
I have a Strimzi cluster set up with the following yaml.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka
spec:
  kafka:
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: route
        authentication:
          type: scram-sha-512
        tls: true

The pods come up fine and I've created a KafkaUser CR with SCRAM-512 like the following -

apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: scram-user
  labels:
    strimzi.io/cluster: kafka
spec:
  authentication:
    type: scram-sha-512

I've extracted the SCRAM password from the secret properly as well as gotten the ca.crt file from the cluster-ca-cert secret. I'm trying to follow the Go Sarama Code from this sample here - https://github.com/Shopify/sarama/blob/master/examples/sasl_scram_client/main.go

I've also properly gotten the bootstrap server address from the OpenShift Route but I can't seem to connect.

go run sarama.go scram_client.go -brokers bootstrap-address:443  -username scram-user -passwd esoy2WksWRBp -topic test-topic -algorithm sha512 -tls true -ca /path/ca.crt

I've tried a few variations of the above command with adding -certificate or -key flags and none seem to work. Do I have the listener setup wrong?

edit - Forgot to include and mention it, but this is the error I get from the Go Sarama code.

[Sarama] 2021/08/18 09:22:36 Failed to send SASL handshake kafka-broker:443: x509: certificate signed by unknown authority
[Sarama] 2021/08/18 09:22:36 Closed connection to broker kafka-broker:443
[Sarama] 2021/08/18 09:22:36 client/metadata got error from broker -1 while fetching metadata: x509: certificate signed by unknown authority
[Sarama] 2021/08/18 09:22:36 client/metadata no available broker to send metadata request to
[Sarama] 2021/08/18 09:22:36 client/brokers resurrecting 1 dead seed brokers
[Sarama] 2021/08/18 09:22:36 Closing Client
[Producer] 2021/08/18 09:22:36 failed to create producer:  kafka: client has run out of available brokers to talk to (Is your cluster reachable?)
exit status 1

So it looks to be a cert issue, but I seem to have followed the proper instructions to get the cert. My Kafka broker is just named kafka, so the secret is just named kafka-cluster-ca-cert. The ca.crt file is the path I was providing to the Sarama code.

oc get secret kafka-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt

Describe of the secret, if it matters -

╰─ oc describe secret kafka-cluster-ca-cert
Name:         kafka-cluster-ca-cert
Namespace:    strimzi
Labels:       app.kubernetes.io/instance=kafka
              app.kubernetes.io/managed-by=strimzi-cluster-operator
              app.kubernetes.io/name=strimzi
              app.kubernetes.io/part-of=strimzi-kafka
              strimzi.io/cluster=kafka
              strimzi.io/kind=Kafka
              strimzi.io/name=strimzi
Annotations:  strimzi.io/ca-cert-generation: 0

Type:  Opaque

Data
====
ca.crt:       1854 bytes
ca.p12:       1687 bytes
ca.password:  12 bytes
  • The listener configuration looks good. I have no experience with Sarama and SCRAM-SHA-512 ... your options look good from the linked Golang file, but I do not know if there are any other things you might need to do. What errors do you get from the client and from the brokers? – Jakub Aug 17 '21 at 23:52
  • @Jakub hello Jakub. Apologies I added an edit with the Sarama error as well as the command to get the ca cert. – animusdx Aug 18 '21 at 13:28
  • Another minor note - As a sanity check, I spun up a new Kafka cluster with the Route listener with tls: true and no SCRAM authentication and it connects fine using the usual steps by getting the crt from the kafka-cluster-ca-cert secret and etc. Not sure what exactly is the issue with SCRAM + TLS. Though instead of the Sarama Go Client I went with the confluent-go client since the previously linked Sarama client was expecting SASL username/password which were obviously missing this time around. – animusdx Aug 18 '21 at 14:41
  • Last update - I figured out the issue and I've posted an answer to the question. – animusdx Aug 18 '21 at 15:50

1 Answer

So it turns out that the problem was mainly a command line issue. I kept trying to use the -ca flag when I should have just used only the -certificate flag. I also needed to add the -verify option flag. So the command that allowed me to produce was the following -

go run sarama.go scram_client.go -brokers <your-kafka-bootstrap-address>:443  -username <your-scram-username> -passwd <your-scram-password> -topic <your-topic> -algorithm sha512 -tls -certificate <full-path-to-your-cert-file>/ca.crt -verify true

And likewise the command to consume -

go run sarama.go scram_client.go -brokers <your-kafka-bootstrap-address>:443  -username <your-scram-username> -passwd <your-scram-password> -topic <your-topic> -mode consume -logmsg -algorithm sha512 -tls -certificate <full-path-to-your-cert-file>/ca.crt -verify true

Lesson learned I guess - understand the differences between CA, certificates, and keys.

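A caveat worth checking before copying the commands in the answer above. In the linked Sarama sample as it stood in 2021, createTLSConfiguration only reads the -certificate, -key and -ca files when all three are given (they are the mutual-TLS triple: client cert, client key, trust anchor), so both the question's -ca alone and the answer's -certificate alone are silently ignored, and the -verify flag is wired straight to tls.Config.InsecureSkipVerify. Passing -verify true therefore makes the connection succeed by switching broker certificate verification off, not by trusting the Strimzi cluster CA; later revisions of the sample rename that flag -tls-skip-verify to make this explicit. Read createTLSConfiguration in the copy you run before trusting the result.

The fix for the "x509: certificate signed by unknown authority" error in the question is to load the cluster CA into RootCAs and leave verification on. The Go program below is an added example, not code from the question, the answer or the Sarama project. It uses only the standard library: it generates a throwaway CA and a broker certificate signed by it in memory (constructed fixtures standing in for kafka-cluster-ca-cert's ca.crt and the broker's listener certificate), then shows that the same broker certificate verifies against a pool holding the CA, fails with exactly the question's error against a pool without it, and is accepted unchecked once InsecureSkipVerify is set. The hostname kafka-bootstrap.apps.example.internal is an assumed placeholder for the OpenShift Route.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tlsConfigFromCA builds the client tls.Config for a Strimzi TLS listener: the
// cluster CA (ca.crt from <cluster>-cluster-ca-cert) is the trust anchor and
// verification stays on. A SCRAM listener needs no client cert, so Certificates is empty.
func tlsConfigFromCA(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// verifyBroker runs the check crypto/tls performs during the handshake: the broker
// leaf must chain to cfg.RootCAs and match the dialled host. InsecureSkipVerify
// skips the check entirely, which is how a flag wired to it "fixes" the error.
func verifyBroker(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify {
		return nil
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// testPKI is a constructed fixture: a throwaway cluster CA plus a broker
// certificate it signed, standing in for Strimzi's ca.crt and listener cert.
type testPKI struct {
	caPEM  []byte
	broker *x509.Certificate
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, err
}

func newTestPKI(brokerHost string) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	brokerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert, caDER, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	brokerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{brokerHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	broker, _, err := issue(brokerTmpl, caCert, &brokerKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return &testPKI{caPEM: caPEM, broker: broker}, nil
}

func main() {
	const host = "kafka-bootstrap.apps.example.internal" // assumed Route hostname
	p, err := newTestPKI(host)
	if err != nil {
		panic(err)
	}
	withCA, _ := tlsConfigFromCA(p.caPEM)
	noCA := &tls.Config{RootCAs: x509.NewCertPool()} // the question's run: CA never loaded
	skip := &tls.Config{InsecureSkipVerify: true}    // what -verify true did in the sample
	fmt.Println("cluster CA loaded:      ", verifyBroker(withCA, p.broker, host))
	fmt.Println("no CA loaded:           ", verifyBroker(noCA, p.broker, host))
	fmt.Println("InsecureSkipVerify, any:", verifyBroker(skip, p.broker, "evil.example"))
}
```

To wire the resulting config into Sarama for the Route listener in the question, set conf.Net.TLS.Enable = true and conf.Net.TLS.Config to the value returned by tlsConfigFromCA, and keep the SASL part of the sample as it is (conf.Net.SASL.Enable, conf.Net.SASL.Mechanism = sarama.SASLTypeSCRAMSHA512, user, password and the SCRAM client generator). The SCRAM password authenticates the user and the cluster CA authenticates the broker; a client certificate and key only enter the picture for the tls-authenticated listener on 9093, which is why -certificate and -key had nothing to do with this error.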