
I have configured a Kafka cluster on Kubernetes using Strimzi, following this article: https://itnext.io/kafka-on-kubernetes-the-strimzi-way-part-2-43192f1dd831. But the security service in my company does not want to deploy this solution in UAT with a self-signed certificate. Could you please tell me whether I can import our trusted certificate from a trusted cert center into this Kafka solution?

I added this section to my yml file, referring to https://strimzi.io/docs/operators/master/using.html#kafka-listener-certificates-str:

```yaml
configuration:
  brokerCertChainAndKey:
    secretName: es-kafka-secret
    certificate: certificate.crt
    key: certificate.key
```

But when I test, I get this error:


[thrd:ssl://104.42.195.73:9094/bootstrap]: ssl://104.42.195.73:9094/bootstrap: SSL handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed: broker certificate could not be verified, verify that ssl.ca.location is correctly configured or root CA certificates are installed (install ca-certificates package) (after 377ms in state CONNECT)
panic: interface conversion: kafka.Event is kafka.Error, not *kafka.Message

goroutine 38 [running]:
main.main.func2(0xc421004060)
        /root/kafka-kubernetes-strimzi/part-3/go-client-app/kafka-tls-auth-client.go:85 +0x2a5
created by main.main
        /root/kafka-kubernetes-strimzi/part-3/go-client-app/kafka-tls-auth-client.go:74 +0x109

And after adding my certificate, how can I check the connection?

Could you please help me? Thanks.

1 Answer


As described in the Strimzi documentation - you have two options to choose from:

  1. You can provide your own CA for the cluster or clients certification authorities. For more details see https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str
  2. You can let Strimzi use its self-signed CA for ZooKeeper, Kafka replication etc. and just configure your own server certificate for the Kafka listeners where clients will be connecting. For more details see https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str

Once you configure it, you can check whether it was correctly applied for example using OpenSSL (openssl s_client ...). Or you can use the Java clients and set the Java system property javax.net.debug to value ssl - that would also print the details about the TLS handshake, the used certificates etc.

Jakub
  • thanks for your answer. I got the error ```Message: Cluster CA should not be generated, but the secrets were not found.``` – Vitalii Fedorenko Apr 15 '21 at 08:36
  • Well, that probably means that you disabled generating the CA but did not create the secrets with your own CAs. – Jakub Apr 15 '21 at 10:33
  • I created ``` kubectl.exe describe secret test-crt -n testkafka Name: test-crt Namespace: testkafka Labels: app.kubernetes.io/instance=test-kafka-cluster app.kubernetes.io/managed-by=strimzi-cluster-operator app.kubernetes.io/name=strimzi app.kubernetes.io/part-of=strimzi-test-kafka-cluster strimzi.io/cluster=test-kafka-cluster strimzi.io/kind=Kafka strimzi.io/name=strimzi ``` – Vitalii Fedorenko Apr 15 '21 at 12:19
  • this is my mistake I explained incorrectly. I do not want to use a local certification authority, I want to use my certificate for tls communication, which I use on ingress and my sites. Which is issued by Godaddy) – Vitalii Fedorenko Apr 15 '21 at 13:44
  • The secrets need to have the right name as described in the docs. I do not think `test-crt` is correct. – Jakub Apr 15 '21 at 15:58
  • I'm not sure I follow the stuff with Ingress and GoDaddy. Ingress is designed for HTTP - but Kafka is a TCP protocol. So to use Ingress, you need to use TLS Passthrough and that means you cannot terminate the TLS connection in Ingress and configure the certificates in Ingress. If all you care about is which certificate is used when the client connects to the broker, use the listener certificates I linked in the answer. You can use certs from a public CA for that. – Jakub Apr 15 '21 at 16:02
  • The docs for the custom CA I linked tell you what the secret names should be ... e.g. `my-cluster-cluster-ca`, `my-cluster-cluster-ca-cert` etc. – Jakub Apr 15 '21 at 16:04
  • The own-CA documentation has now been moved from configuration to deployment. For example: https://strimzi.io/docs/operators/latest/full/deploying.html#installing-your-own-ca-certificates-str – practical programmer Apr 29 '23 at 10:17