
Strimzi Kafka Listener Custom Cert configuration

I am trying to configure Strimzi Kafka listener custom cert, following the documentation: https://strimzi.io/docs/operators/latest/full/configuring.html#ref-alternative-subjects-certs-for-listeners-str I want to expose those listeners outside of the Azure Kubernetes Service within the private virtual network.

I have provided a custom cert with private key generated by an internal CA and pointed towards that secret in the Kafka configuration:

```bash
kubectl create secret generic kafka-tls --from-literal=listener.cer=$cert --from-literal=listener.key=$skey -n kafka
```

```yaml
    listeners:
      - name: external
        port: 9094
        type: loadbalancer
        tls: true
        authentication:
          type: tls
        #Listener TLS config
        configuration:
          brokerCertChainAndKey:
            secretName: kafka-tls
            certificate: listener.cer
            key: listener.key
          bootstrap:
            loadBalancerIP: 10.67.249.253
            annotations:
              service.beta.kubernetes.io/azure-load-balancer-internal: "true"
          brokers:
          - broker: 0
            loadBalancerIP: 10.67.249.251
            annotations:
              service.beta.kubernetes.io/azure-load-balancer-internal: "true"
          - broker: 1
            loadBalancerIP: 10.67.249.252
            annotations:
              service.beta.kubernetes.io/azure-load-balancer-internal: "true"
          - broker: 2
            loadBalancerIP: 10.67.249.250
            annotations:
              service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    authorization:
      type: simple
```

The certificate has the following records:

```
SAN:
  *.kafka-datalake-prod-kafka-brokers
  *.kafka-datalake-prod-kafka-brokers.kafka.svc
  kafka-datalake-prod-kafka-bootstrap
  kafka-datalake-prod-kafka-bootstrap.kafka.svc
  kafka-datalake-prod-kafka-external-bootstrap
  kafka-datalake-prod-kafka-external-bootstrap.kafka.svc
  kafka-datalake-prod-azure.custom.domain

CN=kafka-datalake-produkty-prod-azure.custom.domain
```

I have also created an A record in the custom DNS for the given address: `kafka-datalake-produkty-prod-azure.custom.domain 10.67.249.253`

Then, I created a KafkaUser object:

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: customuser
  namespace: kafka
  labels:
    strimzi.io/cluster: kafka-datalake-prod
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      - resource:
          type: topic
          name: notify.somecustomapp.prod.topic_name
          patternType: literal
        operations:
          - Create
          - Describe
          - Write
        # host: "*"
```

When I then retrieve the secrets from the Kafka cluster on AKS:

```bash
kubectl get secret kafka-datalake-prod-cluster-ca-cert -n kafka -o jsonpath='{.data.ca\.crt}' | base64 -d > broker.crt
kubectl get secret customuser -n kafka -o jsonpath='{.data.user\.key}' | base64 -d > customuser.key
kubectl get secret customuser -n kafka -o jsonpath='{.data.user\.crt}' | base64 -d > customuser.crt
```

Communication fails when I try to connect and send some messages with a producer using those 3 files to authenticate/authorize; I get the following issue:

```
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=10.67.249.253:9094 <connecting> [IPv4 ('10.67.249.253', 9094)]>: connecting to 10.67.249.253:9094 [('10.67.249.253', 9094) IPv4]
INFO:kafka.conn:Probing node bootstrap-0 broker version
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=10.67.249.253:9094 <handshake> [IPv4 ('10.67.249.253', 9094)]>: Loading SSL CA from certs/prod/broker.crt
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=10.67.249.253:9094 <handshake> [IPv4 ('10.67.249.253', 9094)]>: Loading SSL Cert from certs/prod/customuser.crt
INFO:kafka.conn:<BrokerConnection node_id=bootstrap-0 host=10.67.249.253:9094 <handshake> [IPv4 ('10.67.249.253', 9094)]>: Loading SSL Key from certs/prod/customuser.key
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)
```

What am I doing wrong?

The communication worked perfectly fine when I was using the same method of connecting, yet the cluster itself and listeners were using the default certs generated by the Strimzi cluster.

All the best, Krzysztof

@Turing85 @Jakub

Many thanks for your comments - especially those critical ones.

And thanks, Jakub, for pointing me towards using the CA of the custom certificate. What needed to be done in order to fix this was:

  1. Switch the value obtained from the kafka-datalake-prod-cluster-ca-cert secret with the full chain of root CA, intermediate signing cert and the certificate itself.
  2. Add the LoadBalancer IPs of the brokers - this is stated in the documentation, yet the way it is formulated misguided me into thinking that adding hostnames/service names to the SAN is enough ( https://strimzi.io/docs/operators/latest/full/configuring.html#tls_listener_san_examples , and later https://strimzi.io/docs/operators/latest/full/configuring.html#external_listener_san_examples ).

After those changes, everything started to work.

Thank you for help.
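As an added example (not from the question, the answer, or Strimzi), a stdlib-only Python check that mirrors the second fix above: it parses the SAN the way `openssl x509 -noout -ext subjectAltName` prints it and reports which client-facing endpoints the certificate does not cover, treating IP endpoints the way TLS clients do (an IP needs an `IP Address:` entry; a DNS wildcard never matches an IP). The SAN and the addresses are constructed from the values in the question; the DNS name checked is the one that is actually present in the SAN.

```python
import ipaddress
import re

# Constructed from the question: the custom cert's SAN as `openssl x509 -noout -ext
# subjectAltName` prints it. Note there are DNS entries only, no "IP Address:" entries.
SAN_FROM_QUESTION = (
    "DNS:*.kafka-datalake-prod-kafka-brokers, DNS:*.kafka-datalake-prod-kafka-brokers.kafka.svc, "
    "DNS:kafka-datalake-prod-kafka-bootstrap, DNS:kafka-datalake-prod-kafka-bootstrap.kafka.svc, "
    "DNS:kafka-datalake-prod-kafka-external-bootstrap, "
    "DNS:kafka-datalake-prod-kafka-external-bootstrap.kafka.svc, "
    "DNS:kafka-datalake-prod-azure.custom.domain"
)
# What a client presents as the server name: the bootstrap LoadBalancer IP, the three
# broker LoadBalancer IPs from the listener config, and the DNS name (constructed sample).
ENDPOINTS = ["10.67.249.253", "10.67.249.251", "10.67.249.252", "10.67.249.250",
             "kafka-datalake-prod-azure.custom.domain"]

def parse_san(text):
    """Parse 'DNS:a, IP Address:b, ...' into {'DNS': [names], 'IP': [ip objects]}."""
    san = {"DNS": [], "IP": []}
    for entry in re.split(r",\s*", text.strip()):
        kind, _, value = entry.partition(":")
        if kind == "DNS":
            san["DNS"].append(value.lower())
        elif kind == "IP Address":
            san["IP"].append(ipaddress.ip_address(value))
    return san

def dns_matches(pattern, host):
    """RFC 6125 matching: '*' is allowed only as the whole left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == pattern[2:]

def uncovered_endpoints(san_text, endpoints):
    """Return the endpoints a TLS client could not verify against this SAN."""
    san = parse_san(san_text)
    missing = []
    for ep in endpoints:
        try:  # an IP endpoint matches iPAddress entries only, never a DNS wildcard
            if ipaddress.ip_address(ep) not in san["IP"]:
                missing.append(ep)
        except ValueError:  # not an IP, so it is a DNS name
            if not any(dns_matches(p, ep) for p in san["DNS"]):
                missing.append(ep)
    return missing

if __name__ == "__main__":
    print("Uncovered:", uncovered_endpoints(SAN_FROM_QUESTION, ENDPOINTS))
```

Run against the question's SAN it lists all four LoadBalancer IPs as uncovered; once `IP Address:` entries for them are added, the list is empty.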
