=PKCS12
EOF
```
Run a producer from outside the kubernetes cluster:
```
kafka-console-producer --bootstrap-server kafka.$DOMAIN:443 \
--topic test \
--producer.config $TUTORIAL_HOME/kafka.properties
```
The kafka client should probably use its own certs and its own keystore and truststore. We can use https://github.com/confluentinc/confluent-operator/tree/master/playbooks/features/directoryPathInContainer/scripts to generate keystore and truststore. The client keystore will be trusted by the broker because its cert would be signed by the same CA. The client truststore trusts the broker keystore for the same reason.
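An added example, not code from the issue or the confluent-operator playbooks, that puts the two mistakes above side by side: it encodes the client config with the `echo` form and with the heredoc form, decodes both, and checks whether the result still has one property per line and carries the keystore/truststore keys an mTLS listener needs. `DOMAIN` is a placeholder value, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the issue or the confluent-operator repo.
# DOMAIN is a placeholder; the lab uses the real cluster domain.
DOMAIN="${DOMAIN:-example.test}"

# The form the issue warns about: the backslash continuations feed echo one
# argument list, so every key=value pair lands on a single line.
encode_wrong() {
  echo bootstrap.servers=kafka.$DOMAIN:443 \
    security.protocol=SSL \
    ssl.truststore.location=/mnt/sslcerts/truststore.p12 \
    ssl.truststore.password=mystorepassword | base64 | tr -d '\n'
}

# The corrected form: a heredoc keeps one property per line, and tr strips
# the wrapping newlines base64 adds (portable stand-in for GNU base64 -w 0).
encode_right() {
  base64 <<EOF | tr -d '\n'
bootstrap.servers=kafka.$DOMAIN:443
security.protocol=SSL
ssl.truststore.location=/mnt/sslcerts/truststore.p12
ssl.truststore.password=mystorepassword
ssl.truststore.type=PKCS12
ssl.keystore.location=/mnt/sslcerts/keystore.p12
ssl.keystore.password=mystorepassword
ssl.keystore.type=PKCS12
EOF
}

# Count property lines after decoding; the echo bug collapses this to 1.
decoded_lines() {
  printf '%s' "$1" | base64 -d | grep -c .
}

# Check that the decoded config carries every key the mTLS listener needs
# (both stores, both declared PKCS12). Returns 1 on the first missing key.
has_mtls_keys() {
  cfg=$(printf '%s' "$1" | base64 -d)
  for key in ssl.truststore.location ssl.truststore.type \
             ssl.keystore.location ssl.keystore.type; do
    printf '%s\n' "$cfg" | grep -q "^$key=" || return 1
  done
  return 0
}

printf 'echo form decodes to %s line(s), heredoc form to %s\n' \
  "$(decoded_lines "$(encode_wrong)")" "$(decoded_lines "$(encode_right)")"
```

The same `decoded_lines` check works on a secret pulled back with `kubectl get secret ... -o json | jq -r '.data."kafka.properties"'` before a client ever reads it.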