
I have a requirement to consume from Kafka, which uses the SASL_PLAINTEXT protocol. My application is a Spring Boot app and I am trying to deploy it in Kubernetes using a Helm chart.

I have the keytab added as a Kubernetes secret that I mounted as a file using the code below:

apiVersion: v1
kind: Pod
metadata:
  name: service-name
spec:
  volumes:
  - name: kafka-secret          # volume names must be lowercase DNS labels
    secret:
      secretName: kafka-keytab  # a volume has exactly one source: secret, not secret plus emptyDir
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: kafka-secret
      mountPath: "/etc/security"

I am specifying that mounted keytab location in spring.jaas.config in application.yaml:

sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
    useKeyTab=true \
    storeKey=true \
    keyTab="/etc/security/keytabs/kafka-keytab" \
    principal="kafka-client-1@EXAMPLE.COM";

(The keyTab value is the mounted path on Kubernetes, and kafka-vol is the key name.)

I have Kerberos set up. Currently I am adding krb5.conf in the Dockerfile using the below:

FROM java-jdk:11
ADD service-name.tar /

ADD krb5.conf /etc/krb5.conf
ENTRYPOINT java -Djava.security.krb5.conf=/etc/krb5.conf -jar /<jar-path>

I am getting the below error after starting the pod in Kubernetes:

2019-08-14T09:49:51.949-05:00 [APP/PROC/WEB/0] [OUT] INFO [d3-5b28248c661c] o.a.k.common.network.SaslChannelBuilder o.a.k.c.n.SaslChannelBuilder.buildChannel(SaslChannelBuilder.java:119) - ||||||||||||||Failed to create channel due to :
org.apache.kafka.common.KafkaException: Failed to configure SaslClientAuthenticator at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.configure(SaslClientAuthenticator.java:125) at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.kafka.common.KafkaException: Failed to create SaslClient with mechanism GSSAPI 
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:140) 
at javax.security.auth.Subject.doAs(Subject.java:422) 
at org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.createSaslClient(SaslClientAuthenticator.java:131) ... 11 common frames omitted
Caused by: org.ietf.jgss.GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm) 
at sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:129) 
at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:95)

Please let me know if any information is needed. Appreciate any pointers or help regarding this issue.

  • When you use `mountPath: "/etc/security"` your secret will override the content of this directory, is that the expected behavior? Just to clarify, the secret created is a keytab file converted into base64, right? If you log into the container, can you see the file in place correctly? – Mr.KoopaKiller Feb 03 '20 at 14:02
  • It is being injected as Kubernetes secret and I can see it coming as volume mount on the location. – Priya Tanwar Feb 03 '20 at 18:36
  • Yes it is base64. – Priya Tanwar Feb 03 '20 at 20:13
  • Interesting bit of exception for me is "org.ietf.jgss.GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)". Seems to be something wrong with your krb5.conf file. – Shakti Garg Jul 30 '20 at 11:47
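The exception in the question is raised while the JVM turns the broker's service name into a Kerberos principal: Kafka passes it as `kafka@<host>` with no realm, so the JVM falls back to `libdefaults.default_realm` from the file named by `-Djava.security.krb5.conf`, and fails with "Cannot locate default realm" when that entry is absent. The following preflight check is an added example, not code from the question; it parses a krb5.conf, reports the missing default realm and missing `[realms]` stanzas, and uses constructed sample files for the EXAMPLE.COM realm from the JAAS config above.

```python
# Constructed example, not code from the question: sanity-check the krb5.conf
# that -Djava.security.krb5.conf points the JVM at before the pod starts.
import re

def parse_krb5_conf(text):
    # {section: {key: value}}; a "REALM = { ... }" block nests a dict under its key.
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = header.group(1), None
            sections.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].strip().rstrip("=").strip()
            sections[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            (sections[section][block] if block else sections[section])[key] = value
    return sections

def check_krb5(conf_text, client_principal, service_name="kafka"):
    # Kafka binds the broker as "<service_name>@<host>" with no realm, so the JVM
    # needs libdefaults.default_realm even when the client principal names its realm.
    conf = parse_krb5_conf(conf_text)
    problems = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("libdefaults.default_realm missing: resolving "
                        f"{service_name}@<broker> fails with 'Cannot locate default realm'")
    client_realm = (client_principal.rpartition("@")[2]
                    if "@" in client_principal else default_realm)
    for realm in {default_realm, client_realm} - {None}:
        stanza = conf.get("realms", {}).get(realm)
        if stanza is None:
            problems.append(f"no [realms] stanza for {realm}")
        elif "kdc" not in stanza:
            problems.append(f"[realms] {realm} lists no kdc")
    return problems
# Constructed krb5.conf reproducing the question's symptom: no default_realm.
BAD_KRB5_CONF = """[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com:88
  }"""
GOOD_KRB5_CONF = "[libdefaults]\n  default_realm = EXAMPLE.COM\n" + BAD_KRB5_CONF
```

Running `check_krb5(open("/etc/krb5.conf").read(), "kafka-client-1@EXAMPLE.COM")` inside the container (for example from an init step) surfaces the misconfiguration before the Kafka client ever attempts the GSSAPI handshake.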

0 Answers